mitre-mcp: MITRE ATT&CK MCP Server by Montimage - MCP Server

mitre-mcp: MITRE ATT&CK MCP Server

Production-ready Model Context Protocol (MCP) server that exposes the MITRE ATT&CK framework to LLMs, MCP clients, and automation workflows using the mitreattack-python library and the official MCP Python SDK.

Available in the MCP Registry (search for io.github.luongnv89/mitre-mcp) for easy discoverability. Install via PyPI (see Quick Start).

Highlights

LLM-native experience – ships with MCP tools, resources, and inspector support for Claude, Windsurf, Cursor, and any client that speaks MCP.
Secure-by-default – validated inputs, TLS verification, disk-space checks, and structured error handling prevent common misuse.
Fast responses – enterprise technique lookups leverage O(1) indices (80–95% faster) and cached STIX bundles to minimize latency.
Flexible transports – run over stdio for local co-pilots or enable the built-in HTTP/JSON-RPC server with a single flag.

Introduction
Quick Start
MCP Server & LLM Support
Available MCP Tools
Features
Available Playbooks
Usage via MCP Client
HTTP Server Mode
Data Caching
Performance Benchmarks
Configuration Reference
Usage via API (Python)
Resources
MCP Server Configuration
Development
Troubleshooting
FAQ
License
About Montimage

Introduction

About Montimage

Montimage is a cybersecurity company specializing in network monitoring, security analysis, and AI-driven threat detection solutions. We develop innovative tools that help organizations protect their digital assets and ensure the security of their networks. The mitre-mcp server is part of our suite of security tools designed to enhance threat intelligence capabilities.

MITRE ATT&CK Framework

The MITRE ATT&CK® framework is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. It provides a common language for describing cyber adversary behavior and helps security professionals understand attack methodologies, improve defensive capabilities, and assess organizational risk.

Key components of the framework include:

Techniques: Specific methods used by adversaries to achieve tactical goals
Tactics: Categories representing the adversary's tactical goals during an attack
Groups: Known threat actors and their associated techniques
Software: Malware and tools used by threat actors
Mitigations: Security measures to counter specific techniques

Objective of the MCP Server

The mitre-mcp server bridges the gap between the MITRE ATT&CK knowledge base and AI-driven workflows by providing a Model Context Protocol (MCP) interface. This enables Large Language Models (LLMs) and other AI systems to directly query and utilize MITRE ATT&CK data for threat intelligence, security analysis, and defensive planning.

Key objectives include:

Providing seamless access to MITRE ATT&CK data for AI assistants and LLMs
Enabling real-time threat intelligence lookups during security conversations
Supporting security professionals in understanding attack techniques and appropriate mitigations
Facilitating threat modeling and security analysis workflows

MCP Server & LLM Support

mitre-mcp is designed for seamless integration with Model Context Protocol (MCP) compatible clients (e.g., Claude, Windsurf, Cursor) for real-time MITRE ATT&CK framework lookups in LLM workflows.

Available MCP Tools

Tool Name	Description
`get_techniques`	Get all techniques from the MITRE ATT&CK framework. Supports filtering by domain and includes options for subtechniques and handling revoked/deprecated items.
`get_tactics`	Get all tactics from the MITRE ATT&CK framework. Returns tactical categories that techniques are organized into.
`get_groups`	Get all threat groups from the MITRE ATT&CK framework. These are known threat actors and APT groups.
`get_software`	Get all software from the MITRE ATT&CK framework. Can filter by software type (malware, tool) and domain.
`get_techniques_by_tactic`	Get techniques associated with a specific tactic (e.g., 'defense-evasion', 'persistence').
`get_techniques_used_by_group`	Get techniques used by a specific threat group (e.g., 'APT29', 'Lazarus Group').
`get_mitigations`	Get all mitigations from the MITRE ATT&CK framework. These are security measures to counter techniques.
`get_techniques_mitigated_by_mitigation`	Get techniques that can be mitigated by a specific mitigation strategy.
`get_technique_by_id`	Look up a specific technique by its MITRE ATT&CK ID (e.g., 'T1055' for Process Injection).

