MCP Tools Reference

Phoenix exposes tools across three categories: CVE intelligence, scoring, and end-of-life risk. Enterprise tiers unlock additional simulation and explanation tools. Tools marked "Enterprise only" require a key with the api_unlimited scope.

How to Call a Tool

All tool calls use the tools/call JSON-RPC method with name and arguments parameters:

{
  "jsonrpc": "2.0",
  "id": "1",
  "method": "tools/call",
  "params": {
    "name": "get_cve_intelligence",
    "arguments": { "cve_id": "CVE-2024-27198" }
  }
}

The response wraps the tool result in a content array. For CVE intelligence tools, a markdown summary is also returned as a text content item.
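
The request and response handling described above, as an added example (not Phoenix's own client code). It builds the tools/call envelope, rejects a malformed cve_id before anything is sent, and fails closed on a JSON-RPC error or an MCP isError result; the sample responses, including the JSON-encoded first content item, are constructed assumptions.

```python
import json
import re

# CVE-YYYY-NNNNN as documented; the sequence part of a CVE ID is four or more digits.
CVE_ID_RE = re.compile(r"CVE-[0-9]{4}-[0-9]{4,}")


def build_tool_call(name, arguments, request_id="1"):
    """Build a tools/call request in the shape shown above."""
    cve_id = arguments.get("cve_id")
    if cve_id is not None and not (isinstance(cve_id, str) and CVE_ID_RE.fullmatch(cve_id)):
        raise ValueError(f"malformed cve_id: {cve_id!r}")
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": name, "arguments": arguments}}


def parse_tool_response(raw, expected_id):
    """Return the text items of result.content, failing closed on any error."""
    msg = json.loads(raw)
    if msg.get("jsonrpc") != "2.0" or msg.get("id") != expected_id:
        raise ValueError("response does not match the request id")
    if "error" in msg:  # JSON-RPC level failure
        err = msg["error"]
        raise RuntimeError(f"JSON-RPC error {err.get('code')}: {err.get('message')}")
    result = msg.get("result")
    if not isinstance(result, dict) or not isinstance(result.get("content"), list):
        raise ValueError("result.content is missing or not an array")
    if result.get("isError"):  # MCP tool-level failure flag
        raise RuntimeError("tool call reported isError")
    return [item["text"] for item in result["content"]
            if isinstance(item, dict) and item.get("type") == "text"
            and isinstance(item.get("text"), str)]


# Constructed sample responses (placeholder text, not real Phoenix output).
SAMPLE_OK = json.dumps({"jsonrpc": "2.0", "id": "1", "result": {"content": [
    {"type": "text", "text": "{\"cve_id\": \"CVE-2024-27198\"}"},
    {"type": "text", "text": "## CVE-2024-27198\n(constructed markdown summary)"},
]}})
SAMPLE_ERR = json.dumps({"jsonrpc": "2.0", "id": "1",
                         "error": {"code": -32602, "message": "Invalid params"}})

if __name__ == "__main__":
    request = build_tool_call("get_cve_intelligence", {"cve_id": "CVE-2024-27198"})
    print(json.dumps(request, indent=2))
    for text in parse_tool_response(SAMPLE_OK, request["id"]):
        print(text)
```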

CVE Intelligence Tools

search_cves

Search the CVE database with optional filters. Returns a paginated list of matching CVEs enriched with PS-HP scoring.

Parameter             Type                            Description
query                 string                          Free-text search
year                  integer                         Filter by CVE year
severity              CRITICAL | HIGH | MEDIUM | LOW  CVSS severity band
kev_only              boolean                         Restrict to CISA KEV entries
ps_hp_min             number                          Minimum PS-HP score (0–100)
ps_hp_tier            1 | 2 | 3                       PS-HP tier (1=confirmed, 2=likely, 3=emerging)
enterprise_watchlist  boolean                         Filter to PS-EW flagged CVEs only
limit                 integer                         Page size (tier-limited)
offset                integer                         Pagination offset
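
An added example (not Phoenix code) of checking search_cves arguments against the inputs listed above before a call is sent, for instance when the arguments are produced by an LLM agent. The integer type for ps_hp_tier and the bounds on limit and offset are assumptions; the page does not state them.

```python
SEVERITIES = {"CRITICAL", "HIGH", "MEDIUM", "LOW"}

# parameter -> (accepted type, optional value check), transcribed from the inputs table
SEARCH_CVES_SCHEMA = {
    "query": (str, None),
    "year": (int, None),
    "severity": (str, lambda v: v in SEVERITIES),
    "kev_only": (bool, None),
    "ps_hp_min": ((int, float), lambda v: 0 <= v <= 100),
    "ps_hp_tier": (int, lambda v: v in (1, 2, 3)),   # integer type is assumed
    "enterprise_watchlist": (bool, None),
    "limit": (int, lambda v: v > 0),                 # lower bound is assumed
    "offset": (int, lambda v: v >= 0),               # lower bound is assumed
}


def validate_arguments(arguments, schema, required=()):
    """Return a list of problems; an empty list means the arguments pass."""
    problems = [f"missing required parameter: {name}"
                for name in required if name not in arguments]
    for name, value in arguments.items():
        if name not in schema:
            # Allow-list: anything the reference does not document is rejected.
            problems.append(f"unknown parameter: {name}")
            continue
        expected, check = schema[name]
        # bool is a subclass of int in Python, so catch it before isinstance().
        if isinstance(value, bool) and expected is not bool:
            problems.append(f"{name}: boolean not accepted here")
        elif not isinstance(value, expected):
            problems.append(f"{name}: wrong type {type(value).__name__}")
        elif check is not None and not check(value):
            problems.append(f"{name}: value {value!r} outside documented values")
    return problems


if __name__ == "__main__":
    # Constructed arguments: one valid set, one with several mistakes.
    print(validate_arguments({"severity": "CRITICAL", "kev_only": True}, SEARCH_CVES_SCHEMA))
    print(validate_arguments({"severity": "critical", "ps_hp_min": 150, "sort": "desc"},
                             SEARCH_CVES_SCHEMA))
```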

get_cve_intelligence

Retrieve full intelligence for a single CVE — PS-HP scoring, EPSS, KEV status, exploit maturity, threat actor associations, and a markdown summary.

Parameter          Type    Description
cve_id (required)  string  CVE ID in format CVE-YYYY-NNNNN

get_threat_actors_by_cve

Return a list of threat actor groups and campaigns known to exploit a specific CVE.

Parameter          Type    Description
cve_id (required)  string  CVE ID

check_enterprise_critical

Check whether a vendor/product combination is classified as enterprise-critical and return its risk category.

Parameter           Type    Description
vendor (required)   string  Vendor name
product (required)  string  Product name

Scoring Tools

get_phoenix_score

Calculate and return the PS-HP score for a CVE with component breakdown detail (depth depends on your tier).

Parameter          Type                    Description
cve_id (required)  string                  CVE ID
include_rationale  boolean (default true)  Include scoring rationale text

get_high_profile_cves

Retrieve PS-HP classified CVEs filtered by tier (1=confirmed actively exploited, 2=likely high-risk, 3=emerging threat).

Parameter            Type               Description
tier                 1 | 2 | 3          PS-HP tier
limit                integer (max 100)  Number of results
enterprise_category  string             Filter by enterprise product category

get_enterprise_watchlist

Return CVEs on the PS-EW (Enterprise Watchlist) — high-severity vulnerabilities in enterprise-critical products that lack public exploitation evidence but carry significant latent risk.

Parameter  Type                  Description
category   string                Optional enterprise product category filter
limit      integer (default 25)  Number of results

volerion_rescore

Fetch the Volerion ML rescore and delta for a CVE. Shows how Volerion's exploitability model diverges from CVSS. Requires Registered tier or above.

Parameter          Type    Description
cve_id (required)  string  CVE ID

calculate_custom_phoenix_score (Enterprise only)

Compute a hypothetical PS-HP score from custom inputs — useful for threat modelling before a CVE is officially scored.

Parameter          Type                                                Description
cvss (required)    number (0–10)                                       CVSS base score
epss               number (0–1)                                        EPSS probability
in_kev             boolean                                             Is in CISA KEV?
has_ransomware     boolean                                             Linked to ransomware activity?
exploit_status     none | poc | verified | weaponized | in_ransomware  Exploit maturity level
vendor             string                                              Vendor name (for enterprise CPE weighting)
product            string                                              Product name
github_stars       integer                                             GitHub stars on associated PoC repos
github_forks       integer                                             GitHub forks on associated PoC repos
bugbounty_reports  integer                                             Number of public bug bounty reports

explain_score_components (Enterprise only)

Return a detailed breakdown of every PS-HP scoring component for a CVE with numeric weights and rationale text.

Parameter          Type    Description
cve_id (required)  string  CVE ID

End-of-Life Risk Tools

list_eol_products

List products from the EOL intelligence catalog with optional filters by status, category, vendor, or search string.

Parameter       Type     Description
status          string   Lifecycle status filter (e.g. eol, approaching)
category        string   Product category
vendor          string   Vendor name
search          string   Free-text search
limit / offset  integer  Pagination

get_eol_product

Retrieve full lifecycle detail for a specific product by its slug identifier.

Parameter                Type    Description
product_slug (required)  string  Product slug (e.g. ubuntu-20.04)

get_eol_cve_correlations

Get CVEs correlated with EOL or approaching-EOL products. Useful for identifying non-fixable vulnerabilities tied to lifecycle gaps.

Parameter         Type     Description
non_fixable_only  boolean  Only CVEs with no patch path
kev_only          boolean  Only CISA KEV entries
min_cvss          number   Minimum CVSS base score
limit / offset    integer  Pagination

get_cve_eol_status

Return EOL lifecycle information for the products affected by a specific CVE.

Parameter          Type    Description
cve_id (required)  string  CVE ID

get_eol_replacements

List recommended replacement products for EOL items, optionally filtered by category.

Parameter  Type     Description
category   string   Product category
limit      integer  Number of results

get_eol_replacement

Get the specific replacement recommendation for a single product slug.

Parameter                Type    Description
product_slug (required)  string  Product slug

get_eol_statistics

Return aggregate EOL statistics including counts by status, category, and vendor breakdowns. No inputs required.

get_eol_timeline

Get upcoming EOL events within a time window for timeline visualisation or alerting workflows.

Parameter  Type     Description
days       integer  Look-ahead window in days
category   string   Product category filter

get_eol_risk_score

Calculate the SLR (Software Lifecycle Risk) composite score for a product based on EOL proximity, open CVEs, and patch availability.

Parameter                Type    Description
product_slug (required)  string  Product slug