Skip to main content
Glama
imouiche

MITRE ATT&CK MCP Server

by imouiche

Server Configuration

Describes the environment variables required to run the server.

NameRequiredDescriptionDefault

No arguments

Capabilities

Features and capabilities supported by this server

CapabilityDetails
tools
{
  "listChanged": false
}
prompts
{
  "listChanged": false
}
resources
{
  "subscribe": false,
  "listChanged": false
}
experimental
{}

Tools

Functions exposed to the LLM to take actions

NameDescription
get_data_statsA

Return statistics about downloaded MITRE ATT&CK STIX data.

This confirms which domains are present on disk, their file paths, sizes, and ATT&CK release version. It assumes that downloads have already been attempted at server startup.

get_technique_by_idA

" Retrieve a MITRE ATT&CK technique by its external ATT&CK ID (e.g., "T1055", "T1053.005").

This tool searches the specified ATT&CK domain (enterprise, mobile, or ics)
and returns both structured machine-readable data and an optional formatted
human-readable text block. It is useful for user-facing responses as well
as downstream programmatic reasoning.

Args:
    technique_id: The external ATT&CK technique ID (e.g., "T1055").
    domain: ATT&CK domain to search in ("enterprise", "mobile", "ics").
    include_description: If True, returns the full ATT&CK description text.

Returns:
    {
      "found": bool,
      "technique": {
          "id": "<ATT&CK ID>",
          "name": "<technique name>",
          "stix_id": "<STIX object ID>",
          "description": "<full description or null>"
      },
      "formatted": "<human-readable formatted block>",
      "message": "<status message>"
    }
get_object_by_attack_idA
Retrieve any MITRE ATT&CK object by its external ATT&CK ID and STIX type.

This tool supports techniques, intrusion sets (APT groups), malware,
tools, mitigations, campaigns, data sources, data components, and tactics.

Args:
    attack_id: The external ATT&CK ID (e.g., "T1055", "G0016", "S0154", "M1013").
    stix_type: The STIX object type (e.g., "attack-pattern", "intrusion-set").
    domain: ATT&CK domain ("enterprise", "mobile", or "ics").
    include_description: Whether to include the object's description field.

Returns:
    {
      "found": bool,
      "object": {
          "id": "<ATT&CK ID>",
          "name": "<object name>",
          "stix_id": "<STIX object ID>",
          "type": "<stix_type>",
          "description": "<description or null>"
      },
      "formatted": "<human-readable formatted output>",
      "message": "<status>"
    }
get_object_by_stix_idA
Retrieve any MITRE ATT&CK object by its STIX ID (UUID).

STIX IDs are internal identifiers like:
  - attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b

This tool is useful when you already have a STIX ID from another
query or relationship and want to resolve it to the full object.

Args:
    stix_id: STIX object ID (e.g., "attack-pattern--...").
    domain: ATT&CK domain to search in ("enterprise", "mobile", "ics").
    include_description: Whether to include the object's description.

Returns:
    {
      "found": bool,
      "object": {
          "attack_id": "<ATT&CK external ID or null>",
          "name": "<object name>",
          "stix_id": "<STIX ID>",
          "type": "<stix type>",
          "description": "<description or null>"
      },
      "formatted": "<human-readable formatted text>",
      "message": "<status message>"
    }
get_objects_by_nameA
Retrieve MITRE ATT&CK objects by exact name match (case-sensitive).

This tool performs an exact name match for a specific STIX type within
a given ATT&CK domain. It is more strict than generic search methods,
which typically perform partial or keyword matching.

Examples:
    - Technique: get_objects_by_name("Phishing", "attack-pattern")
    - Group: get_objects_by_name("APT29", "intrusion-set")
    - Malware: get_objects_by_name("Cobalt Strike", "malware")

Args:
    name: Exact object name to search for (case-sensitive).
    stix_type: STIX object type (same values as get_object_by_attack_id),
               e.g. "attack-pattern", "intrusion-set", "malware",
               "tool", "course-of-action", etc.
    domain: ATT&CK domain ("enterprise", "mobile", or "ics").
    include_description: Whether to include descriptions in the formatted output
                         and structured result.

Returns:
    {
      "count": <number of matching objects>,
      "objects": [
        {
          "attack_id": "<ATT&CK external ID or null>",
          "name": "<object name>",
          "stix_id": "<STIX ID>",
          "type": "<stix_type>",
          "description": "<description or null>"
        },
        ...
      ],
      "formatted": "<human-readable multi-object formatted text>",
      "message": "<status summary>"
    }
get_objects_by_contentA
Search MITRE ATT&CK objects by matching text inside their description field.

This performs a full-text search over object descriptions. It is useful for:
  • Finding techniques related to specific technologies (e.g., “PowerShell”)
  • Finding groups mentioning a region or country (e.g., “Russia”)
  • Finding mitigations referencing specific defenses (e.g., “multi-factor”)
  • Searching malware or tool descriptions for keywords

Args:
    content: The text to search for (case-insensitive, partial match).
    object_type: STIX object type, such as:
        - "attack-pattern" (techniques)
        - "intrusion-set" (APT groups)
        - "malware"
        - "tool"
        - "course-of-action" (mitigations)
        - "campaign"
        - "x-mitre-data-source"
        - "x-mitre-data-component"
        - etc.
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    include_description: Whether to return descriptions in the structured output.

Returns:
    {
      "count": <number of matches>,
      "objects": [
         {
            "attack_id": "<ATT&CK ID or null>",
            "name": "<object name>",
            "stix_id": "<STIX ID>",
            "type": "<object_type>",
            "description": "<description or null>"
         },
         ...
      ],
      "formatted": "<human-readable formatted list>",
      "message": "<status message>"
    }
get_techniques_by_tacticA
Get all techniques associated with a specific ATT&CK tactic.

This uses the MITRE ATT&CK Navigator-style mapping between tactics and
techniques for a given domain (e.g., "enterprise-attack").

Examples:
    - get_techniques_by_tactic("Initial Access", "enterprise")
    - get_techniques_by_tactic("Execution", "enterprise")
    - get_techniques_by_tactic("Persistence", "enterprise")

Args:
    tactic: Tactic name (e.g., "Initial Access", "Persistence").
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    include_description: Whether to include technique descriptions
                         in the structured and formatted output.

Returns:
    {
      "count": <number of techniques>,
      "techniques": [
        {
          "attack_id": "<TXXXX or TXXXX.YYY>",
          "name": "<technique name>",
          "stix_id": "<attack-pattern--...>",
          "description": "<description or null>",
          "tactic": "<tactic name>",
        },
        ...
      ],
      "formatted": "<human-readable technique list>",
      "message": "<status summary>"
    }
search_techniquesA
Search MITRE ATT&CK techniques by keyword in their name or description.

