mitre-mcp
io.github.luongnv89/mitre-mcp
MCP server exposing the MITRE ATT&CK framework via the official MCP Python SDK.
Documentation
mitre-mcp: MITRE ATT&CK MCP Server
Production-ready Model Context Protocol (MCP) server that exposes the MITRE ATT&CK® framework to LLMs, AI assistants, and automation workflows. Built with the official MCP Python SDK and mitreattack-python library for secure, high-performance access to adversary tactics, techniques, groups, software, and mitigations.
Available in the MCP Registry (search for io.github.luongnv89/mitre-mcp).
Highlights
- LLM-native experience – Seamless integration with Claude, Windsurf, Cursor, and any MCP-compatible client
- Secure-by-default – Validated inputs, TLS verification, disk-space checks, and structured error handling
- High performance – O(1) technique lookups using pre-built indices (80-95% faster than scanning)
- Flexible deployment – stdio for local clients or HTTP server for web-based integrations
Table of Contents
- Features
- Available MCP Tools
- Quick Start
- Web Frontend
- Documentation
- Configuration
- Performance
- Programmatic API
- Development
- Troubleshooting
- FAQ
- License
Features
- Comprehensive MITRE ATT&CK Coverage - All techniques, tactics, groups, software, and mitigations
- Multi-Domain Support - Enterprise, Mobile, and ICS ATT&CK domains
- Intelligent Caching - Automatic caching with configurable expiry (default: 24 hours)
- Performance Optimized - O(1) lookups using pre-built indices (80-95% faster)
- Dual Transport Modes - stdio for local clients, HTTP for web integrations
- CORS-Enabled HTTP Server - Async notifications and cross-origin request support
- Comprehensive Testing - 114 tests with 66% code coverage
- Pre-commit Quality Checks - Automated formatting, linting, type checking, and security scanning
- Input Validation - Secure-by-default with validated inputs and sanitized responses
- Programmatic API - Python and Node.js clients (see API-INTEGRATION.md)
Available MCP Tools
| Tool Name | Description |
|---|---|
get_techniques | List all techniques with filtering options |
get_technique_by_id | Look up specific technique by ID (e.g., T1055) |
get_techniques_by_tactic | Get techniques for a specific tactic (e.g., persistence) |
get_tactics | List all tactical categories |
get_groups | List all threat actor groups |
get_techniques_used_by_group | Get techniques used by a specific group (e.g., APT29) |
get_software | List malware and tools with filtering |
get_mitigations | List all security mitigations |
get_techniques_mitigated_by_mitigation | Get techniques addressed by a specific mitigation |
Quick Start
Installation
- Create and activate a virtual environment:
python3 -m venv .venv
source .venv/bin/activate # On Windows: .venv\Scripts\activate.bat
- Install from PyPI:
pip install mitre-mcp
- Verify installation:
mitre-mcp --help
HTTP Mode (Recommended)
Start the server:
mitre-mcp --http
Expected output:
2025-11-17 22:40:10,991 - mitre_mcp.mitre_mcp_server - INFO - Starting MITRE ATT&CK MCP Server (HTTP mode on localhost:8000)
======================================================================
MCP Client Configuration (Streamable HTTP Transport)
Server URL: http://localhost:8000
MCP Endpoint: http://localhost:8000/mcp
Add this to your MCP client configuration:
{
"mcpServers": {
"mitreattack": {
"url": "http://localhost:8000/mcp"
}
}
}
======================================================================
Configure your MCP client:
Add this JSON to your client's configuration file:
{
"mcpServers": {
"mitreattack": {
"url": "http://localhost:8000/mcp"
}
}
}
Configuration file locations:
- macOS (Claude Desktop):
~/Library/Application Support/Claude/claude_desktop_config.json - Windows (Claude Desktop):
%APPDATA%\Claude\claude_desktop_config.json - Linux (Claude Desktop):
~/.config/Claude/claude_desktop_config.json - VSCode: Configure in your MCP extension settings
Custom host and port:
mitre-mcp --http --host 0.0.0.0 --port 8080
Then use http://your-server-ip:8080/mcp in your client configuration.
