- Home
- MCP servers
- MITRE ATT&CK
MITRE ATT&CK
- typescript
7
GitHub Stars
typescript
Language
4 months ago
First Indexed
2 months ago
Catalog Refreshed
Documentation & install
Readme and setup notes from the catalogue, plus a client-ready config you can copy for your MCP host.
You can access MITRE ATT&CK data through a production-ready MCP server that serves comprehensive ATT&CK content to LLMs, AI assistants, and automation workflows. It provides fast, secure lookups, supports local stdio and HTTP transports, and includes intelligent caching to keep data up to date.
How to use
Start by choosing how you want to connect your MCP client. The HTTP mode exposes a web-accessible endpoint for multiple clients, while the stdio mode enables a local, file-system-based workflow. You can perform rapid technique lookups, fetch techniques by tactic, explore threat groups, and retrieve mitigations and software with minimal latency thanks to pre-built indices.
How to install
Prerequisites: you need Python installed and a compatible environment to run the MCP server. You will install the MCP package from PyPI.
python3 -m venv .venv
source .venv/bin/activate # On Windows: .venv\Scripts\activate.bat
pip install mitre-mcp
mitre-mcp --help
Configuration and usage notes
The server supports two transport modes. Use HTTP mode for web-based integrations and concurrent clients, or stdio mode for local, script-based clients. You can customize data sources, cache expiry, and network timeouts through environment variables listed in the configuration section.
Configuration
Environment variables control data sources, caching, and server behavior. The following variables are used to configure the MCP server:
HTTP mode configuration example
{
"type": "http",
"name": "mitreattack_http",
"url": "http://localhost:8000/mcp",
"args": []
}
Start the HTTP server with the default port and address, then configure your MCP client to point to the provided URL.
## stdio mode configuration example
{ "type": "stdio", "name": "mitreattack_stdio", "command": "/absolute/path/to/.venv/bin/python", "args": ["-m", "mitre_mcp.mitre_mcp_server"] }
This runs the MCP server locally and accepts commands via standard input and output.
Performance
The MCP server uses pre-built indices to achieve O(1) technique lookups, delivering 80-95% faster response times compared to scanning. Data downloads and caching are optimized with TLS-enabled HTTP pooling and parallel processing to reduce startup time.
Programmatic API and tools
The MCP server exposes a programmatic API for Python and Node.js clients. You can fetch tactics, techniques, groups, and mitigations, and execute compound queries such as discovering techniques used by a specific group or filtering techniques by tactic.
Development and testing notes
Development workflows emphasize code quality and test coverage. Use the project’s pre-commit hooks, run the full test suite, and ensure formatting with the standard Python tools.
Troubleshooting
If the server cannot start, verify that you are using a valid Python environment and that the correct command is used for HTTP or stdio mode. For HTTP mode, ensure the server URL is reachable and that port 8000 is not blocked by a firewall. If data fails to download, you may need to adjust the cache expiry or force a fresh download.
FAQ
Available tools
List all tactical categories and provide domain-specific tactics. Used to discover the organization of ATT&CK content.
List all techniques with optional filtering, enabling you to drill into specific techniques by ID, tactic, domain, or metadata.
Fetch a single technique by its ATT&CK ID (for example, T1055) and return its details.
Retrieve techniques for a given tactic like persistence or execution.
List threat actor groups and their associated details.
Show techniques associated with a specific group or actor, such as APT29.
List malware and tools with optional filtering to identify software used in ATT&CK.
List mitigations and the techniques they address.
Return the techniques mitigated by a specified mitigation.