MCP Server: ATT&CK Visualization for Full MITRE Framework Access

Complete Mitre Attack MCP Server

The MITRE ATT&CK MCP Server is an AI - native threat intelligence tool that provides comprehensive access to the MITRE ATT&CK framework through the Model Context Protocol. It has the ability to query over 200 techniques, over 140 threat groups, and over 700 software entries, supports the generation of ATT&CK Navigator visualization layers, and is designed for security teams and AI agents.

Security Research and data #Threat Intelligence #Security Framework #AI Tool #MCP Service .Python

rating : 2 points

downloads : 0

update time : 2025-12-29

Open Site

What is the MITRE ATT&CK MCP Server?

This is a server based on the Model Context Protocol (MCP), specifically designed to provide AI systems with access to the MITRE ATT&CK framework. MITRE ATT&CK is the world's most authoritative knowledge base of adversary tactics, techniques, and procedures (TTPs). This server converts complex threat intelligence data into a structured format friendly to LLMs, allowing AI assistants to query and analyze threat information like security experts.

How to use the MITRE ATT&CK MCP Server?

After installation, AI assistants (such as Claude Desktop) can directly query MITRE ATT&CK data through natural language. For example, you can ask 'What initial access techniques does APT29 use?' or 'Generate an ATT&CK navigation map for ransomware groups'. The server will automatically download the official data and cache it locally, providing fast responses.

Applicable scenarios

Suitable for security teams, threat hunters, detection engineers, AI researchers, and any users who need intelligent access to threat intelligence. It can be used for threat analysis, detection rule development, red - team exercise planning, security posture assessment, and automated security report generation.

Main Features

Comprehensive coverage of the ATT&CK framework

Supports the Enterprise, Mobile, and Industrial Control System (ICS) versions of ATT&CK, including over 200 attack techniques, over 140 threat groups, over 700 malware tools, over 100 mitigation measures, and all tactical phases.

Over 65 dedicated query tools

Provides specially designed MCP tools, including querying techniques by ID, searching for threat groups, finding software associations, generating visualization layers, etc., covering all ATT&CK entities and relationships.

ATT&CK navigation map generation

Automatically generate JSON layer files compatible with the ATT&CK Navigator, which can be uploaded to the official navigator website for visual analysis, supporting threat coverage maps, detection gap analysis, etc.

Intelligent caching and automatic updates

Automatically download the official STIX data (~59MB) and cache it locally during the first run. Subsequent queries do not require an internet connection, ensuring fast responses and data consistency.

LLM-friendly output

All data is converted into a structured and easy - to - understand format, specifically optimized for large language models, supporting natural language queries and complex reasoning.

Multi - platform installation support

Supports Python pip installation, Node.js npm installation, and direct npx execution, compatible with macOS, Windows, and Linux systems.

Advantages

No need to manually query the MITRE website. AI assistants can directly access the latest threat intelligence.

Structured data facilitates automated analysis and report generation.

Supports complex relationship queries (e.g., 'Which groups use specific techniques').

Visual output helps quickly understand the threat situation.

Based on official MITRE data, ensuring accuracy and authority.

Seamlessly integrated with MCP clients such as Claude Desktop.

Limitations

The first use requires downloading an approximately 59MB data file.

Requires basic knowledge of MCP client configuration.

Advanced custom analysis may require combining other tools.

Data updates depend on the MITRE official release cycle.

How to Use

Install the server

Choose an installation method suitable for your environment. It is recommended to use npx without installation, or use pip to install the Python version.

Configure Claude Desktop

Add the MCP server configuration to the Claude Desktop configuration file. The macOS configuration file is located at ~/Library/Application Support/Claude/claude_desktop_config.json, and the Windows configuration file is located at %APPDATA%\Claude\claude_desktop_config.json.

Restart and start using

Completely exit and restart Claude Desktop. The server will automatically download MITRE data during the first run. After that, you can query ATT&CK information through natural language.

Usage Examples

Threat intelligence analysis

Security analysts need to quickly understand the attack patterns and technique usage of specific threat groups (such as APT29).

Detection rule development

Detection engineers need to understand the detection methods and data sources of specific attack techniques (such as process injection T1055).

Red - team exercise planning

Red - teams need to plan a simulated attack exercise and need to understand common attack techniques on specific platforms (such as Windows).

