Security Posture
Query the current risk scores, anomaly flags, compliance state, and behavioral baselines for any device, user, or workload in your fleet.
The posture tools give an AI assistant a complete, structured view of the security state of your environment at any point in time. Posture is derived continuously from behavioral telemetry, threat intelligence matching, policy compliance, and identity verification — not from periodic scans.
Tools
get_fleet_posture
Returns the overall security posture summary for the entire fleet.
```json
{
  "name": "get_fleet_posture",
  "description": "Get the current security posture summary for the entire fleet.",
  "inputSchema": {
    "type": "object",
    "properties": {}
  }
}
```

Example response:
```json
{
  "score": 84,
  "trend": "improving",
  "assessed_at": "2026-05-21T09:00:00.000Z",
  "device_count": 312,
  "active_incidents": 0,
  "open_anomalies": 3,
  "policy_violations_24h": 7,
  "devices_at_risk": [
    { "device_id": "dev_camera_parking_07", "risk": "high", "reason": "firmware_eol" },
    { "device_id": "dev_sensor_hvac_b2", "risk": "medium", "reason": "unexpected_offline" }
  ],
  "compliance": {
    "iso_27001": "compliant",
    "nis2": "compliant",
    "nist_csf": "partial"
  }
}
```

get_device_posture
Returns the full security posture for a single device.
```json
{
  "name": "get_device_posture",
  "description": "Get the security posture of a specific device.",
  "inputSchema": {
    "type": "object",
    "required": ["device_id"],
    "properties": {
      "device_id": {
        "type": "string",
        "description": "The Threatmatic device ID"
      }
    }
  }
}
```

Example response:
```json
{
  "device_id": "dev_camera_floor3_east",
  "device_type": "ip_camera",
  "manufacturer": "Axis",
  "firmware_version": "11.8.93",
  "firmware_status": "current",
  "enrolled_at": "2025-11-04T14:22:00.000Z",
  "trust_level": "verified",
  "risk_score": 28,
  "risk_factors": [],
  "behavioral_baseline": {
    "established": true,
    "established_at": "2025-11-18T00:00:00.000Z",
    "avg_connections_per_hour": 2.1,
    "known_destinations": ["mgmt.axis-cloud.com", "10.0.2.5"],
    "deviation_score": 0.04
  },
  "active_policies": ["pol_camera_mgmt_only", "pol_no_lateral_movement"],
  "last_seen": "2026-05-21T09:13:58.000Z",
  "open_anomalies": 0
}
```

get_user_posture
Returns the security posture associated with a user identity, aggregated across all devices that user is active on.
```json
{
  "name": "get_user_posture",
  "description": "Get the security posture for a specific user identity.",
  "inputSchema": {
    "type": "object",
    "required": ["user_id"],
    "properties": {
      "user_id": {
        "type": "string",
        "description": "User ID or UPN (e.g. sarah.k@acmecorp.com)"
      }
    }
  }
}
```

get_workload_posture
Returns the posture for a server, container, or cloud workload.
```json
{
  "name": "get_workload_posture",
  "description": "Get the security posture for a workload.",
  "inputSchema": {
    "type": "object",
    "required": ["workload_id"],
    "properties": {
      "workload_id": {
        "type": "string"
      }
    }
  }
}
```

list_anomalies
Returns all currently open anomalies, optionally filtered by severity or entity type.
```json
{
  "name": "list_anomalies",
  "description": "List open anomalies across the fleet.",
  "inputSchema": {
    "type": "object",
    "properties": {
      "severity": {
        "type": "string",
        "enum": ["low", "medium", "high", "critical"]
      },
      "entity_type": {
        "type": "string",
        "enum": ["device", "user", "workload"]
      },
      "limit": {
        "type": "integer",
        "default": 20
      }
    }
  }
}
```

Example response:
```json
{
  "anomalies": [
    {
      "id": "ano_01HWXK9A",
      "entity_type": "device",
      "entity_id": "dev_workstation_sarah_k",
      "type": "lateral_movement_attempt",
      "severity": "critical",
      "confidence": 0.97,
      "detected_at": "2026-05-21T09:11:44.000Z",
      "description": "Device attempting connections to 14 internal hosts not in its baseline",
      "recommended_action": "isolate"
    }
  ],
  "total": 1
}
```

get_threat_context
Enriches an IP address, domain, or file hash with live threat intelligence from Threatmatic's feeds.
```json
{
  "name": "get_threat_context",
  "description": "Get live threat intelligence context for an IP, domain, or hash.",
  "inputSchema": {
    "type": "object",
    "required": ["indicator"],
    "properties": {
      "indicator": {
        "type": "string",
        "description": "IP address, domain, or SHA-256 hash"
      }
    }
  }
}
```

Example response:
```json
{
  "indicator": "185.234.47.21",
  "type": "ip",
  "reputation": "malicious",
  "categories": ["c2_server", "ransomware_infrastructure"],
  "threat_actors": ["APT-44", "BlackCat"],
  "first_seen": "2025-08-12T00:00:00.000Z",
  "last_seen": "2026-05-21T08:47:00.000Z",
  "feed_sources": 14,
  "blocked_in_fleet": true,
  "block_policy_id": "pol_c2_block_global"
}
```

How Posture Scores Work
Posture scores are calculated continuously, not on a schedule, using a weighted model across four dimensions:
| Dimension | Weight | What drives it |
|---|---|---|
| Identity verification | 30% | Cryptographic device identity, certificate freshness, enrollment status |
| Behavioral conformance | 30% | Deviation from established baseline (connections, volumes, destinations) |
| Policy compliance | 25% | Active violations, unenforced recommendations, policy coverage gaps |
| Threat exposure | 15% | IoC matches, firmware CVEs, known-vulnerable component versions |
A score of 0–40 is high risk. 41–70 is moderate. 71–100 is healthy. The fleet posture score is the device-count-weighted average across all enrolled entities.
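To make the weighting concrete, here is an added example (not Threatmatic's code; the vendor's actual scoring internals are not published) that combines four dimension scores with the weights in the table, maps the result onto the bands above, and rolls entity scores up into a device-count-weighted fleet score. It assumes each dimension is supplied as an integer 0-100 and that an entity spanning several devices counts once per device in the fleet average.

```python
# Added example (not Threatmatic code): applies the dimension weights and
# risk bands from the table above; the vendor's real scoring model is not published.
DIMENSION_WEIGHTS = {  # percent weights, sum to 100
    "identity_verification": 30,
    "behavioral_conformance": 30,
    "policy_compliance": 25,
    "threat_exposure": 15,
}


def posture_score(dimensions: dict[str, int]) -> int:
    """Weighted mean of four 0-100 dimension scores (integer math, rounds half up)."""
    missing = set(DIMENSION_WEIGHTS) - set(dimensions)
    unknown = set(dimensions) - set(DIMENSION_WEIGHTS)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    for name, value in dimensions.items():
        if not isinstance(value, int) or not 0 <= value <= 100:
            raise ValueError(f"{name}: expected integer 0-100, got {value!r}")
    weighted = sum(DIMENSION_WEIGHTS[k] * dimensions[k] for k in DIMENSION_WEIGHTS)
    return (weighted + 50) // 100

def risk_band(score: int) -> str:
    """Bands from the page: 0-40 high risk, 41-70 moderate, 71-100 healthy."""
    if not 0 <= score <= 100:
        raise ValueError(f"score out of range: {score}")
    if score <= 40:
        return "high"
    if score <= 70:
        return "moderate"
    return "healthy"

def fleet_posture_score(entities: list[tuple[int, int]]) -> int:
    """Device-count-weighted average of (entity_score, device_count) pairs.

    Assumption: an entity spanning several devices counts once per device.
    """
    total_devices = sum(count for _, count in entities)
    if total_devices <= 0:
        raise ValueError("fleet has no enrolled devices")
    weighted = sum(score * count for score, count in entities)
    return (weighted + total_devices // 2) // total_devices

if __name__ == "__main__":  # constructed sample inputs
    camera = posture_score({"identity_verification": 100, "behavioral_conformance": 96,
                            "policy_compliance": 80, "threat_exposure": 40})
    stale = posture_score({"identity_verification": 20, "behavioral_conformance": 50,
                           "policy_compliance": 40, "threat_exposure": 10})
    print(camera, risk_band(camera), stale, risk_band(stale), fleet_posture_score([(camera, 300), (stale, 12)]))
```

Note that a single weak dimension can drag an otherwise clean entity below the 71 line: in the sample, the camera's 40 on threat exposure costs it 9 points even though identity is perfect.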
Privacy Guarantees
Posture queries return behavioral metadata only. No payload data, no personal information beyond the identity provided in your query, and no content from device communications is ever stored or returned. See Privacy Enhancing Technology for details on how Threatmatic achieves this with FHE-backed fleet analytics.