
MITRE ATT&CK MCP Server

by stoyky

Server Configuration

Describes the environment variables required to run the server.

Name | Required | Description | Default

No arguments

Capabilities

Features and capabilities supported by this server

Capability | Details
tools | {"listChanged": false}
prompts | {"listChanged": false}
resources | {"subscribe": false, "listChanged": false}
experimental | {}

Tools

Functions exposed to the LLM to take actions

Name | Description
get_object_by_attack_id

Get object by ATT&CK ID (case-sensitive)

Args:
  attack_id: ATT&CK ID to find associated object for
  stix_type: The STIX object type (must be 'attack-pattern', 'malware', 'tool', 'intrusion-set', 'campaign', 'course-of-action', 'x-mitre-matrix', 'x-mitre-tactic', 'x-mitre-data-source', 'x-mitre-data-component', or 'x-mitre-asset')
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_object_by_stix_id

Get object by STIX ID (case-sensitive)

Args:
  stix_id: ATT&CK ID to find associated object for
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_objects_by_name

Get objects by name (case-sensitive)

Args:
  name: Name of the object to search for
  stix_type: The STIX object type (must be 'attack-pattern', 'malware', 'tool', 'intrusion-set', 'campaign', 'course-of-action', 'x-mitre-matrix', 'x-mitre-tactic', 'x-mitre-data-source', 'x-mitre-data-component', or 'x-mitre-asset')
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_objects_by_content

Get objects by the content of their description

Args:
  name: Name of the object to search for
  object_type: The STIX object type (must be 'attack-pattern', 'malware', 'tool', 'intrusion-set', 'campaign', 'course-of-action', 'x-mitre-matrix', 'x-mitre-tactic', 'x-mitre-data-source', 'x-mitre-data-component', or 'x-mitre-asset')
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_stix_type

Get object type by stix ID

Args:
  stix_id: ATT&CK ID to find associated object type for
  domain: Domain name ('enterprise', 'mobile', or 'ics')

get_attack_id

Get attack ID for given stix ID

Args:
  stix_id: STIX ID to find associated ATT&CK ID for
  domain: Domain name ('enterprise', 'mobile', or 'ics')

get_name

Get name for given stix ID

Args:
  stix_id: STIX ID to find associated name for
  domain: Domain name ('enterprise', 'mobile', or 'ics')

get_groups_by_alias

Get MITRE ATT&CK group ID and description by their alias

Args:
  alias: alias of a MITRE ATT&CK group
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_techniques_used_by_group

Get all MITRE ATT&CK techniques used by group by group STIX ID

Args:
  group_stix_id: Group STIX ID belonging to requested MITRE ATT&CK group
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_software_used_by_group

Get software used by MITRE ATT&CK group STIX id

Args:
  group_stix_id: Group STIX ID belonging to requested MITRE ATT&CK group
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_campaigns_attributed_to_group

Get all campaigns attributed to group by group STIX ID

Args:
  group_stix_id: Group STIX ID belonging to requested MITRE ATT&CK group
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_techniques_used_by_group_software

Get techniques used by group's software

Args:
  group_stix_id: Group STIX ID to check what software they use, and what techniques that software uses
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_groups_using_technique

Get groups using a technique by its STIX ID

Args:
  technique_stix_id: Technique STIX ID to check what groups are associated with it.
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_groups_using_software

Get groups using software by software name

Args:
  software_stix_id: Software STIX ID to check which groups use the given software
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_groups_attributing_to_campaign

Get groups attributing to campaign

Args:
  campaign_stix_id: Campaign STIX ID to look up what groups have been attributed to it
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_software_by_alias

Get software by its alias

Args:
  alias: Software name alias to find in MITRE ATT&CK
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_software_using_technique

Get software using technique

Args:
  technique_stix_id: Technique STIX ID to search software that uses it
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_techniques_used_by_software

Get techniques used by software

Args:
  software_stix_id: Software STIX ID to check what techniques are associated with it
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_all_techniques

Get all techniques in the MITRE ATT&CK framework

Args:
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_all_subtechniques

Get all subtechniques in the MITRE ATT&CK framework

Args:
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_all_parent_techniques

Get all parent techniques in the MITRE ATT&CK framework

Args:
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_all_groups

Get all threat actor groups in the MITRE ATT&CK framework

Args:
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_all_software

Get all software in the MITRE ATT&CK framework

Args:
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_all_mitigations

Get all mitigations in the MITRE ATT&CK framework

Args:
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_all_tactics

Get all tactics in the MITRE ATT&CK framework

Args:
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_all_matrices

Get all matrices in the MITRE ATT&CK framework

Args:
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_all_campaigns

Get all campaigns in the MITRE ATT&CK framework

Args:
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_all_datasources

Get all data sources in the MITRE ATT&CK framework

Args:
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_all_datacomponents

Get all data components in the MITRE ATT&CK framework

Args:
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_all_assets

Get all assets in the MITRE ATT&CK framework (ICS domain only)

Args:
  domain: Domain name ('ics')
  include_description: Whether to include description in the output (default is False)

get_campaigns_using_technique

Get all campaigns in which a technique is used by its STIX ID

Args:
  technique_stix_id: Technique STIX ID to look up campaigns in which it is used
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_techniques_used_by_campaign

Get techniques used by campaign

Args:
  campaign_stix_id: Campaign STIX ID to check what techniques are used in it
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_campaigns_using_software

Get all campaigns that use software

Args:
  software_stix_id: Software STIX ID to look up campaigns in which it is used
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_software_used_by_campaign

Get software used by campaign

Args:
  campaign_stix_id: Campaign STIX ID to look up what software has been used in it
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_techniques_by_platform

Get techniques by the platform provided (Windows, Linux etc.)

