MITRE ATT&CK

Provides up-to-date MITRE ATT&CK data via HTTP or stdio MCP transports for fast technique lookups and threat intelligence access.
  • typescript

7

GitHub Stars

typescript

Language

4 months ago

First Indexed

2 months ago

Catalog Refreshed

Documentation & install

Readme and setup notes from the catalogue, plus a client-ready config you can copy for your MCP host.

Installation

Add the following to your MCP client configuration file.

Configuration

View docs

You can access MITRE ATT&CK data through a production-ready MCP server that serves comprehensive ATT&CK content to LLMs, AI assistants, and automation workflows. It provides fast, secure lookups, supports local stdio and HTTP transports, and includes intelligent caching to keep data up to date.

How to use

Start by choosing how you want to connect your MCP client. The HTTP mode exposes a web-accessible endpoint for multiple clients, while the stdio mode enables a local, file-system-based workflow. You can perform rapid technique lookups, fetch techniques by tactic, explore threat groups, and retrieve mitigations and software with minimal latency thanks to pre-built indices.

How to install

Prerequisites: you need Python installed and a compatible environment to run the MCP server. You will install the MCP package from PyPI.

python3 -m venv .venv
source .venv/bin/activate  # On Windows: .venv\Scripts\activate.bat
pip install mitre-mcp
mitre-mcp --help

Configuration and usage notes

The server supports two transport modes. Use HTTP mode for web-based integrations and concurrent clients, or stdio mode for local, script-based clients. You can customize data sources, cache expiry, and network timeouts through environment variables listed in the configuration section.

Configuration

Environment variables control data sources, caching, and server behavior. The following variables are used to configure the MCP server:

HTTP mode configuration example

{
  "type": "http",
  "name": "mitreattack_http",
  "url": "http://localhost:8000/mcp",
  "args": []
}

Start the HTTP server with the default port and address, then configure your MCP client to point to the provided URL.

## stdio mode configuration example

{ "type": "stdio", "name": "mitreattack_stdio", "command": "/absolute/path/to/.venv/bin/python", "args": ["-m", "mitre_mcp.mitre_mcp_server"] }


This runs the MCP server locally and accepts commands via standard input and output.

Performance

The MCP server uses pre-built indices to achieve O(1) technique lookups, delivering 80-95% faster response times compared to scanning. Data downloads and caching are optimized with TLS-enabled HTTP pooling and parallel processing to reduce startup time.

Programmatic API and tools

The MCP server exposes a programmatic API for Python and Node.js clients. You can fetch tactics, techniques, groups, and mitigations, and execute compound queries such as discovering techniques used by a specific group or filtering techniques by tactic.

Development and testing notes

Development workflows emphasize code quality and test coverage. Use the project’s pre-commit hooks, run the full test suite, and ensure formatting with the standard Python tools.

Troubleshooting

If the server cannot start, verify that you are using a valid Python environment and that the correct command is used for HTTP or stdio mode. For HTTP mode, ensure the server URL is reachable and that port 8000 is not blocked by a firewall. If data fails to download, you may need to adjust the cache expiry or force a fresh download.

FAQ

Available tools

List all tactical categories and provide domain-specific tactics. Used to discover the organization of ATT&CK content.

List all techniques with optional filtering, enabling you to drill into specific techniques by ID, tactic, domain, or metadata.

Fetch a single technique by its ATT&CK ID (for example, T1055) and return its details.

Retrieve techniques for a given tactic like persistence or execution.

List threat actor groups and their associated details.

Show techniques associated with a specific group or actor, such as APT29.

List malware and tools with optional filtering to identify software used in ATT&CK.

List mitigations and the techniques they address.

Return the techniques mitigated by a specified mitigation.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
MITRE ATT&CK MCP Server - montimage/mitre-mcp | VeilStrat