Features

Comprehensive MITRE ATT&CK Coverage - Access to all techniques, tactics, groups, software, and mitigations
Multi-Domain Support - Enterprise, Mobile, and ICS ATT&CK domains
Intelligent Caching - Automatic caching with configurable expiry (default: 24 hours)
Performance Optimized - O(1) lookups using pre-built indices (80-95% faster)
Dual Transport Modes - stdio for local clients, HTTP for web-based integrations
CORS-Enabled HTTP Server - Support for async notifications and cross-origin requests
Comprehensive Testing - 114 tests with 66% code coverage
Pre-commit Quality Checks - Automated formatting, linting, type checking, and security scanning
Input Validation - Secure-by-default with validated inputs and sanitized responses
Python API - Easy integration into Python applications
CLI Interface - Command-line tool for direct usage

Quick Start

Installation

Install from PyPI and bring the MCP server online in minutes:

Create and activate a virtual environment (recommended):

python3 -m venv .venv
source .venv/bin/activate  # On Windows: .venv\Scripts\activate.bat

Install the package:

pip install mitre-mcp

After installing mitre-mcp, you should be able to execute the following command:

mitre-mcp --help

Expected output

(.venv) root@5ded11443fe0:/test_mitre_mcp# mitre-mcp --help
MITRE ATT&CK MCP Server
Usage: mitre-mcp [options]

Options:
  --http               Run as HTTP server with streamable HTTP transport
  --host HOST          Host to bind to (default: localhost, only with --http)
  --port PORT          Port to bind to (default: 8000, only with --http)
  --force-download     Force download of MITRE ATT&CK data even if it's recent
  -h, --help           Show this help message and exit

Start the MCP server with stdio transport (for direct integration with clients):

mitre-mcp

Expected result

(.venv) root@5ded11443fe0:/test_mitre_mcp# mitre-mcp
2025-11-17 22:37:37,087 - mitre_mcp.mitre_mcp_server - INFO - Starting MITRE ATT&CK MCP Server (stdio mode)
2025-11-17 22:37:37,087 - mitre_mcp.mitre_mcp_server - INFO - Press Ctrl+C to stop the server
2025-11-17 22:37:37,091 - mitre_mcp.mitre_mcp_server - INFO - Using data directory: /test_mitre_mcp/.venv/lib/python3.10/site-packages/mitre_mcp/data
2025-11-17 22:37:37,091 - mitre_mcp.mitre_mcp_server - WARNING - Invalid or missing metadata file: [Errno 2] No such file or directory: '/test_mitre_mcp/.venv/lib/python3.10/site-packages/mitre_mcp/data/metadata.json'
2025-11-17 22:37:37,091 - mitre_mcp.mitre_mcp_server - INFO - Disk space check passed: 16458.0MB available (200MB required)
2025-11-17 22:37:37,091 - mitre_mcp.mitre_mcp_server - INFO - Downloading MITRE ATT&CK data in parallel...
2025-11-17 22:37:37,131 - mitre_mcp.mitre_mcp_server - INFO - Downloading Enterprise ATT&CK data...
2025-11-17 22:37:37,132 - mitre_mcp.mitre_mcp_server - INFO - Downloading Mobile ATT&CK data...
2025-11-17 22:37:37,132 - mitre_mcp.mitre_mcp_server - INFO - Downloading Ics ATT&CK data...
2025-11-17 22:37:37,272 - httpx - INFO - HTTP Request: GET https://raw.githubusercontent.com/mitre/cti/master/mobile-attack/mobile-attack.json "HTTP/1.1 200 OK"
2025-11-17 22:37:37,279 - httpx - INFO - HTTP Request: GET https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json "HTTP/1.1 200 OK"
2025-11-17 22:37:37,281 - httpx - INFO - HTTP Request: GET https://raw.githubusercontent.com/mitre/cti/master/ics-attack/ics-attack.json "HTTP/1.1 200 OK"
2025-11-17 22:37:37,348 - mitre_mcp.mitre_mcp_server - INFO - Validated ics STIX bundle: 1825 objects
2025-11-17 22:37:37,381 - mitre_mcp.mitre_mcp_server - INFO - Downloaded ics: 1825 objects
2025-11-17 22:37:37,401 - mitre_mcp.mitre_mcp_server - INFO - Validated mobile STIX bundle: 2535 objects
2025-11-17 22:37:37,447 - mitre_mcp.mitre_mcp_server - INFO - Downloaded mobile: 2535 objects
2025-11-17 22:37:37,853 - mitre_mcp.mitre_mcp_server - INFO - Validated enterprise STIX bundle: 24771 objects
2025-11-17 22:37:38,291 - mitre_mcp.mitre_mcp_server - INFO - Downloaded enterprise: 24771 objects
2025-11-17 22:37:38,302 - mitre_mcp.mitre_mcp_server - INFO - MITRE ATT&CK data downloaded successfully.
2025-11-17 22:37:38,302 - mitre_mcp.mitre_mcp_server - INFO - Initializing MITRE ATT&CK data...
2025-11-17 22:37:41,898 - mitre_mcp.mitre_mcp_server - INFO - MITRE ATT&CK data initialized successfully.
2025-11-17 22:37:41,898 - mitre_mcp.mitre_mcp_server - INFO - Building lookup indices...
2025-11-17 22:37:41,924 - mitre_mcp.mitre_mcp_server - INFO - Built group index: 580 entries for 187 groups
2025-11-17 22:37:41,949 - mitre_mcp.mitre_mcp_server - INFO - Built mitigation index: 268 entries for 268 mitigations
2025-11-17 22:37:41,975 - mitre_mcp.mitre_mcp_server - INFO - Built technique index: 835 entries for 835 techniques
2025-11-17 22:37:41,976 - mitre_mcp.mitre_mcp_server - INFO - Lookup indices built successfully.
2025-11-17 22:37:41,976 - mitre_mcp.mitre_mcp_server - INFO -
======================================================================
MITRE ATT&CK MCP Server is ready (stdio mode)

