Risks capture potential threats to your organization. Each risk tracks both inherent values (before controls are applied) and residual values (after controls), along with a treatment decision.

The Risk object

id
string
required
Global ID (GID) of the risk.
organization_id
string
required
GID of the organization this risk belongs to.
name
string
required
Name of the risk.
description
string | null
Optional description of the risk.
category
string
required
Risk category (free-form string, e.g. "Access Control", "Data Privacy").
treatment
RiskTreatment
required
How the organization has decided to address this risk. See RiskTreatment enum.
inherent_likelihood
integer
required
Likelihood of the risk occurring before any controls are applied (1–5 scale).
inherent_impact
integer
required
Impact of the risk if it occurs before any controls are applied (1–5 scale).
inherent_risk_score
integer
required
Computed inherent risk score (typically inherent_likelihood × inherent_impact).
residual_likelihood
integer
required
Likelihood after controls are applied.
residual_impact
integer
required
Impact after controls are applied.
residual_risk_score
integer
required
Computed residual risk score.
note
string
required
Notes on the risk, treatment rationale, or any other relevant context.
owner_id
string | null
GID of the profile responsible for this risk.
snapshot_id
string | null
GID of the snapshot this risk belongs to, or null for live data.
created_at
string (date-time)
required
ISO 8601 timestamp of when the risk was created.
updated_at
string (date-time)
required
ISO 8601 timestamp of the last update.

RiskTreatment enum

Value        Description
MITIGATED    Controls have been applied to reduce the risk to an acceptable level
ACCEPTED     The organization has decided to accept the risk without additional controls
AVOIDED      The activity or condition creating the risk has been eliminated
TRANSFERRED  Risk has been transferred to a third party (e.g. via insurance or contract)

Operations

listRisks

Returns all risks for the organization. MCP tool: listRisks

Parameters

organization_id
string
required
GID of the organization.
size
integer
Number of results per page.
cursor
string
Pagination cursor from a previous response’s next_cursor.
order_by
object
filter
object

Response

risks
Risk[]
required
Array of risk objects.
next_cursor
string
Cursor for the next page.

getRisk

Returns a single risk by ID. MCP tool: getRisk

Parameters

id
string
required
GID of the risk.

Response

risk
Risk
required
The requested risk object.

addRisk

Creates a new risk. MCP tool: addRisk

Parameters

organization_id
string
required
GID of the organization.
name
string
required
Risk name.
category
string
required
Risk category.
treatment
RiskTreatment
required
Treatment decision.
inherent_likelihood
integer
required
Inherent likelihood (1–5).
inherent_impact
integer
required
Inherent impact (1–5).
description
string
Optional description.
owner_id
string
GID of the risk owner.
residual_likelihood
integer
Residual likelihood after controls.
residual_impact
integer
Residual impact after controls.
note
string
Notes or treatment rationale.

Response

risk
Risk
required
The created risk object.

updateRisk

Updates an existing risk. MCP tool: updateRisk

Parameters

id
string
required
GID of the risk to update.
All other fields from addRisk are optional. Only provided fields are updated.

Response

risk
Risk
required
The updated risk object.

deleteRisk

Deletes a risk. MCP tool: deleteRisk

Parameters

id
string
required
GID of the risk to delete.

Response

deleted_risk_id
string
required
GID of the deleted risk.

Example

curl -X POST https://your-probo-instance/api/mcp/v1 \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "id": 1,
    "method": "tools/call",
    "params": {
      "name": "addRisk",
      "arguments": {
        "organization_id": "gid://probo/Organization/01J5XKZW9QMXP3N6V8HTJA2FKB",
        "name": "Unauthorized access to production database",
        "category": "Access Control",
        "treatment": "MITIGATED",
        "inherent_likelihood": 3,
        "inherent_impact": 5,
        "residual_likelihood": 1,
        "residual_impact": 5,
        "note": "Mitigated through MFA enforcement, VPN requirement, and least-privilege IAM policies."
      }
    }
  }'
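The following is an added example, not Probo's own code: it builds the same addRisk tools/call envelope the curl request above sends, rejecting unknown RiskTreatment values and likelihood/impact values outside the 1–5 scale before anything leaves the client, and then reviews a constructed listRisks page for records a risk owner should look at (residual above inherent, an ACCEPTED risk whose residual score is still high, no owner). The GIDs in the sample data and the "gid://probo/Profile/..." owner format are placeholders, and the 10-point threshold is an assumed policy value.

```python
RISK_TREATMENTS = {"MITIGATED", "ACCEPTED", "AVOIDED", "TRANSFERRED"}  # RiskTreatment enum
SCALE_FIELDS = ("inherent_likelihood", "inherent_impact", "residual_likelihood", "residual_impact")

def check_scale(value: int) -> int:
    """Every likelihood/impact field is an integer on the page's 1-5 scale."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{value!r} is outside the 1-5 scale")
    return value

def risk_score(likelihood: int, impact: int) -> int:
    """Likelihood x impact, the formula the docs say servers 'typically' use for *_risk_score."""
    return check_scale(likelihood) * check_scale(impact)

def build_add_risk_call(arguments: dict, request_id: int = 1) -> dict:
    """Wrap addRisk arguments in the JSON-RPC 2.0 tools/call envelope shown in the curl
    example, rejecting unknown treatments and out-of-range scores before anything is sent."""
    for key in ("organization_id", "name", "category", "treatment",
                "inherent_likelihood", "inherent_impact"):
        if key not in arguments:
            raise ValueError(f"addRisk requires {key}")
    if arguments["treatment"] not in RISK_TREATMENTS:
        raise ValueError(f"unknown RiskTreatment {arguments['treatment']!r}")
    for key in SCALE_FIELDS:
        if key in arguments:
            check_scale(arguments[key])
    return {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
            "params": {"name": "addRisk", "arguments": arguments}}

def review_risks(risks: list, accepted_threshold: int = 10) -> list:
    """Findings over a listRisks page: residual above inherent, ACCEPTED with a residual
    score still at or above the (assumed) threshold, or no owner assigned."""
    findings = []
    for r in risks:
        inherent = risk_score(r["inherent_likelihood"], r["inherent_impact"])
        residual = risk_score(r["residual_likelihood"], r["residual_impact"])
        if residual > inherent:
            findings.append(f"{r['id']}: residual score {residual} exceeds inherent {inherent}")
        if r["treatment"] == "ACCEPTED" and residual >= accepted_threshold:
            findings.append(f"{r['id']}: ACCEPTED with residual score {residual}")
        if r.get("owner_id") is None:
            findings.append(f"{r['id']}: no owner assigned")
    return findings

# Constructed sample records with placeholder GIDs, shaped like listRisks output.
SAMPLE_RISKS = [
    {"id": "gid://probo/Risk/EXAMPLE-1", "treatment": "MITIGATED", "inherent_likelihood": 3, "inherent_impact": 5,
     "residual_likelihood": 1, "residual_impact": 5, "owner_id": "gid://probo/Profile/EXAMPLE"},
    {"id": "gid://probo/Risk/EXAMPLE-2", "treatment": "ACCEPTED", "inherent_likelihood": 4,
     "inherent_impact": 3, "residual_likelihood": 4, "residual_impact": 3, "owner_id": None},
]
```

`review_risks` only uses fields the Risk object documents, so it can be pointed at the `risks` array of a real listRisks response page by page via `next_cursor`.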
