npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

mitre-mcp

v2.0.0

Published

MCP server for MITRE ATT&CK knowledge base - technique lookup, threat intelligence, detection coverage analysis

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

solomonneassolomonneas

Keywords

mcpmitreattackatt&cksocsecuritythreat-intelligencettpstix

Readme

MITRE ATT&CK MCP Server

TypeScript 6 Node.js 20+ MCP 1.x License: MIT

An MCP server providing comprehensive access to the MITRE ATT&CK knowledge base with full SOC stack integration. Enables LLMs to look up techniques, map alerts to ATT&CK, analyze detection coverage, profile campaigns, generate Navigator layers, and correlate across Wazuh, TheHive, Cortex, and MISP.

Features

  • 39 tools for technique lookup, tactic navigation, group intelligence, software analysis, mitigation mapping, detection coverage, alert mapping, campaign profiling, Navigator layer export, and SOC integration
  • 3 resources for matrix overview, version info, and tactic listing
  • 4 prompts for incident mapping, threat hunting, gap analysis, and attribution
  • SOC Integration: Wazuh alert mapping, TheHive case management, Cortex analyzer correlation, MISP event/IOC management
  • Cross-stack correlation: Search for ATT&CK techniques across all connected platforms simultaneously
  • ATT&CK Navigator: Generate layer JSON for heatmaps, group overlays, coverage maps, and diff views
  • Campaign support: Full STIX campaign object parsing and attribution
  • Offline-capable with local STIX 2.1 data caching
  • Auto-updating with configurable refresh intervals
  • Enterprise, Mobile, and ICS matrix support

Prerequisites

  • Node.js 20 or later
  • Internet access for initial ATT&CK data download (cached locally after first run)
  • (Optional) Wazuh, TheHive, Cortex, and/or MISP instances for SOC integration

Installation

git clone https://github.com/solomonneas/mitre-mcp.git
cd mitre-mcp
npm install
npm run build

Configuration

Core Settings

| Variable | Default | Description | |----------|---------|-------------| | MITRE_DATA_DIR | ~/.mitre-mcp/data | Local cache directory for STIX bundles | | MITRE_MATRICES | enterprise | Comma-separated matrices: enterprise, mobile, ics | | MITRE_UPDATE_INTERVAL | 86400 | Auto-update check interval in seconds (default 24h) |

SOC Integration (all optional)

| Variable | Description | |----------|-------------| | WAZUH_URL | Wazuh API URL (e.g., https://wazuh.example.internal:55000) | | WAZUH_USERNAME | Wazuh API username (default: wazuh-wui) | | WAZUH_PASSWORD | Wazuh API password | | WAZUH_VERIFY_SSL | Verify SSL certs (default: true, set false for self-signed) | | THEHIVE_URL | TheHive URL (e.g., http://thehive.example.internal:9000) | | THEHIVE_API_KEY | TheHive API key | | CORTEX_URL | Cortex URL (e.g., http://cortex.example.internal:9001) | | CORTEX_API_KEY | Cortex API key | | MISP_URL | MISP URL (e.g., https://misp.example.internal) | | MISP_API_KEY | MISP API key (authkey) | | MISP_VERIFY_SSL | Verify SSL certs (default: true, set false for self-signed) |

Usage

Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "mitre-attack": {
      "command": "mitre-mcp",
      "env": {
        "MITRE_MATRICES": "enterprise",
        "WAZUH_URL": "https://wazuh.example.internal:55000",
        "WAZUH_USERNAME": "wazuh-wui",
        "WAZUH_PASSWORD": "your-password",
        "WAZUH_VERIFY_SSL": "false",
        "THEHIVE_URL": "http://thehive.example.internal:9000",
        "THEHIVE_API_KEY": "your-api-key",
        "CORTEX_URL": "http://cortex.example.internal:9001",
        "CORTEX_API_KEY": "your-api-key",
        "MISP_URL": "https://misp.example.internal",
        "MISP_API_KEY": "your-api-key",
        "MISP_VERIFY_SSL": "false"
      }
    }
  }
}

Claude Code

claude mcp add mitre-attack \
  --env MITRE_MATRICES=enterprise \
  -- mitre-mcp

Add --scope user to make it available from any directory instead of only the current project. Add --env flags for any SOC integrations (Wazuh, TheHive, Cortex, MISP) you want to enable.

