
mitre-mcp

Active

MCP server for the MITRE ATT&CK knowledge base.

WHAT IT DOES

mitre-mcp is a Model Context Protocol server that gives an AI client comprehensive access to the MITRE ATT&CK knowledge base. Look up techniques and tactics, map alerts to ATT&CK, analyze detection coverage, profile campaigns, and generate ATT&CK Navigator layers.

It exposes 39 tools, 3 resources, and 4 prompts, with optional SOC integration that correlates techniques across Wazuh, TheHive, Cortex, and MISP simultaneously. ATT&CK data is sourced from the official STIX 2.1 bundles (Enterprise, Mobile, and ICS), cached locally, and so works offline after the first download.
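To make concrete what "sourced from the official STIX 2.1 bundles", "detection coverage" and "Navigator layers" mean in practice, here is an added illustration in Node.js. It is not mitre-mcp's own code: it parses a constructed excerpt shaped like the enterprise-attack STIX bundle (attack-pattern objects with a mitre-attack external_id and kill_chain_phases), drops revoked or deprecated entries, counts how many constructed detection rules map to each technique, and emits an ATT&CK Navigator layer scoring coverage. The bundle, rule list and version strings are all constructed sample data.

```javascript
// Added illustration (not mitre-mcp's own code): STIX 2.1 ATT&CK bundle ->
// technique index -> detection coverage -> ATT&CK Navigator layer.
// All data below is constructed sample input, not the real bundle.

// Constructed excerpt in the shape of the official enterprise-attack bundle.
const sampleBundle = {
  type: 'bundle',
  id: 'bundle--00000000-0000-4000-8000-000000000001',
  objects: [
    { type: 'attack-pattern', id: 'attack-pattern--00000000-0000-4000-8000-000000000010',
      name: 'Command and Scripting Interpreter',
      external_references: [{ source_name: 'mitre-attack', external_id: 'T1059' }],
      kill_chain_phases: [{ kill_chain_name: 'mitre-attack', phase_name: 'execution' }] },
    { type: 'attack-pattern', id: 'attack-pattern--00000000-0000-4000-8000-000000000011',
      name: 'PowerShell', x_mitre_is_subtechnique: true,
      external_references: [{ source_name: 'mitre-attack', external_id: 'T1059.001' }],
      kill_chain_phases: [{ kill_chain_name: 'mitre-attack', phase_name: 'execution' }] },
    { type: 'attack-pattern', id: 'attack-pattern--00000000-0000-4000-8000-000000000012',
      name: 'Valid Accounts',
      external_references: [{ source_name: 'mitre-attack', external_id: 'T1078' }],
      kill_chain_phases: [
        { kill_chain_name: 'mitre-attack', phase_name: 'defense-evasion' },
        { kill_chain_name: 'mitre-attack', phase_name: 'persistence' },
        { kill_chain_name: 'mitre-attack', phase_name: 'privilege-escalation' },
        { kill_chain_name: 'mitre-attack', phase_name: 'initial-access' }] },
    { type: 'attack-pattern', id: 'attack-pattern--00000000-0000-4000-8000-000000000013',
      name: 'Phishing',
      external_references: [{ source_name: 'mitre-attack', external_id: 'T1566' }],
      kill_chain_phases: [{ kill_chain_name: 'mitre-attack', phase_name: 'initial-access' }] },
    // Revoked objects stay in the real bundle; they must be filtered out.
    { type: 'attack-pattern', id: 'attack-pattern--00000000-0000-4000-8000-000000000014',
      name: 'Old Technique', revoked: true,
      external_references: [{ source_name: 'mitre-attack', external_id: 'T9999' }],
      kill_chain_phases: [{ kill_chain_name: 'mitre-attack', phase_name: 'execution' }] },
    // Other object types (tactics, groups, relationships) are ignored here.
    { type: 'x-mitre-tactic', id: 'x-mitre-tactic--00000000-0000-4000-8000-000000000020',
      name: 'Execution', x_mitre_shortname: 'execution' },
  ],
};

// Index live techniques by ATT&CK id: 'T1059' -> { name, tactics: [...] }.
function loadTechniques(bundle) {
  const techniques = new Map();
  for (const obj of bundle.objects) {
    if (obj.type !== 'attack-pattern' || obj.revoked || obj.x_mitre_deprecated) continue;
    const ref = (obj.external_references || []).find(r => r.source_name === 'mitre-attack');
    if (!ref) continue;
    const tactics = (obj.kill_chain_phases || [])
      .filter(p => p.kill_chain_name === 'mitre-attack')
      .map(p => p.phase_name);
    techniques.set(ref.external_id, { name: obj.name, tactics });
  }
  return techniques;
}

// Constructed detection rules, each tagged with the technique ids it detects.
const sampleRules = [
  { id: 'rule-1', description: 'PowerShell script block logging', techniques: ['T1059.001'] },
  { id: 'rule-2', description: 'Login with disabled account', techniques: ['T1078'] },
  { id: 'rule-3', description: 'Shell spawned by office app', techniques: ['T1059', 'T0000'] },
];

// Rules per technique; a sub-technique detection also counts toward its parent.
function detectionCoverage(techniques, rules) {
  const counts = new Map([...techniques.keys()].map(id => [id, 0]));
  for (const rule of rules) {
    for (const id of rule.techniques) {
      if (!techniques.has(id)) continue; // id not in the bundle: skip it
      counts.set(id, counts.get(id) + 1);
      const parent = id.split('.')[0];
      if (parent !== id && counts.has(parent)) counts.set(parent, counts.get(parent) + 1);
    }
  }
  return counts;
}

// Navigator layer: one entry per technique/tactic pair, score = rule count.
// Version strings are assumed for the illustration; set them to your deployment's.
function buildLayer(name, techniques, counts) {
  const entries = [];
  for (const [id, t] of techniques) {
    const score = counts.get(id) || 0;
    for (const tactic of t.tactics) {
      entries.push({ techniqueID: id, tactic, score,
                     comment: score ? `${score} rule(s)` : 'no detection' });
    }
  }
  return {
    name,
    versions: { attack: '15', navigator: '4.9.1', layer: '4.5' },
    domain: 'enterprise-attack',
    description: 'Detection coverage: score is the number of rules per technique',
    gradient: { colors: ['#ff6666', '#ffe766', '#8ec843'], minValue: 0, maxValue: 2 },
    techniques: entries,
  };
}

// Whole pipeline over the constructed data; returns the layer object.
function coverageLayer() {
  const techniques = loadTechniques(sampleBundle);
  return buildLayer('Sample coverage', techniques, detectionCoverage(techniques, sampleRules));
}

console.log(JSON.stringify(coverageLayer(), null, 2));
```

Techniques with zero score show up as "no detection", which is the list a coverage review cares about; the parent-technique roll-up means T1059 scores 2 here (one direct rule plus the PowerShell sub-technique rule), and the unknown id T0000 is silently skipped rather than inflating the counts.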

State-changing SOC tools default to a dry run: they report the action they would take without touching the platform unless you pass confirm: true or set MITRE_SOC_ALLOW_WRITES=true.
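As an added illustration of that dry-run gate, not mitre-mcp's own implementation, here is how such a guard can be structured in Node.js around a hypothetical "create case" tool. The tool name, argument shape and in-memory client are assumptions; the point it shows is that the dry-run response carries the full payload the write would send, and that `confirm` is accepted only as the JSON boolean `true`, since MCP tool arguments arrive as JSON and a string `"true"` should not count as confirmation.

```javascript
// Added illustration (not mitre-mcp's own code) of a dry-run gate for a
// state-changing SOC tool. Tool name, payload shape and client are hypothetical.

// Writes are allowed on an explicit per-call confirm (boolean true only) or
// when the operator has enabled writes globally through the environment.
function writesAllowed(args, env = process.env) {
  return args.confirm === true || env.MITRE_SOC_ALLOW_WRITES === 'true';
}

// Hypothetical tool handler: validate input, then either report the planned
// action (dry run) or perform it through the supplied client.
function createCaseTool(args, client, env = process.env) {
  if (!args.title) throw new Error('title is required');
  const payload = {
    title: args.title,
    tags: (args.techniques || []).map(id => `attack:${id}`),
    severity: args.severity ?? 2,
  };
  if (!writesAllowed(args, env)) {
    return {
      dryRun: true,
      action: 'create_case',
      wouldSend: payload,
      hint: 'pass confirm: true or set MITRE_SOC_ALLOW_WRITES=true to apply',
    };
  }
  return { dryRun: false, action: 'create_case', result: client.post('/case', payload) };
}

// Constructed in-memory client so the example runs offline; records every write.
function fakeClient() {
  const calls = [];
  return {
    calls,
    post(path, body) { calls.push({ path, body }); return { id: `case-${calls.length}` }; },
  };
}

// Stand-alone demo: first call is a dry run, second is confirmed.
const demo = fakeClient();
const emptyEnv = {};
console.log(createCaseTool({ title: 'Suspicious PowerShell', techniques: ['T1059.001'] }, demo, emptyEnv));
console.log(createCaseTool({ title: 'Suspicious PowerShell', confirm: true }, demo, emptyEnv));
console.log('writes performed:', demo.calls.length);
```

Passing the environment in explicitly (instead of reading `process.env` at module load) keeps the gate testable and means a change to `MITRE_SOC_ALLOW_WRITES` takes effect per call rather than per process start.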

INSTALL

$ npm install -g mitre-mcp # install the binary
$ npx mitre-mcp # or run it directly

Requires Node.js 20+ and internet access for the initial ATT&CK data download (cached after first run). The core ATT&CK tools need no credentials. Add WAZUH_*, THEHIVE_*, CORTEX_*, or MISP_* env vars to light up the SOC integrations.

TOOLS EXPOSED

Core ATT&CK (19)

technique + tactic lookup and search
threat group + software/malware intelligence
mitigation mapping, detection coverage
alert-to-technique mapping, attack paths, data version

Campaigns (4)

campaign profile, get + list campaigns
search campaigns by keyword or technique

Navigator (1)

export ATT&CK Navigator JSON layers: coverage, group, campaign, diff

Wazuh integration (4)

manager status, map alerts to techniques
rule coverage, ATT&CK-enriched alerts

TheHive + Cortex (5)

enrich, create, list TheHive cases with ATT&CK context
Cortex analyzer coverage + run analyzers

MISP + cross-stack (6)

map events, search IOCs, create + list MISP events
SOC connection status, cross-platform correlation

CLIENT CONFIG

A sample mcpServers entry for an MCP client such as Claude Desktop. The server speaks MCP over stdio. SOC integration env vars are optional.

{
  "mcpServers": {
    "mitre-attack": {
      "command": "mitre-mcp",
      "env": {
        "MITRE_MATRICES": "enterprise"
      }
    }
  }
}