Add this to your MCP client configuration:
{
  "mcpServers": {
    "mitreattack": {
      "command": "/test_mitre_mcp/.venv/bin/python3",
      "args": [
        "-m",
        "mitre_mcp.mitre_mcp_server"
      ]
    }
  }
}
======================================================================

======================================================================
MITRE ATT&CK MCP Server is ready (stdio mode)

Add this to your MCP client configuration:
{
  "mcpServers": {
    "mitreattack": {
      "command": "/test_mitre_mcp/.venv/bin/python3",
      "args": [
        "-m",
        "mitre_mcp.mitre_mcp_server"
      ]
    }
  }
}
======================================================================

Add to a MCP Client

At the end of the log, you should see the real configuration, just copy - paste into your favorite mcp client. For example for the above server:

{
  "mcpServers": {
    "mitreattack": {
      "command": "/test_mitre_mcp/.venv/bin/python3",
      "args": ["-m", "mitre_mcp.mitre_mcp_server"]
    }
  }
}

Or start the MCP server as an HTTP server:

mitre-mcp --http

Expected result

(.venv) root@5ded11443fe0:/test_mitre_mcp# mitre-mcp --http --host 0.0.0.0 --port 8088
2025-11-17 22:40:10,991 - mitre_mcp.mitre_mcp_server - INFO - Starting MITRE ATT&CK MCP Server (HTTP mode on 0.0.0.0:8088)
2025-11-17 22:40:10,991 - mitre_mcp.mitre_mcp_server - INFO - Press Ctrl+C to stop the server

======================================================================
MCP Client Configuration (Streamable HTTP Transport)
Server URL: http://0.0.0.0:8088
MCP Endpoint: http://0.0.0.0:8088/mcp

Add this to your MCP client configuration:
{
  "mcpServers": {
    "mitreattack": {
      "url": "http://0.0.0.0:8088/mcp"
    }
  }
}
======================================================================

