npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2025 – Pkg Stats / Ryan Hefner

@imouiche/mitre-attack-mcp-server

v0.1.4

Published

Complete MCP server for MITRE ATT&CK threat intelligence framework with 50+ tools

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

imouicheimouiche

Keywords

mcpmitreattackcybersecuritythreat-detectionincident-responsecyber-threat-intelligencethreat-intelligencecyber-defensesecurity-operationsthreat-analysisthreat-huntingblue-teamred-teamcyber-attackcybersecurity-toolsopen-sourcemodel-context-protocol

Readme

🛡️ MITRE ATT&CK MCP Server

AI-Native Access to the World's Leading Threat Intelligence Framework

npm npm downloads License MCP Registry GitHub release

FeaturesInstallationQuick StartToolsExamplesRoadmap

🎯 Overview

The MITRE ATT&CK MCP Server transforms the world's leading adversary knowledge base into an AI-native interface. Built for the Model Context Protocol, it enables LLMs and agentic systems to:

  • 🔍 Query 200+ techniques, 140+ groups, 700+ software entries
  • 🧠 Reason over complex threat relationships and TTPs
  • 📊 Visualize coverage gaps with ATT&CK Navigator layers
  • Scale threat intelligence workflows with structured tools

Perfect for: Security teams, threat hunters, detection engineers, AI researchers, and anyone building intelligent security systems.

What is this?

mitre-attack-mcp-server is a self-contained MCP server that provides machine-callable access to the MITRE ATT&CK framework using official STIX data with LLMs friendly structured outputs.

It enables:

  • 🤖 LLMs to reason about ATT&CK techniques, groups, software, and mitigations
  • 🧠 Agentic workflows to generate threat explanations and coverage maps
  • 🔍 Security teams to query ATT&CK relationships programmatically
  • 📊 Visualization via ATT&CK Navigator layers

No scraping.
No fragile APIs.
Just official MITRE data, structured and reliable.

📑 Table of Contents

✨ Key Features

  • 65+ MCP tools across ATT&CK domains (Enterprise, Mobile, ICS)
  • ✅ Automatic STIX download & caching on first run
  • ✅ Native ATT&CK Navigator layer generation
  • ✅ Designed for LLMs & MCP-compatible clients
  • In-memory caching for instant query responses
  • Type-safe with Pydantic models
  • ✅ Clean, production-ready, self-contained server
  • ✅ Comprehensive test coverage

📦 Installation

Via PyPI (recommended) - Python Users

pip install mitre-mcp-server

npm

npm install -g @imouiche/mitre-attack-mcp-server

npx (no installation required)

npx @imouiche/mitre-attack-mcp-server

Via uv (Modern Python)

uv pip install mitre-mcp-server

Local Development

git clone https://github.com/imouiche/complete-mitre-attack-mcp-server.git
cd complete-mitre-attack-mcp-server
npm install

Using uv (Python package manager)

git clone https://github.com/imouiche/complete-mitre-attack-mcp-server.git
cd complete-mitre-attack-mcp-server
uv sync

⚡ Quick Start

1. Install

pip install mitre-mcp-server

2. Configure Claude Desktop

Add to your claude_desktop_config.json:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "mitre-attack": {
      "command": "npx",
      "args": ["-y", "@imouiche/mitre-attack-mcp-server"]
    }
  }
}

3. Restart Claude Desktop

Quit Claude Desktop completely (Cmd+Q on macOS) and reopen it.

4. Start Querying!

Ask Claude:

"What techniques does APT29 use for initial access?"
"Generate an ATT&CK Navigator layer for ransomware groups"
"Show me all Windows persistence techniques"

Data downloads automatically on first run (~59MB, cached at ~/.mitre-mcp-server/data/).

📦 MCP Registry

This server is officially registered in the Model Context Protocol (MCP) Registry.

Registry ID: io.github.imouiche/mitre-attack-mcp-server

View in Official Registry: https://registry.modelcontextprotocol.io/?q=mitre-attack-mcp-server

Installation Options

Option 1: Direct NPM

npm install -g @imouiche/mitre-attack-mcp-server

Option 2: NPX (no installation)

npx @imouiche/mitre-attack-mcp-server

Option 3: Discover via Registry

  1. Visit MCP Registry
  2. Search for "mitre-attack"
  3. Click the server card for installation instructions

🛠️ Available Tools

The server exposes 50+ MCP tools covering all major MITRE ATT&CK entities and relationships.