Why HTTP mode?
- Multiple clients can connect simultaneously
- Better concurrency and async support
- Easier debugging with HTTP tools
- CORS support for web-based clients
- No path configuration needed
stdio Mode (Alternative)
For local-only clients that require stdio transport:
mitre-mcp
Client configuration:
{
"mcpServers": {
"mitreattack": {
"command": "/absolute/path/to/.venv/bin/python",
"args": ["-m", "mitre_mcp.mitre_mcp_server"]
}
}
}
Note: Use absolute paths. HTTP mode is recommended for most use cases.
Force Data Download
Force a fresh download of MITRE ATT&CK data:
mitre-mcp --http --force-download
Example Screenshots
VSCode Configuration:
Tool Invocation:
Results:
Web Frontend
A modern React-based web interface is available in the frontend/ directory for interactive exploration of MITRE ATT&CK through a chat interface.
Features:
- Clean, minimal design with black/white/gray aesthetic
- Interactive chatbox powered by LangGraphJS
- Pre-built scenario playbooks for common security workflows
- Real-time query processing with the MCP server
Quick Start:
cd frontend
npm install
npm run dev
Then open http://localhost:5173 in your browser.
Prerequisites:
- Node.js 18+ installed
- MCP server running:
mitre-mcp --http --port 8000
For more details, see the frontend/README.md documentation.
Documentation
We provide three comprehensive guides tailored to different use cases:
1. Beginner's Guide
Beginner-Playbook.md - For those new to MITRE ATT&CK or cybersecurity
Ideal for:
- Non-technical users
- Security awareness training
- Basic threat intelligence
- General cybersecurity education
2. Advanced Playbook
Playbook.md - For security professionals using MCP clients
Ideal for:
- Security analysts
- Threat hunters
- Incident responders
- Security engineers
Includes 10 ready-to-use scenarios:
- Threat Intelligence
- Detection Engineering
- Threat Hunting
- Red Teaming
- Security Assessment
- Incident Response
- Security Operations
- Security Training
- Vendor Evaluation
- Risk Management
3. API Integration Guide
API-INTEGRATION.md - For developers building automation and custom integrations
Ideal for:
- Backend developers
- Automation engineers
- Data pipeline developers
- Custom tooling projects
Includes:
- Complete Python and Node.js client implementations
- Protocol requirements and examples
- Testing and debugging tools
- Common integration patterns
Configuration
Environment Variables
Set before starting mitre-mcp to customize behavior:
| Variable | Default | Purpose |
|---|---|---|
MITRE_ENTERPRISE_URL, MITRE_MOBILE_URL, MITRE_ICS_URL | Official MITRE CTI GitHub URLs | Override ATT&CK bundle locations or point to internal mirror |
MITRE_DATA_DIR | mitre_mcp/data | Store cached bundles in custom directory |
MITRE_DOWNLOAD_TIMEOUT | 30 | HTTP timeout in seconds for bundle downloads |
MITRE_CACHE_EXPIRY_DAYS | 1 | Maximum age before cached data is refreshed |
MITRE_REQUIRED_SPACE_MB | 200 | Disk space threshold checked before downloading |
MITRE_DEFAULT_PAGE_SIZE / MITRE_MAX_PAGE_SIZE | 20 / 1000 | Default and maximum records returned by list tools |
MITRE_MAX_DESC_LENGTH | 500 | Trimmed description length in responses |
MITRE_LOG_LEVEL | INFO | Logging verbosity (DEBUG, INFO, WARNING, etc.) |
MITRE_CORS_ORIGINS | * | CORS allowed origins for HTTP mode (* = all, or comma-separated list of domains) |
Data Caching
The server automatically caches MITRE ATT&CK data to improve performance:
- On first run, downloads and stores data in
data/folder - On subsequent runs, uses cached data if less than 1 day old
- Automatically refreshes data older than 1 day
- Use
--force-downloadto force fresh download
Performance
| Scenario | Improvement | Notes |
|---|---|---|
| Enterprise technique lookup | 80-95% faster | Pre-built O(1) indices for groups, mitigations, and techniques |
| ATT&CK data downloads | 20-40% faster | HTTP connection pooling with TLS session reuse |
| Warm cache startup | <2s | Cached bundles reused for instant LLM queries |
Benchmarks: macOS 14 / Apple M3 Pro with Python 3.11. Use MITRE_LOG_LEVEL=DEBUG for timing logs.
