Active 2025-01-12

MITRE ATT&CK MCP

MCP server providing AI assistants with instant access to the complete MITRE ATT&CK framework - techniques, tactics, groups, software, and mitigations.

mcp mitre-attack threat-intelligence ai detection-engineering
Quickstart
Get started instantly
npx -y mitre-attack-mcp

The Problem

The MITRE ATT&CK framework contains thousands of techniques, tactics, groups, and software entries. Manually searching the framework, understanding relationships, and mapping coverage is time-consuming. AI assistants need structured access to ATT&CK data to help with detection engineering and threat analysis.

The Solution

MITRE ATT&CK MCP provides AI assistants with instant, queryable access to the complete ATT&CK framework. Ask questions like 'What techniques does APT29 use?' or 'Show me all execution techniques for Windows' and get immediate, accurate answers with full context.

Impact

Transforms how detection engineers and threat analysts work with ATT&CK. Instead of manually browsing the framework, let AI assistants query it instantly and provide contextual analysis.

What is This?

MITRE ATT&CK MCP makes the entire MITRE ATT&CK framework queryable by AI assistants through the Model Context Protocol.

Complete ATT&CK Coverage

Techniques & Sub-Techniques

  • All 14 tactics
  • 200+ techniques
  • 400+ sub-techniques
  • Detection guidance
  • Mitigation strategies
  • Data sources

Threat Groups

  • APT groups
  • Cybercrime groups
  • Techniques used
  • Software employed
  • Target sectors

Software & Tools

  • Malware families
  • Hacking tools
  • Techniques employed
  • Associated groups
  • Platform support

Mitigations

  • Mitigation strategies
  • Technique coverage
  • Implementation guidance
  • Effectiveness ratings

Natural Language Queries

Ask your AI assistant:

“What techniques does APT29 use?”

“Show me all Windows execution techniques”

“What are the mitigations for T1059.001?”

“Which groups use Mimikatz?”

“What data sources detect credential dumping?”

Key Features

  • Search by name or description
  • Filter by tactic
  • Filter by platform
  • Get detection guidance

🎯 Group Analysis

  • Query threat groups
  • Get group techniques
  • Understand TTPs
  • Coverage analysis

🛠️ Software Tracking

  • Search malware and tools
  • Understand capabilities
  • Map to techniques
  • Track usage by groups

🛡️ Mitigation Guidance

  • Get mitigations for techniques
  • Implementation guidance
  • Effectiveness analysis
  • Prioritization support

📊 Coverage Analysis

  • Analyze detection coverage
  • Identify gaps
  • Compare against threat groups
  • Generate ATT&CK Navigator layers

ATT&CK Navigator Integration

Generate Navigator layers directly:

// Generate coverage layer
generate_navigator_layer({
  name: "My Detection Coverage",
  techniques: [
    { technique_id: "T1059.001", score: 85 },
    { technique_id: "T1003.001", score: 90 }
  ]
})

Layer Types

  • Coverage layers - Show your detection coverage
  • Gap analysis - Identify missing coverage
  • Group layers - Visualize threat group TTPs
  • Custom layers - Build any visualization

Use Cases

Detection Engineering

  • Map detections to ATT&CK
  • Identify coverage gaps
  • Prioritize new detections
  • Validate technique understanding

Threat Intelligence

  • Research threat groups
  • Understand campaign TTPs
  • Track software usage
  • Analyze trends

Red Team Planning

  • Select techniques for engagements
  • Understand detection likelihood
  • Plan evasion strategies
  • Validate tool selection

Security Assessment

  • Measure detection coverage
  • Compare against threats
  • Prioritize improvements
  • Report to leadership

Installation

npx -y mitre-attack-mcp

Global Install

npm install -g mitre-attack-mcp

Configuration

Add to your MCP config:

{
  "mcpServers": {
    "mitre-attack": {
      "command": "npx",
      "args": ["-y", "mitre-attack-mcp"]
    }
  }
}

Available Tools

Technique Tools

  • get_technique(id) - Get technique details
  • search_techniques(query) - Search techniques
  • list_techniques_by_tactic(tactic) - Filter by tactic
  • list_techniques_by_platform(platform) - Filter by platform
  • get_mitigations(technique_id) - Get mitigations
  • get_data_sources(technique_id) - Get data sources

Group Tools

  • get_group(id) - Get group details
  • search_groups(query) - Search groups
  • get_group_techniques(group_id) - Get group’s techniques

Software Tools

  • get_software(id) - Get software details
  • search_software(query) - Search malware/tools

Coverage Tools

  • analyze_coverage(covered_ids) - Analyze your coverage
  • find_group_gaps(group_id, covered_ids) - Find gaps vs group
  • generate_layer(techniques, name) - Create Navigator layer
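Added example, not the project's own code: a small gap analysis in the spirit of find_group_gaps and generate_layer (and the layer shown under ATT&CK Navigator Integration), run on constructed technique lists rather than real group data. The Navigator layer field names follow the published layer format; the version numbers, colours and the "parent covered = partial" rule are assumptions.

```javascript
// Added example (not part of mitre-attack-mcp): coverage vs a group's techniques,
// emitted as an ATT&CK Navigator layer. Version numbers below are assumptions.

// Constructed sample: technique IDs a fictional group is reported to use.
const GROUP_TECHNIQUES = ["T1059.001", "T1003.001", "T1566.001", "T1078", "T1021.002"];
// Constructed sample: technique IDs your detections already cover.
const COVERED_IDS = ["T1059.001", "T1003.001", "T1021"];

// Parent of a sub-technique ("T1021.002" -> "T1021"); a technique maps to itself.
function parentOf(id) {
  return id.split(".")[0];
}

// Classify each group technique as covered, partial (only the parent is covered) or gap.
function findGroupGaps(groupTechniques, coveredIds) {
  const covered = new Set(coveredIds);
  const result = { covered: [], partial: [], gaps: [] };
  for (const id of groupTechniques) {
    if (covered.has(id)) result.covered.push(id);
    else if (id.includes(".") && covered.has(parentOf(id))) result.partial.push(id);
    else result.gaps.push(id);
  }
  return result;
}

// Build a Navigator layer: covered = green/100, partial = yellow/50, gap = red/0.
function buildNavigatorLayer(name, analysis) {
  const entry = (id, score, color, comment) => ({ techniqueID: id, score, color, comment, enabled: true });
  return {
    name,
    versions: { attack: "15", navigator: "4.9", layer: "4.5" }, // assumed versions
    domain: "enterprise-attack",
    description: `Coverage vs group: ${analysis.gaps.length} gap(s)`,
    techniques: [
      ...analysis.covered.map((id) => entry(id, 100, "#8ec843", "covered")),
      ...analysis.partial.map((id) => entry(id, 50, "#ffe766", "parent technique covered only")),
      ...analysis.gaps.map((id) => entry(id, 0, "#ff6666", "no detection")),
    ],
  };
}

// Share of the group's techniques with exact coverage, as a percentage (one decimal).
function coveragePercent(analysis) {
  const total = analysis.covered.length + analysis.partial.length + analysis.gaps.length;
  return total === 0 ? 0 : Math.round((analysis.covered.length / total) * 1000) / 10;
}

const analysis = findGroupGaps(GROUP_TECHNIQUES, COVERED_IDS);
console.log(JSON.stringify(buildNavigatorLayer("Coverage vs sample group", analysis), null, 2));
```

The printed JSON can be loaded straight into ATT&CK Navigator via "Open Existing Layer".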

Technical Details

  • Database: SQLite with FTS5 search
  • Auto-updates: Downloads latest ATT&CK on first run
  • Performance: Sub-second queries
  • Storage: ~/.cache/mitre-attack-mcp/

Pair With Security Detections MCP

Use both MCP servers together for an end-to-end detection engineering workflow:

  1. Query ATT&CK for technique details
  2. Search for existing detections
  3. Identify coverage gaps
  4. Build new detections

NPM Package

Available on npm: mitre-attack-mcp

Get started: GitHub | npm
