mitre-mcp: MITRE ATT&CK MCP Server

Production-ready Model Context Protocol (MCP) server that exposes the MITRE ATT&CK® framework to LLMs, AI assistants, and automation workflows. Built with the official MCP Python SDK and mitreattack-python library for secure, high-performance access to adversary tactics, techniques, groups, software, and mitigations.

Available in the MCP Registry (search for io.github.luongnv89/mitre-mcp).

Highlights

• LLM-native experience – Seamless integration with Claude, Windsurf, Cursor, and any MCP-compatible client

• Secure-by-default – Validated inputs, TLS verification, disk-space checks, and structured error handling

• High performance – O(1) technique lookups using pre-built indices (80-95% faster than scanning)

• Flexible deployment – stdio for local clients or HTTP server for web-based integrations

Table of Contents

• Features

• Available MCP Tools

• Quick Start

• Web Frontend

• Documentation

• Configuration

• Performance

• Programmatic API

• Development

• Troubleshooting

• FAQ

• License

Features

• Comprehensive MITRE ATT&CK Coverage - All techniques, tactics, groups, software, and mitigations

• Multi-Domain Support - Enterprise, Mobile, and ICS ATT&CK domains

• Intelligent Caching - Automatic caching with configurable expiry (default: 24 hours)

• Performance Optimized - O(1) lookups using pre-built indices (80-95% faster)

• Dual Transport Modes - stdio for local clients, HTTP for web integrations

• CORS-Enabled HTTP Server - Async notifications and cross-origin request support

• Comprehensive Testing - 114 tests with 66% code coverage

• Pre-commit Quality Checks - Automated formatting, linting, type checking, and security scanning

• Input Validation - Secure-by-default with validated inputs and sanitized responses

• Programmatic API - Python and Node.js clients (see API-INTEGRATION.md)

Available MCP Tools

Quick Start

Installation

1. Create and activate a virtual environment:

python3 -m venv .venv
source .venv/bin/activate  # On Windows: .venv\Scripts\activate.bat

2. Install from PyPI:

pip install mitre-mcp

3. Verify installation:

mitre-mcp --help

HTTP Mode (Recommended)

Start the server:

mitre-mcp --http

Expected output:

2025-11-17 22:40:10,991 - mitre_mcp.mitre_mcp_server - INFO - Starting MITRE ATT&CK MCP Server (HTTP mode on localhost:8000)
======================================================================
MCP Client Configuration (Streamable HTTP Transport)
Server URL: http://localhost:8000
MCP Endpoint: http://localhost:8000/mcp

Add this to your MCP client configuration:
{
  "mcpServers": {
    "mitreattack": {
      "url": "http://localhost:8000/mcp"
    }
  }
}
======================================================================

Configure your MCP client:

Add this JSON to your client's configuration file:

{
  "mcpServers": {
    "mitreattack": {
      "url": "http://localhost:8000/mcp"
    }
  }
}

Configuration file locations:

• macOS (Claude Desktop): ~/Library/Application Support/Claude/claude_desktop_config.json

• Windows (Claude Desktop): %APPDATA%\Claude\claude_desktop_config.json

• Linux (Claude Desktop): ~/.config/Claude/claude_desktop_config.json

• VSCode: Configure in your MCP extension settings

Custom host and port:

mitre-mcp --http --host 0.0.0.0 --port 8080

Then use http://your-server-ip:8080/mcp in your client configuration.

Why HTTP mode?

• Multiple clients can connect simultaneously

• Better concurrency and async support

• Easier debugging with HTTP tools

• CORS support for web-based clients

• No path configuration needed

stdio Mode (Alternative)

For local-only clients that require stdio transport:

mitre-mcp

Client configuration:

{
  "mcpServers": {
    "mitreattack": {
      "command": "/absolute/path/to/.venv/bin/python",
      "args": ["-m", "mitre_mcp.mitre_mcp_server"]
    }
  }
}

Note: Use absolute paths. HTTP mode is recommended for most use cases.

Force Data Download

Force a fresh download of MITRE ATT&CK data:

mitre-mcp --http --force-download

Example Screenshots

VSCode Configuration:

Tool Invocation:

Results:

Web Frontend

A modern React-based web interface is available in the frontend/ directory for interactive exploration of MITRE ATT&CK through a chat interface.

Features:

• Clean, minimal design with black/white/gray aesthetic

• Interactive chatbox powered by LangGraphJS

• Pre-built scenario playbooks for common security workflows

• Real-time query processing with the MCP server

Quick Start:

cd frontend
npm install
npm run dev

Then open http://localhost:5173 in your browser.

