MITRE ATT&CK MCP Server
A Model-Context Protocol server for the MITRE ATT&CK knowledge base
Key Features
- 50+ Tools for MITRE ATT&CK Querying
  - Comprehensive access to the MITRE ATT&CK knowledge base through structured API tools
- Automatic ATT&CK Navigator Layer Generation
  - Generate visual representations of techniques used by threat actors
- Threat Actor and Malware Attribution
  - Query relationships between malware, threat actors, and techniques
- Technique Overlap Analysis
  - Compare techniques used by different threat actors or malware families
Installation
To clone and run this server, you'll need Git, Python, and PipX installed on your computer.
- Ensure Git, Python, and PipX have been installed by following their respective official installation instructions for Windows/Mac/Linux
- Install the MCP Server using PipX
pipx install git+https://github.com/stoyky/mitre-attack-mcp
How To Use
Configure with Claude AI Desktop
- Open Claude's MCP server configuration file.
Windows
C:\Users\[YourUsername]\AppData\Roaming\Claude\claude_desktop_config.json
# or
C:\Users\[YourUsername]\AppData\Local\AnthropicClaude\claude_desktop_config.json
Linux / Mac
~/.config/Claude/claude_desktop_config.json
- Add the following to that file if it doesn't already exist. If it already exists, merge the two JSON structures accordingly.
{
  "mcpServers": {
    "mitre-attack": {
      "command": "mitre-attack-mcp",
      "args": []
    }
  }
}
Note: By default, the MCP server stores the MITRE-related data in the current user's default cache directory. You can specify a custom data directory with the following config:
{
  "mcpServers": {
    "mitre-attack": {
      "command": "mitre-attack-mcp",
      "args": [
        "--data-dir",
        "<path-to-data-dir>"
      ]
    }
  }
}
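The merge step described above can be scripted so that existing entries are never overwritten by hand-editing. This is an added example, not code from the mitre-attack-mcp project; the function names, the `.bak` backup suffix and the sample config are assumptions made for illustration.

```python
import json
import os
import tempfile
from pathlib import Path
from typing import Optional

SERVER_NAME = "mitre-attack"         # key used in the README's config
SERVER_COMMAND = "mitre-attack-mcp"  # command installed by pipx


def merge_server_entry(config: dict, data_dir: Optional[str] = None) -> dict:
    """Return a copy of config with the mitre-attack entry added or updated.

    Other entries under "mcpServers" and unrelated top-level keys are kept.
    """
    if not isinstance(config, dict):
        raise ValueError("top level of the config must be a JSON object")
    servers = config.get("mcpServers", {})
    if not isinstance(servers, dict):
        raise ValueError('"mcpServers" must be a JSON object')
    args = ["--data-dir", data_dir] if data_dir else []
    merged = dict(config)
    merged["mcpServers"] = {**servers,
                            SERVER_NAME: {"command": SERVER_COMMAND, "args": args}}
    return merged


def update_config_file(path: Path, data_dir: Optional[str] = None) -> dict:
    """Merge the entry into the file at path, keeping a .bak copy of the old file."""
    path = Path(path)
    original = path.read_text(encoding="utf-8") if path.exists() else "{}"
    merged = merge_server_entry(json.loads(original), data_dir)  # raises on invalid JSON
    if path.exists():
        path.with_name(path.name + ".bak").write_text(original, encoding="utf-8")
    # Write to a temp file in the same directory, then rename, so an
    # interrupted run cannot leave a half-written config behind.
    fd, tmp = tempfile.mkstemp(dir=path.parent, suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(merged, fh, indent=2)
    os.replace(tmp, path)
    return merged


if __name__ == "__main__":
    # Constructed sample: a config that already lists another (hypothetical) server.
    existing = {"mcpServers": {"other-server": {"command": "other-cmd", "args": []}}}
    print(json.dumps(merge_server_entry(existing, "/tmp/attack-data"), indent=2))
```

Every entry under `mcpServers` is a command the client launches under your account, so review the merged file before restarting the client.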
Changelog
- v1.0.2 - Now installable via PipX on Windows, Mac, and Linux. "data directory" argument is now optional and will use the default cache directory if omitted.
- v1.0.1 - Improved robustness of layer metadata generation and error handling in layer generation function
- v1.0.0 - Initial release
Use Cases
- Query for detailed information about specific malware, tactics, or techniques
- Discover relationships between threat actors and their tools
- Generate visual ATT&CK Navigator layers for threat analysis
- Find campaign overlaps between different threat actors
- Identify common techniques used by multiple malware families
Please see my blog for more information and examples.
Credits
- MITRE ATT&CK - Knowledge base of adversary tactics and techniques
- MITRE ATT&CK Python - Python library to interact with the knowledge base
- ATT&CK Navigator - Tool for visualizing ATT&CK matrices
- Anthropic - Developers of the Model-Context Protocol
Created by Remy Jaspers