{"id":49250450,"url":"https://github.com/solomonneas/mitre-mcp","last_synced_at":"2026-04-25T00:02:47.327Z","repository":{"id":339103302,"uuid":"1151940419","full_name":"solomonneas/mitre-mcp","owner":"solomonneas","description":"MCP server for MITRE ATT\u0026CK knowledge base. Map alerts to techniques, profile threat groups, analyze detection gaps, and enrich SOC workflows with adversary intelligence.","archived":false,"fork":false,"pushed_at":"2026-04-20T22:55:36.000Z","size":118,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-21T00:29:55.398Z","etag":null,"topics":["ai-agents","att-ck","cybersecurity","mcp","mitre-attack","model-context-protocol","threat-modeling"],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/solomonneas.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"solomonneas","ko_fi":"solomonneas","buy_me_a_coffee":"solomonneas"}},"created_at":"2026-02-07T05:31:41.000Z","updated_at":"2026-04-20T22:55:39.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/solomonneas/mitre-mcp","commit_stats":null,"previous_names":["solomonneas/mitre-mcp"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/solomonneas/mitre-mcp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solomonneas%2Fmitre-mcp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solomonneas%2Fmitre-mcp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solomonneas%2Fmitre-mcp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solomonneas%2Fmitre-mcp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/solomonneas","download_url":"https://codeload.github.com/solomonneas/mitre-mcp/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/solomonneas%2Fmitre-mcp/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32245154,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-24T13:21:15.438Z","status":"ssl_error","status_checked_at":"2026-04-24T13:21:15.005Z","response_time":64,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agents","att-ck","cybersecurity","mcp","mitre-attack","model-context-protocol","threat-modeling"],"created_at":"2026-04-25T00:02:45.091Z","updated_at":"2026-04-25T00:02:47.314Z","avatar_url":"https://github.com/solomonneas.png","language":"TypeScript","funding_links":["https://github.com/sponsors/solomonneas","https://ko-fi.com/solomonneas","https://buymeacoffee.com/solomonneas"],"categories":[],"sub_categories":[],"readme":"# MITRE ATT\u0026CK MCP Server\n\n[![TypeScript 6](https://img.shields.io/badge/TypeScript-6-blue)](https://www.typescriptlang.org/)\n[![Node.js 20+](https://img.shields.io/badge/Node.js-20%2B-green)](https://nodejs.org/)\n[![MCP 1.x](https://img.shields.io/badge/MCP-1.x-purple)](https://modelcontextprotocol.io/)\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow)](LICENSE)\n\nAn MCP server providing comprehensive access to the MITRE ATT\u0026CK knowledge base with full SOC stack integration. Enables LLMs to look up techniques, map alerts to ATT\u0026CK, analyze detection coverage, profile campaigns, generate Navigator layers, and correlate across Wazuh, TheHive, Cortex, and MISP.