mitre-mcp

v1.0.0

MCP server for MITRE ATT&CK knowledge base - technique lookup, threat intelligence, detection coverage analysis

MITRE ATT&CK MCP Server

TypeScript 5.7 Node.js 20+ MCP 1.x License: MIT

An MCP server providing comprehensive access to the MITRE ATT&CK knowledge base. Enables LLMs to look up techniques, map alerts to ATT&CK, analyze detection coverage, profile campaigns, and generate threat intelligence context.

Features

  • 19 tools for technique lookup, tactic navigation, group intelligence, software analysis, mitigation mapping, detection coverage, alert mapping, campaign profiling, and data management
  • 3 resources for matrix overview, version info, and tactic listing
  • 4 prompts for incident mapping, threat hunting, gap analysis, and attribution
  • Offline-capable with local STIX 2.1 data caching
  • Auto-updating with configurable refresh intervals
  • Enterprise, Mobile, and ICS matrix support

Prerequisites

  • Node.js 20 or later
  • Internet access for initial ATT&CK data download (cached locally after first run)

Installation

git clone https://github.com/solomonneas/mitre-mcp.git
cd mitre-mcp
npm install
npm run build

Configuration

| Variable | Default | Description |
|----------|---------|-------------|
| MITRE_DATA_DIR | ~/.mitre-mcp/data | Local cache directory for STIX bundles |
| MITRE_MATRICES | enterprise | Comma-separated matrices: enterprise, mobile, ics |
| MITRE_UPDATE_INTERVAL | 86400 | Auto-update check interval in seconds (default 24h) |

Usage

Claude Desktop

Add to your Claude Desktop configuration (claude_desktop_config.json):

{
  "mcpServers": {
    "mitre-attack": {
      "command": "node",
      "args": ["/path/to/mitre-mcp/dist/index.js"],
      "env": {
        "MITRE_MATRICES": "enterprise"
      }
    }
  }
}

OpenClaw

Add to your openclaw.json:

{
  "mcp": {
    "servers": {
      "mitre-attack": {
        "type": "stdio",
        "command": "node",
        "args": ["/path/to/mitre-mcp/dist/index.js"]
      }
    }
  }
}

Standalone

npm run start

Development

npm run dev

Tool Reference

Technique Lookup

| Tool | Description |
|------|-------------|
| mitre_get_technique | Get full details of a technique by ID (T1059, T1059.001) |
| mitre_search_techniques | Search techniques by keyword, tactic, platform, data source |

Tactic Navigation

| Tool | Description |
|------|-------------|
| mitre_list_tactics | List all tactics in kill-chain order |
| mitre_get_tactic | Get tactic details with all associated techniques |

Threat Group Intelligence

| Tool | Description |
|------|-------------|
| mitre_get_group | Get group details including techniques and software used |
| mitre_search_groups | Search groups by keyword or technique usage |
| mitre_list_groups | List all known threat groups |

Software & Malware

| Tool | Description |
|------|-------------|
| mitre_get_software | Get software details with techniques and associated groups |
| mitre_search_software | Search software by name, technique, or type (malware/tool) |

Mitigation Mapping

| Tool | Description |
|------|-------------|
| mitre_get_mitigation | Get mitigation details with addressed techniques |
| mitre_mitigations_for_technique | Get all mitigations for a specific technique |
| mitre_search_mitigations | Search mitigations by keyword |

Detection & Data Sources

| Tool | Description |
|------|-------------|
| mitre_get_datasource | Get data source details with components and detectable techniques |
| mitre_detection_coverage | Analyze detection coverage based on available data sources |

Mapping & Correlation

| Tool | Description |
|------|-------------|
| mitre_map_alert_to_technique | Map security alerts to likely ATT&CK techniques with scoring |
| mitre_technique_overlap | Find technique overlap between groups for attribution |
| mitre_attack_path | Generate possible attack paths through the kill chain |

Campaign Analysis

| Tool | Description |
|------|-------------|
| mitre_campaign_profile | Build a technique profile from observed techniques |

Data Management

| Tool | Description |
|------|-------------|
| mitre_update_data | Force update of the local ATT&CK data cache |
| mitre_data_version | Get current data version and object counts |

Resource Reference

| URI | Description |
|-----|-------------|
| mitre://matrix/enterprise | Full Enterprise ATT&CK matrix (tactics x techniques) |
| mitre://version | Current data version and statistics |
| mitre://tactics | All tactics in kill-chain order |

Prompt Reference

| Prompt | Description |
|--------|-------------|
| map-incident-to-attack | Map incident observables to ATT&CK techniques |
| threat-hunt-plan | Generate a threat hunting plan |
| gap-analysis | Perform detection gap analysis |
| attribution-analysis | Assist with threat attribution |

Examples

Look up a technique

Use mitre_get_technique with techniqueId "T1059.001" to get PowerShell technique details.

Find techniques for a tactic

Use mitre_search_techniques with tactic "initial-access" to list all initial access techniques.

Analyze detection coverage

Use mitre_detection_coverage with availableDataSources ["Process", "Network Traffic", "File"]
to see what percentage of techniques your environment can detect.
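
The kind of calculation behind a data-source coverage figure can be reproduced against STIX objects directly. The TypeScript below is an added illustration, not mitre-mcp's own code: the names `detectionCoverage`, `attackId`, `mitreRef` and `SAMPLE` are hypothetical, the IDs T9998 and T9999 are constructed placeholders, and it assumes techniques carry `x_mitre_data_sources` strings of the form "Source: Component".

```typescript
// Added example; not the mitre-mcp implementation of mitre_detection_coverage.
interface StixObject {
  type: string;
  revoked?: boolean;
  x_mitre_deprecated?: boolean;
  x_mitre_data_sources?: string[]; // assumption: "Source: Component" strings
  external_references?: { source_name: string; external_id?: string }[];
}
interface CoverageReport {
  total: number; percent: number;
  covered: string[]; uncovered: string[]; noDataSources: string[];
}

// ATT&CK ID (e.g. T1059.001) taken from the "mitre-attack" external reference.
function attackId(obj: StixObject): string | undefined {
  const ref = (obj.external_references ?? []).filter(r => r.source_name === "mitre-attack")[0];
  return ref ? ref.external_id : undefined;
}

function detectionCoverage(objects: StixObject[], available: string[]): CoverageReport {
  const have = available.map(s => s.trim().toLowerCase());
  const out: CoverageReport = { total: 0, percent: 0, covered: [], uncovered: [], noDataSources: [] };
  for (const obj of objects) {
    // Only live techniques count: skip other STIX types, revoked and deprecated entries.
    if (obj.type !== "attack-pattern" || obj.revoked || obj.x_mitre_deprecated) continue;
    const id = attackId(obj);
    if (!id) continue;
    out.total++;
    // Compare on the data source name only, dropping the ": Component" suffix.
    const sources = (obj.x_mitre_data_sources ?? []).map(s => s.replace(/:.*/, "").trim().toLowerCase());
    if (sources.length === 0) out.noDataSources.push(id); // cannot be scored; reported separately
    else if (sources.some(s => have.indexOf(s) !== -1)) out.covered.push(id);
    else out.uncovered.push(id);
  }
  out.percent = out.total ? Math.round((out.covered.length / out.total) * 1000) / 10 : 0;
  return out;
}

// Constructed sample objects shaped like ATT&CK STIX entries (not real bundle data).
const mitreRef = (id: string) => [{ source_name: "mitre-attack", external_id: id }];
const SAMPLE: StixObject[] = [
  { type: "attack-pattern", external_references: mitreRef("T1059.001"), x_mitre_data_sources: ["Command: Command Execution", "Process: Process Creation"] },
  { type: "attack-pattern", external_references: mitreRef("T1566.001"), x_mitre_data_sources: ["Application Log: Application Log Content", "Network Traffic: Network Traffic Content"] },
  { type: "attack-pattern", external_references: mitreRef("T1078"), x_mitre_data_sources: ["Logon Session: Logon Session Creation", "User Account: User Account Authentication"] },
  { type: "attack-pattern", external_references: mitreRef("T9998"), revoked: true, x_mitre_data_sources: ["File: File Creation"] },
  { type: "attack-pattern", external_references: mitreRef("T9999") },
  { type: "intrusion-set" },
];
console.log(detectionCoverage(SAMPLE, ["Process", "Network Traffic", "File"]));
```

A technique listed as covered only means a relevant data source is collected; it does not show that a detection rule exists for it.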

Profile a campaign

Use mitre_campaign_profile with techniques ["T1059.001", "T1566.001", "T1078"]
to identify likely threat actors and recommended mitigations.

Map an alert

Use mitre_map_alert_to_technique with alertType "PowerShell encoded command execution detected"
and platform "Windows" to find matching ATT&CK techniques.

Testing

npm test            # Run all tests
npm run test:watch  # Watch mode
npm run lint        # Type check

Project Structure

mitre-mcp/
  src/
    index.ts              # MCP server entry point
    config.ts             # Environment config
    types.ts              # STIX/ATT&CK type definitions
    resources.ts          # MCP resources
    prompts.ts            # MCP prompts
    data/
      loader.ts           # STIX bundle downloader and cache manager
      parser.ts           # STIX 2.1 JSON parser
      index.ts            # Indexed, queryable ATT&CK data store
    tools/
      techniques.ts       # Technique lookup and search
      tactics.ts          # Tactic navigation
      groups.ts           # Threat group intelligence
      software.ts         # Software/malware lookup
      mitigations.ts      # Mitigation mapping
      datasources.ts      # Data source and detection coverage
      mapping.ts          # Alert-to-technique mapping and correlation
      campaigns.ts        # Campaign analysis
      management.ts       # Data update management
  tests/
    parser.test.ts        # STIX parser tests
    tools.test.ts         # Data store query tests
    mapping.test.ts       # Mapping and correlation tests
  package.json
  tsconfig.json
  tsup.config.ts
  vitest.config.ts
  README.md

Data Sources

ATT&CK data is sourced from the official MITRE STIX 2.1 bundles:

  • Enterprise ATT&CK - Covers Windows, Linux, macOS, Cloud, Network, Containers
  • Mobile ATT&CK - Covers Android and iOS
  • ICS ATT&CK - Covers industrial control systems

Data is downloaded on first run and cached locally. Set MITRE_UPDATE_INTERVAL to control how often the server checks for updates.

License

MIT