MITRE ATT&CK

v0.3.1Securitystable

A Model Context Protocol (MCP) server that provides tools for working with the MITRE ATT&CK framework using the mitreattack-python library and the official MCP Python SDK.

mitremcpai-integration
Share:
11
Stars
0
Downloads
0
Weekly
0/5

What is MITRE ATT&CK?

MITRE ATT&CK is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to model context protocol (mcp) server that provides tools for working with the mitre att&ck framework using the mitreattack-python library and the official mcp python sdk.

A Model Context Protocol (MCP) server that provides tools for working with the MITRE ATT&CK framework using the mitreattack-python library and the official MCP Python SDK.

This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • A Model Context Protocol (MCP) server that provides tools fo

Use Cases

Query MITRE ATT&CK framework data for threat analysis and security research.
Understand attacker tactics, techniques, and procedures through AI assistants.
Montimage

Maintainer

LicenseMIT
Languagejavascript
Versionv0.3.1
UpdatedMay 19, 2026
Statushealthy
Maintenanceactive

Works with

ClaudeOpenAIwindowsmacoslinux

Installation

PIP

pip install mitre-mcp

Manual Installation

pip install mitre-mcp

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time< 200ms
ThroughputMedium

Resource Usage

Memory UsageLow
CPU UsageLow

How to Set Up and Use MITRE ATT&CK

MITRE ATT&CK MCP Server provides AI assistants with structured access to the full MITRE ATT&CK knowledge base via the mitreattack-python library. It exposes tools for querying tactics, techniques, threat actor groups, software, and mitigations across Enterprise, Mobile, and ICS domains — enabling threat analysis and security research through natural language.

Prerequisites

  • Python 3.9 or higher with pip available
  • At least 200 MB of free disk space for the ATT&CK bundle cache
  • Internet access for the initial download of ATT&CK data from MITRE's GitHub
  • An MCP-compatible client such as Claude Desktop
1

Install the package

Install mitre-mcp from PyPI. This installs both the server and the mitre-mcp command-line entry point.

pip install mitre-mcp
2

Run the server in HTTP mode (recommended)

Start the server in HTTP mode. On first run it will download the ATT&CK bundles from MITRE's GitHub repository and cache them locally.

mitre-mcp --http
# Or bind to a specific host/port:
mitre-mcp --http --host 0.0.0.0 --port 8080
3

Configure Claude Desktop for HTTP transport

Add the server to your claude_desktop_config.json pointing at the running HTTP endpoint.

{
  "mcpServers": {
    "mitreattack": {
      "url": "http://localhost:8000/mcp"
    }
  }
}
4

Alternative: stdio mode configuration

If you prefer stdio transport (no separate server process needed), configure Claude Desktop to launch the server inline.

{
  "mcpServers": {
    "mitreattack": {
      "command": "mitre-mcp",
      "args": []
    }
  }
}
5

Force a data refresh (optional)

To refresh the cached ATT&CK data before the default 1-day expiry, run the server with the --force-download flag.

mitre-mcp --http --force-download

MITRE ATT&CK Examples

Client configuration

Complete claude_desktop_config.json for MITRE ATT&CK MCP Server using stdio mode.

{
  "mcpServers": {
    "mitreattack": {
      "command": "mitre-mcp",
      "args": [],
      "env": {
        "MITRE_LOG_LEVEL": "WARNING",
        "MITRE_CACHE_EXPIRY_DAYS": "1"
      }
    }
  }
}

Prompts to try

Example security research prompts to use once MITRE ATT&CK MCP Server is connected.

- "List all techniques associated with the Initial Access tactic in the Enterprise ATT&CK domain."
- "What techniques does APT29 use? Show me the IDs and descriptions."
- "Look up technique T1055 (Process Injection) and explain the sub-techniques."
- "What mitigations are available for the Credential Access tactic?"
- "List all software categorized as ransomware in the ATT&CK framework."

Troubleshooting MITRE ATT&CK

Server hangs on startup for a long time

On first run the server downloads ATT&CK bundles (~150 MB total) from MITRE's GitHub. This is expected and only happens once. Subsequent starts use the local cache. Use --force-download only when you explicitly want to refresh.

Insufficient disk space error on startup

The server requires at least MITRE_REQUIRED_SPACE_MB (default 200 MB) free in the cache directory. Free up disk space or change the cache location by setting the MITRE_DATA_DIR environment variable to a path with more space.

get_techniques returns empty results for a known technique ID

Ensure you specify the correct domain (enterprise-attack, mobile-attack, or ics-attack). Technique IDs like T1055 exist in Enterprise but not all domains. Use get_tactics first to confirm the domain structure.

Frequently Asked Questions about MITRE ATT&CK

What is MITRE ATT&CK?

MITRE ATT&CK is a Model Context Protocol (MCP) server that model context protocol (mcp) server that provides tools for working with the mitre att&ck framework using the mitreattack-python library and the official mcp python sdk. It connects AI assistants to external tools and data sources through a standardized interface.

How do I install MITRE ATT&CK?

Install via pip with: pip install mitre-mcp. Then configure your AI client to connect to this MCP server.

Which AI clients work with MITRE ATT&CK?

MITRE ATT&CK works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is MITRE ATT&CK free to use?

Yes, MITRE ATT&CK is open source and available under the MIT license. You can use it freely in both personal and commercial projects.

MITRE ATT&CK Alternatives — Similar Security Servers

Looking for alternatives to MITRE ATT&CK? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

An Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u

Browse More Security MCP Servers

Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.

Quick Config Preview

{ "mcpServers": { "mitre": { "command": "pip", "args": ["install", "mitre-mcp"] } } }

Add this to your claude_desktop_config.json or .cursor/mcp.json

Read the full setup guide →

Ready to use MITRE ATT&CK?

Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.

33,000+ ServersFree & Open SourceStep-by-Step Guides