mitre-mcp

Server Configuration

Describes the environment variables used to configure the server. None are required: the ATT&CK data settings have defaults, and the MISP, Wazuh, Cortex and TheHive variables only matter when those SOC integrations are in use.

| Name | Required | Description | Default |
|---|---|---|---|
| MISP_URL | No | MISP URL (e.g., https://misp.example.internal) | |
| WAZUH_URL | No | Wazuh API URL (e.g., https://wazuh.example.internal:55000) | |
| CORTEX_URL | No | Cortex URL (e.g., http://cortex.example.internal:9001) | |
| THEHIVE_URL | No | TheHive URL (e.g., http://thehive.example.internal:9000) | |
| MISP_API_KEY | No | MISP API key | |
| CORTEX_API_KEY | No | Cortex API key | |
| MITRE_DATA_DIR | No | Local cache directory for STIX bundles | ~/.mitre-mcp/data |
| MITRE_MATRICES | No | Comma-separated matrices: enterprise, mobile, ics | enterprise |
| WAZUH_PASSWORD | No | Wazuh API password | |
| WAZUH_USERNAME | No | Wazuh API username | |
| MISP_VERIFY_SSL | No | Verify SSL certs for MISP | true |
| THEHIVE_API_KEY | No | TheHive API key | |
| WAZUH_VERIFY_SSL | No | Verify SSL certs for Wazuh | true |
| MITRE_UPDATE_INTERVAL | No | Auto-update check interval in seconds | 86400 |
Capabilities

Features and capabilities supported by this server.

| Capability | Details |
|---|---|
| tools | `{"listChanged": true}` |
| prompts | `{"listChanged": true}` |
| resources | `{"listChanged": true}` |

Tools

Functions exposed to the LLM to take actions.

| Name | Description |
|---|---|
| mitre_get_technique | Get full details of a specific ATT&CK technique by its ID (e.g., T1059, T1059.001) |
| mitre_search_techniques | Search ATT&CK techniques by keyword, tactic, platform, or data source |
| mitre_list_tactics | List all ATT&CK tactics in kill-chain order |
| mitre_get_tactic | Get details and all techniques under a specific tactic |
| mitre_get_group | Get details on a known threat group/APT, including techniques and software used |
| mitre_search_groups | Search threat groups by keyword or by technique usage |
| mitre_list_groups | List all known threat groups with names, aliases, and brief descriptions |
| mitre_get_software | Get details on known software, malware, or a tool, including techniques and associated groups |
| mitre_search_software | Search software/malware by name, keyword, technique, or type |
| mitre_get_mitigation | Get details on a mitigation and all techniques it addresses |
| mitre_mitigations_for_technique | Get all mitigations applicable to a specific technique |
| mitre_search_mitigations | Search mitigations by keyword |
| mitre_get_datasource | Get details on a data source and its components, with the techniques they can detect |
| mitre_detection_coverage | Analyze detection coverage based on the data sources available in your environment |
| mitre_map_alert_to_technique | Map a security alert or observable to likely ATT&CK techniques with confidence scoring |
| mitre_technique_overlap | Find technique overlap between threat groups to assist attribution |
| mitre_attack_path | Generate possible attack paths through the kill chain starting from a technique |
| mitre_campaign_profile | Build a technique profile from observed techniques for campaign analysis and attribution |
| mitre_get_campaign | Get details on a known ATT&CK campaign, including techniques, software, and attributed groups |
| mitre_list_campaigns | List all known ATT&CK campaigns with names, dates, and brief descriptions |
| mitre_search_campaigns | Search campaigns by keyword or by technique usage |
| mitre_navigator_layer | Generate an ATT&CK Navigator layer JSON for visualization. Supports coverage heatmaps, group technique overlays, campaign views, and custom technique highlighting. |
| mitre_update_data | Force an update of the local ATT&CK data cache by re-downloading the STIX bundles |
| mitre_data_version | Get the current ATT&CK data version, its freshness, and object counts |
| mitre_soc_status | Get connection status for all configured SOC integrations (Wazuh, TheHive, Cortex, MISP) |
| mitre_cross_correlate | Cross-correlate ATT&CK techniques across Wazuh alerts, TheHive cases, and MISP events to find related activity |

Prompts

Interactive templates invoked by user choice.

| Name | Description |
|---|---|
| map-incident-to-attack | Map an incident's observables to ATT&CK techniques, identify tactics, and suggest mitigations |
| threat-hunt-plan | Generate a threat hunting plan based on ATT&CK framework and available data sources |
| gap-analysis | Perform a detection gap analysis using ATT&CK coverage mapping |
| attribution-analysis | Assist with threat attribution based on observed techniques and contextual factors |
Resources

Contextual data attached and managed by the client.

| Name | Description |
|---|---|
| matrix-enterprise | Full ATT&CK Enterprise matrix (tactics x techniques) |
| version | Current ATT&CK data version and statistics |
| tactics | All tactics in kill-chain order |
MCP directory API

All the information about this MCP server is also available via the directory API:

    curl -X GET 'https://glama.ai/api/mcp/v1/servers/lidless-labs/mitre-mcp'