MITRE ATT&CK MCP Server for working with the MITRE ATT&CK framework
Project description
mitre-mcp: MITRE ATT&CK MCP Server
A Model Context Protocol (MCP) server that provides tools for working with the MITRE ATT&CK framework using the mitreattack-python library and the official MCP Python SDK.
Introduction
About Montimage
Montimage is a cybersecurity company specializing in network monitoring, security analysis, and AI-driven threat detection solutions. We develop innovative tools that help organizations protect their digital assets and ensure the security of their networks. The mitre-mcp server is part of our suite of security tools designed to enhance threat intelligence capabilities.
MITRE ATT&CK Framework
The MITRE ATT&CK® framework is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. It provides a common language for describing cyber adversary behavior and helps security professionals understand attack methodologies, improve defensive capabilities, and assess organizational risk.
Key components of the framework include:
- Techniques: Specific methods used by adversaries to achieve tactical goals
- Tactics: Categories representing the adversary's tactical goals during an attack
- Groups: Known threat actors and their associated techniques
- Software: Malware and tools used by threat actors
- Mitigations: Security measures to counter specific techniques
Objective of the MCP Server
The mitre-mcp server bridges the gap between the MITRE ATT&CK knowledge base and AI-driven workflows by providing a Model Context Protocol (MCP) interface. This enables Large Language Models (LLMs) and other AI systems to directly query and utilize MITRE ATT&CK data for threat intelligence, security analysis, and defensive planning.
Key objectives include:
- Providing seamless access to MITRE ATT&CK data for AI assistants and LLMs
- Enabling real-time threat intelligence lookups during security conversations
- Supporting security professionals in understanding attack techniques and appropriate mitigations
- Facilitating threat modeling and security analysis workflows
MCP Server & LLM Support
mitre-mcp is designed for seamless integration with Model Context Protocol (MCP) compatible clients (e.g., Claude, Windsurf, Cursor) for real-time MITRE ATT&CK framework lookups in LLM workflows.
Available MCP Tools
| Tool Name | Description |
|---|---|
get_techniques |
Get all techniques from the MITRE ATT&CK framework. Supports filtering by domain and includes options for subtechniques and handling revoked/deprecated items. |
get_tactics |
Get all tactics from the MITRE ATT&CK framework. Returns tactical categories that techniques are organized into. |
get_groups |
Get all threat groups from the MITRE ATT&CK framework. These are known threat actors and APT groups. |
get_software |
Get all software from the MITRE ATT&CK framework. Can filter by software type (malware, tool) and domain. |
get_techniques_by_tactic |
Get techniques associated with a specific tactic (e.g., 'defense-evasion', 'persistence'). |
get_techniques_used_by_group |
Get techniques used by a specific threat group (e.g., 'APT29', 'Lazarus Group'). |
get_mitigations |
Get all mitigations from the MITRE ATT&CK framework. These are security measures to counter techniques. |
get_techniques_mitigated_by_mitigation |
Get techniques that can be mitigated by a specific mitigation strategy. |
get_technique_by_id |
Look up a specific technique by its MITRE ATT&CK ID (e.g., 'T1055' for Process Injection). |
Features
- Comprehensive access to MITRE ATT&CK framework data including techniques, tactics, groups, and software
- Support for all MITRE ATT&CK domains: Enterprise, Mobile, and ICS
- Automatic caching of MITRE ATT&CK data to improve performance
- Python API for easy integration into your applications
- Built-in MCP server support for LLM/AI integrations
- Command-line interface for direct usage
Installation
pip install mitre-mcp
Usage via CLI
- Create and activate a virtual environment (recommended):
python3 -m venv .venv
source .venv/bin/activate # On Windows: .venv\Scripts\activate.bat
- Install the package:
pip install mitre-mcp
- Start the MCP server with stdio transport (for direct integration with clients):
mitre-mcp
- Or start the MCP server as an HTTP server:
mitre-mcp --http
- Use the
--force-downloadoption to force a fresh download of MITRE ATT&CK data:
mitre-mcp --force-download
Usage via MCP Client
To run mitre-mcp as an MCP server for AI-driven clients (e.g., Claude, Windsurf, Cursor):
- Create a virtual environment:
python3 -m venv .venv
- Activate the virtual environment:
source .venv/bin/activate # On Windows: .venv\Scripts\activate.bat
- Install mitre-mcp:
pip install mitre-mcp
- Configure your MCP client (e.g., Claude, Windsurf, Cursor) with:
{
"mcpServers": {
"mitreattack": {
"command": "/absolute/path/to/.venv/bin/python",
"args": ["-m", "mitre_mcp_server"]
}
}
}
Important:
- Use the absolute path to the Python executable in your virtual environment.