Security posture assessment

CISOs need to assess the coverage of an organization's current security controls against common threats.

Frequently Asked Questions

Is an internet connection required for use?

How often is the data updated?

Which MCP clients are supported?

How to generate visual charts?

Can sub - techniques be queried?

Where is the data stored? Can the storage location be customized?

Related Resources

GitHub Repository

Project source code, issue tracking, and contribution guidelines

MCP Official Registry

Entry in the Model Context Protocol official registry

MITRE ATT&CK Official Website

Official documentation and knowledge base of the MITRE ATT&CK framework

ATT&CK Navigator

Online ATT&CK matrix visualization tool

Medium Technical Blog

Practical case of using this server for threat investigation

Hugging Face Demo

Interactive Gradio demo showing multi - agent threat investigation

🚀 MITRE ATT&CK MCP Server

AI-Native Access to the World's Leading Threat Intelligence Framework

This server transforms MITRE ATT&CK, the world's leading adversary knowledge base, into an AI-native interface. It enables LLMs and agentic systems to query techniques, reason over threat relationships, visualize coverage gaps, and scale threat intelligence workflows. Ideal for security teams, threat hunters, detection engineers, AI researchers, and those building intelligent security systems.

🚀 Quick Start

1. Install

pip install mitre-mcp-server

2. Configure Claude Desktop

Add to your claude_desktop_config.json:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "mitre-attack": {
      "command": "npx",
      "args": ["-y", "@imouiche/mitre-attack-mcp-server"]
    }
  }
}

3. Restart Claude Desktop

Quit Claude Desktop completely (Cmd+Q on macOS) and reopen it.

4. Start Querying!

Ask Claude:

"What techniques does APT29 use for initial access?" "Generate an ATT&CK Navigator layer for ransomware groups" "Show me all Windows persistence techniques"

Note: Data downloads automatically on first run (~59MB, cached at ~/.mitre-mcp-server/data/).

✨ Features

✅ 65+ MCP tools across ATT&CK domains (Enterprise, Mobile, ICS).
✅ Automatic STIX download & caching on first run.
✅ Native ATT&CK Navigator layer generation.
✅ Designed for LLMs & MCP-compatible clients.
✅ In-memory caching for instant query responses.
✅ Type-safe with Pydantic models.
✅ Clean, production-ready, self-contained server.
✅ Comprehensive test coverage.

📦 Installation

Via PyPI (recommended) - Python Users

pip install mitre-mcp-server

npm

npm install -g @imouiche/mitre-attack-mcp-server

npx (no installation required)

npx @imouiche/mitre-attack-mcp-server

Via uv (Modern Python)

uv pip install mitre-mcp-server

Local Development

git clone https://github.com/imouiche/complete-mitre-attack-mcp-server.git
cd complete-mitre-attack-mcp-server
npm install

Using uv (Python package manager)

git clone https://github.com/imouiche/complete-mitre-attack-mcp-server.git
cd complete-mitre-attack-mcp-server
uv sync

📦 MCP Registry

This server is officially registered in the Model Context Protocol (MCP) Registry.

Registry ID: io.github.imouiche/mitre-attack-mcp-server

View in Official Registry: https://registry.modelcontextprotocol.io/?q=mitre-attack-mcp-server

Installation Options

Option 1: Direct NPM

npm install -g @imouiche/mitre-attack-mcp-server

Option 2: NPX (no installation)

npx @imouiche/mitre-attack-mcp-server

Option 3: Discover via Registry

Visit MCP Registry.
Search for "mitre-attack".
Click the server card for installation instructions.

💻 Usage Examples

Threat Intelligence

"What techniques does APT29 use for initial access?"
"Which groups target financial institutions?"
"Show me all ransomware-related software"
"What are the aliases for the Lazarus Group?"

Detection Engineering

"What data sources detect credential dumping?"
"Generate a coverage map for EDR capabilities"
"List all techniques for Windows privilege escalation"
"What can detect T1055 (Process Injection)?"

Threat Hunting

"What techniques use PowerShell?"
"Show me lateral movement techniques for Linux"
"Which groups use Cobalt Strike?"
"What persistence techniques target macOS?"