\n\n## Features\n\n- **39 tools** for technique lookup, tactic navigation, group intelligence, software analysis, mitigation mapping, detection coverage, alert mapping, campaign profiling, Navigator layer export, and SOC integration\n- **3 resources** for matrix overview, version info, and tactic listing\n- **4 prompts** for incident mapping, threat hunting, gap analysis, and attribution\n- **SOC Integration**: Wazuh alert mapping, TheHive case management, Cortex analyzer correlation, MISP event/IOC management\n- **Cross-stack correlation**: Search for ATT\u0026CK techniques across all connected platforms simultaneously\n- **ATT\u0026CK Navigator**: Generate layer JSON for heatmaps, group overlays, coverage maps, and diff views\n- **Campaign support**: Full STIX campaign object parsing and attribution\n- **Offline-capable** with local STIX 2.1 data caching\n- **Auto-updating** with configurable refresh intervals\n- **Enterprise, Mobile, and ICS** matrix support\n\n## Prerequisites\n\n- Node.js 20 or later\n- Internet access for initial ATT\u0026CK data download (cached locally after first run)\n- (Optional) Wazuh, TheHive, Cortex, and/or MISP instances for SOC integration\n\n## Installation\n\n```bash\ngit clone https://github.com/solomonneas/mitre-mcp.git\ncd mitre-mcp\nnpm install\nnpm run build\n```\n\n## Configuration\n\n### Core Settings\n\n| Variable | Default | Description |\n|----------|---------|-------------|\n| `MITRE_DATA_DIR` | `~/.mitre-mcp/data` | Local cache directory for STIX bundles |\n| `MITRE_MATRICES` | `enterprise` | Comma-separated matrices: `enterprise`, `mobile`, `ics` |\n| `MITRE_UPDATE_INTERVAL` | `86400` | Auto-update check interval in seconds (default 24h) |\n\n### SOC Integration (all optional)\n\n| Variable | Description |\n|----------|-------------|\n| `WAZUH_URL` | Wazuh API URL (e.g., `https://wazuh.example.internal:55000`) |\n| `WAZUH_USERNAME` | Wazuh API username (default: `wazuh-wui`) |\n| `WAZUH_PASSWORD` | Wazuh API password |\n| `WAZUH_VERIFY_SSL` | Verify SSL certs (default: `true`, set `false` for self-signed) |\n| `THEHIVE_URL` | TheHive URL (e.g., `http://thehive.example.internal:9000`) |\n| `THEHIVE_API_KEY` | TheHive API key |\n| `CORTEX_URL` | Cortex URL (e.g., `http://cortex.example.internal:9001`) |\n| `CORTEX_API_KEY` | Cortex API key |\n| `MISP_URL` | MISP URL (e.g., `https://misp.example.internal`) |\n| `MISP_API_KEY` | MISP API key (authkey) |\n| `MISP_VERIFY_SSL` | Verify SSL certs (default: `true`, set `false` for self-signed) |\n\n## Usage\n\n### Claude Desktop\n\nAdd to `~/Library/Application Support/Claude/claude_desktop_config.json` (macOS) or `%APPDATA%\\Claude\\claude_desktop_config.json` (Windows):\n\n```json\n{\n  \"mcpServers\": {\n    \"mitre-attack\": {\n      \"command\": \"mitre-mcp\",\n      \"env\": {\n        \"MITRE_MATRICES\": \"enterprise\",\n        \"WAZUH_URL\": \"https://wazuh.example.internal:55000\",\n        \"WAZUH_USERNAME\": \"wazuh-wui\",\n        \"WAZUH_PASSWORD\": \"your-password\",\n        \"WAZUH_VERIFY_SSL\": \"false\",\n        \"THEHIVE_URL\": \"http://thehive.example.internal:9000\",\n        \"THEHIVE_API_KEY\": \"your-api-key\",\n        \"CORTEX_URL\": \"http://cortex.example.internal:9001\",\n        \"CORTEX_API_KEY\": \"your-api-key\",\n        \"MISP_URL\": \"https://misp.example.internal\",\n        \"MISP_API_KEY\": \"your-api-key\",\n        \"MISP_VERIFY_SSL\": \"false\"\n      }\n    }\n  }\n}\n```\n\n### Claude Code\n\n```bash\nclaude mcp add mitre-attack \\\n  --env MITRE_MATRICES=enterprise \\\n  -- mitre-mcp\n```\n\nAdd `--scope user` to make it available from any directory instead of only the current project. Add `--env` flags for any SOC integrations (Wazuh, TheHive, Cortex, MISP) you want to enable.