AI-Native Access to the World’s Leading Threat Intelligence Framework
Overview
The MITRE ATT&CK MCP Server transforms the world’s leading adversary knowledge base into an AI-native interface. Built for the Model Context Protocol, it enables LLMs and agentic systems to:
🔍 Query 200+ techniques, 140+ groups, 700+ software entries
🧠 Reason over complex threat relationships and TTPs
📊 Visualize coverage gaps with ATT&CK Navigator layers
⚡ Scale threat intelligence workflows with structured tools
Perfect for: Security teams, threat hunters, detection engineers, AI researchers, and anyone building intelligent security systems.
What is this?
mitre-attack-mcp-server is a self-contained MCP server that provides machine-callable access to the MITRE ATT&CK framework using official STIX data with LLMs friendly structured outputs.
It enables:
🤖 LLMs to reason about ATT&CK techniques, groups, software, and mitigations
🧠 Agentic workflows to generate threat explanations and coverage maps
🔍 Security teams to query ATT&CK relationships programmatically
📊 Visualization via ATT&CK Navigator layers
No scraping, No fragile APIs.
Just official MITRE data, structured and reliable.
** Key Features**
✅ 65+ MCP tools across ATT&CK domains (Enterprise, Mobile, ICS)
✅ Automatic STIX download & caching on first run
✅ Native ATT&CK Navigator layer generation
✅ Designed for LLMs & MCP-compatible clients
✅ In-memory caching for instant query responses
✅ Type-safe with Pydantic models
✅ Clean, production-ready, self-contained server
✅ Comprehensive test coverage
📦 Installation
Via PyPI (recommended) — Python Users
pip install mitre-mcp-server
Via npm
npm install -g @imouiche/mitre-attack-mcp-server
npx (no installation required)
npx @imouiche/mitre-attack-mcp-server
Via uv (Modern Python)
uv pip install mitre-mcp-server
Local Development
git clone https://github.com/imouiche/complete-mitre-attack-mcp-server.git
cd complete-mitre-attack-mcp-server
uv sync
Configure Claude Desktop
Add to your claude_desktop_config.json:
macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
Windows: `%APPDATA%\Claude\claude_desktop_config.json`
{
"mcpServers": {
"mitre-attack": {
"command": "npx",
"args": ["-y", "@imouiche/mitre-attack-mcp-server"]
}
}
}
Restart Claude Desktop
Quit Claude Desktop completely (Cmd+Q on macOS) and reopen it.
Start Querying!
Ask Claude:
"What techniques does APT29 use for initial access?"
"Generate an ATT&CK Navigator layer for ransomware groups"
"Show me all Windows persistence techniques"
Data downloads automatically on first run (~59MB, cached at~/.mitre-mcp-server/data/).
MCP Registry
This server is officially registered in the Model Context Protocol (MCP) Registry.
Registry ID: io.github.imouiche/mitre-attack-mcp-server
🛠️ Available Tools
The server exposes 65+ MCP tools covering all major MITRE ATT&CK entities and relationships.
| Tool | Description |
|---|---|
get_data_stats |
Show download status, file paths, sizes, and ATT&CK release version |
generate_layer |
Generate an ATT&CK Navigator layer (JSON output) |
get_layer_metadata |
Return Navigator layer metadata template |
🎯 Techniques
| Tool | Description |
|---|---|
get_technique_by_id |
Get a technique by ATT&CK ID (e.g., T1055) |
search_techniques |
Search techniques by name or description |
get_all_techniques |
Retrieve all techniques |
get_all_parent_techniques |
Parent techniques only |
get_all_subtechniques |
All subtechniques |
get_subtechniques_of_technique |
Subtechniques of a parent |
get_parent_technique_of_subtechnique |
Parent of a subtechnique |
get_technique_tactics |
Tactics associated with a technique |
get_techniques_by_tactic |
Techniques under a tactic |
get_techniques_by_platform |
Techniques for a platform |
get_revoked_techniques |
Revoked techniques |
🧑💻 Groups (Threat Actors)
| Tool | Description |
|---|---|
get_group_by_name |
Find group by name or alias |
search_groups |
Search groups |
get_all_groups |
All ATT&CK groups |
get_groups_by_alias |
Lookup groups by alias |
get_groups_using_technique |
Groups using a technique |
get_groups_using_software |
Groups using software |
get_groups_attributing_to_campaign |
Groups attributed to a campaign |
Software (Malware & Tools)
| Tool | Description |
|---|---|
get_software |
Get all software |
search_software |
Search software |
get_software_by_alias |
Lookup software by alias |
get_software_used_by_group |
Software used by a group |
get_software_used_by_campaign |
Software used in campaigns |
get_software_using_technique |
Software using a technique |
📌 Campaigns
| Tool | Description |
|---|---|
get_all_campaigns |
Get all campaigns |
get_campaigns_by_alias |
Lookup campaigns by alias |
get_campaigns_using_technique |
Campaigns using a technique |
get_campaigns_using_software |
Campaigns using software |
get_campaigns_attributed_to_group |
Campaign attribution |
🛡️ Mitigations
| Tool | Description |
|---|---|
get_all_mitigations |
Get all mitigations |
get_mitigations_mitigating_technique |
Mitigations for a technique |
get_techniques_mitigated_by_mitigation |
Techniques mitigated by a mitigation |
🧭 Tactics, Data Sources & ICS
| Tool | Description |
|---|---|
get_all_tactics |
Get all tactics |
get_all_datasources |
Get all data sources |
get_all_datacomponents |
Get all data components |
get_datacomponents_detecting_technique |
Data components detecting a technique |
get_all_assets |
Get ICS assets |
get_assets_targeted_by_technique |
Assets targeted by a technique |
💡 Example Queries
Threat Intelligence
Threat Intelligence
"What techniques does APT29 use for initial access?"