📊 Infrastructure & Metadata

| Tool | Description | |---|---| | get_data_stats | Show download status, file paths, sizes, and ATT&CK release version | | generate_layer | Generate an ATT&CK Navigator layer (JSON output) | | get_layer_metadata | Return Navigator layer metadata template |

🎯 Techniques

| Tool | Description | |---|---| | get_technique_by_id | Get a technique by ATT&CK ID (e.g., T1055) | | search_techniques | Search techniques by name or description | | get_all_techniques | Retrieve all techniques | | get_all_parent_techniques | Parent techniques only | | get_all_subtechniques | All subtechniques | | get_subtechniques_of_technique | Subtechniques of a parent | | get_parent_technique_of_subtechnique | Parent of a subtechnique | | get_technique_tactics | Tactics associated with a technique | | get_techniques_by_tactic | Techniques under a tactic | | get_techniques_by_platform | Techniques for a platform | | get_revoked_techniques | Revoked techniques |

🧑‍💻 Groups (Threat Actors)

| Tool | Description | |---|---| | get_group_by_name | Find group by name or alias | | search_groups | Search groups | | get_all_groups | All ATT&CK groups | | get_groups_by_alias | Lookup groups by alias | | get_groups_using_technique | Groups using a technique | | get_groups_using_software | Groups using software | | get_groups_attributing_to_campaign | Groups attributed to a campaign |

🧪 Software (Malware & Tools)

| Tool | Description | |---|---| | get_software | Get all software | | search_software | Search software | | get_software_by_alias | Lookup software by alias | | get_software_used_by_group | Software used by a group | | get_software_used_by_campaign | Software used in campaigns | | get_software_using_technique | Software using a technique |

📌 Campaigns

| Tool | Description | |---|---| | get_all_campaigns | Get all campaigns | | get_campaigns_by_alias | Lookup campaigns by alias | | get_campaigns_using_technique | Campaigns using a technique | | get_campaigns_using_software | Campaigns using software | | get_campaigns_attributed_to_group | Campaign attribution |

🛡️ Mitigations

| Tool | Description | |---|---| | get_all_mitigations | Get all mitigations | | get_mitigations_mitigating_technique | Mitigations for a technique | | get_techniques_mitigated_by_mitigation | Techniques mitigated by a mitigation |

🧭 Tactics, Data Sources & ICS

| Tool | Description | |---|---| | get_all_tactics | Get all tactics | | get_all_datasources | Get all data sources | | get_all_datacomponents | Get all data components | | get_datacomponents_detecting_technique | Data components detecting a technique | | get_all_assets | Get ICS assets | | get_assets_targeted_by_technique | Assets targeted by a technique |

💡 Example Queries

Threat Intelligence

"What techniques does APT29 use for initial access?"
"Which groups target financial institutions?"
"Show me all ransomware-related software"
"What are the aliases for the Lazarus Group?"
Blog demo coming soon...

Detection Engineering

"What data sources detect credential dumping?"
"Generate a coverage map for EDR capabilities"
"List all techniques for Windows privilege escalation"
"What can detect T1055 (Process Injection)?"
Blog demo coming soon...

Threat Hunting

"What techniques use PowerShell?"
"Show me lateral movement techniques for Linux"
"Which groups use Cobalt Strike?"
"What persistence techniques target macOS?"
Blog demo coming soon...

Mitigation & Defense

"What mitigations exist for phishing attacks?"
"Show me all mitigations for privilege escalation"
"What techniques does MFA mitigate?"
Blog demo coming soon...

Compliance & Gap Analysis

"Generate a layer for all techniques our EDR covers"
"Compare APT29 TTPs against our detection capabilities"
"Show unmitigated techniques in our environment"
Blog demo coming soon...

📊 ATT&CK Navigator Visualization

The generate_layer tool produces ATT&CK Navigator–compatible JSON.

