MITRE ATT&CK MCP Server
A Model-Context Protocol server for the MITRE ATT&CK knowledge base
Key Features
- 50+ Tools for MITRE ATT&CK Querying
  - Comprehensive access to the MITRE ATT&CK knowledge base through structured API tools
- Automatic ATT&CK Navigator Layer Generation
  - Generate visual representations of techniques used by threat actors
- Threat Actor and Malware Attribution
  - Query relationships between malware, threat actors, and techniques
- Technique Overlap Analysis
  - Compare techniques used by different threat actors or malware families
Installation
To clone and run this server, you'll need Git, Python, and PipX installed on your computer.
- Ensure Git, Python, and PipX have been installed using their respective official installation instructions for Windows/Mac/Linux
- Install the MCP Server using PipX
    pipx install git+https://github.com/stoyky/mitre-attack-mcp
How To Use
Configure with Claude AI Desktop
- Open Claude's MCP server configuration file.
  Windows
    C:\Users\[YourUsername]\AppData\Roaming\Claude\claude_desktop_config.json
    # or
    C:\Users\[YourUsername]\AppData\Local\AnthropicClaude\claude_desktop_config.json
  Linux / Mac
    ~/.config/Claude/claude_desktop_config.json
- Add the following to that file if it doesn't already exist. If it already exists, merge the two JSON structures accordingly.
{
  "mcpServers": {
    "mitre-attack": {
      "command": "mitre-attack-mcp",
      "args": []
    }
  }
}
Note: By default, the MCP server stores the MITRE-related data in the current user's default cache directory. You can specify a custom data directory with the following config:
{
  "mcpServers": {
    "mitre-attack": {
      "command": "mitre-attack-mcp",
      "args": [
        "--data-dir",
        "<path-to-data-dir>"
      ]
    }
  }
}
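One way to do the merge step described above without disturbing servers that are already configured, as an added example that is not part of the project's own code. The function names `merge_mitre_server` and `demo`, the `.bak` backup file and the sample config are assumptions made for illustration.

```python
import json
import tempfile
from pathlib import Path

SERVER_NAME = "mitre-attack"         # key used in the config shown above
SERVER_COMMAND = "mitre-attack-mcp"  # command named in the config shown above


def merge_mitre_server(config_path, data_dir=None):
    """Add the mitre-attack entry to an MCP config file, keeping other servers."""
    path = Path(config_path)
    # A missing or empty file is treated as an empty config.
    text = path.read_text(encoding="utf-8") if path.exists() else ""
    config = json.loads(text) if text.strip() else {}
    if not isinstance(config, dict):
        raise ValueError("top level of the config must be a JSON object")
    servers = config.setdefault("mcpServers", {})
    if not isinstance(servers, dict):
        raise ValueError("'mcpServers' must be a JSON object")

    # Never silently replace an entry of the same name that runs something else.
    existing = servers.get(SERVER_NAME)
    if existing is not None and (not isinstance(existing, dict) or existing.get("command") != SERVER_COMMAND):
        raise ValueError(f"{SERVER_NAME!r} is already configured with a different command")

    args = ["--data-dir", str(data_dir)] if data_dir else []
    servers[SERVER_NAME] = {"command": SERVER_COMMAND, "args": args}

    # Keep a copy of the previous file (hypothetical .bak name) before writing.
    if text:
        path.with_name(path.name + ".bak").write_text(text, encoding="utf-8")
    path.write_text(json.dumps(config, indent=2) + "\n", encoding="utf-8")
    return config


def demo():
    """Merge into a constructed config that already holds another server."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "claude_desktop_config.json"
        # Constructed sample input, not a real configuration.
        other = {"mcpServers": {"other": {"command": "other-mcp", "args": []}}}
        cfg.write_text(json.dumps(other), encoding="utf-8")
        merged = merge_mitre_server(cfg, data_dir=Path(tmp) / "attack-data")
        backup_exists = cfg.with_name(cfg.name + ".bak").exists()
        return merged, json.loads(cfg.read_text(encoding="utf-8")), backup_exists


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

Call `merge_mitre_server` with the configuration path for your platform from the list above; omit `data_dir` to keep the default cache directory.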
Changelog
- v1.0.2 - Now installable via PipX on Windows, Mac, and Linux. "data directory" argument is now optional and will use the default cache directory if omitted.
- v1.0.1 - Improved robustness of layer metadata generation and error handling in layer generation function
- v1.0.0 - Initial release
Use Cases
- Query for detailed information about specific malware, tactics, or techniques
- Discover relationships between threat actors and their tools
- Generate visual ATT&CK Navigator layers for threat analysis
- Find campaign overlaps between different threat actors
- Identify common techniques used by multiple malware families
Please see my blog for more information and examples.
Credits
- MITRE ATT&CK - Knowledge base of adversary tactics and techniques
- MITRE ATT&CK Python - Python library to interact with the knowledge base
- ATT&CK Navigator - Tool for visualizing ATT&CK matrices
- Anthropic - Developers of the Model-Context Protocol
Created by Remy Jaspers