\n\n### OpenClaw\n\nIf you're running from a source checkout instead of the npm-installed binary, point `command`/`args` at the built `dist/index.js`:\n\n```bash\nopenclaw mcp set mitre-attack '{\n  \"command\": \"node\",\n  \"args\": [\"/absolute/path/to/mitre-mcp/dist/index.js\"],\n  \"env\": {\n    \"MITRE_MATRICES\": \"enterprise\"\n  }\n}'\n```\n\nOr, with the global npm install:\n\n```bash\nopenclaw mcp set mitre-attack '{\n  \"command\": \"mitre-mcp\",\n  \"env\": {\n    \"MITRE_MATRICES\": \"enterprise\"\n  }\n}'\n```\n\nThen restart the OpenClaw gateway so the new server is picked up:\n\n```bash\nsystemctl --user restart openclaw-gateway\nopenclaw mcp list   # confirm \"mitre-attack\" is registered\n```\n\n### Hermes Agent\n\n[Hermes Agent](https://github.com/NousResearch/hermes-agent) reads MCP config from `~/.hermes/config.yaml` under the `mcp_servers` key. Add an entry:\n\n```yaml\nmcp_servers:\n  mitre-attack:\n    command: \"mitre-mcp\"\n    env:\n      MITRE_MATRICES: \"enterprise\"\n```\n\nOr, when running from a source checkout instead of the global npm install:\n\n```yaml\nmcp_servers:\n  mitre-attack:\n    command: \"node\"\n    args: [\"/absolute/path/to/mitre-mcp/dist/index.js\"]\n    env:\n      MITRE_MATRICES: \"enterprise\"\n```\n\nThen reload MCP from inside a Hermes session:\n\n```\n/reload-mcp\n```\n\n### Codex CLI\n\n[Codex CLI](https://github.com/openai/codex) registers MCP servers via `codex mcp add`:\n\n```bash\ncodex mcp add mitre-attack \\\n  --env MITRE_MATRICES=enterprise \\\n  -- mitre-mcp\n```\n\nOr, when running from a source checkout:\n\n```bash\ncodex mcp add mitre-attack \\\n  --env MITRE_MATRICES=enterprise \\\n  -- node /absolute/path/to/mitre-mcp/dist/index.js\n```\n\nCodex writes the entry to `~/.codex/config.toml` under `[mcp_servers.mitre-attack]`. Verify with:\n\n```bash\ncodex mcp list\n```\n\n### Standalone\n\n```bash\nnpm run start\n```\n\n### Development\n\n```bash\nnpm run dev\n```\n\n## Tool Reference\n\n### Core ATT\u0026CK Tools (19)\n\n#### Technique Lookup\n\n| Tool | Description |\n|------|-------------|\n| `mitre_get_technique` | Get full details of a technique by ID (T1059, T1059.001) |\n| `mitre_search_techniques` | Search techniques by keyword, tactic, platform, data source |\n\n#### Tactic Navigation\n\n| Tool | Description |\n|------|-------------|\n| `mitre_list_tactics` | List all tactics in kill-chain order |\n| `mitre_get_tactic` | Get tactic details with all associated techniques |\n\n#### Threat Group Intelligence\n\n| Tool | Description |\n|------|-------------|\n| `mitre_get_group` | Get group details including techniques and software used |\n| `mitre_search_groups` | Search groups by keyword or technique usage |\n| `mitre_list_groups` | List all known threat groups |\n\n#### Software \u0026 Malware\n\n| Tool | Description |\n|------|-------------|\n| `mitre_get_software` | Get software details with techniques and associated groups |\n| `mitre_search_software` | Search software by name, technique, or type (malware/tool) |\n\n#### Mitigation Mapping\n\n| Tool | Description |\n|------|-------------|\n| `mitre_get_mitigation` | Get mitigation details with addressed techniques |\n| `mitre_mitigations_for_technique` | Get all mitigations for a specific technique |\n| `mitre_search_mitigations` | Search mitigations by keyword |\n\n#### Detection \u0026 Data Sources\n\n| Tool | Description |\n|------|-------------|\n| `mitre_get_datasource` | Get data source details with detectable techniques |\n| `mitre_detection_coverage` | Analyze detection coverage based on available data sources |\n\n#### Mapping \u0026 Correlation\n\n| Tool | Description |\n|------|-------------|\n| `mitre_map_alert_to_technique` | Map security alerts to likely ATT\u0026CK techniques |\n| `mitre_technique_overlap` | Find technique overlap between groups for attribution |\n| `mitre_attack_path` | Generate