mitre-mcp

An MCP server providing comprehensive access to the MITRE ATT&CK knowledge base with full SOC stack integration. Enables LLMs to look up techniques, map alerts to ATT&CK, analyze detection coverage, profile campaigns, generate Navigator layers, and correlate across Wazuh, TheHive, Cortex, and MISP.

Features

• 39 tools for technique lookup, tactic navigation, group intelligence, software analysis, mitigation mapping, detection coverage, alert mapping, campaign profiling, Navigator layer export, and SOC integration
• 3 resources for matrix overview, version info, and tactic listing
• 4 prompts for incident mapping, threat hunting, gap analysis, and attribution
• SOC Integration: Wazuh alert mapping, TheHive case management, Cortex analyzer correlation, MISP event/IOC management
• Cross-stack correlation: Search for ATT&CK techniques across all connected platforms simultaneously
• ATT&CK Navigator: Generate layer JSON for heatmaps, group overlays, coverage maps, and diff views
• Campaign support: Full STIX campaign object parsing and attribution
• Offline-capable with local STIX 2.1 data caching
• Auto-updating with configurable refresh intervals
• Enterprise, Mobile, and ICS matrix support

Prerequisites

• Node.js 20 or later
• Internet access for initial ATT&CK data download (cached locally after first run)
• (Optional) Wazuh, TheHive, Cortex, and/or MISP instances for SOC integration

Installation

git clone https://github.com/solomonneas/mitre-mcp.git
cd mitre-mcp
npm install
npm run build

Configuration

Core Settings

Variable	Default	Description
MITRE_DATA_DIR	~/.mitre-mcp/data	Local cache directory for STIX bundles
MITRE_MATRICES	enterprise	Comma-separated matrices: enterprise, mobile, ics
MITRE_UPDATE_INTERVAL	86400	Auto-update check interval in seconds (default 24h)

SOC Integration (all optional)

Variable	Description
WAZUH_URL	Wazuh API URL (e.g., https://wazuh.example.internal:55000)
WAZUH_USERNAME	Wazuh API username (default: wazuh-wui)
WAZUH_PASSWORD	Wazuh API password
WAZUH_VERIFY_SSL	Verify SSL certs (default: true, set false for self-signed)
THEHIVE_URL	TheHive URL (e.g., http://thehive.example.internal:9000)
THEHIVE_API_KEY	TheHive API key
CORTEX_URL	Cortex URL (e.g., http://cortex.example.internal:9001)
CORTEX_API_KEY	Cortex API key
MISP_URL	MISP URL (e.g., https://misp.example.internal)
MISP_API_KEY	MISP API key (authkey)
MISP_VERIFY_SSL	Verify SSL certs (default: true, set false for self-signed)

Usage

Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "mitre-attack": {
      "command": "mitre-mcp",
      "env": {
        "MITRE_MATRICES": "enterprise",
        "WAZUH_URL": "https://wazuh.example.internal:55000",
        "WAZUH_USERNAME": "wazuh-wui",
        "WAZUH_PASSWORD": "your-password",
        "WAZUH_VERIFY_SSL": "false",
        "THEHIVE_URL": "http://thehive.example.internal:9000",
        "THEHIVE_API_KEY": "your-api-key",
        "CORTEX_URL": "http://cortex.example.internal:9001",
        "CORTEX_API_KEY": "your-api-key",
        "MISP_URL": "https://misp.example.internal",
        "MISP_API_KEY": "your-api-key",
        "MISP_VERIFY_SSL": "false"
      }
    }
  }
}

Claude Code

claude mcp add mitre-attack \
  --env MITRE_MATRICES=enterprise \
  -- mitre-mcp

Add --scope user to make it available from any directory instead of only the current project. Add --env flags for any SOC integrations (Wazuh, TheHive, Cortex, MISP) you want to enable.

