MITRE ATT&CK MCP Server

MCP server for querying MITRE ATT&CK framework data — adversarial tactics, techniques, and procedures (TTPs) used by threat actors. Enables AI security agents to retrieve ATT&CK technique details, tactic mappings, threat group information, and mitigation guidance for security analysis and threat intelligence workflows.

Evaluated Mar 06, 2026 (0d ago) vcurrent
Other mitre-attack cybersecurity threat-intelligence tactics techniques mcp-server soc
⚙ Agent Friendliness: 73 / 100 (Can an agent use this?)
🔒 Security: 75 / 100 (Is it safe for agents?)
⚡ Reliability: 64 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: 65
Documentation: 65
Error Messages: 63
Auth Simplicity: 95
Rate Limits: 90

🔒 Security

TLS Enforcement: 80
Auth Strength: 75
Scope Granularity: 68
Dep. Hygiene: 70
Secret Handling: 80

Public ATT&CK reference data. No auth required. Defensive security use case. No sensitive data exposure.

⚡ Reliability

Uptime/SLA: 65
Version Stability: 65
Breaking Changes: 62
Error Recovery: 65

Best When

A security analyst or SOC team wants AI agents to quickly look up ATT&CK framework information — enabling natural language queries against the authoritative adversary behavior framework.

Avoid When

You need real-time threat intelligence or live threat feeds. ATT&CK is a reference framework — combine with threat intel feeds for operational use.

Use Cases

  • Querying ATT&CK techniques and tactics for threat intelligence analysis agents
  • Mapping observed attacker behaviors to ATT&CK framework from SOC agents
  • Retrieving threat group profiles and associated TTPs for threat hunting agents
  • Looking up mitigation guidance for specific ATT&CK techniques from security agents

Not For

  • Non-security teams (specialized cybersecurity framework)
  • Real-time threat detection (reference data, not live threat feeds)
  • Replacing full threat intelligence platforms for enterprise SOC

Interface

REST API: No
GraphQL: No
gRPC: No
MCP Server: Yes
SDK: No
Webhooks: No

Authentication

Methods: none
OAuth: No
Scopes: No

No auth required. MITRE ATT&CK data is publicly available. Likely queries local STIX data or the public ATT&CK API.

Pricing

Model: free
Free tier: Yes
Requires CC: No

MITRE ATT&CK is a free public knowledge base. The MCP server is free and open source.

Agent Metadata

Pagination: none
Idempotent: Full
Retry Guidance: Not documented

Known Gotchas

  • ATT&CK framework version matters — ensure data is current (ATT&CK updates regularly)
  • Technique IDs change between ATT&CK versions — verify ID format matches your version
  • Community implementation — validate ATT&CK data accuracy against official MITRE sources
  • ATT&CK knowledge alone doesn't constitute threat intelligence — combine with live feeds


Scores are editorial opinions as of 2026-03-06.