possible attack paths through the kill chain |\n\n#### Data Management\n\n| Tool | Description |\n|------|-------------|\n| `mitre_update_data` | Force update of the local ATT\u0026CK data cache |\n| `mitre_data_version` | Get current data version and object counts |\n\n### Campaign Tools (4)\n\n| Tool | Description |\n|------|-------------|\n| `mitre_campaign_profile` | Build a technique profile with group/software/campaign matching |\n| `mitre_get_campaign` | Get campaign details with techniques, software, and groups |\n| `mitre_list_campaigns` | List all known ATT\u0026CK campaigns |\n| `mitre_search_campaigns` | Search campaigns by keyword or technique |\n\n### Navigator Layer Export (1)\n\n| Tool | Description |\n|------|-------------|\n| `mitre_navigator_layer` | Generate ATT\u0026CK Navigator JSON layers (coverage, group, campaign, diff) |\n\n### Wazuh Integration (4)\n\n| Tool | Description |\n|------|-------------|\n| `mitre_wazuh_status` | Wazuh manager status, agents, and rule stats |\n| `mitre_map_wazuh_alert` | Map Wazuh alerts to ATT\u0026CK techniques by rule ID/description/groups |\n| `mitre_wazuh_rule_coverage` | Analyze Wazuh rules mapped to ATT\u0026CK techniques |\n| `mitre_wazuh_alerts` | Fetch recent alerts enriched with ATT\u0026CK context |\n\n### TheHive Integration (3)\n\n| Tool | Description |\n|------|-------------|\n| `mitre_thehive_enrich` | Enrich a TheHive case with ATT\u0026CK techniques and mitigations |\n| `mitre_thehive_create_case` | Create a case pre-populated with ATT\u0026CK context |\n| `mitre_thehive_list_cases` | List cases with ATT\u0026CK technique filtering |\n\n### Cortex Integration (2)\n\n| Tool | Description |\n|------|-------------|\n| `mitre_cortex_analyzer_coverage` | Map Cortex analyzers to ATT\u0026CK data sources |\n| `mitre_cortex_run_analyzers` | Run analyzers on observables with ATT\u0026CK context |\n\n### MISP Integration (4)\n\n| Tool | Description |\n|------|-------------|\n| `mitre_misp_event_to_attack` | Map MISP event attributes/galaxies to ATT\u0026CK |\n| `mitre_misp_search_indicators` | Search MISP IOCs by technique or group |\n| `mitre_misp_create_event` | Create events pre-tagged with ATT\u0026CK techniques |\n| `mitre_misp_list_events` | List events with ATT\u0026CK enrichment |\n\n### Cross-Stack Correlation (2)\n\n| Tool | Description |\n|------|-------------|\n| `mitre_soc_status` | Connection status for all SOC integrations |\n| `mitre_cross_correlate` | Search for techniques across Wazuh, TheHive, and MISP simultaneously |\n\n## Resource Reference\n\n| URI | Description |\n|-----|-------------|\n| `mitre://matrix/enterprise` | Full Enterprise ATT\u0026CK matrix (tactics x techniques) |\n| `mitre://version` | Current data version and statistics |\n| `mitre://tactics` | All tactics in kill-chain order |\n\n## Prompt Reference\n\n| Prompt | Description |\n|--------|-------------|\n| `map-incident-to-attack` | Map incident observables to ATT\u0026CK techniques |\n| `threat-hunt-plan` | Generate a threat hunting plan |\n| `gap-analysis` | Perform detection gap analysis |\n| `attribution-analysis` | Assist with threat attribution |\n\n## Examples\n\n### Check SOC integration status\n\n```\nUse mitre_soc_status to check which SOC platforms are connected.\n```\n\n### Map a Wazuh alert to ATT\u0026CK\n\n```\nUse mitre_map_wazuh_alert with ruleId 5710 and ruleGroups [\"sshd\", \"authentication_failed\"]\nto find matching ATT\u0026CK techniques.