The Salient MCP server (ttx-salient) exposes 41 tools organized by category. All tools use JSON-RPC 2.0 over stdio transport.
Exercises
| Tool | Description |
| --- | --- |
| list_scenarios | List available TTX scenario files |
| get_scenario | Get full scenario JSON (injects, questions, rubrics, control mappings) |
| create_scenario | Create a new scenario with injects, questions, and scoring rubrics |
| delete_scenario | Delete a user-uploaded scenario |
| save_session | Save exercise answers after facilitating a TTX |
| save_evaluation | Write AI evaluation results (scores, gaps, organic captures) to a session |
| list_sessions | List completed exercise sessions |
| get_session_scores | Get scoring results for a completed session |
Twin Intelligence
| Tool | Description |
| --- | --- |
| query_twin | Ask a natural language question about the organization — searches across profile, exercises, gaps, events, operations |
| twin_facts | View extracted organizational facts, filterable by category and confidence |
| twin_facts_summary | Summary of organizational intelligence — fact counts, contradictions, most-confirmed facts |
| detect_patterns | Detect recurring weakness themes across exercises using semantic similarity |
| recommend_scenario | Recommend what to exercise next based on weakest areas and gap patterns |
| event_bridge | Find related gaps, exercises, playbooks, and operations for a security event |
Posture
| Tool | Description |
| --- | --- |
| posture_assessment | Generate a unified security posture assessment synthesizing all twin knowledge — the capstone output |
| posture_report | Generate a board-ready security posture report in markdown |
| posture_timeline | Track how posture has evolved — exercise scores, gap trends, fact accumulation |
Connectors
| Tool | Description |
| --- | --- |
| list_connectors | List all connectors with configuration status and available data |
| twin_coverage | Analyze what the twin knows vs. what it is missing — coverage gaps and recommendations |
| discover_connector | Run a lightweight discovery scan on a configured connector |
| okta_sync | Sync Okta data — security logs, user inventory, MFA coverage, SSO applications |
| okta_status | Check if Okta connector is configured |
| entra_id_sync | Sync Entra ID data — users, MFA, groups, privileged roles, sign-in logs, CA policies, apps |
| entra_id_status | Check if Entra ID connector is configured |
Threat Intel
| Tool | Description |
| --- | --- |
| ingest_threat_intel | Fetch a threat intel article from a URL, extract TTPs and IOCs |
| list_threat_intel | List all ingested threat intelligence reports |
| generate_scenario_from_intel | Generate a twin-aware TTX scenario from ingested threat intel |
MCP Ingestion
These tools enable Salient to consume data from sibling MCP servers (Gmail, Notion, Calendar, etc.):
| Tool | Description |
| --- | --- |
| ingest_from_mcp | Ingest data from a sibling MCP server — classifies, extracts facts, creates events, indexes for search |
| ingest_document | Ingest a full document (IR plan, policy, runbook, etc.) from an external MCP source |
| list_mcp_sources | List external MCP data sources that have contributed to the twin |
Playbooks
| Tool | Description |
| --- | --- |
| generate_playbook | Generate an incident response playbook from a scored exercise session |
| get_playbook | Retrieve a previously generated playbook |
Dashboard
| Tool | Description |
| --- | --- |
| get_dashboard | Dashboard summary — maturity score, function scores, session count, gap count |
| get_org_profile | Fetch the organization profile (digital twin markdown) |
Resources
The MCP server also exposes resources:
| URI | Description |
| --- | --- |
| salient://evaluator-context | Scoring framework, gap taxonomy, NIST CSF mapping, organic capture methodology |
| salient://twin/executive | Compiled twin — Tier 1 SIF (~150 tokens) |
| salient://twin/standard | Compiled twin — Tier 2 SIF (~800 tokens) |
| salient://twin/full | Compiled twin — Tier 3 SIF (~3K tokens) |
Authentication
All tools require a valid JWT token passed via the SALIENT_TOKEN environment variable. The token is sent as a Bearer header to the backend API.
export SALIENT_TOKEN="your-jwt-token"