OpenClaw

If you're running from a source checkout instead of the npm-installed binary, point command/args at the built dist/index.js:

openclaw mcp set mitre-attack '{
  "command": "node",
  "args": ["/absolute/path/to/mitre-mcp/dist/index.js"],
  "env": {
    "MITRE_MATRICES": "enterprise"
  }
}'

Or, with the global npm install:

openclaw mcp set mitre-attack '{
  "command": "mitre-mcp",
  "env": {
    "MITRE_MATRICES": "enterprise"
  }
}'

Then restart the OpenClaw gateway so the new server is picked up:

systemctl --user restart openclaw-gateway
openclaw mcp list   # confirm "mitre-attack" is registered

Hermes Agent

Hermes Agent reads MCP config from ~/.hermes/config.yaml under the mcp_servers key. Add an entry:

mcp_servers:
  mitre-attack:
    command: "mitre-mcp"
    env:
      MITRE_MATRICES: "enterprise"

Or, when running from a source checkout instead of the global npm install:

mcp_servers:
  mitre-attack:
    command: "node"
    args: ["/absolute/path/to/mitre-mcp/dist/index.js"]
    env:
      MITRE_MATRICES: "enterprise"

Then reload MCP from inside a Hermes session:

/reload-mcp

Codex CLI

Codex CLI registers MCP servers via codex mcp add:

codex mcp add mitre-attack \
  --env MITRE_MATRICES=enterprise \
  -- mitre-mcp

Or, when running from a source checkout:

codex mcp add mitre-attack \
  --env MITRE_MATRICES=enterprise \
  -- node /absolute/path/to/mitre-mcp/dist/index.js

Codex writes the entry to ~/.codex/config.toml under [mcp_servers.mitre-attack]. Verify with:

codex mcp list

Standalone

npm run start

Development

npm run dev

Tool Reference

Core ATT&CK Tools (19)

Technique Lookup

Tool	Description
mitre_get_technique	Get full details of a technique by ID (T1059, T1059.001)
mitre_search_techniques	Search techniques by keyword, tactic, platform, data source

Tactic Navigation

Tool	Description
mitre_list_tactics	List all tactics in kill-chain order
mitre_get_tactic	Get tactic details with all associated techniques

Threat Group Intelligence

Tool	Description
mitre_get_group	Get group details including techniques and software used
mitre_search_groups	Search groups by keyword or technique usage
mitre_list_groups	List all known threat groups

Software & Malware

Tool	Description
mitre_get_software	Get software details with techniques and associated groups
mitre_search_software	Search software by name, technique, or type (malware/tool)

Mitigation Mapping

Tool	Description
mitre_get_mitigation	Get mitigation details with addressed techniques
mitre_mitigations_for_technique	Get all mitigations for a specific technique
mitre_search_mitigations	Search mitigations by keyword

Detection & Data Sources

Tool	Description
mitre_get_datasource	Get data source details with detectable techniques
mitre_detection_coverage	Analyze detection coverage based on available data sources

Mapping & Correlation

Tool	Description
mitre_map_alert_to_technique	Map security alerts to likely ATT&CK techniques
mitre_technique_overlap	Find technique overlap between groups for attribution
mitre_attack_path	Generate possible attack paths through the kill chain

Data Management

Tool	Description
mitre_update_data	Force update of the local ATT&CK data cache
mitre_data_version	Get current data version and object counts

Campaign Tools (4)

Tool	Description
mitre_campaign_profile	Build a technique profile with group/software/campaign matching
mitre_get_campaign	Get campaign details with techniques, software, and groups
mitre_list_campaigns	List all known ATT&CK campaigns
mitre_search_campaigns	Search campaigns by keyword or technique

Navigator Layer Export (1)

Tool	Description
mitre_navigator_layer	Generate ATT&CK Navigator JSON layers (coverage, group, campaign, diff)

Wazuh Integration (4)

Tool	Description
mitre_wazuh_status	Wazuh manager status, agents, and rule stats
mitre_map_wazuh_alert	Map Wazuh alerts to ATT&CK techniques by rule ID/description/groups
mitre_wazuh_rule_coverage	Analyze Wazuh rules mapped to ATT&CK techniques
mitre_wazuh_alerts	Fetch recent alerts enriched with ATT&CK context

TheHive Integration (3)

Tool	Description
mitre_thehive_enrich	Enrich a TheHive case with ATT&CK techniques and mitigations
mitre_thehive_create_case	Create a case pre-populated with ATT&CK context
mitre_thehive_list_cases	List cases with ATT&CK technique filtering

Cortex Integration (2)

Tool	Description
mitre_cortex_analyzer_coverage	Map Cortex analyzers to ATT&CK data sources
mitre_cortex_run_analyzers	Run analyzers on observables with ATT&CK context

MISP Integration (4)