This tool performs a case-insensitive search over all non-revoked,
non-deprecated techniques in the given domain. A technique is matched if
the query string appears in either:
  • the technique name, or
  • the technique description

Examples:
    - search_techniques("PowerShell")
    - search_techniques("credential dumping")
    - search_techniques("initial access", domain="enterprise")

Args:
    query: Text to search for in technique names and descriptions.
    domain: ATT&CK domain ("enterprise", "mobile", or "ics").
    include_description: Whether to include descriptions in the structured
                         result and formatted output.

Returns:
    {
      "count": <number of matches>,
      "techniques": [
        {
          "attack_id": "<TXXXX or TXXXX.YYY>",
          "name": "<technique name>",
          "stix_id": "<attack-pattern--...>",
          "description": "<description or null>",
        },
        ...
      ],
      "formatted": "<human-readable formatted list>",
      "message": "<status summary>"
    }
get_group_by_nameA
Retrieve an intrusion set (APT group) by name or alias (case-insensitive match).

This tool searches ATT&CK intrusion sets by name or alias and returns the first
matching group. Matching is case-insensitive and supports partial matches.

Examples:
    - get_group_by_name("APT29")
    - get_group_by_name("Lazarus")
    - get_group_by_name("Fancy Bear")

Args:
    group_name: The group name or alias to search for (case-insensitive).
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    include_description: Whether to include descriptions in the output.

Returns:
    {
      "found": bool,
      "group": {
          "attack_id": "<GXXXX>",
          "name": "<group name>",
          "aliases": [...],
          "stix_id": "<intrusion-set--...>",
          "description": "<description or null>"
      },
      "formatted": "<human-readable text>",
      "message": "<status>"
    }
get_stix_typeA
Determine the STIX object type for a given STIX ID.

This is useful when you have a raw STIX UUID (e.g.,
"attack-pattern--xxxx") but need to know whether it corresponds to a
technique, intrusion set, malware, tool, mitigation, data source, etc.

Args:
    stix_id: The STIX UUID identifier to look up.
    domain: ATT&CK domain ("enterprise", "mobile", "ics").

Returns:
    {
        "found": bool,
        "stix_type": "<type string or null>",
        "message": "<status message>"
    }

Examples:
    get_stix_type("attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b")
    → "attack-pattern"
search_groupsA
Search MITRE ATT&CK intrusion sets (APT groups) by name, alias, or
description (case-insensitive).

If the query is empty, all groups in the domain are returned.

Args:
    query: Search keyword (name, alias, or any text in the description).
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    include_description: Whether to include descriptions in the output.

Returns:
    {
      "count": <number of matches>,
      "groups": [
        {
          "attack_id": "GXXXX",
          "name": "...",
          "aliases": [...],
          "stix_id": "...",
          "description": "..." | null
        },
        ...
      ],
      "formatted": "<LLM-friendly block>",
      "message": "<summary>"
    }
get_group_techniquesA
Get all techniques used by a specific APT group (intrusion set).

This tool:
  1) Locates a group by name or alias (case-insensitive, partial match).
  2) Uses MITRE's get_techniques_used_by_group() to retrieve techniques
     related to that group (via 'uses' relationships).

Args:
    group_name: Group name or alias (e.g., "APT29", "Lazarus Group").
    domain: ATT&CK domain ("enterprise", "mobile", or "ics").
    include_description: Whether to include descriptions in the output.

Returns:
    {
      "found": bool,  # whether the group was found
      "group": {
          "attack_id": "GXXXX",
          "name": "...",
          "aliases": [...],
          "stix_id": "intrusion-set--...",
          "description": "..." | null
      } | null,
      "count": <number of techniques>,
      "techniques": [
        {
          "attack_id": "TXXXX or TXXXX.YYY",
          "name": "...",
          "stix_id": "attack-pattern--...",
          "description": "..." | null,
          "relationships": [
            {
              "stix_id": "relationship--...",
              "relationship_type": "uses",
              "description": "..." | null,
              "source_ref": "...",
              "target_ref": "..."
            },
            ...
          ]
        },
        ...
      ],
      "formatted": "<human-readable technique list>",
      "message": "<status summary>"
    }
get_softwareA
Get all software (malware and tools) in a given ATT&CK domain.

This returns non-revoked, non-deprecated software objects, including
both malware and tools, as defined by the MITRE ATT&CK dataset.

Args:
    domain: ATT&CK domain to search ("enterprise", "mobile", or "ics").
    include_description: Whether to include descriptions in the output and
                         formatted text.

Returns:
    {
      "count": <number of software objects>,
      "software": [
        {
          "attack_id": "<SXXXX or similar, if present>",
          "name": "<software name>",
          "stix_id": "<STIX ID>",
          "type": "<malware|tool|...>",
          "description": "<text or null>"
        },
        ...
      ],
      "formatted": "<human-readable list>",
      "message": "<status summary>"
    }
search_softwareA
Search MITRE ATT&CK software (malware & tools) by keyword in name or
description (case-insensitive).

Args:
    query: Keyword to search for in software names and descriptions.
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    include_description: Whether to include descriptions in the response.

Returns:
    {
      "count": <number of matches>,
      "software": [
        {
          "attack_id": "<SXXXX or similar>",
          "name": "...",
          "stix_id": "...",
          "type": "<tool|malware|...>",
          "description": "..." | null
        },
        ...
      ],
      "formatted": "<nicely formatted block>",
      "message": "<status summary>"
    }
get_attack_idA
Convert a STIX UUID into its human-readable ATT&CK ID.

This tool resolves internal STIX identifiers such as:
    attack-pattern--UUID
    malware--UUID
    intrusion-set--UUID
    tool--UUID
    course-of-action--UUID

into ATT&CK IDs such as:
    T1566      (Technique)
    T1055.002  (Sub-technique)
    G0016      (Group)
    S0154      (Software)
    M1013      (Mitigation)

Args:
    stix_id: Full STIX UUID identifier.
    domain: ATT&CK domain ("enterprise", "mobile", "ics").

Returns:
    {
      "found": bool,
      "attack_id": "<ATT&CK ID or null>",
      "message": "<status message>"
    }
get_nameA
Resolve the human-readable object name for a given STIX ID.

This converts internal STIX UUIDs such as:
    attack-pattern--UUID
    intrusion-set--UUID
    malware--UUID
    tool--UUID
    course-of-action--UUID

into ATT&CK object names such as:
    "Phishing"
    "APT29"
    "Cobalt Strike"
    "Valid Accounts"

Args:
    stix_id: STIX UUID of the object.
    domain: ATT&CK domain ("enterprise", "mobile", "ics").

Returns:
    {
      "found": bool,
      "name": "<object name or null>",
      "message": "<status message>"
    }
get_technique_tacticsA
Get the ATT&CK tactic names associated with a given technique.

This tool:
  1) Looks up a technique by its external ATT&CK ID (e.g., "T1055").
  2) Extracts its kill chain phases (tactics) from the STIX object.
  3) Returns human-readable tactic names (e.g., "Initial Access"),
     along with the raw phase names and kill chain names.

Args:
    technique_id: External ATT&CK technique ID (e.g., "T1055", "T1055.002").
    domain: ATT&CK domain ("enterprise", "mobile", "ics").