2025-11-17 22:40:10,992 - mitre_mcp.mitre_mcp_server - INFO - CORS middleware enabled for async notifications
INFO:     Started server process [3172]
INFO:     Waiting for application startup.
2025-11-17 22:40:11,005 - mcp.server.streamable_http_manager - INFO - StreamableHTTP session manager started
INFO:     Application startup complete.
INFO:     Uvicorn running on http://0.0.0.0:8088 (Press CTRL+C to quit)

Add to a MCP Client

At the end of the log, you should see the real configuration, just copy - paste into your favorite mcp client. For example for the above server:

"mitreattack": {
      "url": "http://0.0.0.0:8088/mcp"
    }

Note that the address 0.0.0.0 should be the public address of the machine in which you start the server.

Screenshots of adding mitre-mcp in VSCode

Configure mcp server

Configure

Make a query and see the Github Copilot request to call tools from mitre-mcp

Tool call

The LLM show the final result with the information collected from mitre-mcp

Result

Use the --force-download option to force a fresh download of MITRE ATT&CK data:

mitre-mcp --force-download

Available Playbooks

We provide two playbooks to help you get started with mitre-mcp, tailored to different experience levels:

1. Beginner's Guide

For those new to MITRE ATT&CK or cybersecurity, check out our . This guide uses simple language and practical examples to help you understand and use MITRE ATT&CK concepts.

Ideal for:

Non-technical users
Security awareness training
Basic threat intelligence
General cybersecurity education

2. Advanced Playbook

For security professionals and technical users, our provides in-depth examples and command-line usage for leveraging mitre-mcp's full capabilities.

Ideal for:

Security analysts
Threat hunters
Incident responders
Security engineers

Usage via MCP Client

To run mitre-mcp as an MCP server for AI-driven clients (e.g., Claude, Windsurf, Cursor):

Create a virtual environment:

python3 -m venv .venv

Activate the virtual environment:

source .venv/bin/activate  # On Windows: .venv\Scripts\activate.bat

Install mitre-mcp:

pip install mitre-mcp

Configure your MCP client (e.g., Claude, Windsurf, Cursor) with:

{
  "mcpServers": {
    "mitreattack": {
      "command": "/absolute/path/to/.venv/bin/python",
      "args": ["-m", "mitre_mcp_server"]
    }
  }
}

Important:

Use the absolute path to the Python executable in your virtual environment.
For Windows, the path might look like: C:\path\to\.venv\Scripts\python.exe

The mitre-mcp tools should now be available in your MCP client.

HTTP Server Mode

When running in HTTP mode with mitre-mcp --http, the server provides:

MCP Endpoint at http://localhost:8000/mcp for streamable HTTP transport
CORS Support - Enabled by default for async notifications and cross-origin requests
Configurable Host/Port - Use --host and --port flags to customize binding

Starting the HTTP server:

# Default (localhost:8000)
mitre-mcp --http

# Custom host and port
mitre-mcp --http --host 127.0.0.1 --port 8080

MCP Client Configuration:

{
  "mcpServers": {
    "mitreattack": {
      "url": "http://localhost:8000/mcp"
    }
  }
}

HTTP mode is useful for:

Integration with web-based MCP clients
Async notifications support
Multiple clients connecting to the same server instance
Network-based integrations where stdio isn't practical
Development and debugging with proper CORS support

Data Caching

The server automatically caches MITRE ATT&CK data in a data/ folder to improve performance and reduce unnecessary downloads. The caching behavior works as follows:

On first run, the server downloads the latest MITRE ATT&CK data and stores it in the data/ folder
On subsequent runs, the server checks if the cached data is less than 1 day old
- If the data is recent (less than 1 day old), it uses the cached data
- If the data is older than 1 day, it automatically downloads fresh data
You can force a fresh download regardless of the cache age using the --force-download option

Performance Benchmarks

Scenario	Observed Improvement	Notes
Enterprise technique lookup	80–95% faster	Uses pre-built O(1) indices for groups, mitigations, and techniques during server startup.
ATT&CK data downloads	20–40% faster	HTTP connection pooling reuses TLS sessions across requests; configurable timeout prevents hangs.
Warm cache startup	<2s cold start	Cached bundles younger than 24h are reused, so LLM prompts can query the framework almost instantly.