- For Windows, the path might look like:
C:\path\to\.venv\Scripts\python.exe
The mitre-mcp tools should now be available in your MCP client.
HTTP Server Mode
When running in HTTP mode with mitre-mcp --http, the server provides:
- A JSON-RPC endpoint at
http://localhost:8000/jsonrpcfor MCP protocol communication - The MCP Inspector UI at the root URL (
http://localhost:8000/)
The HTTP mode is useful for:
- Debugging with the MCP Inspector UI
- Integration with web-based clients
- Allowing multiple clients to connect to the same server instance
- Network-based integrations where stdio isn't practical
Data Caching
The server automatically caches MITRE ATT&CK data in a data/ folder to improve performance and reduce unnecessary downloads. The caching behavior works as follows:
- On first run, the server downloads the latest MITRE ATT&CK data and stores it in the
data/folder - On subsequent runs, the server checks if the cached data is less than 1 day old
- If the data is recent (less than 1 day old), it uses the cached data
- If the data is older than 1 day, it automatically downloads fresh data
- You can force a fresh download regardless of the cache age using the
--force-downloadoption
Usage via API (Python)
- Create and activate a virtual environment (recommended):
python3 -m venv .venv
source .venv/bin/activate # On Windows: .venv\Scripts\activate.bat
- Install in your project:
pip install mitre-mcp
- Import and use the MCP client:
from mcp.client.client import Client
from mcp.client.transports import StdioTransport
async with Client(transport=StdioTransport("mitre-mcp")) as client:
# Get all tactics
tactics = await client.call_tool("get_tactics", {
"domain": "enterprise-attack"
})
# Get techniques used by a specific group
group_techniques = await client.call_tool("get_techniques_used_by_group", {
"group_name": "APT29",
"domain": "enterprise-attack"
})
# Access a resource
server_info = await client.read_resource("mitre-attack://info")
Resources
The server provides the following resources:
mitre-attack://info
Get information about the MITRE ATT&CK MCP server, including available domains and tools.
MCP Server Configuration
You can add this MCP server to any MCP client by including it in the client's configuration:
{
"mcpServers": {
"mitreattack": {
"command": "/absolute/path/to/.venv/bin/python",
"args": ["-m", "mitre_mcp_server"]
}
}
}
Important:
- Use the absolute path to the Python executable in your virtual environment.
- For Windows, the path might look like:
C:\path\to\.venv\Scripts\python.exe
Claude Desktop Integration
To integrate with Claude Desktop, add the server to your Claude Desktop configuration file located at:
- macOS:
~/Library/Application Support/Claude Desktop/config.json - Windows:
%APPDATA%\Claude Desktop\config.json - Linux:
~/.config/Claude Desktop/config.json
Development
Clone the repository and install in development mode:
git clone https://github.com/montimage/mitre-mcp.git
cd mitre-mcp
python -m venv .venv
source .venv/bin/activate
pip install -e .
License
MIT
About Montimage
mitre-mcp is developed and maintained by Montimage, a company specializing in cybersecurity and network monitoring solutions. Montimage provides innovative security tools and services to help organizations protect their digital assets and ensure the security of their networks.
For questions or support, please contact us at contact@montimage.eu.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file mitre_mcp-0.1.0.tar.gz.
File metadata
- Download URL: mitre_mcp-0.1.0.tar.gz
- Upload date:
- Size: 12.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d31ce5bf419a51d89ca6fcaa3f0a90030ea12ebd5c365cb0133f1196ddbb549d
|
|
| MD5 |
8d5a0977740fffbafa719e8a1962b6c0
|
|
| BLAKE2b-256 |
47302509148d0caebc508caab94872dc38011356fd6f55b663ca9626b9594723
|
File details
Details for the file mitre_mcp-0.1.0-py3-none-any.whl.
File metadata
- Download URL: mitre_mcp-0.1.0-py3-none-any.whl
- Upload date:
- Size: 9.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5977f51189bc55b391dc75fd67a1637417233c0eb64702b7b181096acf1b6b5e
|
|
| MD5 |
395a143dbc82105520023512d68beb16
|
|
| BLAKE2b-256 |
4d3002d21b3f2007a04999feab60748b8350f20c00989b31dcba5ca23fb7e05e
|
