This project is an MCP (Model Context Protocol) server for querying ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) techniques and tactics. It provides a way to access and retrieve information about various attack techniques and tactics used by adversaries.
Configuration
    {
      "mcpServers": {
        "alex-llm-attack-mcp-server": {
          "url": "http://127.0.0.1:8081/mcp"
        }
      }
    }
You have an MCP server that lets you query ATT&CK techniques and tactics through both a local stdio interface and a remote HTTP interface. This makes it easy to integrate with your security tooling, automation pipelines, and CI workflows to retrieve technique details, mitigations, and detections.
You connect an MCP client to the server and use the provided tools to look up ATT&CK techniques by ID or by name, retrieve full technique details, get mitigations, and fetch detections. You can also list all tactics and fetch server information about versions and data sets. The HTTP interface exposes the MCP API over a network port, while the stdio interface runs locally for seamless integration with local tooling.
Prerequisites: Python 3.8+ and pip must be available on your system.
Step 1: Install dependencies.
    pip install -r requirements.txt
Step 2: Ensure the ATT&CK data set is present in the project root.
Step 3: Run in stdio mode for local integration with clients that support local MCP stdio.
    python main.py
Step 4: If you prefer an HTTP interface for remote access or development testing, start the server in HTTP mode.
    python main.py --mode http --host 0.0.0.0 --port 8081 --log-level info
The server can be accessed via two primary MCP configurations: an HTTP endpoint for remote access and a local stdio interface for direct, intra-process integration. If you need to adjust the listening address or port, set the host and port when launching in HTTP mode. With --host 0.0.0.0 the server listens on every network interface, whereas the client configuration above connects over loopback (127.0.0.1). No credentials are described for the server, so rely on your network controls to restrict access.
- The HTTP interface exposes an endpoint where you can request techniques, full technique details, mitigations, detections, and tactics.
- The stdio interface is ideal for local automation suites and CI/CD pipelines that run within the same process or container.
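An added example, not part of the project's code: a Python check that reads an MCP client configuration in the format shown above and flags HTTP entries that leave the loopback interface, plus a check for launch arguments that bind beyond loopback. The `attack-remote-example` entry, its address, and the function names are constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample: the page's loopback entry plus a hypothetical remote one.
SAMPLE_CONFIG = """{"mcpServers": {
  "alex-llm-attack-mcp-server": {"url": "http://127.0.0.1:8081/mcp"},
  "attack-remote-example": {"url": "http://10.0.0.5:8081/mcp"}}}"""

def is_loopback(host):
    """True for localhost and loopback IP literals; other names count as remote."""
    if (host or "").lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host or "").is_loopback
    except ValueError:
        return False

def audit_mcp_config(config_text):
    """Return (server_name, finding) pairs for URL entries that leave the local host."""
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for name, entry in servers.items():
        url = entry.get("url")
        if not url:
            continue  # stdio entries have no network endpoint to check
        parts = urlsplit(url)
        if is_loopback(parts.hostname):
            continue
        if parts.scheme == "http":
            findings.append((name, "plaintext HTTP to non-loopback host " + str(parts.hostname)))
        else:
            findings.append((name, "remote endpoint; confirm network access controls"))
    return findings

def bind_is_exposed(argv):
    """True when launch arguments pass --host with a non-loopback address."""
    if "--host" not in argv:
        return False  # assumption: the default bind is not stated on the page
    idx = argv.index("--host")
    return idx + 1 < len(argv) and not is_loopback(argv[idx + 1])

if __name__ == "__main__":
    for name, finding in audit_mcp_config(SAMPLE_CONFIG):
        print(name + ": " + finding)
```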
This server provides a set of MCP tools to query ATT&CK data and get supporting information. You can query by technique ID or by technique name, fetch full technique data, retrieve mitigations and detections, list all tactics, and obtain server information.
- Query ATT&CK techniques by ID or by name, returning matching technique data.
- Fetch full details for techniques by ID or name, including IDs, descriptions, platforms, kill chain phases, references, sub-techniques, and mitigations.
- Retrieve mitigations for a specific technique by ID.
- Retrieve detections for a specific technique by ID.
- List all ATT&CK tactics.
- Return server version, dataset version, maintainer, and Git information.