MITRE Attack

v1.0.0 | Security | stable

A Model-Context Protocol server for the MITRE ATT&CK knowledge base


What is MITRE Attack?

MITRE Attack is a Model Context Protocol (MCP) server that gives AI assistants like Claude, Cursor, and VS Code access to the MITRE ATT&CK knowledge base.

This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • A Model-Context Protocol server for the MITRE ATT&CK knowledge base

Use Cases

Access the MITRE ATT&CK framework through MCP.
Maintainer: stoyky

License: MIT
Language: Python
Version: v1.0.0
Updated: May 18, 2026
Status: healthy
Maintenance: active

Works with

Claude, OpenAI, Windows, macOS, Linux

Installation

Manual Installation

pipx install git+https://github.com/stoyky/mitre-attack-mcp

Configuration

Configuration Details

Config File: claude_desktop_config.json

Performance

Response Metrics

Response Time: < 200ms
Throughput: Medium

Resource Usage

Memory Usage: Low
CPU Usage: Low

How to Set Up and Use MITRE Attack

The MITRE ATT&CK MCP server exposes the full MITRE ATT&CK knowledge base to AI assistants through 50+ structured query tools, enabling security professionals to research threat actors, tactics, techniques, malware, and campaigns through natural language conversations. It can generate ATT&CK Navigator visualization layers, map relationships between adversary groups and their tooling, and compare technique overlap across different threat actors — all without manually browsing the ATT&CK website. It is built in Python and installs via pipx from the GitHub repository.

Prerequisites

  • Python 3.8 or later installed
  • pipx installed for isolated package installation (pip install pipx)
  • Internet access for the initial ATT&CK data download (cached locally after first run)
  • Claude Desktop or another MCP-compatible client

1. Install the MITRE ATT&CK MCP server with pipx

Install the server directly from the GitHub repository using pipx, which creates an isolated virtual environment and makes the command available system-wide.

pipx install git+https://github.com/stoyky/mitre-attack-mcp

2. Verify the installation

Confirm that the mitre-attack-mcp command is available on your PATH and prints its usage information.

mitre-attack-mcp --help

3. Optionally specify a custom data cache directory

By default, ATT&CK data is cached in a system default location. Use --data-dir to specify a custom path if you want to control where the data files are stored.

mitre-attack-mcp --data-dir /path/to/custom/cache

4. Configure Claude Desktop

Add the server to your Claude Desktop MCP configuration file. The location depends on your operating system.

5. Test with a threat actor query

Open Claude Desktop and ask it to describe a well-known threat actor such as APT29 to confirm the ATT&CK data is loading and the tools are responding correctly.

MITRE Attack Examples

Client configuration

Add this block to your claude_desktop_config.json (macOS/Linux path shown; Windows path is %APPDATA%\Claude\claude_desktop_config.json).

{
  "mcpServers": {
    "mitre-attack": {
      "command": "mitre-attack-mcp",
      "args": []
    }
  }
}

Prompts to try

Use these prompts in Claude Desktop to query the MITRE ATT&CK knowledge base and generate threat intelligence reports.

- "What MITRE ATT&CK techniques does APT29 (Cozy Bear) commonly use?"
- "Generate an ATT&CK Navigator layer for the Lazarus Group threat actor."
- "Which threat actors use the technique T1566 (Phishing)? List them with their associated malware."
- "Compare the technique overlap between APT28 and APT29."
- "What malware families are associated with the FIN7 group, and what tactics do they employ?"
- "Describe the MITRE ATT&CK tactic TA0001 (Initial Access) and list the techniques under it."

Troubleshooting MITRE Attack

pipx install fails with git clone errors

Ensure git is installed and you have internet access. If you are behind a corporate proxy, configure git to use the proxy: git config --global http.proxy http://proxy.example.com:8080. Then retry the pipx install command.

First query is very slow or times out

On first run, the server downloads the full MITRE ATT&CK dataset, which can take a minute or two depending on your connection speed. Subsequent queries use the local cache and are much faster. Be patient on the initial load.

Claude Desktop shows the server as disconnected

Run mitre-attack-mcp --help directly in a terminal to confirm the command works. If it does but Claude Desktop cannot find it, use the full absolute path to the binary in the command field of your MCP config (run which mitre-attack-mcp to find it).
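
The client configuration block and the absolute-path fix above can be applied in one step. The following script is an added example, not code from the mitre-attack-mcp project: it merges the "mitre-attack" entry into an existing claude_desktop_config.json without disturbing other servers, records the absolute path of the command when it can be resolved, and keeps a .bak copy of the previous file. The script name, function names and the .bak suffix are assumptions made for this example.

```python
import json
import shutil
from pathlib import Path

SERVER_NAME = "mitre-attack"      # key used in the page's config block
COMMAND = "mitre-attack-mcp"      # console command installed by pipx


def build_entry(data_dir=None, resolver=shutil.which):
    """Return the mcpServers entry, preferring an absolute command path."""
    resolved = resolver(COMMAND)  # None when the command is not on PATH
    args = ["--data-dir", str(data_dir)] if data_dir else []
    return {"command": resolved or COMMAND, "args": args}


def add_server(config_path, data_dir=None, resolver=shutil.which):
    """Merge the entry into config_path without touching other servers."""
    path = Path(config_path)
    config = {}
    if path.exists():
        text = path.read_text(encoding="utf-8")
        # Invalid JSON raises here, before anything on disk is changed.
        config = json.loads(text) if text.strip() else {}
        # Keep a copy of the previous file so a bad edit can be rolled back.
        path.with_name(path.name + ".bak").write_text(text, encoding="utf-8")
    if not isinstance(config, dict):
        raise ValueError("top level of the config file must be a JSON object")
    servers = config.setdefault("mcpServers", {})
    servers[SERVER_NAME] = build_entry(data_dir, resolver)
    path.write_text(json.dumps(config, indent=2) + "\n", encoding="utf-8")
    return config


if __name__ == "__main__":
    import sys
    # Usage: python add_mitre_mcp.py /path/to/claude_desktop_config.json [data_dir]
    result = add_server(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    print(json.dumps(result["mcpServers"][SERVER_NAME], indent=2))
```

Restart Claude Desktop after the file changes so the new entry is loaded.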

Frequently Asked Questions about MITRE Attack

What is MITRE Attack?

MITRE Attack is a Model Context Protocol (MCP) server for the MITRE ATT&CK knowledge base. It connects AI assistants to external tools and data sources through a standardized interface.

How do I install MITRE Attack?

Follow the installation instructions on the MITRE Attack GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with MITRE Attack?

MITRE Attack works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is MITRE Attack free to use?

Yes, MITRE Attack is open source and available under the MIT license. You can use it freely in both personal and commercial projects.

MITRE Attack Alternatives — Similar Security Servers

Looking for alternatives to MITRE Attack? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

A Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u


Quick Config Preview

{
  "mcpServers": {
    "mitre-attack": {
      "command": "mitre-attack-mcp",
      "args": []
    }
  }
}

Add this to your claude_desktop_config.json or .cursor/mcp.json