Returns:
    {
      "found": bool,
      "technique": {
          "id": "<ATT&CK ID>",
          "name": "<technique name or null>",
          "stix_id": "<attack-pattern--... or null>",
      } | null,
      "tactics": [
        {
          "tactic": "<Human readable, e.g., 'Initial Access'>",
          "phase_name": "<raw phase name, e.g., 'initial-access'>",
          "kill_chain_name": "<kill chain name, e.g., 'mitre-attack'>"
        },
        ...
      ],
      "message": "<status message>"
    }
get_statsA
Get basic statistics about the loaded ATT&CK data for a given domain.

This returns counts of key object types (techniques, groups, software,
tactics, mitigations), excluding revoked/deprecated entries.

Args:
    domain: ATT&CK domain ("enterprise", "mobile", "ics").

Returns:
    {
      "domain": "<domain>",
      "stats": {
          "techniques": <int>,
          "groups": <int>,
          "software": <int>,
          "tactics": <int>,
          "mitigations": <int>
      },
      "message": "<status message>"
    }
get_groups_by_aliasA
Get APT groups (intrusion sets) matching a given alias.

Many groups have multiple aliases—e.g., APT29 is also known as:
"Cozy Bear", "NOBELIUM", "Midnight Blizzard", etc.

This tool returns all groups whose alias list contains the given alias
(case-insensitive exact match, per MITRE's own alias indexing).

Args:
    alias: Alias to search for (e.g., "Cozy Bear", "NOBELIUM").
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    include_description: Whether to include group descriptions.

Returns:
    {
      "count": <number>,
      "groups": [
        {
          "attack_id": "GXXXX",
          "name": "<group name>",
          "aliases": [...],
          "stix_id": "<intrusion-set--UUID>",
          "description": "<text or null>"
        },
        ...
      ],
      "formatted": "<formatted list>",
      "message": "<status summary>"
    }
get_techniques_used_by_groupA
Get all techniques used by a specific APT group, identified by its STIX ID.

This is similar to `get_group_techniques`, but instead of a group name or
alias it takes the group's STIX UUID (e.g. "intrusion-set--..."), which is
useful when you already have the STIX ID from another query or relationship.

Args:
    group_stix_id: STIX ID of the group (intrusion-set--UUID).
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    include_description: Whether to include technique descriptions.

Returns:
    {
      "group": {
          "attack_id": "GXXXX" | null,
          "name": "<group name or null>",
          "stix_id": "<intrusion-set--UUID>",
          "description": "<text or null>"
      } | null,
      "count": <number of techniques>,
      "techniques": [
        {
          "attack_id": "TXXXX or TXXXX.YYY" | null,
          "name": "<technique name>",
          "stix_id": "<attack-pattern--UUID>",
          "description": "<text or null>",
          "relationships": [
            {
              "stix_id": "<relationship--UUID>",
              "relationship_type": "uses",
              "description": "<relationship description or null>",
              "source_ref": "<source STIX ID>",
              "target_ref": "<target STIX ID>"
            },
            ...
          ]
        },
        ...
      ],
      "formatted": "<human-readable technique list>",
      "message": "<status summary>"
    }
get_software_used_by_groupA
Get all software (malware and tools) used by a specific APT group,
identified by its STIX ID.

This uses MITRE's `get_software_used_by_group` to follow 'uses'
relationships from an intrusion set (group) to software objects.

Args:
    group_stix_id: STIX ID of the group (e.g., "intrusion-set--UUID").
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    include_description: Whether to include software descriptions.

Returns:
    {
      "group": {
          "attack_id": "GXXXX" | null,
          "name": "<group name or null>",
          "stix_id": "<intrusion-set--UUID>",
          "description": "<text or null>"
      } | null,
      "count": <number of software objects>,
      "software": [
        {
          "attack_id": "SXXXX or similar" | null,
          "name": "<software name>",
          "stix_id": "<STIX ID>",
          "type": "<malware|tool|...>",
          "description": "<text or null>",
          "relationships": [
            {
              "stix_id": "<relationship--UUID>",
              "relationship_type": "uses",
              "description": "<relationship description or null>",
              "source_ref": "<source STIX ID>",
              "target_ref": "<target STIX ID>",
            },
            ...
          ]
        },
        ...
      ],
      "formatted": "<human-readable list of software>",
      "message": "<status summary>"
    }
get_campaigns_attributed_to_groupA
Get all campaigns attributed to a specific intrusion set (APT group),
identified by its STIX ID.

Campaigns represent specific operations or intrusion events attributed
to a threat group.

Args:
    group_stix_id: STIX UUID of the group (e.g., "intrusion-set--UUID").
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    include_description: Whether to include campaign descriptions.

Returns:
    {
      "group": {
          "attack_id": "GXXXX" | null,
          "name": "<group name or null>",
          "stix_id": "<intrusion-set--UUID>",
          "description": "<text or null>"
      } | null,

      "count": <number of campaigns>,

      "campaigns": [
        {
          "attack_id": "CXXXX" | null,
          "name": "<campaign name>",
          "stix_id": "<campaign--UUID>",
          "description": "<text or null>"
        },
        ...
      ],

      "formatted": "<formatted human-readable block>",
      "message": "<status summary>"
    }
get_campaigns_by_aliasA
Get campaigns by their alias.

Campaigns frequently have multiple names assigned by different vendors
or research teams. This function resolves those aliases.

Args:
    alias: Campaign alias or alternate name (case-insensitive)
    domain: ATT&CK domain ("enterprise", "ics", etc.)
    include_description: Include campaign descriptions in output

Returns:
    {
      "alias": "<requested name>",
      "count": int,
      "campaigns": [
        {
          "name": "...",
          "stix_id": "<campaign--UUID>",
          "attack_id": "Cxxxx" | null,
          "description": "..." | null
        },
        ...
      ],
      "formatted": "<multi-line readable text>",
      "message": "<summary>"
    }
get_techniques_used_by_group_softwareA
Get techniques used by the software that a group uses (Group → Software → Techniques).

This provides an indirect view of a group's capabilities by following:
    Group (intrusion set) → Software (malware/tools) → Techniques

Args:
    group_stix_id: STIX ID of the group (e.g., "intrusion-set--UUID").
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    include_description: Whether to include technique descriptions.

Returns:
    {
      "group": {
          "attack_id": "GXXXX" | null,
          "name": "<group name or null>",
          "stix_id": "<intrusion-set--UUID>",
          "description": "<text or null>",
      } | null,

      "count": <number of techniques>,

      "techniques": [
        {
          "attack_id": "TXXXX or TXXXX.YYY" | null,
          "name": "<technique name>",
          "stix_id": "<attack-pattern--UUID>",
          "description": "<text or null>",
          "relationships": [
            {
              "stix_id": "<relationship--UUID>",
              "relationship_type": "uses",
              "description": "<relationship description or null>",
              "source_ref": "<source STIX ID>",
              "target_ref": "<target STIX ID>",
            },
            ...
          ]
        },
        ...
      ],

      "formatted": "<human-readable list of techniques>",
      "message": "<status summary>"
    }
get_groups_using_techniqueA
Get all APT groups (intrusion sets) that use a specific technique.

