{"id":9115,"library":"mitreattack-python","title":"MITRE ATT&CK Python Library","description":"mitreattack-python is a Python library developed by MITRE for working with ATT&CK data. It provides various tools and utilities for interacting with MITRE ATT&CK STIX 2.0 content, including functionalities for handling ATT&CK Navigator layers, converting ATT&CK data to Excel spreadsheets, and managing ATT&CK Collections. The library is actively maintained and frequently updated to align with the latest versions of the ATT&CK knowledge base, typically on a quarterly release cadence.","status":"active","version":"5.4.4","language":"en","source_language":"en","source_url":"https://github.com/mitre-attack/mitreattack-python","tags":["MITRE ATT&CK","STIX","cyber security","threat intelligence","CTI","security automation"],"install":[{"cmd":"pip install mitreattack-python","lang":"bash","label":"Latest Stable Release"}],"dependencies":[{"reason":"Core for handling STIX 2.x formatted cyber threat intelligence data.","package":"stix2","optional":false},{"reason":"Used by the attackToExcel module for data manipulation and DataFrame exports.","package":"pandas","optional":true},{"reason":"Used by the attackToExcel module for generating Excel files.","package":"openpyxl","optional":true},{"reason":"Used for building command-line interfaces for various utility scripts.","package":"typer","optional":false}],"imports":[{"note":"The primary class for interacting with ATT&CK STIX data was moved to the top-level `mitreattack` package in newer versions (post v2.x).","wrong":"from mitreattack.stix20 import MitreAttackData","symbol":"MitreAttackData","correct":"from mitreattack.MitreAttackData import MitreAttackData"},{"note":"For working with ATT&CK Navigator layers.","symbol":"Layer","correct":"from mitreattack.navlayers import Layer"},{"note":"For functionalities related to exporting ATT&CK data to Excel or Pandas DataFrames.","symbol":"attackToExcel","correct":"from mitreattack.attackToExcel import attackToExcel"}],"quickstart":{"code":"from mitreattack.MitreAttackData import MitreAttackData\n\n# Initialize with a specific domain (e.g., 'enterprise-attack', 'mobile-attack', 'ics-attack')\n# The data will be downloaded and cached locally if not present.\nattack_data = MitreAttackData(\"enterprise-attack\")\n\n# Get all techniques\ntechniques = attack_data.get_techniques()\nprint(f\"Found {len(techniques)} Enterprise ATT&CK techniques.\")\n\n# Get a specific technique by ATT&CK ID\nspec_technique = attack_data.get_techniques_by_attack_id(\"T1566.001\")\nif spec_technique:\n    print(f\"\\nSpecific Technique: {spec_technique[0].name} (ID: {spec_technique[0].attack_id})\")\n\n# Get all groups\ngroups = attack_data.get_groups()\nprint(f\"\\nFound {len(groups)} Enterprise ATT&CK groups.\")\n","lang":"python","description":"This quickstart demonstrates how to initialize the MitreAttackData object for a specific ATT&CK domain, retrieve all techniques, and fetch a specific technique by its ATT&CK ID. It also shows how to retrieve all adversary groups."},"warnings":[{"fix":"Upgrade your Python environment to 3.11+ or constrain `mitreattack-python` to `<5.0.0` in your `requirements.txt`.","message":"Version 5.0.0 and above of `mitreattack-python` requires Python 3.11 or newer. Projects running on older Python versions must upgrade or stick to `mitreattack-python` < 5.0.0.","severity":"breaking","affected_versions":">=5.0.0"},{"fix":"Review the official ATT&CK Data Model documentation for v18.0 and above. Update custom code that processes Data Sources/Components to utilize the new Detection Strategies and Analytics objects. Ensure your `mitreattack-python` version is up-to-date (>=5.4.0) to correctly parse the latest ATT&CK STIX data.","message":"With the October 2025 (v18) ATT&CK release, the underlying STIX schema for detections has changed significantly. 'Data Sources' and 'Data Components' are largely deprecated in favor of new 'Detection Strategies' and 'Analytics' objects. This impacts functions in modules like `diffStix` and methods interacting with detection-related data.","severity":"breaking","affected_versions":">=5.4.0 (for full support of v18 data), potentially earlier versions when processing v18 data"},{"fix":"Utilize the `remove_revoked_deprecated=True` parameter in relevant `MitreAttackData` methods (e.g., `get_techniques(remove_revoked_deprecated=True)`).","message":"When querying ATT&CK data, it's highly recommended to filter out 'revoked' and 'deprecated' objects as they are no longer actively maintained by MITRE. Not doing so can lead to unexpected results or outdated information.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-16T00:00:00.000Z","next_check":"2026-07-15T00:00:00.000Z","problems":[{"fix":"Update your import statement from `from mitreattack.stix20 import MitreAttackData` to `from mitreattack.MitreAttackData import MitreAttackData`.","cause":"The main MitreAttackData class was reorganized in recent major versions, moving from a submodule (like `stix20`) to directly under the top-level `mitreattack` package.","error":"ModuleNotFoundError: No module named 'mitreattack.stix20'"},{"fix":"Consult the `mitreattack.attackToExcel` module's documentation for the current version to ensure correct usage of functions like `techniquesToDf()` or `tacticsToDf()`. The `MitreAttackData` object is initialized with the domain, and subsequent methods often operate on that initialized data without needing a repeated 'domain' argument.","cause":"This error typically occurs when using older patterns or methods from the `attackToExcel` module, where the 'domain' argument might have been expected directly on a function that now infers it or uses a different argument structure, especially after updates to handle STIX 2.1 or newer ATT&CK versions.","error":"TypeError: tacticsToDf() got an unexpected keyword argument 'domain'"}]}