Tool	Description
mitre_misp_event_to_attack	Map MISP event attributes/galaxies to ATT&CK
mitre_misp_search_indicators	Search MISP IOCs by technique or group
mitre_misp_create_event	Create events pre-tagged with ATT&CK techniques
mitre_misp_list_events	List events with ATT&CK enrichment

Cross-Stack Correlation (2)

Tool	Description
mitre_soc_status	Connection status for all SOC integrations
mitre_cross_correlate	Search for techniques across Wazuh, TheHive, and MISP simultaneously

Resource Reference

URI	Description
mitre://matrix/enterprise	Full Enterprise ATT&CK matrix (tactics x techniques)
mitre://version	Current data version and statistics
mitre://tactics	All tactics in kill-chain order

Prompt Reference

Prompt	Description
map-incident-to-attack	Map incident observables to ATT&CK techniques
threat-hunt-plan	Generate a threat hunting plan
gap-analysis	Perform detection gap analysis
attribution-analysis	Assist with threat attribution

Examples

Check SOC integration status

Use mitre_soc_status to check which SOC platforms are connected.

Map a Wazuh alert to ATT&CK

Use mitre_map_wazuh_alert with ruleId 5710 and ruleGroups ["sshd", "authentication_failed"]
to find matching ATT&CK techniques.

Create an ATT&CK-enriched TheHive case

Use mitre_thehive_create_case with title "Suspected APT28 Activity",
techniques ["T1059.001", "T1566.001", "T1078"] and severity 3
to create a case with ATT&CK context, mitigations, and investigation tasks.

Generate a Navigator coverage layer

Use mitre_navigator_layer with mode "coverage" and
dataSources ["Process", "Network Traffic", "File"]
to generate a heatmap of detection coverage.

Cross-correlate across the SOC stack

Use mitre_cross_correlate with techniques ["T1059.001", "T1566.001"]
to search for related alerts in Wazuh, cases in TheHive, and events in MISP.

Map a MISP event to ATT&CK

Use mitre_misp_event_to_attack with eventId "1"
to extract ATT&CK techniques from MISP galaxies and attributes.

Compare two threat groups

Use mitre_navigator_layer with mode "diff" and
compareGroupIds ["G0007", "G0016"]
to generate a visual comparison of APT28 vs APT29 techniques.

Testing

npm test            # Run all tests
npm run test:watch  # Watch mode
npm run lint        # Type check

Project Structure

mitre-mcp/
  src/
    index.ts              # MCP server entry point
    config.ts             # Environment config (core + SOC)
    types.ts              # STIX/ATT&CK type definitions
    resources.ts          # MCP resources
    prompts.ts            # MCP prompts
    data/
      loader.ts           # STIX bundle downloader and cache manager
      parser.ts           # STIX 2.1 JSON parser (incl. campaigns)
      index.ts            # Indexed, queryable ATT&CK data store
    tools/
      techniques.ts       # Technique lookup and search
      tactics.ts          # Tactic navigation
      groups.ts           # Threat group intelligence
      software.ts         # Software/malware lookup
      mitigations.ts      # Mitigation mapping
      datasources.ts      # Data source and detection coverage
      mapping.ts          # Alert-to-technique mapping and correlation
      campaigns.ts        # Campaign analysis and attribution
      navigator.ts        # ATT&CK Navigator layer generation
      management.ts       # Data update management
    soc/
      client.ts           # HTTP clients for Wazuh, TheHive, Cortex, MISP
      wazuh.ts            # Wazuh alert mapping and rule coverage
      thehive.ts          # TheHive case enrichment and creation
      cortex.ts           # Cortex analyzer coverage mapping
      misp.ts             # MISP event/IOC management
      correlation.ts      # Cross-stack ATT&CK correlation
      index.ts            # SOC module barrel export
  tests/
    parser.test.ts        # STIX parser tests
    tools.test.ts         # Data store query tests
    mapping.test.ts       # Mapping and correlation tests
  package.json
  tsconfig.json
  tsup.config.ts
  vitest.config.ts
  README.md

Data Sources

ATT&CK data is sourced from the official MITRE STIX 2.1 bundles:

• Enterprise ATT&CK: Windows, Linux, macOS, Cloud, Network, Containers
• Mobile ATT&CK: Android and iOS
• ICS ATT&CK: Industrial control systems

Data is downloaded on first run and cached locally. Set MITRE_UPDATE_INTERVAL to control how often the server checks for updates.

License

MIT