This is a reverse lookup: Technique → Groups.
It follows 'uses' relationships from a technique STIX ID to intrusion sets.

Args:
    technique_stix_id: STIX ID of the technique
                       (e.g., "attack-pattern--UUID").
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    include_description: Whether to include group descriptions.

Returns:
    {
      "technique": {
          "attack_id": "TXXXX or TXXXX.YYY" | null,
          "name": "<technique name or null>",
          "stix_id": "<attack-pattern--UUID>",
          "description": "<text or null>",
      } | null,

      "count": <number of groups>,

      "groups": [
        {
          "attack_id": "GXXXX" | null,
          "name": "<group name>",
          "aliases": [...],
          "stix_id": "<intrusion-set--UUID>",
          "description": "<text or null>",
          "relationships": [
            {
              "stix_id": "<relationship--UUID>",
              "relationship_type": "uses",
              "description": "<relationship description or null>",
              "source_ref": "<source STIX ID>",
              "target_ref": "<target STIX ID>",
            },
            ...
          ]
        },
        ...
      ],

      "formatted": "<human-readable list of groups>",
      "message": "<status summary>"
    }
get_groups_using_softwareA
Get all APT groups (intrusion sets) that use a specific software/malware.

This is a reverse lookup: Software → Groups.
It follows 'uses' relationships from a software STIX ID (tool/malware)
to intrusion sets.

Args:
    software_stix_id: STIX ID of the software object
                      (e.g., "malware--UUID", "tool--UUID").
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    include_description: Whether to include group descriptions.

Returns:
    {
      "software": {
          "attack_id": "SXXXX or similar" | null,
          "name": "<software name or null>",
          "stix_id": "<software STIX ID>",
          "type": "<tool|malware|...> or null",
          "description": "<text or null>",
      } | null,

      "count": <number of groups>,

      "groups": [
        {
          "attack_id": "GXXXX" | null,
          "name": "<group name>",
          "aliases": [...],
          "stix_id": "<intrusion-set--UUID>",
          "description": "<text or null>",
          "relationships": [
            {
              "stix_id": "<relationship--UUID>",
              "relationship_type": "uses",
              "description": "<relationship description or null>",
              "source_ref": "<source STIX ID>",
              "target_ref": "<target STIX ID>",
            },
            ...
          ]
        },
        ...
      ],

      "formatted": "<human-readable list of groups>",
      "message": "<status summary>"
    }
get_groups_attributing_to_campaignA
Get all APT groups (intrusion sets) attributed to a specific campaign.

This is a reverse lookup: Campaign → Groups.
It follows attribution relationships from a campaign STIX ID to
intrusion sets (groups).

Args:
    campaign_stix_id: STIX ID of the campaign (e.g., "campaign--UUID").
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    include_description: Whether to include group descriptions.

Returns:
    {
      "campaign": {
          "attack_id": "CXXXX" | null,
          "name": "<campaign name or null>",
          "stix_id": "<campaign--UUID>",
          "description": "<text or null>"
      } | null,

      "count": <number of groups>,

      "groups": [
        {
          "attack_id": "GXXXX" | null,
          "name": "<group name>",
          "aliases": [...],
          "stix_id": "<intrusion-set--UUID>",
          "description": "<text or null>",
          "relationships": [
            {
              "stix_id": "<relationship--UUID>",
              "relationship_type": "<type>",
              "description": "<relationship description or null>",
              "source_ref": "<source STIX ID>",
              "target_ref": "<target STIX ID>",
            },
            ...
          ]
        },
        ...
      ],

      "formatted": "<human-readable list of groups>",
      "message": "<status summary>"
    }
get_software_by_aliasA
Find software/malware by alias (e.g., 'Beacon', 'Mimilib').

Many malware/tools have multiple alternative names. This tool searches
the software catalog for alias matches.

Args:
    alias: Alias to search for.
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    include_description: Whether to include description fields.

Returns:
    {
      "alias": "<alias>",
      "count": <number of matches>,
      "software": [
        {
          "attack_id": "<SXXXX or MXXXX or None>",
          "name": "<software name>",
          "aliases": [...],
          "stix_id": "<malware--UUID or tool--UUID>",
          "type": "<malware|tool|...>",
          "description": "<text or null>"
        },
        ...
      ],
      "formatted": "<human readable output>",
      "message": "<status summary>"
    }
get_software_using_techniqueA
Get all software (malware/tools) that use a specific technique.

This is a reverse lookup: Technique → Software.
It follows 'uses' relationships from a technique STIX ID to software
(malware and tools) that implement or leverage that technique.

Args:
    technique_stix_id: STIX ID of the technique
                       (e.g., "attack-pattern--UUID").
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    include_description: Whether to include software descriptions.

Returns:
    {
      "technique": {
          "attack_id": "TXXXX or TXXXX.YYY" | null,
          "name": "<technique name or null>",
          "stix_id": "<attack-pattern--UUID>",
          "description": "<text or null>",
      } | null,

      "count": <number of software objects>,

      "software": [
        {
          "attack_id": "SXXXX or similar" | null,
          "name": "<software name>",
          "stix_id": "<software STIX ID>",
          "type": "<malware|tool|...>",
          "description": "<text or null>",
          "relationships": [
            {
              "stix_id": "<relationship--UUID>",
              "relationship_type": "uses",
              "description": "<relationship description or null>",
              "source_ref": "<source STIX ID>",
              "target_ref": "<target STIX ID>",
            },
            ...
          ]
        },
        ...
      ],

      "formatted": "<human-readable list of software>",
      "message": "<status summary>"
    }
get_techniques_used_by_softwareA
Get all techniques used by specific software/malware.

This shows what ATT&CK techniques a given software (tool/malware) is
capable of performing.

Args:
    software_stix_id: STIX ID of the software object
                      (e.g., "malware--UUID", "tool--UUID").
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    include_description: Whether to include technique descriptions.

Returns:
    {
      "software": {
          "attack_id": "SXXXX or similar" | null,
          "name": "<software name or null>",
          "stix_id": "<software STIX ID>",
          "type": "<malware|tool|...> or null",
          "description": "<text or null>",
      } | null,

      "count": <number of techniques>,

      "techniques": [
        {
          "attack_id": "TXXXX or TXXXX.YYY" | null,
          "name": "<technique name>",
          "stix_id": "<attack-pattern--UUID>",
          "description": "<text or null>",
          "relationships": [
            {
              "stix_id": "<relationship--UUID>",
              "relationship_type": "uses",
              "description": "<relationship description or null>",
              "source_ref": "<source STIX ID>",
              "target_ref": "<target STIX ID>",
            },
            ...
          ]
        },
        ...
      ],

      "formatted": "<human-readable list of techniques>",
      "message": "<status summary>"
    }
get_all_techniquesA
Get all ATT&CK techniques for a given domain.

