mitre-mcp

Comprehensive MITRE ATT&CK MCP server with SOC integration for technique lookup, alert mapping, and coverage analysis.


Published on npm as mitre-mcp under the MIT license; written in TypeScript 6.0 for Node.js 20+ against MCP SDK 1.29, with CI on GitHub Actions (ci.yml, main branch).

An MCP server providing comprehensive access to the MITRE ATT&CK knowledge base with full SOC stack integration. Enables LLMs to look up techniques, map alerts to ATT&CK, analyze detection coverage, profile campaigns, generate Navigator layers, and correlate across Wazuh, TheHive, Cortex, and MISP.

Features

  • 39 tools for technique lookup, tactic navigation, group intelligence, software analysis, mitigation mapping, detection coverage, alert mapping, campaign profiling, Navigator layer export, and SOC integration
  • 3 resources for matrix overview, version info, and tactic listing
  • 4 prompts for incident mapping, threat hunting, gap analysis, and attribution
  • SOC Integration: Wazuh alert mapping, TheHive case management, Cortex analyzer correlation, MISP event/IOC management
  • Cross-stack correlation: Search for ATT&CK techniques across the connected Wazuh, TheHive, and MISP instances in a single call
  • ATT&CK Navigator: Generate layer JSON for heatmaps, group overlays, coverage maps, and diff views
  • Campaign support: Full STIX campaign object parsing and attribution
  • Offline-capable with local STIX 2.1 data caching
  • Auto-updating with configurable refresh intervals
  • Enterprise, Mobile, and ICS matrix support

Prerequisites

  • Node.js 20 or later
  • Internet access for initial ATT&CK data download (cached locally after first run)
  • (Optional) Wazuh, TheHive, Cortex, and/or MISP instances for SOC integration

Installation

git clone https://github.com/solomonneas/mitre-mcp.git
cd mitre-mcp
npm install
npm run build

This produces dist/index.js for running from a source checkout. The client configurations below that use the bare mitre-mcp command assume the published npm package is installed globally (npm install -g mitre-mcp) so that the binary is on PATH; when running from a checkout, point the client at node /absolute/path/to/mitre-mcp/dist/index.js instead, as the OpenClaw, Hermes Agent, and Codex CLI sections show.

Configuration

Core Settings

| Variable | Default | Description |
|---|---|---|
| MITRE_DATA_DIR | ~/.mitre-mcp/data | Local cache directory for STIX bundles |
| MITRE_MATRICES | enterprise | Comma-separated matrices: enterprise, mobile, ics |
| MITRE_UPDATE_INTERVAL | 86400 | Auto-update check interval in seconds (default 24h) |

SOC Integration (all optional)

| Variable | Description |
|---|---|
| WAZUH_URL | Wazuh API URL (e.g., https://wazuh.example.internal:55000) |
| WAZUH_USERNAME | Wazuh API username (default: wazuh-wui) |
| WAZUH_PASSWORD | Wazuh API password |
| WAZUH_VERIFY_SSL | Verify the Wazuh API's TLS certificate (default: true). Setting it to false accepts any certificate, not only self-signed ones, so use it for lab instances only and trust your internal CA in production instead |
| THEHIVE_URL | TheHive URL (e.g., http://thehive.example.internal:9000) |
| THEHIVE_API_KEY | TheHive API key |
| CORTEX_URL | Cortex URL (e.g., http://cortex.example.internal:9001) |
| CORTEX_API_KEY | Cortex API key |
| MISP_URL | MISP URL (e.g., https://misp.example.internal) |
| MISP_API_KEY | MISP API key (authkey) |
| MISP_VERIFY_SSL | Verify the MISP TLS certificate (default: true); same caveat as WAZUH_VERIFY_SSL |

The TheHive and Cortex examples use plain http URLs. Over anything other than a loopback or otherwise trusted network, use https so the API keys are not sent in the clear.

Usage

Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "mitre-attack": {
      "command": "mitre-mcp",
      "env": {
        "MITRE_MATRICES": "enterprise",
        "WAZUH_URL": "https://wazuh.example.internal:55000",
        "WAZUH_USERNAME": "wazuh-wui",
        "WAZUH_PASSWORD": "your-password",
        "WAZUH_VERIFY_SSL": "false",
        "THEHIVE_URL": "http://thehive.example.internal:9000",
        "THEHIVE_API_KEY": "your-api-key",
        "CORTEX_URL": "http://cortex.example.internal:9001",
        "CORTEX_API_KEY": "your-api-key",
        "MISP_URL": "https://misp.example.internal",
        "MISP_API_KEY": "your-api-key",
        "MISP_VERIFY_SSL": "false"
      }
    }
  }
}

This example turns certificate verification off for Wazuh and MISP (WAZUH_VERIFY_SSL and MISP_VERIFY_SSL set to "false"). That is acceptable for a lab instance with a self-signed certificate, but it makes the API sessions and the credentials inside them interceptable; in production keep verification on and trust the internal CA instead, for instance by adding Node's NODE_EXTRA_CA_CERTS variable to the same env block (this assumes the server's HTTP clients use Node's default trust store). The Wazuh password and the API keys live in this file in plaintext, so keep it readable only by your user.

Claude Code

claude mcp add mitre-attack \
  --env MITRE_MATRICES=enterprise \
  -- mitre-mcp

Add --scope user to make it available from any directory instead of only the current project. Add --env flags for any SOC integrations (Wazuh, TheHive, Cortex, MISP) you want to enable.

OpenClaw

If you're running from a source checkout instead of the npm-installed binary, point command/args at the built dist/index.js:

openclaw mcp set mitre-attack '{
  "command": "node",
  "args": ["/absolute/path/to/mitre-mcp/dist/index.js"],
  "env": {
    "MITRE_MATRICES": "enterprise"
  }
}'

Or, with the global npm install:

openclaw mcp set mitre-attack '{
  "command": "mitre-mcp",
  "env": {
    "MITRE_MATRICES": "enterprise"
  }
}'

Then restart the OpenClaw gateway so the new server is picked up:

systemctl --user restart openclaw-gateway
openclaw mcp list   # confirm "mitre-attack" is registered

Hermes Agent

Hermes Agent reads MCP config from ~/.hermes/config.yaml under the mcp_servers key. Add an entry:

mcp_servers:
  mitre-attack:
    command: "mitre-mcp"
    env:
      MITRE_MATRICES: "enterprise"

Or, when running from a source checkout instead of the global npm install:

mcp_servers:
  mitre-attack:
    command: "node"
    args: ["/absolute/path/to/mitre-mcp/dist/index.js"]
    env:
      MITRE_MATRICES: "enterprise"

Then reload MCP from inside a Hermes session:

/reload-mcp

Codex CLI

Codex CLI registers MCP servers via codex mcp add:

codex mcp add mitre-attack \
  --env MITRE_MATRICES=enterprise \
  -- mitre-mcp

Or, when running from a source checkout:

codex mcp add mitre-attack \
  --env MITRE_MATRICES=enterprise \
  -- node /absolute/path/to/mitre-mcp/dist/index.js

Codex writes the entry to ~/.codex/config.toml under [mcp_servers.mitre-attack]. Verify with:

codex mcp list

Standalone

npm run start

Development

npm run dev

Tool Reference

Core ATT&CK Tools (19)

Technique Lookup

| Tool | Description |
|---|---|
| mitre_get_technique | Get full details of a technique by ID (T1059, T1059.001) |
| mitre_search_techniques | Search techniques by keyword, tactic, platform, data source |

Tactic Navigation

| Tool | Description |
|---|---|
| mitre_list_tactics | List all tactics in kill-chain order |
| mitre_get_tactic | Get tactic details with all associated techniques |

Threat Group Intelligence

| Tool | Description |
|---|---|
| mitre_get_group | Get group details including techniques and software used |
| mitre_search_groups | Search groups by keyword or technique usage |
| mitre_list_groups | List all known threat groups |

Software & Malware

| Tool | Description |
|---|---|
| mitre_get_software | Get software details with techniques and associated groups |
| mitre_search_software | Search software by name, technique, or type (malware/tool) |

Mitigation Mapping

| Tool | Description |
|---|---|
| mitre_get_mitigation | Get mitigation details with addressed techniques |
| mitre_mitigations_for_technique | Get all mitigations for a specific technique |
| mitre_search_mitigations | Search mitigations by keyword |

Detection & Data Sources

| Tool | Description |
|---|---|
| mitre_get_datasource | Get data source details with detectable techniques |
| mitre_detection_coverage | Analyze detection coverage based on available data sources |

Mapping & Correlation

| Tool | Description |
|---|---|
| mitre_map_alert_to_technique | Map security alerts to likely ATT&CK techniques |
| mitre_technique_overlap | Find technique overlap between groups for attribution |
| mitre_attack_path | Generate possible attack paths through the kill chain |

Data Management

| Tool | Description |
|---|---|
| mitre_update_data | Force update of the local ATT&CK data cache |
| mitre_data_version | Get current data version and object counts |

Campaign Tools (4)

| Tool | Description |
|---|---|
| mitre_campaign_profile | Build a technique profile with group/software/campaign matching |
| mitre_get_campaign | Get campaign details with techniques, software, and groups |
| mitre_list_campaigns | List all known ATT&CK campaigns |
| mitre_search_campaigns | Search campaigns by keyword or technique |

Navigator Layer Export (1)

| Tool | Description |
|---|---|
| mitre_navigator_layer | Generate ATT&CK Navigator JSON layers (coverage, group, campaign, diff) |

Wazuh Integration (4)

| Tool | Description |
|---|---|
| mitre_wazuh_status | Wazuh manager status, agents, and rule stats |
| mitre_map_wazuh_alert | Map Wazuh alerts to ATT&CK techniques by rule ID/description/groups |
| mitre_wazuh_rule_coverage | Analyze Wazuh rules mapped to ATT&CK techniques |
| mitre_wazuh_alerts | Fetch recent alerts enriched with ATT&CK context |

TheHive Integration (3)

| Tool | Description |
|---|---|
| mitre_thehive_enrich | Enrich a TheHive case with ATT&CK techniques and mitigations |
| mitre_thehive_create_case | Create a case pre-populated with ATT&CK context |
| mitre_thehive_list_cases | List cases with ATT&CK technique filtering |

Cortex Integration (2)

| Tool | Description |
|---|---|
| mitre_cortex_analyzer_coverage | Map Cortex analyzers to ATT&CK data sources |
| mitre_cortex_run_analyzers | Run analyzers on observables with ATT&CK context |

MISP Integration (4)

| Tool | Description |
|---|---|
| mitre_misp_event_to_attack | Map MISP event attributes/galaxies to ATT&CK |
| mitre_misp_search_indicators | Search MISP IOCs by technique or group |
| mitre_misp_create_event | Create events pre-tagged with ATT&CK techniques |
| mitre_misp_list_events | List events with ATT&CK enrichment |

Cross-Stack Correlation (2)

| Tool | Description |
|---|---|
| mitre_soc_status | Connection status for all SOC integrations |
| mitre_cross_correlate | Search for techniques across Wazuh, TheHive, and MISP simultaneously |

Resource Reference

| URI | Description |
|---|---|
| mitre://matrix/enterprise | Full Enterprise ATT&CK matrix (tactics x techniques) |
| mitre://version | Current data version and statistics |
| mitre://tactics | All tactics in kill-chain order |

Prompt Reference

| Prompt | Description |
|---|---|
| map-incident-to-attack | Map incident observables to ATT&CK techniques |
| threat-hunt-plan | Generate a threat hunting plan |
| gap-analysis | Perform detection gap analysis |
| attribution-analysis | Assist with threat attribution |

Examples

Check SOC integration status

Use mitre_soc_status to check which SOC platforms are connected.

Map a Wazuh alert to ATT&CK

Use mitre_map_wazuh_alert with ruleId 5710 and ruleGroups ["sshd", "authentication_failed"]
to find matching ATT&CK techniques.
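The mapping above can be reproduced outside the server. What follows is an added TypeScript example, not code from mitre-mcp: it takes the fields a Wazuh alert actually carries (rule.id, rule.description, rule.groups and the optional rule.mitre.id list that rule authors can set) and returns ATT&CK technique candidates, preferring the rule's own mapping and falling back to group and keyword heuristics that are flagged as such. The hint tables, the 100001/100002 rule IDs and the sample alert contents are constructed for the example; only rule 5710 is a real Wazuh rule.

```typescript
// Added example, not code from mitre-mcp: map one Wazuh alert to ATT&CK techniques.
// Real Wazuh alert JSON carries rule.id, rule.description, rule.groups and, when the
// rule author mapped it, a rule.mitre block with technique IDs. The hint tables and
// the sample alerts below are constructed for this example.
interface WazuhAlert {
  rule: {
    id: string;
    description: string;
    groups: string[];
    mitre?: { id: string[] };
  };
}

interface TechniqueMatch {
  techniqueId: string;
  // "explicit": declared by the rule itself; "heuristic": guessed from groups/keywords
  confidence: "explicit" | "heuristic";
  reason: string;
}

// Rule group -> candidate techniques (constructed, illustrative subset).
const GROUP_HINTS: Record<string, string[]> = {
  sshd: ["T1021.004"],               // Remote Services: SSH
  authentication_failed: ["T1110"],  // Brute Force
  authentication_success: ["T1078"], // Valid Accounts
  sudo: ["T1548.003"],               // Abuse Elevation Control Mechanism: Sudo and Sudo Caching
};

// Lower-cased description keyword -> candidate techniques (constructed).
const KEYWORD_HINTS: Record<string, string[]> = {
  powershell: ["T1059.001"],         // Command and Scripting Interpreter: PowerShell
  "scheduled task": ["T1053.005"],   // Scheduled Task/Job: Scheduled Task
  "new user": ["T1136.001"],         // Create Account: Local Account
};

function mapWazuhAlert(alert: WazuhAlert): TechniqueMatch[] {
  // A mapping declared by the rule is authoritative: return it alone so that
  // heuristic guesses never dilute what the rule author already decided.
  const explicit = alert.rule.mitre?.id ?? [];
  if (explicit.length > 0) {
    return explicit.map((techniqueId): TechniqueMatch => ({
      techniqueId,
      confidence: "explicit",
      reason: `rule ${alert.rule.id} declares mitre.id ${techniqueId}`,
    }));
  }

  const matches: TechniqueMatch[] = [];
  const seen: Record<string, true> = {};
  const add = (techniqueId: string, reason: string): void => {
    if (seen[techniqueId]) return; // first reason wins, no duplicates
    seen[techniqueId] = true;
    matches.push({ techniqueId, confidence: "heuristic", reason });
  };

  for (const group of alert.rule.groups) {
    for (const id of GROUP_HINTS[group] ?? []) add(id, `rule group "${group}"`);
  }
  const text = alert.rule.description.toLowerCase();
  for (const keyword of Object.keys(KEYWORD_HINTS)) {
    if (text.indexOf(keyword) === -1) continue;
    for (const id of KEYWORD_HINTS[keyword] ?? []) add(id, `description contains "${keyword}"`);
  }
  return matches;
}

// Constructed sample alerts, trimmed to the fields used above. The first reuses the
// real Wazuh rule 5710 ("sshd: Attempt to login using a non-existent user"); the
// other two rule IDs and descriptions are made up.
const SAMPLE_ALERTS: WazuhAlert[] = [
  { rule: { id: "5710", description: "sshd: Attempt to login using a non-existent user",
            groups: ["syslog", "sshd", "invalid_login", "authentication_failed"] } },
  { rule: { id: "100001", description: "PowerShell script block logged by custom rule",
            groups: ["windows", "powershell"], mitre: { id: ["T1059.001"] } } },
  { rule: { id: "100002", description: "Log rotation completed", groups: ["ossec"] } },
];

// rule id -> "TXXXX (confidence)" list, one entry per alert
function summarize(alerts: WazuhAlert[]): Record<string, string[]> {
  const out: Record<string, string[]> = {};
  for (const alert of alerts) {
    out[alert.rule.id] = mapWazuhAlert(alert).map((m) => `${m.techniqueId} (${m.confidence})`);
  }
  return out;
}

console.log(JSON.stringify(summarize(SAMPLE_ALERTS), null, 2));
```

Keeping explicit and heuristic results distinguishable matters when the output feeds a case or a Navigator layer: a heuristic hit from a generic group such as authentication_failed is a hypothesis to verify, not evidence that the technique occurred.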

Create an ATT&CK-enriched TheHive case

Use mitre_thehive_create_case with title "Suspected APT28 Activity",
techniques ["T1059.001", "T1566.001", "T1078"] and severity 3
to create a case with ATT&CK context, mitigations, and investigation tasks.

Generate a Navigator coverage layer

Use mitre_navigator_layer with mode "coverage" and
dataSources ["Process", "Network Traffic", "File"]
to generate a heatmap of detection coverage.

Cross-correlate across the SOC stack

Use mitre_cross_correlate with techniques ["T1059.001", "T1566.001"]
to search for related alerts in Wazuh, cases in TheHive, and events in MISP.

Map a MISP event to ATT&CK

Use mitre_misp_event_to_attack with eventId "1"
to extract ATT&CK techniques from MISP galaxies and attributes.

Compare two threat groups

Use mitre_navigator_layer with mode "diff" and
compareGroupIds ["G0007", "G0016"]
to generate a visual comparison of APT28 vs APT29 techniques.
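Both Navigator examples above (coverage mode and diff mode) reduce to scoring techniques and serialising the result in the Navigator layer format. The following is an added TypeScript example, not mitre-mcp's implementation: it scores coverage as the share of a technique's data sources you collect, and colours a two-group diff by membership. The technique-to-data-source index, the group technique subsets for G0007 and G0016, and the ATT&CK and Navigator version strings are constructed assumptions; the layer fields (versions, domain, techniques[].techniqueID/score/color/comment, gradient, legendItems) follow the Navigator layer format.

```typescript
// Added example, not mitre-mcp's own code: score detection coverage from the data
// sources you collect, then emit ATT&CK Navigator layer JSON in two modes (coverage
// heatmap, two-group diff). Technique index, group technique subsets and the version
// strings are constructed assumptions; layer fields follow the Navigator layer format.
interface TechniqueInfo { name: string; dataSources: string[] }

// Constructed subset of an ATT&CK index: technique -> data source names (the part
// before the colon in x_mitre_data_sources, e.g. "Process: Process Creation").
const TECHNIQUES: Record<string, TechniqueInfo> = {
  "T1059.001": { name: "PowerShell", dataSources: ["Command", "Module", "Process", "Script"] },
  "T1566.001": { name: "Spearphishing Attachment", dataSources: ["Application Log", "File", "Network Traffic"] },
  "T1078": { name: "Valid Accounts", dataSources: ["Logon Session", "User Account"] },
  "T1021.004": { name: "SSH", dataSources: ["Logon Session", "Network Traffic", "Process"] },
  "T1110": { name: "Brute Force", dataSources: ["Application Log", "Command", "User Account"] },
};

// Constructed group technique subsets (real group IDs, not their full ATT&CK lists).
const GROUP_TECHNIQUES: Record<string, string[]> = {
  G0007: ["T1059.001", "T1566.001", "T1078", "T1110"],     // APT28
  G0016: ["T1059.001", "T1566.001", "T1078", "T1021.004"], // APT29
};

// Navigator layer format (layer spec 4.5), limited to the fields emitted here.
interface LayerTechnique { techniqueID: string; score: number; color?: string; comment: string; enabled: boolean }
interface NavigatorLayer {
  name: string;
  versions: { attack: string; navigator: string; layer: string };
  domain: string;
  description: string;
  techniques: LayerTechnique[];
  gradient?: { colors: string[]; minValue: number; maxValue: number };
  legendItems?: { label: string; color: string }[];
}

const ATTACK_VERSION = "15"; // assumption: use the version of the bundle you loaded

function baseLayer(name: string, description: string): NavigatorLayer {
  return {
    name, description, domain: "enterprise-attack", techniques: [],
    versions: { attack: ATTACK_VERSION, navigator: "5.0.0", layer: "4.5" }, // versions: assumptions
  };
}

// Coverage = percentage of a technique's data sources that you actually collect.
// 0 means nothing you collect can observe this technique at all.
function coverageScore(technique: TechniqueInfo, available: string[]): number {
  const have = technique.dataSources.filter((ds) => available.indexOf(ds) !== -1).length;
  return technique.dataSources.length === 0 ? 0 : Math.round((100 * have) / technique.dataSources.length);
}

function coverageLayer(available: string[]): NavigatorLayer {
  const layer = baseLayer("Detection coverage", `Data sources: ${available.join(", ")}`);
  layer.gradient = { colors: ["#ff6666", "#ffe766", "#8ec843"], minValue: 0, maxValue: 100 };
  for (const id of Object.keys(TECHNIQUES)) {
    const info = TECHNIQUES[id]!;
    const missing = info.dataSources.filter((ds) => available.indexOf(ds) === -1);
    layer.techniques.push({
      techniqueID: id, score: coverageScore(info, available), enabled: true,
      comment: missing.length > 0 ? `missing: ${missing.join(", ")}` : "fully covered",
    });
  }
  return layer;
}

// Diff: colour each technique by whether it is used by A only, B only, or both.
function diffLayer(groupA: string, groupB: string): NavigatorLayer {
  const a = GROUP_TECHNIQUES[groupA] ?? [];
  const b = GROUP_TECHNIQUES[groupB] ?? [];
  const palette = { onlyA: "#e41a1c", onlyB: "#377eb8", both: "#984ea3" };
  const layer = baseLayer(`${groupA} vs ${groupB}`, "Technique overlap for attribution");
  layer.legendItems = [
    { label: `only ${groupA}`, color: palette.onlyA },
    { label: `only ${groupB}`, color: palette.onlyB },
    { label: "both", color: palette.both },
  ];
  const union: string[] = [];
  for (const id of a.concat(b)) if (union.indexOf(id) === -1) union.push(id);
  for (const id of union.sort()) {
    const inA = a.indexOf(id) !== -1;
    const inB = b.indexOf(id) !== -1;
    const kind = inA && inB ? "both" : inA ? "onlyA" : "onlyB";
    layer.techniques.push({
      techniqueID: id, score: kind === "both" ? 2 : 1, color: palette[kind], enabled: true,
      comment: kind === "both" ? "both" : `only ${inA ? groupA : groupB}`,
    });
  }
  return layer;
}

console.log(JSON.stringify(coverageLayer(["Process", "Network Traffic", "File"]), null, 2));
console.log(JSON.stringify(diffLayer("G0007", "G0016"), null, 2));
```

A technique scored 0 in the coverage layer is one where none of its ATT&CK data sources are collected, which is the gap list for the detection engineering backlog; a 67 only means two of three data sources exist, not that a detection is written against them.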

Testing

npm test            # Run all tests
npm run test:watch  # Watch mode
npm run lint        # Type check

Project Structure

mitre-mcp/
  src/
    index.ts              # MCP server entry point
    config.ts             # Environment config (core + SOC)
    types.ts              # STIX/ATT&CK type definitions
    resources.ts          # MCP resources
    prompts.ts            # MCP prompts
    data/
      loader.ts           # STIX bundle downloader and cache manager
      parser.ts           # STIX 2.1 JSON parser (incl. campaigns)
      index.ts            # Indexed, queryable ATT&CK data store
    tools/
      techniques.ts       # Technique lookup and search
      tactics.ts          # Tactic navigation
      groups.ts           # Threat group intelligence
      software.ts         # Software/malware lookup
      mitigations.ts      # Mitigation mapping
      datasources.ts      # Data source and detection coverage
      mapping.ts          # Alert-to-technique mapping and correlation
      campaigns.ts        # Campaign analysis and attribution
      navigator.ts        # ATT&CK Navigator layer generation
      management.ts       # Data update management
    soc/
      client.ts           # HTTP clients for Wazuh, TheHive, Cortex, MISP
      wazuh.ts            # Wazuh alert mapping and rule coverage
      thehive.ts          # TheHive case enrichment and creation
      cortex.ts           # Cortex analyzer coverage mapping
      misp.ts             # MISP event/IOC management
      correlation.ts      # Cross-stack ATT&CK correlation
      index.ts            # SOC module barrel export
  tests/
    parser.test.ts        # STIX parser tests
    tools.test.ts         # Data store query tests
    mapping.test.ts       # Mapping and correlation tests
  package.json
  tsconfig.json
  tsup.config.ts
  vitest.config.ts
  README.md

Data Sources

ATT&CK data is sourced from the official MITRE STIX 2.1 bundles:

  • Enterprise ATT&CK: Windows, Linux, macOS, Cloud, Network, Containers
  • Mobile ATT&CK: Android and iOS
  • ICS ATT&CK: Industrial control systems

Data is downloaded on first run and cached locally. Set MITRE_UPDATE_INTERVAL to control how often the server checks for updates.
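The STIX bundles described above are flat arrays of objects, so the useful work is filtering and cross-referencing them. The following is an added TypeScript example, not the project's own parser: it extracts ATT&CK IDs from external_references, tactics from kill_chain_phases, data sources from x_mitre_data_sources, skips revoked and deprecated objects, and resolves intrusion-set "uses" attack-pattern relationships into per-group technique lists. The miniature bundle with placeholder UUIDs and the retired T9999 entry are constructed for the example.

```typescript
// Added example, not mitre-mcp's own parser: build an ATT&CK index from a STIX 2.1
// bundle. The bundle below is a constructed miniature with placeholder UUIDs; the
// object shapes (attack-pattern, intrusion-set, relationship, external_references,
// kill_chain_phases, x_mitre_* extension fields) follow the real MITRE bundles.
interface StixObject {
  type: string; id: string; name?: string;
  revoked?: boolean; x_mitre_deprecated?: boolean; x_mitre_is_subtechnique?: boolean;
  x_mitre_data_sources?: string[];
  external_references?: { source_name: string; external_id?: string }[];
  kill_chain_phases?: { kill_chain_name: string; phase_name: string }[];
  relationship_type?: string; source_ref?: string; target_ref?: string;
}
interface StixBundle { type: "bundle"; id: string; objects: StixObject[] }

interface Technique { id: string; name: string; tactics: string[]; isSubtechnique: boolean; dataSources: string[] }
interface Group { id: string; name: string; techniques: string[] }
interface AttackIndex { techniques: Record<string, Technique>; groups: Record<string, Group> }

// The ATT&CK ID (T1059.001, G0007, ...) is the external_id of the reference whose
// source_name is "mitre-attack"; the STIX id is an opaque UUID used only for refs.
function attackId(obj: StixObject): string | undefined {
  for (const ref of obj.external_references ?? []) {
    if (ref.source_name === "mitre-attack" && ref.external_id) return ref.external_id;
  }
  return undefined;
}

// Revoked and deprecated objects remain in the bundle for history; skipping them
// keeps stale techniques out of lookups and out of relationship resolution.
function isActive(obj: StixObject): boolean {
  return obj.revoked !== true && obj.x_mitre_deprecated !== true;
}

function parseBundle(bundle: StixBundle): AttackIndex {
  const techniques: Record<string, Technique> = {};
  const groups: Record<string, Group> = {};
  const byStixId: Record<string, string> = {}; // STIX id -> ATT&CK id, active objects only

  for (const obj of bundle.objects) {
    if (!isActive(obj)) continue;
    const id = attackId(obj);
    if (!id) continue;
    if (obj.type === "attack-pattern") {
      const dataSources: string[] = [];
      for (const ds of obj.x_mitre_data_sources ?? []) {
        const name = ds.split(":")[0]!.trim(); // "Process: Process Creation" -> "Process"
        if (dataSources.indexOf(name) === -1) dataSources.push(name);
      }
      techniques[id] = {
        id,
        name: obj.name ?? "",
        tactics: (obj.kill_chain_phases ?? [])
          .filter((p) => p.kill_chain_name === "mitre-attack")
          .map((p) => p.phase_name),
        isSubtechnique: obj.x_mitre_is_subtechnique === true,
        dataSources,
      };
      byStixId[obj.id] = id;
    } else if (obj.type === "intrusion-set") {
      groups[id] = { id, name: obj.name ?? "", techniques: [] };
      byStixId[obj.id] = id;
    }
  }

  // Second pass: group -> technique "uses" relationships. A relationship whose
  // endpoint was skipped above (revoked/deprecated) is dropped with it.
  for (const obj of bundle.objects) {
    if (obj.type !== "relationship" || obj.relationship_type !== "uses" || !isActive(obj)) continue;
    const group = groups[byStixId[obj.source_ref ?? ""] ?? ""];
    const techniqueId = byStixId[obj.target_ref ?? ""];
    if (group && techniqueId && techniques[techniqueId]) group.techniques.push(techniqueId);
  }
  return { techniques, groups };
}

// Constructed miniature bundle with placeholder UUIDs; T9999 is not a real technique.
const sid = (kind: string, n: string): string => `${kind}--00000000-0000-4000-8000-0000000000${n}`;
const SAMPLE_BUNDLE: StixBundle = {
  type: "bundle", id: sid("bundle", "00"),
  objects: [
    { type: "attack-pattern", id: sid("attack-pattern", "01"), name: "PowerShell", x_mitre_is_subtechnique: true,
      x_mitre_data_sources: ["Command: Command Execution", "Process: Process Creation", "Script: Script Execution"],
      kill_chain_phases: [{ kill_chain_name: "mitre-attack", phase_name: "execution" }],
      external_references: [{ source_name: "mitre-attack", external_id: "T1059.001" }] },
    { type: "attack-pattern", id: sid("attack-pattern", "02"), name: "Valid Accounts",
      x_mitre_data_sources: ["Logon Session: Logon Session Creation", "User Account: User Account Authentication"],
      kill_chain_phases: [{ kill_chain_name: "mitre-attack", phase_name: "persistence" },
                          { kill_chain_name: "mitre-attack", phase_name: "defense-evasion" }],
      external_references: [{ source_name: "mitre-attack", external_id: "T1078" }] },
    { type: "attack-pattern", id: sid("attack-pattern", "03"), name: "Retired technique", revoked: true,
      external_references: [{ source_name: "mitre-attack", external_id: "T9999" }] },
    { type: "intrusion-set", id: sid("intrusion-set", "10"), name: "APT28",
      external_references: [{ source_name: "mitre-attack", external_id: "G0007" }] },
    { type: "relationship", id: sid("relationship", "20"), relationship_type: "uses",
      source_ref: sid("intrusion-set", "10"), target_ref: sid("attack-pattern", "01") },
    { type: "relationship", id: sid("relationship", "21"), relationship_type: "uses",
      source_ref: sid("intrusion-set", "10"), target_ref: sid("attack-pattern", "03") }, // -> revoked, dropped
  ],
};

const INDEX = parseBundle(SAMPLE_BUNDLE);
console.log(Object.keys(INDEX.techniques), INDEX.groups["G0007"]);
```

Skipping revoked objects before resolving relationships is the detail that matters: MITRE keeps revoked techniques in the bundle (linked to their replacement by a revoked-by relationship), and a parser that follows every "uses" edge without that check attributes retired IDs to groups.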

License

MIT