Prerequisites:

• Node.js 18+ installed

• MCP server running: mitre-mcp --http --port 8000

For more details, see the frontend/README.md documentation.

Documentation

We provide three comprehensive guides tailored to different use cases:

1. Beginner's Guide

Beginner-Playbook.md - For those new to MITRE ATT&CK or cybersecurity

Ideal for:

• Non-technical users

• Security awareness training

• Basic threat intelligence

• General cybersecurity education

2. Advanced Playbook

Playbook.md - For security professionals using MCP clients

Ideal for:

• Security analysts

• Threat hunters

• Incident responders

• Security engineers

Includes 10 ready-to-use scenarios:

• Threat Intelligence

• Detection Engineering

• Threat Hunting

• Red Teaming

• Security Assessment

• Incident Response

• Security Operations

• Security Training

• Vendor Evaluation

• Risk Management

3. API Integration Guide

API-INTEGRATION.md - For developers building automation and custom integrations

Ideal for:

• Backend developers

• Automation engineers

• Data pipeline developers

• Custom tooling projects

Includes:

• Complete Python and Node.js client implementations

• Protocol requirements and examples

• Testing and debugging tools

• Common integration patterns

Configuration

Environment Variables

Set before starting mitre-mcp to customize behavior:

Data Caching

The server automatically caches MITRE ATT&CK data to improve performance:

1. On first run, downloads and stores data in data/ folder

2. On subsequent runs, uses cached data if less than 1 day old

3. Automatically refreshes data older than 1 day

4. Use --force-download to force fresh download

Performance

Benchmarks: macOS 14 / Apple M3 Pro with Python 3.11. Use MITRE_LOG_LEVEL=DEBUG for timing logs.

Programmatic API

For automation, custom integrations, and batch processing, see API-INTEGRATION.md.

Quick example (Python):

from clients.python.mini_mcp_client import MitreMCPClient

async def main():
    client = MitreMCPClient(host="localhost", port=8000)

    # Get all tactics
    tactics = await client.call_tool("get_tactics", {"domain": "enterprise-attack"})

    # Get techniques for a group
    techniques = await client.call_tool(
        "get_techniques_used_by_group",
        {"group_name": "APT29", "domain": "enterprise-attack"}
    )

Available clients:

• Python: clients/python/mini-mcp-client.py with full CLI

• Node.js: clients/nodejs/mini-mcp-client.js with full CLI

See API-INTEGRATION.md for complete documentation.

Development

Clone and Install

git clone https://github.com/montimage/mitre-mcp.git
cd mitre-mcp
python -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"

Install Pre-commit Hooks

pre-commit install

This sets up automatic code quality checks before each commit.

Run Tests

pytest                      # Full test suite with coverage
pre-commit run --all-files  # All quality checks

Code Quality Tools

Formatting:

• black - Python code formatter

• isort - Import organizer

• prettier - YAML/JSON/Markdown formatter

Linting & Type Checking:

• flake8 - Python linter

• mypy - Static type checker

• pydocstyle - Docstring checker

Security:

• bandit - Security vulnerability scanner

• File validators - YAML, JSON, TOML, private key detection

Testing:

• pytest - 114 tests before commit

• Installation test - Package verification

• Import verification - Module importability

• CLI test - Entry point validation

Troubleshooting

Download fails with "Insufficient disk space"

• Free at least 200 MB in the data directory or set MITRE_DATA_DIR=/path/to/storage

Data never updates

• Cached bundles refresh automatically after 1 day

• Force refresh: mitre-mcp --force-download or delete data/ folder

Tool calls return errors

• Ensure technique IDs follow T#### or T####.### format

• Keep names/tactics under 100 characters

MCP client cannot discover server

• Verify client configuration points to correct Python path

• Test manually: run mitre-mcp and verify server starts

• For HTTP mode: ensure url field is set correctly

Module not found: mcp.server.fastmcp

• Install MCP SDK: pip install "mcp[cli]" in your virtual environment

FAQ

Does mitre-mcp work offline?

• Yes. Once bundles are cached, the server works offline until cache expires.

Which Python versions are supported?

• Python 3.10 through 3.14 (see pyproject.toml).

How often is data refreshed?

• By default every 24 hours. Adjust MITRE_CACHE_EXPIRY_DAYS or use --force-download.

Is HTTP mode safe for production?

• HTTP mode serves on localhost:8000 by default. Use firewall or reverse proxy if exposing externally.

License

MIT License - See LICENSE file for details.

About Montimage

mitre-mcp is developed and maintained by Montimage, a cybersecurity company specializing in network monitoring, security analysis, and AI-driven threat detection solutions. We develop innovative tools that help organizations protect their digital assets and ensure network security.

For questions or support: luong.nguyen@montimage.eu