MCP Tool Calls#

One of AttackTrace's core experiences is that you can ask in natural language and let the workspace use available tools, evidence, memory, and reports in the same investigation flow.

What you see#

When the AI uses a tool, a collapsible tool card appears in the interface showing:

Tool name
Parameters used for this query
Execution status
Return results

This helps you verify:

Exactly what the AI queried
Which tool it used
Whether the results are trustworthy and whether you need to follow up

Automatic invocation#

In most cases, simply describe your need in natural language:

Check whether this IP is suspicious: 8.8.8.8

Look up failed login logs from the past 24 hours

Explain the likely attack path for this alert and list the next pivots

The AI selects the appropriate tool automatically.

Specifying a tool manually#

If you want to explicitly use a particular tool, you can say so:

Use available threat intelligence to check this file hash: 44d88612fea8a8f36de82e1278abb02f

Use Splunk to search for failed login events in the last hour

Calling multiple tools at once#

AttackTrace can combine multiple sources within a single investigation turn, depending on what is configured:

Built-in threat intelligence for IOC context
SIEM or log tools for environment evidence
Cloud tools for identity, network, and resource context
Ticketing or knowledge-base tools for handoff

This lets you cross-validate findings without manually switching between platforms.

Prerequisites#

If a tool has not been enabled or configured yet, the AI will typically prompt you to complete the setup first.

The simplest check is:

The tool is enabled in the marketplace
The relevant API key, token, or credentials have been filled in
Your account has permission to use that tool

Tips#

The more specific your question, the more accurate the tool call
When starting an investigation, narrow the time range or result scope first
If results seem off, expand the tool card and check whether the input parameters match what you expected