Threat Reports
The Threats section of the dashboard is where you investigate and respond to security events detected by CyberCage.
Accessing Threat Reports
Navigate to Threats in the sidebar to view all detected security events for your organization.
Dashboard Overview
The threat dashboard shows:
- Summary metrics - Active threats, recent trends, and top threat types
- Threat list - All detected threats with severity, timestamp, type, and status
- Filters - Search and filter by severity, threat type, user, server, or date range
Threat List
Each threat in the list displays:
| Field | What It Shows |
|---|---|
| Severity | Critical, High, Medium, or Low priority |
| Timestamp | When the threat was detected |
| Threat Type | Category of attack (e.g., credential theft, prompt injection) |
| Server | Which MCP server was involved |
| User | Team member whose session triggered detection |
| Status | Whether the request was blocked or allowed |
Click any threat to view full details.
Understanding Threat Reports
When you open a threat report, you'll see:
Threat Details
- What was detected - The threat category and why it was flagged
- Risk level - Severity assessment of the threat
- Action taken - Whether the request was blocked or allowed
- Detection time - When the threat occurred
Request Information
- MCP request details - The complete request that triggered detection
- Server context - Which MCP server was being accessed
- User context - Which application and user made the request
Response Information (if applicable)
- Response content - What the server returned
- Data involved - Any sensitive data detected in the response
Investigating Threats
When reviewing a threat, ask yourself:
Is this a real threat?
- Does the detected activity look malicious?
- Does it match the threat category description?
- Would this activity pose a security risk?
Is this a false positive?
- Was the user doing legitimate work?
- Does the context explain why this was flagged?
- Should this type of activity be allowed for this user/team?
What should I do?
- Block the MCP server if it's malicious
- Mark as false positive if it's legitimate activity
- Adjust policies if you're seeing repeated false positives
- Contact the user to understand their intent
Taking Action
From a threat report, you can:
Block the Server
If the MCP server is malicious or compromised, block it organization-wide to prevent future use.
Mark as False Positive
If the detection was incorrect, mark it as a false positive. This helps you track which policies may need adjustment.
Adjust Policies
If you're seeing repeated false positives from a specific policy, consider:
- Temporarily disabling the policy
- Working with your security team to tune detection settings
- Creating exceptions for known-safe activity
Document Findings
Add notes to the threat report to:
- Record your investigation findings
- Document actions taken
- Flag for follow-up
- Share context with your team
Managing Threats
Filtering and Searching
Use filters to focus on specific threats:
- By severity - Focus on Critical or High priority threats
- By type - Review specific threat categories
- By status - See only blocked or allowed threats
- By date - Investigate threats from a specific timeframe
- By user or server - Track activity from specific sources
Bulk Actions
Select multiple threats to:
- Mark several false positives at once
- Export threat data for external analysis
- Archive resolved threats to clean up your view
Threat Timeline
View threats over time to:
- Identify patterns or trends
- Spot unusual spikes in activity
- Track improvement as you tune policies
Common Scenarios
Confirmed Malicious Activity
If you identify a real threat:
- Verify the server is blocked (if not, block it)
- Check if other users accessed the same server
- Review any allowed requests from that server
- Document the incident for your records
False Positive
If the detection was incorrect:
- Mark the threat as a false positive
- Add notes explaining why it's legitimate
- If it's recurring, consider adjusting the policy
- Notify the user that their request was reviewed and marked as legitimate
User Error
If a user triggered detection accidentally:
- Contact the user to understand what they were trying to do
- Explain why the activity was flagged
- Guide them to a safer approach if possible
- Monitor for repeated issues
Troubleshooting
Too Many False Positives
If you're seeing many false alerts:
- Review which policies are triggering most often
- Consider temporarily disabling overly sensitive policies
- Look for patterns in false positives (same server, same user, same activity type)
- Work with your team to tune policy settings
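The pattern review above, and the follow-up checks under Confirmed Malicious Activity, can also be run over exported threat data. The script below is an added example, not CyberCage code: it assumes the export is a CSV whose columns match the threat list fields on this page plus a hypothetical `False Positive` column, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Column names mirror the threat list fields on
# this page; the CSV layout and the "False Positive" column are assumptions.
SAMPLE_EXPORT = """\
Severity,Timestamp,Threat Type,Server,User,Status,False Positive
Critical,2025-01-10T09:12:00Z,credential theft,files-mcp.example,alice,blocked,no
High,2025-01-10T09:15:00Z,credential theft,files-mcp.example,bob,allowed,no
Medium,2025-01-11T14:02:00Z,prompt injection,wiki-mcp.example,carol,blocked,yes
Medium,2025-01-12T10:30:00Z,prompt injection,wiki-mcp.example,carol,blocked,yes
Medium,2025-01-13T16:45:00Z,prompt injection,wiki-mcp.example,carol,blocked,yes
Low,2025-01-13T17:00:00Z,prompt injection,notes-mcp.example,dave,allowed,yes
"""

def load_threats(text):
    """Parse the exported CSV into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def scope_server(threats, server):
    """For a confirmed-malicious server: who reached it, and what was allowed."""
    hits = [t for t in threats if t["Server"] == server]
    users = sorted({t["User"] for t in hits})
    allowed = [t for t in hits if t["Status"].lower() == "allowed"]
    return users, allowed

def recurring_false_positives(threats, min_count=3):
    """Group false positives by (server, user, threat type) and keep repeats."""
    counts = Counter(
        (t["Server"], t["User"], t["Threat Type"])
        for t in threats
        if t["False Positive"].lower() == "yes"
    )
    return [(key, n) for key, n in counts.most_common() if n >= min_count]

if __name__ == "__main__":
    threats = load_threats(SAMPLE_EXPORT)
    users, allowed = scope_server(threats, "files-mcp.example")
    print("Users who reached the server:", users)
    for t in allowed:
        print("Allowed request to review:", t["Timestamp"], t["User"], t["Threat Type"])
    for (server, user, ttype), n in recurring_false_positives(threats):
        print(f"{n} false positives: {ttype} / {server} / {user}")
```

A cluster that repeats for one server, user, and threat type is a candidate for a scoped exception rather than disabling the whole policy.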
Not Seeing Expected Threats
If you expect to see threats but don't:
- Verify the application is configured to use CyberCage
- Check that the daemon is running and connected
- Confirm relevant policies are enabled in organization settings
- Ensure the MCP server isn't in your blocked list (blocked servers bypass threat detection)
Threat Details Unclear
If a threat report doesn't make sense:
- Look at the full MCP request context
- Check what the user was doing at that time
- Review similar threats for patterns
- Consult the Policy & Threats guide for threat category descriptions
Best Practices
Regular Review
- Check threats regularly to catch issues early
- Focus on high-severity threats first
- Clear false positives promptly to keep your view clean
Pattern Recognition
- Look for repeated threats from the same server
- Notice if specific users trigger more detections
- Identify which threat types are most common for your organization
Policy Tuning
- Use threat data to inform policy decisions
- Disable policies that generate too many false positives
- Enable additional policies if you're missing threats you want to catch
Team Communication
- Share relevant threats with affected users
- Document significant incidents
- Use threat data to educate your team about AI security risks
Next Steps
- Policy & Threats - Understand threat categories and configure policies
- MCP Catalog - Manage which servers are approved or blocked
- Integrations - Set up automated threat notifications