OpenClaw

If you're running from a source checkout instead of the npm-installed binary, point command/args at the built dist/index.js:

openclaw mcp set mitre-attack '{
  "command": "node",
  "args": ["/absolute/path/to/mitre-mcp/dist/index.js"],
  "env": {
    "MITRE_MATRICES": "enterprise"
  }
}'

Or, with the global npm install:

openclaw mcp set mitre-attack '{
  "command": "mitre-mcp",
  "env": {
    "MITRE_MATRICES": "enterprise"
  }
}'

Then restart the OpenClaw gateway so the new server is picked up:

systemctl --user restart openclaw-gateway
openclaw mcp list   # confirm "mitre-attack" is registered

Hermes Agent

Hermes Agent reads MCP config from ~/.hermes/config.yaml under the mcp_servers key. Add an entry:

mcp_servers:
  mitre-attack:
    command: "mitre-mcp"
    env:
      MITRE_MATRICES: "enterprise"

Or, when running from a source checkout instead of the global npm install:

mcp_servers:
  mitre-attack:
    command: "node"
    args: ["/absolute/path/to/mitre-mcp/dist/index.js"]
    env:
      MITRE_MATRICES: "enterprise"

Then reload MCP from inside a Hermes session:

/reload-mcp

Codex CLI

Codex CLI registers MCP servers via codex mcp add:

codex mcp add mitre-attack \
  --env MITRE_MATRICES=enterprise \
  -- mitre-mcp

Or, when running from a source checkout:

codex mcp add mitre-attack \
  --env MITRE_MATRICES=enterprise \
  -- node /absolute/path/to/mitre-mcp/dist/index.js

Codex writes the entry to ~/.codex/config.toml under [mcp_servers.mitre-attack]. Verify with:

codex mcp list

Standalone

npm run start

Development

npm run dev

Tool Reference

Core ATT&CK Tools (19)

Technique Lookup

| Tool | Description | |------|-------------| | mitre_get_technique | Get full details of a technique by ID (T1059, T1059.001) | | mitre_search_techniques | Search techniques by keyword, tactic, platform, data source |

Tactic Navigation

| Tool | Description | |------|-------------| | mitre_list_tactics | List all tactics in kill-chain order | | mitre_get_tactic | Get tactic details with all associated techniques |

Threat Group Intelligence

| Tool | Description | |------|-------------| | mitre_get_group | Get group details including techniques and software used | | mitre_search_groups | Search groups by keyword or technique usage | | mitre_list_groups | List all known threat groups |

Software & Malware

| Tool | Description | |------|-------------| | mitre_get_software | Get software details with techniques and associated groups | | mitre_search_software | Search software by name, technique, or type (malware/tool) |

Mitigation Mapping

| Tool | Description | |------|-------------| | mitre_get_mitigation | Get mitigation details with addressed techniques | | mitre_mitigations_for_technique | Get all mitigations for a specific technique | | mitre_search_mitigations | Search mitigations by keyword |

Detection & Data Sources

| Tool | Description | |------|-------------| | mitre_get_datasource | Get data source details with detectable techniques | | mitre_detection_coverage | Analyze detection coverage based on available data sources |

Mapping & Correlation

| Tool | Description | |------|-------------| | mitre_map_alert_to_technique | Map security alerts to likely ATT&CK techniques | | mitre_technique_overlap | Find technique overlap between groups for attribution | | mitre_attack_path | Generate possible attack paths through the kill chain |

Data Management

| Tool | Description | |------|-------------| | mitre_update_data | Force update of the local ATT&CK data cache | | mitre_data_version | Get current data version and object counts |

Campaign Tools (4)

| Tool | Description | |------|-------------| | mitre_campaign_profile | Build a technique profile with group/software/campaign matching | | mitre_get_campaign | Get campaign details with techniques, software, and groups | | mitre_list_campaigns | List all known ATT&CK campaigns | | mitre_search_campaigns | Search campaigns by keyword or technique |

Navigator Layer Export (1)

| Tool | Description | |------|-------------| | mitre_navigator_layer | Generate ATT&CK Navigator JSON layers (coverage, group, campaign, diff) |

Wazuh Integration (4)

| Tool | Description | |------|-------------| | mitre_wazuh_status | Wazuh manager status, agents, and rule stats | | mitre_map_wazuh_alert | Map Wazuh alerts to ATT&CK techniques by rule ID/description/groups | | mitre_wazuh_rule_coverage | Analyze Wazuh rules mapped to ATT&CK techniques | | mitre_wazuh_alerts | Fetch recent alerts enriched with ATT&CK context |

TheHive Integration (3)

| Tool | Description | |------|-------------| | mitre_thehive_enrich | Enrich a TheHive case with ATT&CK techniques and mitigations | | mitre_thehive_create_case | Create a case pre-populated with ATT&CK context | | mitre_thehive_list_cases | List cases with ATT&CK technique filtering |

Cortex Integration (2)

| Tool | Description | |------|-------------| | mitre_cortex_analyzer_coverage | Map Cortex analyzers to ATT&CK data sources | | mitre_cortex_run_analyzers | Run analyzers on observables with ATT&CK context |

