You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
An MCP server providing comprehensive access to the MITRE ATT&CK knowledge base with full SOC stack integration. Enables LLMs to look up techniques, map alerts to ATT&CK, analyze detection coverage, profile campaigns, generate Navigator layers, and correlate across Wazuh, TheHive, Cortex, and MISP.
Features
39 tools for technique lookup, tactic navigation, group intelligence, software analysis, mitigation mapping, detection coverage, alert mapping, campaign profiling, Navigator layer export, and SOC integration
3 resources for matrix overview, version info, and tactic listing
4 prompts for incident mapping, threat hunting, gap analysis, and attribution
claude mcp add mitre-attack \
--env MITRE_MATRICES=enterprise \
-- mitre-mcp
Add --scope user to make it available from any directory instead of only the current project. Add --env flags for any SOC integrations (Wazuh, TheHive, Cortex, MISP) you want to enable.
OpenClaw
If you're running from a source checkout instead of the npm-installed binary, point command/args at the built dist/index.js:
Map Wazuh alerts to ATT&CK techniques by rule ID/description/groups
mitre_wazuh_rule_coverage
Analyze Wazuh rules mapped to ATT&CK techniques
mitre_wazuh_alerts
Fetch recent alerts enriched with ATT&CK context
TheHive Integration (3)
Tool
Description
mitre_thehive_enrich
Enrich a TheHive case with ATT&CK techniques and mitigations
mitre_thehive_create_case
Create a case pre-populated with ATT&CK context
mitre_thehive_list_cases
List cases with ATT&CK technique filtering
Cortex Integration (2)
Tool
Description
mitre_cortex_analyzer_coverage
Map Cortex analyzers to ATT&CK data sources
mitre_cortex_run_analyzers
Run analyzers on observables with ATT&CK context
MISP Integration (4)
Tool
Description
mitre_misp_event_to_attack
Map MISP event attributes/galaxies to ATT&CK
mitre_misp_search_indicators
Search MISP IOCs by technique or group
mitre_misp_create_event
Create events pre-tagged with ATT&CK techniques
mitre_misp_list_events
List events with ATT&CK enrichment
Cross-Stack Correlation (2)
Tool
Description
mitre_soc_status
Connection status for all SOC integrations
mitre_cross_correlate
Search for techniques across Wazuh, TheHive, and MISP simultaneously
Resource Reference
URI
Description
mitre://matrix/enterprise
Full Enterprise ATT&CK matrix (tactics x techniques)
mitre://version
Current data version and statistics
mitre://tactics
All tactics in kill-chain order
Prompt Reference
Prompt
Description
map-incident-to-attack
Map incident observables to ATT&CK techniques
threat-hunt-plan
Generate a threat hunting plan
gap-analysis
Perform detection gap analysis
attribution-analysis
Assist with threat attribution
Examples
Check SOC integration status
Use mitre_soc_status to check which SOC platforms are connected.
Map a Wazuh alert to ATT&CK
Use mitre_map_wazuh_alert with ruleId 5710 and ruleGroups ["sshd", "authentication_failed"]
to find matching ATT&CK techniques.
Create an ATT&CK-enriched TheHive case
Use mitre_thehive_create_case with title "Suspected APT28 Activity",
techniques ["T1059.001", "T1566.001", "T1078"] and severity 3
to create a case with ATT&CK context, mitigations, and investigation tasks.
Generate a Navigator coverage layer
Use mitre_navigator_layer with mode "coverage" and
dataSources ["Process", "Network Traffic", "File"]
to generate a heatmap of detection coverage.
Cross-correlate across the SOC stack
Use mitre_cross_correlate with techniques ["T1059.001", "T1566.001"]
to search for related alerts in Wazuh, cases in TheHive, and events in MISP.
Map a MISP event to ATT&CK
Use mitre_misp_event_to_attack with eventId "1"
to extract ATT&CK techniques from MISP galaxies and attributes.
Compare two threat groups
Use mitre_navigator_layer with mode "diff" and
compareGroupIds ["G0007", "G0016"]
to generate a visual comparison of APT28 vs APT29 techniques.
Testing
npm test# Run all tests
npm run test:watch # Watch mode
npm run lint # Type check
Project Structure
mitre-mcp/
src/
index.ts # MCP server entry point
config.ts # Environment config (core + SOC)
types.ts # STIX/ATT&CK type definitions
resources.ts # MCP resources
prompts.ts # MCP prompts
data/
loader.ts # STIX bundle downloader and cache manager
parser.ts # STIX 2.1 JSON parser (incl. campaigns)
index.ts # Indexed, queryable ATT&CK data store
tools/
techniques.ts # Technique lookup and search
tactics.ts # Tactic navigation
groups.ts # Threat group intelligence
software.ts # Software/malware lookup
mitigations.ts # Mitigation mapping
datasources.ts # Data source and detection coverage
mapping.ts # Alert-to-technique mapping and correlation
campaigns.ts # Campaign analysis and attribution
navigator.ts # ATT&CK Navigator layer generation
management.ts # Data update management
soc/
client.ts # HTTP clients for Wazuh, TheHive, Cortex, MISP
wazuh.ts # Wazuh alert mapping and rule coverage
thehive.ts # TheHive case enrichment and creation
cortex.ts # Cortex analyzer coverage mapping
misp.ts # MISP event/IOC management
correlation.ts # Cross-stack ATT&CK correlation
index.ts # SOC module barrel export
tests/
parser.test.ts # STIX parser tests
tools.test.ts # Data store query tests
mapping.test.ts # Mapping and correlation tests
package.json
tsconfig.json
tsup.config.ts
vitest.config.ts
README.md
Data Sources
ATT&CK data is sourced from the official MITRE STIX 2.1 bundles:
Data is downloaded on first run and cached locally. Set MITRE_UPDATE_INTERVAL to control how often the server checks for updates.
License
MIT
About
MCP server for MITRE ATT&CK knowledge base. Map alerts to techniques, profile threat groups, analyze detection gaps, and enrich SOC workflows with adversary intelligence.