Benchmarks were collected on macOS 14 / Apple M3 Pro with Python 3.11. Performance varies with disk speed and network conditions; rerun with MITRE_LOG_LEVEL=DEBUG to view timing logs.

Configuration Reference

Set any of the following environment variables before starting mitre-mcp to customize behavior (see mitre_mcp/config.py for validation logic):

Variable	Default	Purpose
`MITRE_ENTERPRISE_URL`, `MITRE_MOBILE_URL`, `MITRE_ICS_URL`	Official MITRE CTI GitHub URLs	Override ATT&CK bundle locations or point to an internal mirror.
`MITRE_DATA_DIR`	`mitre_mcp/data`	Store cached bundles in a custom directory (useful for shared volumes or read-only installs).
`MITRE_DOWNLOAD_TIMEOUT`	`30`	HTTP timeout in seconds for bundle downloads.
`MITRE_CACHE_EXPIRY_DAYS`	`1`	Maximum age before cached data is refreshed.
`MITRE_REQUIRED_SPACE_MB`	`200`	Disk space threshold checked before downloading data.
`MITRE_DEFAULT_PAGE_SIZE` / `MITRE_MAX_PAGE_SIZE`	`20` / `1000`	Default and maximum number of records returned by list-style tools.
`MITRE_MAX_DESC_LENGTH`	`500`	Trimmed description length in formatted responses.
`MITRE_LOG_LEVEL`	`INFO`	Logging verbosity (`DEBUG`, `INFO`, `WARNING`, etc.).

Usage via API (Python)

Create and activate a virtual environment (recommended):

python3 -m venv .venv
source .venv/bin/activate  # On Windows: .venv\Scripts\activate.bat

Install in your project:

pip install mitre-mcp

Import and use the MCP client:

from mcp.client.client import Client
from mcp.client.transports import StdioTransport

async with Client(transport=StdioTransport("mitre-mcp")) as client:
    # Get all tactics
    tactics = await client.call_tool("get_tactics", {
        "domain": "enterprise-attack"
    })

    # Get techniques used by a specific group
    group_techniques = await client.call_tool("get_techniques_used_by_group", {
        "group_name": "APT29",
        "domain": "enterprise-attack"
    })

    # Access a resource
    server_info = await client.read_resource("mitre-attack://info")

Resources

The server provides the following resources:

mitre-attack://info

Get information about the MITRE ATT&CK MCP server, including available domains and tools.

MCP Server Configuration

You can add this MCP server to any MCP client by including it in the client's configuration.

First, install the package from PyPI:

pip install mitre-mcp

Then add to your MCP client configuration:

{
  "mcpServers": {
    "mitreattack": {
      "command": "/absolute/path/to/.venv/bin/python",
      "args": ["-m", "mitre_mcp_server"]
    }
  }
}

Important:

Use the absolute path to the Python executable in your virtual environment.
For Windows, the path might look like: C:\path\to\.venv\Scripts\python.exe

Claude Desktop Integration

To integrate with Claude Desktop, add the server to your Claude Desktop configuration file located at:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude Desktop\config.json
Linux: ~/.config/Claude Desktop/config.json

macOS automation script

Run the helper script to provision a dedicated virtualenv and update the Claude config automatically:

python scripts/install_claude_mitre_mcp.py

What it does:

Creates (or reuses) a virtualenv at ~/.mitre-mcp-claude
Installs the current repository in editable mode inside that environment
Installs/validates the official MCP SDK (mcp[cli]) so mcp.server.fastmcp is always available
Adds an mcpServers.mitreattack entry pointing at that interpreter in ~/Library/Application Support/Claude/claude_desktop_config.json

Optional flags:

--venv /custom/path – override the virtualenv location
--config /custom/config.json – override the Claude config path

After the script finishes, restart Claude Desktop and start the MCP server from that environment (~/.mitre-mcp-claude/bin/mitre-mcp --force-download the first time to warm the cache).

