io.github.imouiche/mitre-attack-mcp-server
平台与服务by imouiche
MCP server providing 50+ tools for MITRE ATT&CK techniques, groups, and mitigations
什么是 io.github.imouiche/mitre-attack-mcp-server?
MCP server providing 50+ tools for MITRE ATT&CK techniques, groups, and mitigations
README
🛡️ MITRE ATT&CK MCP Server
AI-Native Access to the World's Leading Threat Intelligence Framework
Features • Installation • Quick Start • Tools • Examples • Roadmap
</div>🎯 Overview
The MITRE ATT&CK MCP Server transforms the world's leading adversary knowledge base into an AI-native interface. Built for the Model Context Protocol, it enables LLMs and agentic systems to:
- 🔍 Query 200+ techniques, 140+ groups, 700+ software entries
- 🧠 Reason over complex threat relationships and TTPs
- 📊 Visualize coverage gaps with ATT&CK Navigator layers
- ⚡ Scale threat intelligence workflows with structured tools
Perfect for: Security teams, threat hunters, detection engineers, AI researchers, and anyone building intelligent security systems.
What is this?
mitre-attack-mcp-server is a self-contained MCP server that provides machine-callable access to the MITRE ATT&CK framework using official STIX data with LLMs friendly structured outputs.
It enables:
- 🤖 LLMs to reason about ATT&CK techniques, groups, software, and mitigations
- 🧠 Agentic workflows to generate threat explanations and coverage maps
- 🔍 Security teams to query ATT&CK relationships programmatically
- 📊 Visualization via ATT&CK Navigator layers
No scraping.
No fragile APIs.
Just official MITRE data, structured and reliable.
📑 Table of Contents
- Overview
- Key Features
- Installation
- Quick Start
- MCP Registry
- Available Tools
- Example Queries
- ATT&CK Navigator
- Technical Details
- Roadmap & Vision
- Contributing
- License
- About the Author
- Acknowledgments
✨ Key Features
- ✅ 65+ MCP tools across ATT&CK domains (Enterprise, Mobile, ICS)
- ✅ Automatic STIX download & caching on first run
- ✅ Native ATT&CK Navigator layer generation
- ✅ Designed for LLMs & MCP-compatible clients
- ✅ In-memory caching for instant query responses
- ✅ Type-safe with Pydantic models
- ✅ Clean, production-ready, self-contained server
- ✅ Comprehensive test coverage
📦 Installation
Via PyPI (recommended) - Python Users
pip install mitre-mcp-server
npm
npm install -g @imouiche/mitre-attack-mcp-server
npx (no installation required)
npx @imouiche/mitre-attack-mcp-server
Via uv (Modern Python)
uv pip install mitre-mcp-server
Local Development
git clone https://github.com/imouiche/complete-mitre-attack-mcp-server.git
cd complete-mitre-attack-mcp-server
npm install
Using uv (Python package manager)
git clone https://github.com/imouiche/complete-mitre-attack-mcp-server.git
cd complete-mitre-attack-mcp-server
uv sync
⚡ Quick Start
1. Install
pip install mitre-mcp-server
2. Configure Claude Desktop
Add to your claude_desktop_config.json:
macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
{
"mcpServers": {
"mitre-attack": {
"command": "npx",
"args": ["-y", "@imouiche/mitre-attack-mcp-server"]
}
}
}
3. Restart Claude Desktop
Quit Claude Desktop completely (Cmd+Q on macOS) and reopen it.
4. Start Querying!
Ask Claude:
"What techniques does APT29 use for initial access?"
"Generate an ATT&CK Navigator layer for ransomware groups"
"Show me all Windows persistence techniques"
Data downloads automatically on first run (~59MB, cached at ~/.mitre-mcp-server/data/).
📦 MCP Registry
This server is officially registered in the Model Context Protocol (MCP) Registry.