Args:
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    remove_revoked_deprecated: Whether to exclude revoked/deprecated techniques.
    include_description: Whether to include technique descriptions.

Returns:
    {
      "domain": "<domain>",
      "count": <number of techniques>,
      "techniques": [
        {
          "attack_id": "TXXXX or TXXXX.YYY",
          "name": "<technique name>",
          "stix_id": "<attack-pattern--UUID>",
          "description": "<text or null>",
          "tactics": [ "<tactic 1>", "<tactic 2>", ... ]
        },
        ...
      ],
      "formatted": "<optional human-readable output>",
      "message": "<summary>"
    }
get_all_subtechniquesA
Get all subtechniques in a given ATT&CK domain.

Subtechniques are more specific versions of parent techniques,
e.g., T1566.001 and T1566.002 are subtechniques of T1566.

Args:
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    remove_revoked_deprecated: Whether to exclude revoked/deprecated subtechniques.
    include_description: Whether to include descriptions.

Returns:
    {
      "domain": "<domain>",
      "count": <number of subtechniques>,
      "subtechniques": [
        {
          "attack_id": "<TXXXX.YYY>",
          "name": "<subtechnique name>",
          "stix_id": "<attack-pattern--UUID>",
          "description": "<text or null>",
          "tactics": ["<Tactic 1>", "<Tactic 2>", ...],
          "parent_attack_id": "<TXXXX>",
          "parent_name": "<parent technique name>",
          "parent_stix_id": "<attack-pattern--UUID>"
        },
        ...
      ],
      "formatted": "<optional human-readable output>",
      "message": "<summary>"
    }
get_all_parent_techniquesA
Get all parent techniques (exclude subtechniques) in a given domain.

Parent techniques are the main techniques without a dot in their ATT&CK ID,
e.g., T1566, T1055 (not T1566.001).

Args:
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    remove_revoked_deprecated: Whether to exclude revoked/deprecated techniques.
    include_description: Whether to include descriptions.

Returns:
    {
      "domain": "<domain>",
      "count": <number of parent techniques>,
      "parent_techniques": [
        {
          "attack_id": "<TXXXX>",
          "name": "<technique name>",
          "stix_id": "<attack-pattern--UUID>",
          "description": "<text or null>",
          "tactics": ["<Tactic 1>", "<Tactic 2>", ...]
        },
        ...
      ],
      "formatted": "<optional human-readable output>",
      "message": "<summary>"
    }
get_all_groupsA
Get all APT groups (intrusion sets) in a domain.

Args:
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    remove_revoked_deprecated: Whether to exclude revoked/deprecated groups.
    include_description: Whether to include descriptions.

Returns:
    {
      "domain": "<domain>",
      "count": <number of groups>,
      "groups": [
        {
          "attack_id": "GXXXX",
          "name": "<group name>",
          "aliases": [...],
          "stix_id": "<intrusion-set--UUID>",
          "description": "<text or null>"
        },
        ...
      ],
      "formatted": "<optional human-readable listing>",
      "message": "<summary>"
    }
get_all_softwareA
Get all software (malware and tools) in a domain.

This is effectively an alias for the MITRE helper get_software(), but it
returns structured results suitable for LLMs and clients.

Args:
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    remove_revoked_deprecated: Whether to exclude revoked/deprecated software.
    include_description: Whether to include descriptions.

Returns:
    {
      "domain": "<domain>",
      "count": <number of software objects>,
      "software": [
        {
          "attack_id": "<SXXXX or similar> | null",
          "name": "<software name>",
          "aliases": [...],
          "stix_id": "<malware--UUID or tool--UUID>",
          "type": "<malware|tool|...>",
          "description": "<text or null>"
        },
        ...
      ],
      "formatted": "<optional human-readable listing>",
      "message": "<summary>"
    }
get_all_mitigationsA
Get all mitigations (defensive countermeasures) in a domain.

Mitigations are security controls or practices that can reduce the
effectiveness of adversary techniques (e.g., M1013, M1017).

Args:
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    remove_revoked_deprecated: Whether to exclude revoked/deprecated mitigations.
    include_description: Whether to include descriptions.

Returns:
    {
      "domain": "<domain>",
      "count": <number of mitigations>,
      "mitigations": [
        {
          "attack_id": "MXXXX" | null,
          "name": "<mitigation name>",
          "stix_id": "<course-of-action--UUID>",
          "description": "<text or null>"
        },
        ...
      ],
      "formatted": "<optional human-readable output>",
      "message": "<summary>"
    }
get_all_tacticsA
Get all ATT&CK tactics for a domain.

Tactics represent the adversary's tactical goals (e.g., Initial Access,
Defense Evasion, Persistence).

Args:
    domain: ATT&CK domain ('enterprise', 'mobile', 'ics')
    include_description: Whether to include tactic descriptions.

Returns:
    {
      "domain": "<domain>",
      "count": <number>,
      "tactics": [
         {
           "attack_id": "<TAxxxx>" | null,
           "name": "...",
           "stix_id": "x-mitre-tactic--UUID",
           "description": "...",
         }
      ],
      "formatted": "<optional human-readable text>",
      "message": "<summary>"
    }
get_all_matricesA
Get all ATT&CK matrices in a domain.

Matrices are the top-level organizational structures in ATT&CK.
Each domain typically has one or more matrices
(e.g., Enterprise ATT&CK matrix).

Args:
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    remove_revoked_deprecated: Whether to exclude revoked/deprecated matrices.
    include_description: Whether to include descriptions.

Returns:
    {
      "domain": "<domain>",
      "count": <number of matrices>,
      "matrices": [
        {
          "attack_id": "<matrix ID or None>",
          "name": "<matrix name>",
          "stix_id": "<x-mitre-matrix--UUID>",
          "description": "<text or null>"
        },
        ...
      ],
      "formatted": "<optional human-readable output>",
      "message": "<summary>"
    }
get_all_campaignsA
Get all ATT&CK campaigns in a domain.

Campaigns represent specific intrusion events or long-running operations 
attributed to threat actors (e.g., SolarWinds, Operation Ghost).

Args:
    domain: ATT&CK domain ("enterprise", "mobile", "ics")
    remove_revoked_deprecated: Whether to exclude revoked/deprecated entries
    include_description: Include campaign descriptions in the output

Returns:
    {
      "domain": "<domain>",
      "count": <int>,
      "campaigns": [
         {
            "attack_id": "<Cxxxx or None>",
            "name": "<campaign name>",
            "stix_id": "campaign--UUID",
            "description": "<text or null>"
         },
         ...
      ],
      "formatted": "<nicely formatted output>",
      "message": "<summary>"
    }
get_all_datasourcesA
Get all ATT&CK data sources in a domain.

Data sources represent *what* kind of telemetry you collect
(e.g., Process Monitoring, Network Traffic, File Monitoring).

Args:
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    remove_revoked_deprecated: Whether to exclude revoked/deprecated data sources.
    include_description: Whether to include descriptions.