Development

Clone the repository and install in development mode:

git clone https://github.com/montimage/mitre-mcp.git
cd mitre-mcp
python -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"

Install & Test from Source

Follow this workflow when you need to modify the codebase and validate the changes locally:

Clone and create a clean environment

git clone https://github.com/montimage/mitre-mcp.git
cd mitre-mcp
python -m venv .venv
source .venv/bin/activate  # Windows: .venv\Scripts\activate.bat

Install dependencies in editable mode
```
pip install -e ".[dev]"
```
This pulls in mitre-mcp plus developer tooling (pytest, coverage, lint, etc.).
Install pre-commit hooks
```
pre-commit install
```
This sets up automatic code quality checks that run before each commit.
Run the server from source
```
mitre-mcp --force-download
```
Confirm the prompt prints cache/download logs, then connect your MCP client to this working tree (the console script points at your editable install).

Modify the source files under mitre_mcp/ (or add tests in tests/), then rerun:

pytest                      # full test suite with coverage
pre-commit run --all-files  # run all quality checks

Iterate quickly by leaving the virtualenv active; every edit is picked up immediately because of the editable install (-e). When satisfied, run pip install -e . again to ensure entry points are updated and commit your changes.

Code Quality Tools

The project uses pre-commit hooks for automated code quality checks:

Formatting:

black - Python code formatter
isort - Import statement organizer
prettier - YAML/JSON/Markdown formatter

Linting & Type Checking:

flake8 - Python linter with plugins (bugbear, comprehensions, simplify)
mypy - Static type checker
pyupgrade - Automatic Python syntax upgrades
pydocstyle - Docstring style checker

Security & Validation:

bandit - Security vulnerability scanner
File validators - YAML, JSON, TOML, detect private keys, etc.

Testing:

pytest - Automatically runs all 114 tests before commit
Installation test - Verifies package can be installed
Import verification - Ensures all modules are importable
CLI test - Validates command-line entry point

Run quality checks manually:

pre-commit run --all-files  # Run all hooks
pre-commit run pytest       # Run only tests
black mitre_mcp/           # Format code
pytest tests/              # Run test suite

Troubleshooting

Download fails with "Insufficient disk space" – Free at least MITRE_REQUIRED_SPACE_MB (default 200 MB) in the data directory or move the cache by setting MITRE_DATA_DIR=/path/to/storage.
Data never updates – Cached bundles older than MITRE_CACHE_EXPIRY_DAYS refresh automatically, but you can run mitre-mcp --force-download or delete the data/ folder to fetch a clean copy immediately.
Tool calls return {"error": ...} – Ensure technique IDs follow the T#### or T####.### format and that names/tactics are under 100 characters; the validator sanitizes other inputs for safety.
MCP client cannot discover the server – Confirm the client configuration points to your venv’s Python, then run mitre-mcp manually and call read_resource("mitre-attack://info") to verify connectivity before re-enabling automations.
Claude log shows ModuleNotFoundError: mcp.server.fastmcp – Run the helper script again or execute pip install "mcp[cli]" inside the environment referenced by Claude (e.g., ~/.mitre-mcp-claude/bin/python -m pip install "mcp[cli]") so the MCP SDK is available.

FAQ

Does mitre-mcp work offline? Yes. Once the bundles are cached locally, the server can answer queries without an internet connection until the cache expires.
Which Python versions are supported? Python 3.10 through 3.14 (see pyproject.toml). Older versions are not tested and might miss async dependencies.
How often is data refreshed? By default every 24 hours. Adjust MITRE_CACHE_EXPIRY_DAYS or manually refresh with --force-download.
Is HTTP mode safe for production? HTTP mode serves JSON-RPC over localhost:8000 by default. Keep it behind a firewall or reverse proxy if exposing it beyond your workstation.

License

MIT

About Montimage

mitre-mcp is developed and maintained by Montimage, a company specializing in cybersecurity and network monitoring solutions. Montimage provides innovative security tools and services to help organizations protect their digital assets and ensure the security of their networks.

For questions or support, please contact us at luong.nguyen@montimage.eu.

Montimage/mitre-mcp