Usage:

  1. Ask Claude to generate a layer:

    "Generate an ATT&CK Navigator layer for all techniques used by APT29"

  2. Save the JSON output to a file (e.g., apt29_layer.json)

  3. Upload to ATT&CK Navigator

  4. Visualize technique coverage, threat actor usage, or mitigation mapping

Example Layer Use Cases:

  • Red Team Coverage: Map all techniques used in an exercise
  • Detection Gaps: Highlight unmonitored techniques
  • Threat Actor Profile: Visualize group TTPs
  • Mitigation Coverage: Show what's protected vs. exposed

🔧 Technical Details

Architecture

  • Language: Python 3.12+
  • Framework: FastMCP for Model Context Protocol
  • Data Library: Official mitreattack-python (v5.3.0+)
  • Async/Await: Optimal performance for concurrent queries
  • Type Safety: Full Pydantic models for all data structures
  • Testing: Comprehensive pytest coverage

Data

  • Enterprise ATT&CK: v18.1+ (~50.9MB)
  • Mobile ATT&CK: v18.1+ (~4.9MB)
  • ICS ATT&CK: v18.1+ (~3.5MB)
  • Total: ~59MB cached locally
  • Storage: ~/.mitre-mcp-server/data/v{version}/
  • Update: Auto-downloads on install, uses cached data on subsequent runs

Performance

  • In-memory caching: All domains loaded at startup
  • Query speed: Sub-second for most operations
  • Graph traversal: Efficient relationship queries
  • Concurrent: Handles multiple simultaneous requests

Requirements

  • Python: 3.12 or higher
  • Node.js: 16+ (for NPM installation)
  • Disk Space: ~150MB (includes dependencies + data)
  • Memory: ~200MB RAM when running

🚀 Roadmap & Vision

This project is the first component of a larger vision to build comprehensive agentic security automation by integrating multiple security knowledge bases and frameworks.

Current Status

  • MITRE ATT&CK - Threat intelligence & adversary TTPs (v18.1)

Planned Integrations

  • 🔜 CVE/NVD - Vulnerability intelligence and exploit mapping
  • 🔜 MITRE D3FEND - Defensive countermeasure knowledge graph
  • 🔜 Sigma Rules - Detection rule translation and management
  • 🔜 CAPEC - Common Attack Pattern Enumeration
  • 🔜 CWE - Software weakness enumeration
  • 🔜 Agentic Pentesting - Multi-agent autonomous security testing

Ultimate Goal

Enable AI agents to autonomously:

  • 🎯 Map attack surfaces and identify vulnerabilities
  • 🛡️ Recommend defensive countermeasures
  • 🔍 Generate detection rules and validate coverage
  • 🤖 Orchestrate multi-stage security assessments
  • 📊 Reason about complete attack-defense lifecycles

Get Involved

We welcome contributions from:

  • 🎓 Students working on thesis projects (cybersecurity, AI, agentic systems)
  • 🔬 Researchers in AI security, threat intelligence, or agent frameworks
  • 💻 Developers passionate about security automation
  • 🏢 Organizations interested in research partnerships or commercial applications

Areas of Interest:

  • Integrating additional security frameworks (CVE, D3FEND, Sigma)
  • Building agentic workflows for pentesting and red teaming
  • Developing detection rule generation pipelines
  • Creating threat intelligence reasoning systems
  • Improving MCP tooling and documentation

📬 Interested? Open an issue, start a discussion, or reach out directly!

Join the Discussion →

🤝 Contributing

Found a bug? Have a feature request? Want to contribute to the roadmap?

All contributions welcome!

Development Setup

git clone https://github.com/imouiche/complete-mitre-attack-mcp-server.git
cd complete-mitre-attack-mcp-server
uv sync
# uv run pytest (test/ folder not yet released)
uv run python -m mitre_mcp_server.server

📜 License

Apache License 2.0

See LICENSE for full details.

👨‍💻 About the Author

Inoussa Mouiche, Ph.D.
AI/ML Researcher | Cybersecurity | Agentic AI Systems | Software Engineering

🎓 University of Windsor - WASP Lab
🔬 Research Focus: Threat Intelligence Automation, Machine Learning, Multi-Agent Security Systems, LLM-Powered Security Operations

📫 Connect

🎓 Award Nomination

💼 Open to opportunities in:

  • AI/ML Engineering & Research
  • Cybersecurity & Threat Intelligence
  • Agentic AI Development
  • Security Automation & Orchestration
  • Academic & Industry Collaborations

🙏 Acknowledgments

MITRE ATT&CK® is a registered trademark of The MITRE Corporation.

⭐ Star this repo if you find it useful!

Interested in collaborating on agentic engineering systems? Let's connect!

Made with ❤️ for the cybersecurity and AI communities

⬆ Back to Top