\n```\n\n### Create an ATT\u0026CK-enriched TheHive case\n\n```\nUse mitre_thehive_create_case with title \"Suspected APT28 Activity\",\ntechniques [\"T1059.001\", \"T1566.001\", \"T1078\"] and severity 3\nto create a case with ATT\u0026CK context, mitigations, and investigation tasks.\n```\n\n### Generate a Navigator coverage layer\n\n```\nUse mitre_navigator_layer with mode \"coverage\" and\ndataSources [\"Process\", \"Network Traffic\", \"File\"]\nto generate a heatmap of detection coverage.\n```\n\n### Cross-correlate across the SOC stack\n\n```\nUse mitre_cross_correlate with techniques [\"T1059.001\", \"T1566.001\"]\nto search for related alerts in Wazuh, cases in TheHive, and events in MISP.\n```\n\n### Map a MISP event to ATT\u0026CK\n\n```\nUse mitre_misp_event_to_attack with eventId \"1\"\nto extract ATT\u0026CK techniques from MISP galaxies and attributes.\n```\n\n### Compare two threat groups\n\n```\nUse mitre_navigator_layer with mode \"diff\" and\ncompareGroupIds [\"G0007\", \"G0016\"]\nto generate a visual comparison of APT28 vs APT29 techniques.\n```\n\n## Testing\n\n```bash\nnpm test            # Run all tests\nnpm run test:watch  # Watch mode\nnpm run lint        # Type check\n```\n\n## Project Structure\n\n```\nmitre-mcp/\n  src/\n    index.ts              # MCP server entry point\n    config.ts             # Environment config (core + SOC)\n    types.ts              # STIX/ATT\u0026CK type definitions\n    resources.ts          # MCP resources\n    prompts.ts            # MCP prompts\n    data/\n      loader.ts           # STIX bundle downloader and cache manager\n      parser.ts           # STIX 2.1 JSON parser (incl. campaigns)\n      index.ts            # Indexed, queryable ATT\u0026CK data store\n    tools/\n      techniques.ts       # Technique lookup and search\n      tactics.ts          # Tactic navigation\n      groups.ts           # Threat group intelligence\n      software.ts         # Software/malware lookup\n      mitigations.ts      # Mitigation mapping\n      datasources.ts      # Data source and detection coverage\n      mapping.ts          # Alert-to-technique mapping and correlation\n      campaigns.ts        # Campaign analysis and attribution\n      navigator.ts        # ATT\u0026CK Navigator layer generation\n      management.ts       # Data update management\n    soc/\n      client.ts           # HTTP clients for Wazuh, TheHive, Cortex, MISP\n      wazuh.ts            # Wazuh alert mapping and rule coverage\n      thehive.ts          # TheHive case enrichment and creation\n      cortex.ts           # Cortex analyzer coverage mapping\n      misp.ts             # MISP event/IOC management\n      correlation.ts      # Cross-stack ATT\u0026CK correlation\n      index.ts            # SOC module barrel export\n  tests/\n    parser.test.ts        # STIX parser tests\n    tools.test.ts         # Data store query tests\n    mapping.test.ts       # Mapping and correlation tests\n  package.json\n  tsconfig.json\n  tsup.config.ts\n  vitest.config.ts\n  README.md\n```\n\n## Data Sources\n\nATT\u0026CK data is sourced from the official MITRE STIX 2.1 bundles:\n\n- **Enterprise ATT\u0026CK**: Windows, Linux, macOS, Cloud, Network, Containers\n- **Mobile ATT\u0026CK**: Android and iOS\n- **ICS ATT\u0026CK**: Industrial control systems\n\nData is downloaded on first run and cached locally. Set `MITRE_UPDATE_INTERVAL` to control how often the server checks for updates.\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsolomonneas%2Fmitre-mcp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsolomonneas%2Fmitre-mcp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsolomonneas%2Fmitre-mcp/lists"}