Returns:
    {
      "domain": "<domain>",
      "count": <number of data sources>,
      "datasources": [
        {
          "name": "<data source name>",
          "stix_id": "<x-mitre-data-source--UUID>",
          "description": "<text or null>",
          "platforms": ["<Windows>", "<Linux>", ...]  # if available
        },
        ...
      ],
      "formatted": "<optional human-readable output>",
      "message": "<summary>"
    }
get_all_datacomponentsA
Get all ATT&CK data components in a domain.

Data components are specific aspects of a data source that can be monitored.
For example, the "Process" data source has components like
"Process Creation", "Process Termination", etc.

Args:
    domain: ATT&CK domain ("enterprise", "mobile", "ics").
    remove_revoked_deprecated: Whether to exclude revoked/deprecated entries.
    include_description: Whether to include descriptions.

Returns:
    {
      "domain": "<domain>",
      "count": <number of data components>,
      "datacomponents": [
        {
          "name": "<data component name>",
          "stix_id": "<x-mitre-data-component--UUID>",
          "description": "<text or null>",
          "data_source_stix_id": "<x-mitre-data-source--UUID or null>",
          "data_source_name": "<parent data source name or null>",
          "data_source_attack_id": "<data source ATT&CK ID or null>"
        },
        ...
      ],
      "formatted": "<optional human-readable output>",
      "message": "<summary>"
    }
get_all_assetsA
Get all ATT&CK assets in a domain (primarily ICS).

Assets represent industrial control system components 
(PLC, HMI, Engineering Workstation, Control Server, etc.)

Args:
    domain: ATT&CK domain ("ics" recommended)
    remove_revoked_deprecated: Exclude revoked/deprecated entries
    include_description: Include asset descriptions

Returns:
    {
      "domain": "<domain>",
      "count": <number>,
      "assets": [
        {
          "name": "...",
          "stix_id": "x-mitre-asset--UUID",
          "description": "...",
          "attack_id": "<Axxxx or None>"
        }
      ],
      "formatted": "<human-readable output>",
      "message": "<summary>"
    }
get_assets_targeted_by_techniqueA
Get all ICS assets targeted by a specific technique.

Assets represent industrial control system components such as
PLCs, RTUs, Engineering Workstations, HMIs, Control Servers, etc.

Args:
    technique_stix_id: Technique STIX UUID identifier
    domain: ATT&CK domain ('ics' strongly recommended)
    include_description: Include asset descriptions, if available

Returns:
    {
      "technique": {
          "attack_id": "Txxxx",
          "name": "...",
          "stix_id": "<attack-pattern--UUID>"
      },
      "count": int,
      "assets": [
        {
          "name": "...",
          "stix_id": "<x-mitre-asset--UUID>",
          "description": "<optional text>",
          "asset_type": "<ICS component type>",
        },
        ...
      ],
      "formatted": "<multi-line readable text>",
      "message": "<summary>"
    }
get_techniques_targeting_assetA
Get all techniques that target a specific ICS asset.

Shows which adversary techniques can affect a given industrial
control system component.

Args:
    asset_stix_id: STIX ID of the ICS asset
    domain: Domain (default: 'ics')
    include_description: Whether to include descriptions in formatted output

Returns:
    {
        "found": bool,
        "count": int,
        "techniques": [
            {
                "id": "<ATT&CK ID>",
                "name": "...",
                "stix_id": "...",
                "description": "..." | None
            },
            ...
        ],
        "formatted": "<optional pretty text>",
        "message": "..."
    }
get_campaigns_using_techniqueA
Get all campaigns that use a specific technique.

This is a reverse lookup: Technique → Campaigns.

Args:
    technique_stix_id: Technique STIX UUID identifier
                       (e.g., 'attack-pattern--UUID').
    domain: ATT&CK domain ('enterprise', 'mobile', 'ics').
    include_description: Whether to include campaign descriptions.

Returns:
    {
      "technique": {
          "attack_id": "TXXXX or TXXXX.YYY" | null,
          "name": "<technique name or null>",
          "stix_id": "<attack-pattern--UUID>",
          "description": "<text or null>",
      } | null,

      "count": <number of campaigns>,

      "campaigns": [
        {
          "attack_id": "CXXXX" | null,
          "name": "<campaign name>",
          "stix_id": "<campaign--UUID>",
          "description": "<text or null>",
          "relationships": [
            {
              "stix_id": "<relationship--UUID>",
              "relationship_type": "<type>",
              "description": "<relationship description or null>",
              "source_ref": "<source STIX ID>",
              "target_ref": "<target STIX ID>",
            },
            ...
          ]
        },
        ...
      ],

      "formatted": "<human-readable list of campaigns>",
      "message": "<status summary>"
    }
get_techniques_used_by_campaignA
Get all techniques used in a specific campaign.

Args:
    campaign_stix_id: Campaign STIX UUID identifier
                      (e.g., 'campaign--UUID').
    domain: ATT&CK domain ('enterprise', 'mobile', 'ics').
    include_description: Whether to include technique descriptions.

Returns:
    {
      "campaign": {
          "attack_id": "CXXXX" | null,
          "name": "<campaign name or null>",
          "stix_id": "<campaign--UUID>",
          "description": "<text or null>",
      } | null,

      "count": <number of techniques>,

      "techniques": [
        {
          "attack_id": "TXXXX or TXXXX.YYY" | null,
          "name": "<technique name>",
          "stix_id": "<attack-pattern--UUID>",
          "description": "<text or null>",
          "tactics": ["<Tactic 1>", "<Tactic 2>", ...],
          "relationships": [
            {
              "stix_id": "<relationship--UUID>",
              "relationship_type": "<type>",
              "description": "<relationship description or null>",
              "source_ref": "<source STIX ID>",
              "target_ref": "<target STIX ID>",
            },
            ...
          ]
        },
        ...
      ],

      "formatted": "<human-readable list of techniques>",
      "message": "<status summary>"
    }
get_campaigns_using_softwareA
Get all campaigns that use specific software/malware.

This is a reverse lookup: Software → Campaigns.

Args:
    software_stix_id: Software STIX UUID identifier (e.g., 'malware--UUID', 'tool--UUID').
    domain: ATT&CK domain ('enterprise', 'mobile', 'ics').
    include_description: Whether to include campaign descriptions.

Returns:
    {
      "software": {
          "attack_id": "SXXXX or similar" | null,
          "name": "<software name or null>",
          "stix_id": "<software STIX ID>",
          "type": "<malware|tool|...> or null",
          "description": "<text or null>",
      } | null,

      "count": <number of campaigns>,

      "campaigns": [
        {
          "attack_id": "CXXXX" | null,
          "name": "<campaign name>",
          "stix_id": "<campaign--UUID>",
          "description": "<text or null>",
          "relationships": [
            {
              "stix_id": "<relationship--UUID>",
              "relationship_type": "<type>",
              "description": "<relationship description or null>",
              "source_ref": "<source STIX ID>",
              "target_ref": "<target STIX ID>",
            },
            ...
          ]
        },
        ...
      ],

      "formatted": "<human-readable list of campaigns>",
      "message": "<status summary>"
    }
get_software_used_by_campaignA
Get all software/malware used in a specific campaign.

