
mitre-attack

A Model-Context Protocol server for the MITRE ATT&CK knowledge base

Installation
Run this command in your terminal to add the MCP server to Claude Code.
claude mcp add --transport stdio stoyky-mitre-attack-mcp mitre-attack-mcp

How to use

The MITRE ATT&CK MCP Server provides programmatic access to the MITRE ATT&CK knowledge base through a Model-Context Protocol (MCP) interface. It exposes a set of tools for querying techniques, threats, and object relationships, generating visual ATT&CK Navigator layers, and exploring attribution between threat actors, malware, and techniques. Typical usage involves starting the MCP server via the configured command and then issuing MCP requests to retrieve structured knowledge base data, perform overlap analyses, and produce navigation-ready layer metadata for threat analysis workflows. The server is designed to integrate with MCP clients such as Claude AI, enabling seamless querying and data retrieval within conversational or automation pipelines. You can also leverage its built-in capability to generate ATT&CK Navigator layers to visualize technique usage across actors or campaigns.

To connect, configure your MCP client (e.g., Claude) to point at the mitre-attack MCP server as shown in the example configuration. Once configured, you can query for malware, actors, and techniques, retrieve relationships, and request visualizations. The server supports querying detailed information about specific techniques or threat actors, discovering relationships between tools and actors, and generating cross-actor or cross-campaign overlays for analysis. If you need a data directory for caching or custom storage, the server accepts a --data-dir option that you can supply via your MCP client configuration.

How to install

Prerequisites:

  • Git
  • Python 3.x
  • PipX

Installation steps:

  1. Install the MCP server via PipX directly from GitHub:

     pipx install git+https://github.com/stoyky/mitre-attack-mcp

  2. Verify installation by listing installed PipX packages or running the command in a dry-run mode if supported by the project:

     pipx list

  3. (Optional) Configure a data directory for persistent storage and caches by providing the --data-dir option in your MCP client configuration. Example client config snippet for Claude or another MCP client:

     {
       "mcpServers": {
         "mitre-attack": {
           "command": "mitre-attack-mcp",
           "args": ["--data-dir", "<path-to-data-dir>"]
         }
       }
     }

  4. After installation, start the MCP server if required by your setup (some clients may start it automatically):

     # If the installed package provides a direct launcher, you can run it as documented by the project.
     mitre-attack-mcp --help
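The optional configuration step above, as an added example (not the project's own code): a Python helper that merges the mitre-attack entry into an existing client config without dropping other servers, and confirms the data directory is writable before pointing --data-dir at it. The function name and the sample paths are assumptions made for illustration.

```python
import json
import os
import tempfile
from pathlib import Path


def add_mitre_attack_server(config_path, data_dir=None):
    """Merge the mitre-attack entry into an MCP client config file.

    Existing top-level keys and other mcpServers entries are preserved.
    Returns the entry that was written. (Hypothetical helper name.)
    """
    config_path = Path(config_path)
    config = json.loads(config_path.read_text()) if config_path.exists() else {}
    if not isinstance(config, dict):
        raise ValueError(f"{config_path} does not hold a JSON object")

    entry = {"command": "mitre-attack-mcp"}
    if data_dir is not None:
        data_dir = Path(data_dir).expanduser().resolve()
        data_dir.mkdir(parents=True, exist_ok=True)
        # Prove the directory is writable by creating (and auto-deleting)
        # a probe file; raises PermissionError if it is not.
        with tempfile.NamedTemporaryFile(dir=data_dir):
            pass
        entry["args"] = ["--data-dir", str(data_dir)]

    servers = config.setdefault("mcpServers", {})
    servers["mitre-attack"] = entry

    # Write to a temp file in the same directory, then rename over the
    # original, so a crash cannot leave a half-written config behind.
    fd, tmp = tempfile.mkstemp(dir=config_path.parent, suffix=".tmp")
    with os.fdopen(fd, "w") as fh:
        json.dump(config, fh, indent=2)
    os.replace(tmp, config_path)
    return entry


if __name__ == "__main__":
    # Constructed sample: a config that already lists another server.
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp, "claude_desktop_config.json")
        cfg.write_text('{"mcpServers": {"other": {"command": "other-mcp"}}}')
        add_mitre_attack_server(cfg, Path(tmp, "attack-data"))
        print(cfg.read_text())
```

Restart the MCP client after the file changes so it picks up the new entry.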

Additional notes

Notes and tips:

  • By default, the MITRE ATT&CK MCP server stores data in the current user's default cache directory. Use the --data-dir option to specify a custom location.
  • If you are integrating with Claude AI Desktop, update the claude_desktop_config.json to include the mitre-attack MCP server under mcpServers with command mitre-attack-mcp.
  • The server supports querying detailed information, relationship mappings, and generating ATT&CK Navigator layers for visualization.
  • Ensure your environment has network access if the underlying MITRE ATT&CK data is fetched remotely or when the server accesses external APIs.
  • If you encounter issues with layer generation, verify that the server has the required permissions to write to the data directory and that the data-dir path is accessible across the system.