Registry ID: io.github.imouiche/mitre-attack-mcp-server
View in Official Registry: https://registry.modelcontextprotocol.io/?q=mitre-attack-mcp-server
Installation Options
Option 1: Direct NPM
npm install -g @imouiche/mitre-attack-mcp-server
Option 2: NPX (no installation)
npx @imouiche/mitre-attack-mcp-server
Option 3: Discover via Registry
- Visit MCP Registry
- Search for "mitre-attack"
- Click the server card for installation instructions
🛠️ Available Tools
The server exposes 50+ MCP tools covering all major MITRE ATT&CK entities and relationships.
📊 Infrastructure & Metadata
| Tool | Description |
|---|---|
get_data_stats | Show download status, file paths, sizes, and ATT&CK release version |
generate_layer | Generate an ATT&CK Navigator layer (JSON output) |
get_layer_metadata | Return Navigator layer metadata template |
🎯 Techniques
| Tool | Description |
|---|---|
get_technique_by_id | Get a technique by ATT&CK ID (e.g., T1055) |
search_techniques | Search techniques by name or description |
get_all_techniques | Retrieve all techniques |
get_all_parent_techniques | Parent techniques only |
get_all_subtechniques | All subtechniques |
get_subtechniques_of_technique | Subtechniques of a parent |
get_parent_technique_of_subtechnique | Parent of a subtechnique |
get_technique_tactics | Tactics associated with a technique |
get_techniques_by_tactic | Techniques under a tactic |
get_techniques_by_platform | Techniques for a platform |
get_revoked_techniques | Revoked techniques |
🧑💻 Groups (Threat Actors)
| Tool | Description |
|---|---|
get_group_by_name | Find group by name or alias |
search_groups | Search groups |
get_all_groups | All ATT&CK groups |
get_groups_by_alias | Lookup groups by alias |
get_groups_using_technique | Groups using a technique |
get_groups_using_software | Groups using software |
get_groups_attributing_to_campaign | Groups attributed to a campaign |
🧪 Software (Malware & Tools)
| Tool | Description |
|---|---|
get_software | Get all software |
search_software | Search software |
get_software_by_alias | Lookup software by alias |
get_software_used_by_group | Software used by a group |
get_software_used_by_campaign | Software used in campaigns |
get_software_using_technique | Software using a technique |
📌 Campaigns
| Tool | Description |
|---|---|
get_all_campaigns | Get all campaigns |
get_campaigns_by_alias | Lookup campaigns by alias |
get_campaigns_using_technique | Campaigns using a technique |
get_campaigns_using_software | Campaigns using software |
get_campaigns_attributed_to_group | Campaign attribution |
🛡️ Mitigations
| Tool | Description |
|---|---|
get_all_mitigations | Get all mitigations |
get_mitigations_mitigating_technique | Mitigations for a technique |
get_techniques_mitigated_by_mitigation | Techniques mitigated by a mitigation |
🧭 Tactics, Data Sources & ICS
| Tool | Description |
|---|---|
get_all_tactics | Get all tactics |
get_all_datasources | Get all data sources |
get_all_datacomponents | Get all data components |
get_datacomponents_detecting_technique | Data components detecting a technique |
get_all_assets | Get ICS assets |
get_assets_targeted_by_technique | Assets targeted by a technique |
💡 Example Queries
Threat Intelligence
"What techniques does APT29 use for initial access?"
"Which groups target financial institutions?"
"Show me all ransomware-related software"
"What are the aliases for the Lazarus Group?"
Detection Engineering
"What data sources detect credential dumping?"
"Generate a coverage map for EDR capabilities"
"List all techniques for Windows privilege escalation"
"What can detect T1055 (Process Injection)?"
Threat Hunting
"What techniques use PowerShell?"
"Show me lateral movement techniques for Linux"
"Which groups use Cobalt Strike?"
"What persistence techniques target macOS?"
Mitigation & Defense
"What mitigations exist for phishing attacks?"
"Show me all mitigations for privilege escalation"
"What techniques does MFA mitigate?"
Compliance & Gap Analysis
"Generate a layer for all techniques our EDR covers"
"Compare APT29 TTPs against our detection capabilities"
"Show unmitigated techniques in our environment"
📊 ATT&CK Navigator Visualization
The generate_layer tool produces ATT&CK Navigator–compatible JSON.
