MITRE ATT&CK

v1.0.0Securitystable

Provides comprehensive access to the MITRE ATT\\&CK knowledge base with 50+ tools for querying threat actors, malware, and techniques, including automatic ATT\\&CK Navigator layer generation for threat analysis and visualization.

attackmcpmitremodel-context-protocol
Share:
41
Stars
0
Downloads
0
Weekly
0/5

What is MITRE ATT&CK?

MITRE ATT&CK is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to provides comprehensive access to the mitre att\\&ck knowledge base with 50+ tools for querying threat actors, malware, and techniques, including automatic att\\&ck navigator layer generation for threa...

Provides comprehensive access to the MITRE ATT\\&CK knowledge base with 50+ tools for querying threat actors, malware, and techniques, including automatic ATT\\&CK Navigator layer generation for threat analysis and visualization.

This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • Provides comprehensive access to the MITRE ATT\\\\&CK knowledg

Use Cases

Query threat actors and malware in MITRE ATT&CK knowledge base.
Generate ATT&CK Navigator layers for threat visualization.
Analyze techniques and tactics for security research.
stoyky

Maintainer

LicenseMIT
Languagepython
Versionv1.0.0
UpdatedMay 18, 2026
Statushealthy
Maintenanceactive

Works with

ClaudeOpenAIwindowsmacoslinux

Installation

Manual Installation

npx mitre-att-ck-mcp-server

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time< 200ms
ThroughputMedium

Resource Usage

Memory UsageLow
CPU UsageLow

How to Set Up and Use MITRE ATT&CK

The MITRE ATT&CK MCP Server provides comprehensive programmatic access to the MITRE ATT&CK knowledge base through more than 50 structured query tools, enabling security analysts and threat intelligence teams to query threat actors, malware families, techniques, and tactics directly from an AI assistant. It automatically downloads and caches the ATT&CK STIX data locally, supports all ATT&CK matrices (Enterprise, Mobile, ICS), and can generate ATT&CK Navigator layer JSON files for visualizing threat actor technique coverage. Analysts use it to accelerate threat research, map observed TTPs to ATT&CK, perform technique overlap analysis between adversary groups, and produce visualization layers without manually navigating the ATT&CK website.

Prerequisites

  • Python 3.10 or later with pipx installed
  • Internet access to download the MITRE ATT&CK STIX data on first run (cached locally afterward)
  • An MCP-compatible client such as Claude Desktop
  • Optional: a custom data directory path if you want to control where ATT&CK data is cached
1

Install the MITRE ATT&CK MCP server

Install directly from GitHub using pipx. This makes the mitre-attack-mcp command available globally.

pipx install git+https://github.com/stoyky/mitre-attack-mcp
2

Verify installation

Confirm the command is available and check its version or help output.

mitre-attack-mcp --help
3

Configure Claude Desktop

Add the server to your claude_desktop_config.json. The optional --data-dir argument specifies where ATT&CK STIX data is downloaded and cached.

{
  "mcpServers": {
    "mitre-attack": {
      "command": "mitre-attack-mcp",
      "args": ["--data-dir", "/path/to/attack-data-cache"]
    }
  }
}
4

Restart Claude Desktop

Fully quit and reopen Claude Desktop. On first launch, the server will download the MITRE ATT&CK STIX dataset — this may take a moment. Subsequent launches use the local cache.

5

Run your first ATT&CK query

Ask Claude about a threat actor, technique, or malware family. The server queries the locally cached ATT&CK data and returns structured results.

MITRE ATT&CK Examples

Client configuration

claude_desktop_config.json entry for the MITRE ATT&CK MCP Server with an optional data cache directory.

{
  "mcpServers": {
    "mitre-attack": {
      "command": "mitre-attack-mcp",
      "args": ["--data-dir", "/path/to/attack-data-cache"]
    }
  }
}

Prompts to try

Example threat intelligence queries using the 50+ ATT&CK tools exposed by the server.

- "What techniques does APT29 use, and which sub-techniques are unique to them?"
- "List all malware families associated with the Lazarus Group"
- "Generate an ATT&CK Navigator layer for the Scattered Spider threat actor"
- "Find all techniques under the Credential Access tactic in the Enterprise matrix"
- "Which threat actors share the most technique overlap with APT41?"
- "What is the ATT&CK technique for pass-the-hash attacks and how is it detected?"

Troubleshooting MITRE ATT&CK

First launch takes a long time or fails with download errors

The server downloads the MITRE ATT&CK STIX data from the internet on first run. Ensure you have internet connectivity. If the download fails, retry — or manually place the STIX JSON files in your --data-dir and restart the server.

'mitre-attack-mcp' command not found after pipx install

Run 'pipx ensurepath' to add the pipx bin directory to your PATH, then open a new terminal. Alternatively, find the binary at ~/.local/bin/mitre-attack-mcp and use the full path in your MCP config.

Queries return outdated ATT&CK data

Delete the contents of your --data-dir (or the default cache location) and restart Claude Desktop. The server will re-download the latest ATT&CK STIX release from MITRE on next startup.

Frequently Asked Questions about MITRE ATT&CK

What is MITRE ATT&CK?

MITRE ATT&CK is a Model Context Protocol (MCP) server that provides comprehensive access to the mitre att\\&ck knowledge base with 50+ tools for querying threat actors, malware, and techniques, including automatic att\\&ck navigator layer generation for threat analysis and visualization. It connects AI assistants to external tools and data sources through a standardized interface.

How do I install MITRE ATT&CK?

Follow the installation instructions on the MITRE ATT&CK GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with MITRE ATT&CK?

MITRE ATT&CK works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is MITRE ATT&CK free to use?

Yes, MITRE ATT&CK is open source and available under the MIT license. You can use it freely in both personal and commercial projects.

MITRE ATT&CK Alternatives — Similar Security Servers

Looking for alternatives to MITRE ATT&CK? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

An Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u

Browse More Security MCP Servers

Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.

Quick Config Preview

{ "mcpServers": { "mitre-att-ck-mcp-server": { "command": "npx", "args": ["-y", "mitre-att-ck-mcp-server"] } } }

Add this to your claude_desktop_config.json or .cursor/mcp.json

Read the full setup guide →

Ready to use MITRE ATT&CK?

Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.

33,000+ ServersFree & Open SourceStep-by-Step Guides