MCP Hub
Back to servers

MITRE ATT&CK MCP Server

A comprehensive Model Context Protocol server providing access to the MITRE ATT&CK knowledge base, enabling users to query threat actors, malware, and techniques, and generate ATT&CK Navigator layers.

glama
APIs & ServicesData & AnalyticsDevelopment Tools
Stars
33
Forks
8
Updated
Aug 3, 2025
Validated
Jan 20, 2026
View Source
Claim this server


MITRE ATT&CK MCP Server

A Model-Context Protocol server for the MITRE ATT&CK knowledge base

Key FeaturesInstallationHow To UseUse CasesCredits

Key Features

  • 50+ Tools for MITRE ATT&CK Querying
    • Comprehensive access to the MITRE ATT&CK knowledge base through structured API tools
  • Automatic ATT&CK Navigator Layer Generation
    • Generate visual representations of techniques used by threat actors
  • Threat Actor and Malware Attribution
    • Query relationships between malware, threat actors, and techniques
  • Technique Overlap Analysis
    • Compare techniques used by different threat actors or malware families

Installation

To clone and run this server, you'll need Git, Python, and PipX installed on your computer.

  1. Ensure Git, Python, and PipX have been installed using their official respective installation instructions for Windows/Mac/Linux
  2. Install the MCP Server using PipX
pipx install git+https://github.com/stoyky/mitre-attack-mcp

How To Use

Configure with Claude AI Desktop

  1. Open Claude's MCP server configuration file.

Windows

C:\Users\[YourUsername]\AppData\Roaming\Claude\claude_desktop_config.json
# or
C:\Users\[YourUsername]\AppData\Local\AnthropicClaude\claude_desktop_config.json

Linux / Mac

~/.config/Claude/claude_desktop_config.json
  1. Add the following to that file if it doesn't already exist. If it already exists, merge the two JSON structures accordingly.
{
  "mcpServers": {
    "mitre-attack": {
      "command": "mitre-attack-mcp",
      "args": [
      ]
    }
  }
}

Note: By default the MCP server stores the mitre-related data in the current users default cache directory. You can specify a custom data directory to use with the following config:

{
  "mcpServers": {
    "mitre-attack": {
      "command": "mitre-attack-mcp",
      "args": [
        "--data-dir",
        "<path-to-data-dir>"
      ]
    }
  }
}

Changelog

  • v1.0.2 - Now installable via PipX on Windows, Mac, and Linux. "data directory" argument is now optional and will use the default cache directory if omitted.
  • v1.0.0 - Initial release
  • V1.0.1 - Improved robustness of layer metadata generation and error handling in layer generation function

Use Cases

  • Query for detailed information about specific malware, tactics, or techniques
  • Discover relationships between threat actors and their tools
  • Generate visual ATT&CK Navigator layers for threat analysis
  • Find campaign overlaps between different threat actors
  • Identify common techniques used by multiple malware families

Please see my blog for more information and examples.

Credits

Created by Remy Jaspers

Reviews

No reviews yet

Sign in to write a review