"Which groups target financial institutions?"
"Show me all ransomware-related software"
"What are the aliases for the Lazarus Group?"
Detection Engineering
"What data sources detect credential dumping?"
"Generate a coverage map for EDR capabilities"
"List all techniques for Windows privilege escalation"
"What can detect T1055 (Process Injection)?"
Threat Hunting
"What techniques use PowerShell?"
"Show me lateral movement techniques for Linux"
"Which groups use Cobalt Strike?"
"What persistence techniques target macOS?"
Mitigation & Defense
"What mitigations exist for phishing attacks?"
"Show me all mitigations for privilege escalation"
"What techniques does MFA mitigate?"
Compliance & Gap Analysis
"Generate a layer for all techniques our EDR covers"
"Compare APT29 TTPs against our detection capabilities"
"Show unmitigated techniques in our environment"
📊 ATT&CK Navigator Visualization
The generate_layer tool produces ATT&CK Navigator–compatible JSON.
Usage:
- Ask Claude to generate a layer:
"Generate an ATT&CK Navigator layer for all techniques used by APT29"
Save the JSON output to a file (e.g.,
apt29_layer.json)Upload to ATT&CK Navigator
Visualize technique coverage, threat actor usage, or mitigation mapping
Real-World Example Using LangGraph
Read my Medium blog demonstrating how a multi-agent LangGraph system leverages these tools to perform a real-world threat investigation.
Red Team Coverage: Map all techniques used in an exercise
Detection Gaps: Highlight unmonitored techniques
Threat Actor Profile: Visualize group TTPs
Mitigation Coverage: Show what’s protected vs. exposed
Live Demo
Explore the interactive Gradio 6.2 demo on Hugging Face Spaces.
Technical Details:
Enterprise ATT&CK: v18.1+ (~50.9MB)
Mobile ATT&CK: v18.1+ (~4.9MB)
ICS ATT&CK: v18.1+ (~3.5MB)
Total: ~59MB cached locally
Storage: ~/.mitre-mcp-server/data/v{version}/
Update: Auto-downloads on install, uses cached data on subsequent runs.
Performance:
- In-memory caching: All domains loaded at startup
- Query speed: Sub-second for most operations
- Graph traversal: Efficient relationship queries
- Concurrent: Handles multiple simultaneous requests
Requirements:
Python: 3.12 or higher
Node.js: 16+ (for NPM installation)
Disk Space: ~150MB (includes dependencies + data)
Memory: ~200MB RAM when running
🚀** Roadmap & Vision**
This project is the first component of a larger vision to build comprehensive agentic security automation by integrating multiple security knowledge bases and frameworks.
Planned Integrations
- CVE/NVD — Vulnerability intelligence and exploit mapping
- MITRE D3FEND — Defensive countermeasure knowledge graph
- Sigma Rules— Detection rule translation and management
- CAPEC — Common Attack Pattern Enumeration
- CWE — Software weakness enumeration
- Agentic Pentesting— Multi-agent autonomous security testing Ultimate Goal
Enable AI agents to autonomously:
- Map attack surfaces and identify vulnerabilities
- Recommend defensive countermeasures
- Generate detection rules and validate coverage
- Orchestrate multi-stage security assessments Reason about complete attack-defense lifecycles Get Involved
We welcome contributions.
Areas of Interest:
Integrating additional security frameworks (CVE, D3FEND, Sigma)
Building agentic workflows for pentesting and red teaming
Developing detection rule generation pipelines
Creating threat intelligence reasoning systems
Improving MCP tooling and documentation
Interested? Open an issue, start a discussion, or reach out directly!
Contributing
Found a bug? Have a feature request? Want to contribute to the roadmap?
All contributions welcome!
Inoussa Mouiche, Ph.D.
AI/ML Researcher | Cybersecurity | Agentic AI Systems | Software Engineering
🎓 University of Windsor— WASP Lab
🔬 Research Focus: Threat Intelligence Automation, Machine Learning, Multi-Agent Security Systems, LLM-Powered Security Operations
Connect
🐙 GitHub: @imouiche
Email: mouiche@uwindsor.ca
💼 LinkedIn: Inoussa Mouiche, Ph.D.
Award Nomination
- Gold Medal: The Governor General’s Academic Medal
Open to opportunities in:
AI/ML Engineering & Research
Cybersecurity & Threat Intelligence
Agentic AI Development
Security Automation & Orchestration
Academic & Industry Collaborations
Interested in collaborating on agentic engineering systems? [Let’s connect!]
Made with ❤️ for the cybersecurity and AI communities
Top comments (0)