MISP Integration (4)

| Tool | Description | |------|-------------| | mitre_misp_event_to_attack | Map MISP event attributes/galaxies to ATT&CK | | mitre_misp_search_indicators | Search MISP IOCs by technique or group | | mitre_misp_create_event | Create events pre-tagged with ATT&CK techniques | | mitre_misp_list_events | List events with ATT&CK enrichment |

Cross-Stack Correlation (2)

| Tool | Description | |------|-------------| | mitre_soc_status | Connection status for all SOC integrations | | mitre_cross_correlate | Search for techniques across Wazuh, TheHive, and MISP simultaneously |

Resource Reference

| URI | Description | |-----|-------------| | mitre://matrix/enterprise | Full Enterprise ATT&CK matrix (tactics x techniques) | | mitre://version | Current data version and statistics | | mitre://tactics | All tactics in kill-chain order |

Prompt Reference

| Prompt | Description | |--------|-------------| | map-incident-to-attack | Map incident observables to ATT&CK techniques | | threat-hunt-plan | Generate a threat hunting plan | | gap-analysis | Perform detection gap analysis | | attribution-analysis | Assist with threat attribution |

Examples

Check SOC integration status

Use mitre_soc_status to check which SOC platforms are connected.

Map a Wazuh alert to ATT&CK

Use mitre_map_wazuh_alert with ruleId 5710 and ruleGroups ["sshd", "authentication_failed"]
to find matching ATT&CK techniques.

Create an ATT&CK-enriched TheHive case

Use mitre_thehive_create_case with title "Suspected APT28 Activity",
techniques ["T1059.001", "T1566.001", "T1078"] and severity 3
to create a case with ATT&CK context, mitigations, and investigation tasks.

Generate a Navigator coverage layer

Use mitre_navigator_layer with mode "coverage" and
dataSources ["Process", "Network Traffic", "File"]
to generate a heatmap of detection coverage.

Cross-correlate across the SOC stack

Use mitre_cross_correlate with techniques ["T1059.001", "T1566.001"]
to search for related alerts in Wazuh, cases in TheHive, and events in MISP.

Map a MISP event to ATT&CK

Use mitre_misp_event_to_attack with eventId "1"
to extract ATT&CK techniques from MISP galaxies and attributes.

Compare two threat groups

Use mitre_navigator_layer with mode "diff" and
compareGroupIds ["G0007", "G0016"]
to generate a visual comparison of APT28 vs APT29 techniques.

Testing

npm test            # Run all tests
npm run test:watch  # Watch mode
npm run lint        # Type check

Project Structure

mitre-mcp/
  src/
    index.ts              # MCP server entry point
    config.ts             # Environment config (core + SOC)
    types.ts              # STIX/ATT&CK type definitions
    resources.ts          # MCP resources
    prompts.ts            # MCP prompts
    data/
      loader.ts           # STIX bundle downloader and cache manager
      parser.ts           # STIX 2.1 JSON parser (incl. campaigns)
      index.ts            # Indexed, queryable ATT&CK data store
    tools/
      techniques.ts       # Technique lookup and search
      tactics.ts          # Tactic navigation
      groups.ts           # Threat group intelligence
      software.ts         # Software/malware lookup
      mitigations.ts      # Mitigation mapping
      datasources.ts      # Data source and detection coverage
      mapping.ts          # Alert-to-technique mapping and correlation
      campaigns.ts        # Campaign analysis and attribution
      navigator.ts        # ATT&CK Navigator layer generation
      management.ts       # Data update management
    soc/
      client.ts           # HTTP clients for Wazuh, TheHive, Cortex, MISP
      wazuh.ts            # Wazuh alert mapping and rule coverage
      thehive.ts          # TheHive case enrichment and creation
      cortex.ts           # Cortex analyzer coverage mapping
      misp.ts             # MISP event/IOC management
      correlation.ts      # Cross-stack ATT&CK correlation
      index.ts            # SOC module barrel export
  tests/
    parser.test.ts        # STIX parser tests
    tools.test.ts         # Data store query tests
    mapping.test.ts       # Mapping and correlation tests
  package.json
  tsconfig.json
  tsup.config.ts
  vitest.config.ts
  README.md

Data Sources

ATT&CK data is sourced from the official MITRE STIX 2.1 bundles:

  • Enterprise ATT&CK: Windows, Linux, macOS, Cloud, Network, Containers
  • Mobile ATT&CK: Android and iOS
  • ICS ATT&CK: Industrial control systems

Data is downloaded on first run and cached locally. Set MITRE_UPDATE_INTERVAL to control how often the server checks for updates.

License

MIT