Args:
  platform: Platform (Windows, Linux etc.) to find associated techniques for
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_parent_technique_of_subtechnique

Get parent technique of subtechnique

Args:
  technique_stix_id: Subtechnique STIX ID to check what its parent technique is
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_subtechniques_of_technique

Get subtechniques of technique

Args:
  technique_stix_id: Technique STIX ID to check what its subtechniques are
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_techniques_by_tactic

Get all techniques of the given tactic

Args:
  tactic: Tactic name to lookup techniques for
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_techniques_mitigated_by_mitigation

Get techniques mitigated by mitigation

Args:
  mitigation_stix_id: Mitigation STIX ID to check what techniques are mitigated by it
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_mitigations_mitigating_technique

Get mitigations mitigating technique

Args:
  technique_stix_id: Technique STIX ID to check what mitigations are mitigating this technique
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_datacomponents_detecting_technique

Get datacomponents that detect the given technique

Args:
  technique_stix_id: Technique STIX ID to check what datacomponents detect it
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_techniques_detected_by_datacomponent

Get techniques detected by a datacomponent

Args:
  datacomponent_stix_id: Datacomponent STIX ID to check what techniques it detects
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_procedure_examples_by_technique

Get procedure examples by technique STIX ID (shows how groups use a technique)

Args:
  technique_stix_id: Technique STIX ID to check how they are used and in what procedure
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_assets_targeted_by_technique

Get assets targeted by technique STIX ID (shows how assets are targeted by technique), only pertains to ICS domain

Args:
  technique_stix_id: Technique STIX ID to check what assets are targeted by it
  domain: Domain name ('ics')
  include_description: Whether to include description in the output (default is False)

get_campaigns_by_alias

Get campaigns by their alias

Args:
  alias: Alias to find associated campaigns for
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_objects_by_type

Get objects by STIX type

Args:
  stix_type: The STIX object type (must be 'attack-pattern', 'malware', 'tool', 'intrusion-set', 'campaign', 'course-of-action', 'x-mitre-matrix', 'x-mitre-tactic', 'x-mitre-data-source', 'x-mitre-data-component', or 'x-mitre-asset')
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_tactics_by_matrix

Get tactics by matrix

Args:
  matrix_stix_id: Matrix STIX ID to find associated tactics for
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_tactics_by_technique

Get tactics associated with a technique

Args:
  technique_stix_id: Technique STIX ID to find associated tactics for
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_procedure_examples_by_tactic

Get procedure examples by tactic (shows how groups use techniques in this tactic)

Args:
  tactic: Tactic name to check procedure examples for
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_techniques_targeting_asset

Get techniques targeting a specific asset (ICS domain only)

Args:
  asset_stix_id: Asset STIX ID to find techniques targeting it
  domain: Domain name ('ics')
  include_description: Whether to include description in the output (default is False)

get_objects_created_after

Get objects created after a specific timestamp

Args:
  timestamp: ISO format timestamp string (e.g., '2020-01-01T00:00:00Z')
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_objects_modified_after

Get objects modified after a specific timestamp

Args:
  timestamp: ISO format timestamp string (e.g., '2020-01-01T00:00:00Z')
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

get_revoked_techniques

Get all revoked techniques in the MITRE ATT&CK framework

Args:
  domain: Domain name ('enterprise', 'mobile', or 'ics')
  include_description: Whether to include description in the output (default is False)

generate_layer

Generate an ATT&CK navigator layer in JSON format based on a matching ATT&CK ID value

Args:
  attack_id: ATT&CK ID to generate ATT&CK navigator layer for. Valid match values are single ATT&CK IDs for group (GXXX), mitigation (MXXX), software (SXXX), and data component objects (DXXX) within the selected ATT&CK data. NEVER directly input a technique (TXXX). If an invalid match happens, or if multiple ATT&CK IDs are provided, present the user with an error message.
  score: Score to assign to each technique in the layer
  domain: Domain name ('enterprise', 'mobile', or 'ics')

get_layer_metadata

Always call this tool whenever a prompt requires the generation of a MITRE ATT&CK Navigator Layer, such as the generate_layer tool. Always insert this metadata in the generated layer.

Args:
  domain (str, optional): The ATT&CK domain ('enterprise', 'mobile', or 'ics'). Defaults to 'enterprise'.

Returns:
  str: JSON string containing the appropriate layer metadata

Prompts

Interactive templates invoked by user choice

Name | Description

No prompts

Resources

Contextual data attached and managed by the client

Name | Description

No resources

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/stoyky/mitre-attack-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server.