Args:
    campaign_stix_id: Campaign STIX UUID identifier (e.g., 'campaign--UUID').
    domain: ATT&CK domain ('enterprise', 'mobile', 'ics').
    include_description: Whether to include software descriptions.

Returns:
    {
      "campaign": {
          "attack_id": "CXXXX" | null,
          "name": "<campaign name or null>",
          "stix_id": "<campaign--UUID>",
          "description": "<text or null>",
      } | null,

      "count": <number of software objects>,

      "software": [
        {
          "attack_id": "SXXXX or similar" | null,
          "name": "<software name>",
          "stix_id": "<malware--UUID or tool--UUID>",
          "type": "<malware|tool|...> or null",
          "aliases": ["...", "..."],
          "description": "<text or null>",
          "relationships": [
            {
              "stix_id": "<relationship--UUID>",
              "relationship_type": "<type>",
              "description": "<relationship description or null>",
              "source_ref": "<source STIX ID>",
              "target_ref": "<target STIX ID>",
            },
            ...
          ]
        },
        ...
      ],

      "formatted": "<human-readable list of software>",
      "message": "<status summary>"
    }
get_techniques_by_platformA
Get all ATT&CK techniques that apply to a specific platform.

Args:
    platform: Platform name (e.g., 'Windows', 'Linux', 'macOS', 
              'Cloud', 'Azure AD', 'Network', etc.)
    domain: ATT&CK domain ('enterprise', 'mobile', 'ics').
    include_description: Whether to include technique descriptions.

Returns:
    {
      "platform": "<platform>",
      "count": <number>,
      "techniques": [
        {
          "attack_id": "Txxxx" or "Txxxx.xxx" or null,
          "name": "<technique name>",
          "stix_id": "<attack-pattern--UUID>",
          "description": "<text or null>"
        },
        ...
      ],
      "formatted": "<optional formatted string>",
      "message": "<summary>"
    }
get_parent_technique_of_subtechniqueA
Get the parent technique of a subtechnique.

Args:
    technique_stix_id: STIX UUID of the subtechnique.
    domain: ATT&CK domain ('enterprise', 'mobile', 'ics').
    include_description: Whether to include the parent's description.

Returns:
    {
      "subtechnique_stix_id": "...",
      "subtechnique_attack_id": "Txxxx.xxx" or null,
      "parent": {
          "attack_id": "Txxxx",
          "name": "...",
          "stix_id": "attack-pattern--UUID",
          "description": "..." | null
      } or null,
      "formatted": "<human readable description>",
      "message": "<summary>"
    }
get_subtechniques_of_techniqueA
Get all subtechniques of a parent technique.

Args:
    technique_stix_id: STIX UUID of the parent technique.
    domain: ATT&CK domain.
    include_description: Whether to include subtechnique descriptions.

Returns:
    {
      "parent": {
          "stix_id": "...",
          "attack_id": "...",
          "name": "..."
      },
      "count": int,
      "subtechniques": [
          {
              "attack_id": "...",
              "name": "...",
              "stix_id": "...",
              "description": "..." | null
          },
          ...
      ],
      "formatted": "<multi-line string>",
      "message": "<summary>"
    }
get_techniques_mitigated_by_mitigationA
Get all techniques mitigated by a specific mitigation (by STIX ID).

Args:
    mitigation_stix_id: STIX UUID of the mitigation (e.g., course-of-action--UUID).
    domain: ATT&CK domain ('enterprise', 'mobile', 'ics').
    include_description: Include technique descriptions in the output.

Returns:
    {
      "found": bool,
      "mitigation": {
          "attack_id": "...",
          "name": "...",
          "stix_id": "course-of-action--..."
      } | null,
      "count": int,
      "techniques": [
          {
              "attack_id": "Txxxx",
              "name": "...",
              "stix_id": "...",
              "description": "...",
          },
          ...
      ],
      "formatted": "<multi-line text>",
      "message": "<summary>"
    }
get_mitigations_mitigating_techniqueA
Get all mitigations that address a specific technique.

Helper returns: list[RelationshipEntry[Mitigation]]
So each item is a wrapper that contains a Mitigation object (usually in `.object`).
We must unwrap before extracting fields.

Returns (same schema as before):
  {
    "found": bool,
    "technique": {...} | null,
    "count": int,
    "mitigations": [...],
    "formatted": str,
    "message": str
  }
get_datacomponents_detecting_techniqueB
Get all data components that can detect a specific technique.

Primary mode:
  - Use mitreattack-python relationship traversal (if present)

Fallback mode (when relationship traversal yields 0):
  - Read technique.x_mitre_data_sources (strings)
  - Resolve data source objects by name
  - Return data components whose x_mitre_data_source_ref points to those data sources
  - If the string includes a component name (e.g., "Process: Process Creation"),
    filter to that component when possible.

Returns the same structure as before, plus a debug block.
get_techniques_detected_by_datacomponentA
Get all techniques that can be detected by a specific data component.

Shows which adversary techniques can be identified by monitoring
this specific aspect of telemetry.

Args:
    datacomponent_stix_id: Data component STIX UUID identifier
                           (e.g., 'x-mitre-data-component--UUID').
    domain: ATT&CK domain ('enterprise', 'mobile', 'ics').
    include_description: Whether to include technique descriptions.

Returns:
    {
      "datacomponent": {
          "name": "<data component name or null>",
          "stix_id": "<x-mitre-data-component--UUID>",
          "description": "<text or null>",
          "data_source_stix_id": "<x-mitre-data-source--UUID or null>",
          "data_source_name": "<data source name or null>",
          "data_source_attack_id": "<data source ATT&CK ID or null>",
      } | null,

      "count": <number of techniques>,

      "techniques": [
        {
          "attack_id": "Txxxx or Txxxx.xxx" | null,
          "name": "<technique name>",
          "stix_id": "<attack-pattern--UUID>",
          "description": "<text or null>",
        },
        ...
      ],

      "formatted": "<human-readable list of techniques>",
      "message": "<status summary>"
    }
get_procedure_examples_by_techniqueB
Get procedure examples showing how threat groups used a specific technique.

Procedure examples describe real incident behavior tied to this technique.

Args:
    technique_stix_id: STIX UUID of the technique
    domain: ATT&CK domain
    include_description: Include descriptions of the examples if available

Returns:
    {
      "technique": {
          "attack_id": "Txxxx",
          "name": "...",
          "stix_id": "attack-pattern--UUID"
      },
      "count": N,
      "examples": [
          {
            "relationship_id": "relationship--UUID",
            "source_group_attack_id": "Gxxxx",
            "source_group_name": "...",
            "description": "...",
            "stix_id": "relationship--UUID"
          },
          ...
      ],
      "formatted": "<multi-line readable text>",
      "message": "<summary>"
    }
get_procedure_examples_by_tacticA
Get all procedure examples for techniques in a specific tactic.