Usage:
-
Ask Claude to generate a layer:
"Generate an ATT&CK Navigator layer for all techniques used by APT29"
-
Save the JSON output to a file (e.g.,
apt29_layer.json) -
Upload to ATT&CK Navigator
-
Visualize technique coverage, threat actor usage, or mitigation mapping
Real-World Example Using LangGraph
-
Threat Investigation:
Read my Medium blog demonstrating how a multi-agent LangGraph system leverages these tools to perform a real-world threat investigation. -
Live Demo:
Explore the interactive Gradio 6.2 demo on Hugging Face Spaces.
Example Layer Use Cases:
- Red Team Coverage: Map all techniques used in an exercise
- Detection Gaps: Highlight unmonitored techniques
- Threat Actor Profile: Visualize group TTPs
- Mitigation Coverage: Show what's protected vs. exposed
🔧 Technical Details
Architecture
- Language: Python 3.12+
- Framework: FastMCP for Model Context Protocol
- Data Library: Official
mitreattack-python(v5.3.0+) - Async/Await: Optimal performance for concurrent queries
- Type Safety: Full Pydantic models for all data structures
- Testing: Comprehensive pytest coverage
Data
- Enterprise ATT&CK: v18.1+ (~50.9MB)
- Mobile ATT&CK: v18.1+ (~4.9MB)
- ICS ATT&CK: v18.1+ (~3.5MB)
- Total: ~59MB cached locally
- Storage:
~/.mitre-mcp-server/data/v{version}/ - Update: Auto-downloads on install, uses cached data on subsequent runs
Performance
- In-memory caching: All domains loaded at startup
- Query speed: Sub-second for most operations
- Graph traversal: Efficient relationship queries
- Concurrent: Handles multiple simultaneous requests
Requirements
- Python: 3.12 or higher
- Node.js: 16+ (for NPM installation)
- Disk Space: ~150MB (includes dependencies + data)
- Memory: ~200MB RAM when running
🚀 Roadmap & Vision
This project is the first component of a larger vision to build comprehensive agentic security automation by integrating multiple security knowledge bases and frameworks.
Current Status
- ✅ MITRE ATT&CK - Threat intelligence & adversary TTPs (v18.1)
Planned Integrations
- 🔜 CVE/NVD - Vulnerability intelligence and exploit mapping
- 🔜 MITRE D3FEND - Defensive countermeasure knowledge graph
- 🔜 Sigma Rules - Detection rule translation and management
- 🔜 CAPEC - Common Attack Pattern Enumeration
- 🔜 CWE - Software weakness enumeration
- 🔜 Agentic Pentesting - Multi-agent autonomous security testing
Ultimate Goal
Enable AI agents to autonomously:
- 🎯 Map attack surfaces and identify vulnerabilities
- 🛡️ Recommend defensive countermeasures
- 🔍 Generate detection rules and validate coverage
- 🤖 Orchestrate multi-stage security assessments
- 📊 Reason about complete attack-defense lifecycles
Get Involved
We welcome contributions from:
- 🎓 Students working on thesis projects (cybersecurity, AI, agentic systems)
- 🔬 Researchers in AI security, threat intelligence, or agent frameworks
- 💻 Developers passionate about security automation
- 🏢 Organizations interested in research partnerships or commercial applications
Areas of Interest:
- Integrating additional security frameworks (CVE, D3FEND, Sigma)
- Building agentic workflows for pentesting and red teaming
- Developing detection rule generation pipelines
- Creating threat intelligence reasoning systems
- Improving MCP tooling and documentation
📬 Interested? Open an issue, start a discussion, or reach out directly!
🤝 Contributing
Found a bug? Have a feature request? Want to contribute to the roadmap?
All contributions welcome!
Development Setup
git clone https://github.com/imouiche/complete-mitre-attack-mcp-server.git
cd complete-mitre-attack-mcp-server
uv sync
# uv run pytest (test/ folder not yet released)
uv run python -m mitre_mcp_server.server
📜 License
Apache License 2.0
See LICENSE for full details.