Mitigation & Defense

"What mitigations exist for phishing attacks?"
"Show me all mitigations for privilege escalation"
"What techniques does MFA mitigate?"

Compliance & Gap Analysis

"Generate a layer for all techniques our EDR covers"
"Compare APT29 TTPs against our detection capabilities"
"Show unmitigated techniques in our environment"

🛠️ Available Tools

The server exposes 50+ MCP tools covering all major MITRE ATT&CK entities and relationships.

📊 Infrastructure & Metadata

Property	Details
`get_data_stats`	Show download status, file paths, sizes, and ATT&CK release version
`generate_layer`	Generate an ATT&CK Navigator layer (JSON output)
`get_layer_metadata`	Return Navigator layer metadata template

🎯 Techniques

Property	Details
`get_technique_by_id`	Get a technique by ATT&CK ID (e.g., T1055)
`search_techniques`	Search techniques by name or description
`get_all_techniques`	Retrieve all techniques
`get_all_parent_techniques`	Parent techniques only
`get_all_subtechniques`	All subtechniques
`get_subtechniques_of_technique`	Subtechniques of a parent
`get_parent_technique_of_subtechnique`	Parent of a subtechnique
`get_technique_tactics`	Tactics associated with a technique
`get_techniques_by_tactic`	Techniques under a tactic
`get_techniques_by_platform`	Techniques for a platform
`get_revoked_techniques`	Revoked techniques

🧑‍💻 Groups (Threat Actors)

Property	Details
`get_group_by_name`	Find group by name or alias
`search_groups`	Search groups
`get_all_groups`	All ATT&CK groups
`get_groups_by_alias`	Lookup groups by alias
`get_groups_using_technique`	Groups using a technique
`get_groups_using_software`	Groups using software
`get_groups_attributing_to_campaign`	Groups attributed to a campaign

🧪 Software (Malware & Tools)

Property	Details
`get_software`	Get all software
`search_software`	Search software
`get_software_by_alias`	Lookup software by alias
`get_software_used_by_group`	Software used by a group
`get_software_used_by_campaign`	Software used in campaigns
`get_software_using_technique`	Software using a technique

📌 Campaigns

Property	Details
`get_all_campaigns`	Get all campaigns
`get_campaigns_by_alias`	Lookup campaigns by alias
`get_campaigns_using_technique`	Campaigns using a technique
`get_campaigns_using_software`	Campaigns using software
`get_campaigns_attributed_to_group`	Campaign attribution

🛡️ Mitigations

Property	Details
`get_all_mitigations`	Get all mitigations
`get_mitigations_mitigating_technique`	Mitigations for a technique
`get_techniques_mitigated_by_mitigation`	Techniques mitigated by a mitigation

🧭 Tactics, Data Sources & ICS

Property	Details
`get_all_tactics`	Get all tactics
`get_all_datasources`	Get all data sources
`get_all_datacomponents`	Get all data components
`get_datacomponents_detecting_technique`	Data components detecting a technique
`get_all_assets`	Get ICS assets
`get_assets_targeted_by_technique`	Assets targeted by a technique

📊 ATT&CK Navigator Visualization

The generate_layer tool produces ATT&CK Navigator–compatible JSON.

Usage:

Ask Claude to generate a layer:

"Generate an ATT&CK Navigator layer for all techniques used by APT29"
Save the JSON output to a file (e.g., apt29_layer.json).
Upload to ATT&CK Navigator.
Visualize technique coverage, threat actor usage, or mitigation mapping.

Real-World Example Using LangGraph

Threat Investigation:
Read my Medium blog demonstrating how a multi-agent LangGraph system leverages these tools to perform a real-world threat investigation.
Live Demo:
Explore the interactive Gradio 6.2 demo on Hugging Face Spaces.

Example Layer Use Cases

Red Team Coverage: Map all techniques used in an exercise.
Detection Gaps: Highlight unmonitored techniques.
Threat Actor Profile: Visualize group TTPs.
Mitigation Coverage: Show what's protected vs. exposed.