Shows real-world examples of how threat groups use techniques that fall
under a given tactic (e.g., Initial Access, Persistence).

Args:
    tactic: Tactic name (e.g., "Initial Access", "Persistence").
            Case-insensitive; should match ATT&CK tactic names.
    domain: ATT&CK domain ('enterprise', 'mobile', 'ics').
    include_description: Include example descriptions when available.

Returns:
    {
      "tactic": {
          "name": "<tactic name>",
          "attack_id": "TAxxxx" | null,
          "stix_id": "x-mitre-tactic--UUID" | null,
      },
      "count": int,
      "examples": [
        {
          "relationship_id": "relationship--UUID",
          "description": "<procedure text or null>",
          "group": {
            "attack_id": "Gxxxx" | null,
            "name": "<group name or null>",
            "stix_id": "intrusion-set--UUID" | null,
          },
          "technique": {
            "attack_id": "Txxxx or Txxxx.xxx" | null,
            "name": "<technique name or null>",
            "stix_id": "attack-pattern--UUID" | null,
          },
        },
        ...
      ],
      "formatted": "<multi-line human-readable text>",
      "message": "<summary>"
    }
get_objects_by_typeA
Get all objects of a specific STIX type.

This is a generic method to retrieve ATT&CK/CTI objects by STIX type.
It complements more specific tools such as get_all_techniques(),
get_all_groups(), etc.

Common STIX types include:
  - 'attack-pattern'          (techniques)
  - 'malware'                 (malware)
  - 'tool'                    (tools)
  - 'intrusion-set'           (APT groups)
  - 'campaign'                (campaigns)
  - 'course-of-action'        (mitigations)
  - 'x-mitre-matrix'          (matrices)
  - 'x-mitre-tactic'          (tactics)
  - 'x-mitre-data-source'     (data sources)
  - 'x-mitre-data-component'  (data components)
  - 'x-mitre-asset'           (ICS assets)

Args:
    stix_type: STIX object type to fetch.
    domain: ATT&CK domain ('enterprise', 'mobile', 'ics', ...).
    remove_revoked_deprecated: Exclude revoked/deprecated objects.
    include_description: Include object descriptions in output.

Returns:
    {
      "stix_type": "<type>",
      "domain": "<domain>",
      "count": int,
      "objects": [
        {
          "name": "...",
          "stix_id": "<stix-id>",
          "attack_id": "<T/G/S/M/C/... or null>",
          "description": "<text or null>",
        },
        ...
      ],
      "formatted": "<multi-line readable text>",
      "message": "<summary>"
    }
get_tactics_by_matrixA
Get all ATT&CK tactics belonging to a specific matrix.

Args:
    matrix_stix_id: STIX ID of the matrix (e.g., x-mitre-matrix--UUID)
    domain: ATT&CK domain ('enterprise', 'mobile', 'ics')
    include_description: Whether to include tactic descriptions

Returns:
    {
      "found": bool,
      "count": int,
      "tactics": [
        {
          "name": "...",
          "stix_id": "...",
          "description": "...",
          "attack_id": "TAxxxx" or null
        }
      ],
      "formatted": "<multiline string>",
      "message": "..."
    }
get_tactics_by_techniqueA
Get all tactics associated with a specific ATT&CK technique.

Techniques can belong to one or more tactics (kill chain phases).

Args:
    technique_stix_id: Technique STIX UUID identifier (attack-pattern--UUID)
    domain: ATT&CK domain ('enterprise', 'mobile', 'ics')
    include_description: Whether to include tactic descriptions

Returns:
    {
      "found": bool,
      "count": int,
      "tactics": [
        {
          "name": "...",
          "stix_id": "...",
          "attack_id": "TAxxxx" or null,
          "description": "...",
        }
      ],
      "formatted": "<multiline formatted output>",
      "message": "..."
    }
get_objects_created_afterA
Get all ATT&CK objects created after a specific timestamp.

Useful for detecting new additions to the framework.
Timestamp must be ISO8601 format, e.g., '2024-01-01T00:00:00Z'.

Returns:
    {
        "found": bool,
        "count": int,
        "objects": [
            {
                "id": "<ATT&CK ID or None>",
                "name": "...",
                "stix_id": "...",
                "type": "<stix-type>",
                "description": "..." | None
            },
            ...
        ],
        "formatted": "<pretty text>",
        "message": "..."
    }
get_objects_modified_afterA
Get all ATT&CK objects modified after a specific timestamp.

Useful for tracking updates and changes to the ATT&CK framework.
Timestamp must be ISO8601 format, e.g., '2024-01-01T00:00:00Z'.

Returns:
    {
        "found": bool,
        "count": int,
        "objects": [
            {
                "id": "<ATT&CK ID or None>",
                "name": "...",
                "stix_id": "...",
                "type": "<stix-type>",
                "description": "..." | None
            },
            ...
        ],
        "formatted": "<pretty text>",
        "message": "..."
    }
get_revoked_techniquesC
Get all revoked techniques for a domain.

Revoked techniques are no longer valid in the framework, often because
they were merged or replaced.

Returns:
    {
        "found": bool,
        "count": int,
        "techniques": [...],
        "formatted": "<pretty output>",
        "message": "..."
    }
generate_layerA
Generate an ATT&CK Navigator layer for visualization.

This wraps mitreattack.navlayers.UsageLayerGenerator and produces a
JSON layer highlighting techniques associated with a given ATT&CK ID.

Only the following ATT&CK ID prefixes are supported:
  - Gxxxx : groups (intrusion sets)
  - Mxxxx : mitigations (course-of-action)
  - Sxxxx : software (tool/malware)
  - Dxxxx : data components

Technique IDs (Txxxx / Txxxx.xxx) are NOT supported here.

Args:
    attack_id: ATT&CK ID (Gxxxx, Mxxxx, Sxxxx, or Dxxxx)
    score: Score to assign to all matched techniques in the layer
    domain: ATT&CK domain (e.g., "enterprise", "mobile", "ics")

Returns:
    {
      "success": bool,
      "attack_id": "<G/M/S/D ID>",
      "domain": "<domain>",
      "count": int,              # number of techniques in layer
      "layer": { ... } | null,   # ATT&CK Navigator layer JSON
      "message": "<summary or error>"
    }
get_layer_metadataA
Return a standard ATT&CK Navigator layer metadata template.

This provides default layer properties (version info, gradient settings,
layout, filters, etc.) adapted to a specific ATT&CK domain.

Useful for clients that want to build custom layers programmatically
without starting from scratch.

Args:
    domain: One of "enterprise", "mobile", "ics". Defaults to "enterprise".

Returns:
    {
      "success": bool,
      "domain": "<domain>",
      "metadata": { ... },  # Navigator layer metadata
      "message": "<summary>"
    }

Prompts

Interactive templates invoked by user choice

NameDescription

No prompts

Resources

Contextual data attached and managed by the client

NameDescription

No resources

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/imouiche/complete-mitre-attack-mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server