Skip to main content

MITRE ATT&CK python library

Project description


This repository contains a library of Python-based tools and utilities for working with ATT&CK content.



To use this package, simply install the mitreattack-python library:

pip install mitreattack-python


Some simple examples are provided here to get you started on using this library. More detailed information about the specific usage of the modules in this package, with examples, can be found in the individual README files for each module.

module name description documentation
navlayers Provides a means by which to import, export, and manipulate ATT&CK Navigator layers. These layers can be read in from the filesystem or python dictionaries, combined and edited, and then exported to excel or SVG images as users desire. Further documentation for the navlayers module can be found here.
attackToExcel Provides functionalities for exporting the ATT&CK dataset into Excel Spreadsheets. It also provides programmatic access to the dataset as Pandas DataFrames to enable data analysis using that library. Further documentation for the attackToExcel module can be found here.

Usage Examples


from mitreattack.navlayers import Layer

example_layer4_dict = {
    "name": "layer v4.1 example",
    "versions" : {
        "attack": "8",
        "layer" : "4.1",
        "navigator": "4.1"
    "domain": "enterprise-attack"

layerA = Layer()                                  # Create a new layer object
layerA.from_dict(example_layer4_dict)             # Load layer data into existing layer object
print(layerA.to_dict())                           # Retrieve the loaded layer's data as a dictionary, and print it
from mitreattack.navlayers import Layer, ToSvg

lay = Layer()
lay.from_file("path/to/layer/example.json")           # import a layer from the filesystem

t = ToSvg(domain=lay.layer.domain, source='taxii')    # Use taxii server to get data for template
t.to_svg(layer=lay, filepath="example.svg")           # render the layer to an SVG file

Further documentation for the navlayers module can be found here.


import mitreattack.attackToExcel.attackToExcel as attackToExcel

attackToExcel.export("enterprise-attack", "v8.1", "/path/to/export/folder") # generate spreadsheets representing enterprise-attack v8.1
import mitreattack.attackToExcel.attackToExcel as attackToExcel
import mitreattack.attackToExcel.stixToDf as stixToDf

# download and parse ATT&CK STIX data
attackdata = attackToExcel.get_stix_data("enterprise-attack")
# get Pandas DataFrames for techniques, associated relationships, and citations
techniques_data = stixToDf.techniquesToDf(attackdata, "enterprise-attack") 

# show T1102 and sub-techniques of T1102
techniques_df = techniques_data["techniques"]

Further documentation for the attackToExcel module can be found here.

Command Line Tools

Two command line tools have been included in this package as part of the navlayers and attackToExcel modules. This can be run immediately after installing the package, using the syntax described below.


This command line tool allows users to convert a navigator layer file to either an svg image or excel file using the functionality provided by the navlayers module. Details about the SVG configuration json mentioned below can be found in the SVGConfig entry within the navlayers module documentation.

C:\Users\attack>layerExporter_cli -h
usage: layerExporter_cli [-h] -m {svg,excel} [-s {taxii,local}]
                         [--local LOCAL] -o OUTPUT [OUTPUT ...]
                         [-l LOAD_SETTINGS] [-d WIDTH HEIGHT]
                         input [input ...]

Export an ATT&CK Navigator layer as a svg image or excel file

positional arguments:
  input                 Path(s) to the file to export

optional arguments:
  -h, --help            show this help message and exit
  -m {svg,excel}, --mode {svg,excel}
                        The form to export the layers in
  -s {taxii,local}, --source {taxii,local}
                        What source to utilize when building the matrix
  --local LOCAL         Path to the local resource if --source=local
  -o OUTPUT [OUTPUT ...], --output OUTPUT [OUTPUT ...]
                        Path(s) to the exported svg/xlsx file
  -l LOAD_SETTINGS, --load_settings LOAD_SETTINGS
                        [SVG Only] Path to a SVG configuration json to use
                        when rendering
                        [SVG Only] X and Y size values (in inches) for SVG
                        export (use -l for other settings)

C:\Users\attack>layerExporter_cli -m svg -s taxii -l settings/config.json -o output/svg1.json output/svg2.json files/layer1.json files/layer2.json       

This command line tool allows users to generate excel spreadsheets representing the ATT&CK dataset.

C:\Users\attack>attackToExcel_cli -h
usage: attackToExcel_cli [-h]
                         [-domain {enterprise-attack,mobile-attack,ics-attack}]
                         [-version VERSION] [-output OUTPUT]

Download ATT&CK data from MITRE/CTI and convert it to excel spreadsheets

optional arguments:
  -h, --help            show this help message and exit
  -domain {enterprise-attack,mobile-attack,ics-attack}
                        which domain of ATT&CK to convert
  -version VERSION      which version of ATT&CK to convert. If omitted, builds
                        the latest version
  -output OUTPUT        output directory. If omitted writes to a subfolder of
                        the current directory depending on the domain and

C:\Users\attack>attackToExcel_cli -domain ics-attack -version v8.1 -output exported_data

Related MITRE Work


Cyber Threat Intelligence repository of the ATT&CK catalog expressed in STIX 2.0 JSON. This repository also contains our USAGE document which includes additional examples of accessing and parsing our dataset in Python.


ATT&CK® is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle, and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.


Structured Threat Information Expression (STIXâ„¢) is a language and serialization format used to exchange cyber threat intelligence (CTI).

STIX enables organizations to share CTI with one another in a consistent and machine-readable manner, allowing security communities to better understand what computer-based attacks they are most likely to see and to anticipate and/or respond to those attacks faster and more effectively.

STIX is designed to improve many capabilities, such as collaborative threat analysis, automated threat exchange, automated detection and response, and more.

ATT&CK scripts

One-off scripts and code examples you can use as inspiration for how to work with ATT&CK programmatically. Many of the functionalities found in the mitreattack-python package were originally posted on attack-scripts.


Copyright 2021 The MITRE Corporation

Approved for Public Release; Distribution Unlimited. Case Number 19-0486.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

This project makes use of ATT&CK®

ATT&CK Terms of Use

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mitreattack-python-1.2.0.tar.gz (464.4 kB view hashes)

Uploaded Source

Built Distribution

mitreattack_python-1.2.0-py3-none-any.whl (479.3 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page