👨💻 About the Author
Inoussa Mouiche, Ph.D.
AI/ML Researcher | Cybersecurity | Agentic AI Systems | Software Engineering
🎓 University of Windsor - WASP Lab
🔬 Research Focus: Threat Intelligence Automation, Machine Learning, Multi-Agent Security Systems, LLM-Powered Security Operations
📫 Connect
- 🐙 GitHub: @imouiche
- 📧 Email: mouiche@uwindsor.ca
- 💼 LinkedIn: Inoussa Mouiche, Ph.D.
- 📚 Google Scholar: Publications
🎓 Award Nomination
- Gold Medal: The Governor General's Academic Medal
💼 Open to opportunities in:
- AI/ML Engineering & Research
- Cybersecurity & Threat Intelligence
- Agentic AI Development
- Security Automation & Orchestration
- Academic & Industry Collaborations
🙏 Acknowledgments
- Built on MITRE ATT&CK® - the industry standard for adversary tactics and techniques
- Powered by mitreattack-python - official MITRE library
- Implements Model Context Protocol - Anthropic's standard for AI-tool integration
- Inspired by the amazing MCP developer community including R. Jasper, and more...
MITRE ATT&CK® is a registered trademark of The MITRE Corporation.
<div align="center">
⭐ Star this repo if you find it useful!
Interested in collaborating on agentic engineering systems? Let's connect!
Made with ❤️ for the cybersecurity and AI communities
</div>常见问题
io.github.imouiche/mitre-attack-mcp-server 是什么?
MCP server providing 50+ tools for MITRE ATT&CK techniques, groups, and mitigations
相关 Skills
MCP构建
by anthropics
聚焦高质量 MCP Server 开发,覆盖协议研究、工具设计、错误处理与传输选型,适合用 FastMCP 或 MCP SDK 对接外部 API、封装服务能力。
✎ 想让 LLM 稳定调用外部 API,就用 MCP构建:从 Python 到 Node 都有成熟指引,帮你更快做出高质量 MCP 服务器。
Slack动图
by anthropics
面向Slack的动图制作Skill,内置emoji/消息GIF的尺寸、帧率和色彩约束、校验与优化流程,适合把创意或上传图片快速做成可直接发送的Slack动画。
✎ 帮你快速做出适配 Slack 的动图,内置约束规则和校验工具,少踩上传与播放坑,做表情包和演示都更省心。
MCP服务构建器
by alirezarezvani
从 OpenAPI 一键生成 Python/TypeScript MCP server 脚手架,并校验 tool schema、命名规范与版本兼容性,适合把现有 REST API 快速发布成可生产演进的 MCP 服务。
✎ 帮你快速搭建 MCP 服务与后端 API,脚手架完善、扩展顺手,尤其适合想高效验证服务能力的开发者。
相关 MCP Server
Slack 消息
编辑精选by Anthropic
Slack 是让 AI 助手直接读写你的 Slack 频道和消息的 MCP 服务器。
✎ 这个服务器解决了团队协作中需要 AI 实时获取 Slack 信息的痛点,特别适合开发团队让 Claude 帮忙汇总频道讨论或发送通知。不过,它目前只是参考实现,文档有限,不建议在生产环境直接使用——更适合开发者学习 MCP 如何集成第三方服务。
by netdata
io.github.netdata/mcp-server 是让 AI 助手实时监控服务器指标和日志的 MCP 服务器。
✎ 这个工具解决了运维人员需要手动检查系统状态的痛点,最适合 DevOps 团队让 Claude 自动分析性能数据。不过,它依赖 NetData 的现有部署,如果你没用过这个监控平台,得先花时间配置。
by d4vinci
Scrapling MCP Server 是专为现代网页设计的智能爬虫工具,支持绕过 Cloudflare 等反爬机制。
✎ 这个工具解决了爬取动态网页和反爬网站时的头疼问题,特别适合需要批量采集电商价格或新闻数据的开发者。不过,它依赖外部浏览器引擎,资源消耗较大,不适合轻量级任务。