🔧 Technical Details

Architecture

Language: Python 3.12+
Framework: FastMCP for Model Context Protocol
Data Library: Official mitreattack-python (v5.3.0+)
Async/Await: Optimal performance for concurrent queries
Type Safety: Full Pydantic models for all data structures
Testing: Comprehensive pytest coverage

Data

Enterprise ATT&CK: v18.1+ (~50.9MB)
Mobile ATT&CK: v18.1+ (~4.9MB)
ICS ATT&CK: v18.1+ (~3.5MB)
Total: ~59MB cached locally
Storage: ~/.mitre-mcp-server/data/v{version}/
Update: Auto-downloads on install, uses cached data on subsequent runs

Performance

In-memory caching: All domains loaded at startup.
Query speed: Sub-second for most operations.
Graph traversal: Efficient relationship queries.
Concurrent: Handles multiple simultaneous requests.

Requirements

Python: 3.12 or higher
Node.js: 16+ (for NPM installation)
Disk Space: ~150MB (includes dependencies + data)
Memory: ~200MB RAM when running

🚀 Roadmap & Vision

This project is the first component of a larger vision to build comprehensive agentic security automation by integrating multiple security knowledge bases and frameworks.

Current Status

✅ MITRE ATT&CK - Threat intelligence & adversary TTPs (v18.1)

Planned Integrations

🔜 CVE/NVD - Vulnerability intelligence and exploit mapping
🔜 MITRE D3FEND - Defensive countermeasure knowledge graph
🔜 Sigma Rules - Detection rule translation and management
🔜 CAPEC - Common Attack Pattern Enumeration
🔜 CWE - Software weakness enumeration
🔜 Agentic Pentesting - Multi-agent autonomous security testing

Ultimate Goal

Enable AI agents to autonomously:

🎯 Map attack surfaces and identify vulnerabilities.
🛡️ Recommend defensive countermeasures.
🔍 Generate detection rules and validate coverage.
🤖 Orchestrate multi-stage security assessments.
📊 Reason about complete attack-defense lifecycles.

Get Involved

We welcome contributions from:

🎓 Students working on thesis projects (cybersecurity, AI, agentic systems).
🔬 Researchers in AI security, threat intelligence, or agent frameworks.
💻 Developers passionate about security automation.
🏢 Organizations interested in research partnerships or commercial applications.

Areas of Interest:

Integrating additional security frameworks (CVE, D3FEND, Sigma).
Building agentic workflows for pentesting and red teaming.
Developing detection rule generation pipelines.
Creating threat intelligence reasoning systems.
Improving MCP tooling and documentation.

📬 Interested? Open an issue, start a discussion, or reach out directly!

Join the Discussion →

🤝 Contributing

Found a bug? Have a feature request? Want to contribute to the roadmap?

All contributions welcome!

Development Setup

git clone https://github.com/imouiche/complete-mitre-attack-mcp-server.git
cd complete-mitre-attack-mcp-server
uv sync
# uv run pytest (test/ folder not yet released)
uv run python -m mitre_mcp_server.server

📄 License

Apache License 2.0

See LICENSE for full details.

👨‍💻 About the Author

Inoussa Mouiche, Ph.D.
AI/ML Researcher | Cybersecurity | Agentic AI Systems | Software Engineering

🎓 University of Windsor - WASP Lab
🔬 Research Focus: Threat Intelligence Automation, Machine Learning, Multi-Agent Security Systems, LLM-Powered Security Operations

📫 Connect

🐙 GitHub: @imouiche
📧 Email: mouiche@uwindsor.ca
💼 LinkedIn: Inoussa Mouiche, Ph.D.
📚 Google Scholar: Publications

🎓 Award Nomination

Gold Medal: The Governor General's Academic Medal

💼 Open to opportunities in:

AI/ML Engineering & Research
Cybersecurity & Threat Intelligence
Agentic AI Development
Security Automation & Orchestration
Academic & Industry Collaborations

🙏 Acknowledgments

Built on MITRE ATT&CK® - the industry standard for adversary tactics and techniques.
Powered by mitreattack-python - official MITRE library.
Implements Model Context Protocol - Anthropic's standard for AI-tool integration.
Inspired by the amazing MCP developer community including R. Jasper, and more...

MITRE ATT&CK® is a registered trademark of The MITRE Corporation.

⭐ Star this repo if you find it useful!

Interested in collaborating on agentic engineering systems? Let's connect!

Made with ❤️ for the cybersecurity and AI communities

⬆ Back to Top