Programmatic API
For automation, custom integrations, and batch processing, see API-INTEGRATION.md.
Quick example (Python):
from clients.python.mini_mcp_client import MitreMCPClient
async def main():
client = MitreMCPClient(host="localhost", port=8000)
# Get all tactics
tactics = await client.call_tool("get_tactics", {"domain": "enterprise-attack"})
# Get techniques for a group
techniques = await client.call_tool(
"get_techniques_used_by_group",
{"group_name": "APT29", "domain": "enterprise-attack"}
)
Available clients:
- Python:
clients/python/mini-mcp-client.pywith full CLI - Node.js:
clients/nodejs/mini-mcp-client.jswith full CLI
See API-INTEGRATION.md for complete documentation.
Development
Clone and Install
git clone https://github.com/montimage/mitre-mcp.git
cd mitre-mcp
python -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"
Install Pre-commit Hooks
pre-commit install
This sets up automatic code quality checks before each commit.
Run Tests
pytest # Full test suite with coverage
pre-commit run --all-files # All quality checks
Code Quality Tools
Formatting:
- black - Python code formatter
- isort - Import organizer
- prettier - YAML/JSON/Markdown formatter
Linting & Type Checking:
- flake8 - Python linter
- mypy - Static type checker
- pydocstyle - Docstring checker
Security:
- bandit - Security vulnerability scanner
- File validators - YAML, JSON, TOML, private key detection
Testing:
- pytest - 114 tests before commit
- Installation test - Package verification
- Import verification - Module importability
- CLI test - Entry point validation
Troubleshooting
Download fails with "Insufficient disk space"
- Free at least 200 MB in the data directory or set
MITRE_DATA_DIR=/path/to/storage
Data never updates
- Cached bundles refresh automatically after 1 day
- Force refresh:
mitre-mcp --force-downloador deletedata/folder
Tool calls return errors
- Ensure technique IDs follow
T####orT####.###format - Keep names/tactics under 100 characters
MCP client cannot discover server
- Verify client configuration points to correct Python path
- Test manually: run
mitre-mcpand verify server starts - For HTTP mode: ensure
urlfield is set correctly
Module not found: mcp.server.fastmcp
- Install MCP SDK:
pip install "mcp[cli]"in your virtual environment
FAQ
Does mitre-mcp work offline?
- Yes. Once bundles are cached, the server works offline until cache expires.
Which Python versions are supported?
- Python 3.10 through 3.14 (see
pyproject.toml).
How often is data refreshed?
- By default every 24 hours. Adjust
MITRE_CACHE_EXPIRY_DAYSor use--force-download.
Is HTTP mode safe for production?
- HTTP mode serves on localhost:8000 by default. Use firewall or reverse proxy if exposing externally.
License
MIT License - See LICENSE file for details.
About Montimage
mitre-mcp is developed and maintained by Montimage, a cybersecurity company specializing in network monitoring, security analysis, and AI-driven threat detection solutions. We develop innovative tools that help organizations protect their digital assets and ensure network security.
For questions or support: luong.nguyen@montimage.eu
mitre-mcppip install mitre-mcp