MITRE ATT&CK Python Library
mitreattack-python is a Python library developed by MITRE for working with ATT&CK data. It provides various tools and utilities for interacting with MITRE ATT&CK STIX 2.0 content, including functionalities for handling ATT&CK Navigator layers, converting ATT&CK data to Excel spreadsheets, and managing ATT&CK Collections. The library is actively maintained and frequently updated to align with the latest versions of the ATT&CK knowledge base, typically on a quarterly release cadence.
Common errors
- ModuleNotFoundError: No module named 'mitreattack.stix20'
  cause: The main MitreAttackData class was reorganized in recent major versions, moving from a submodule (like `stix20`) to directly under the top-level `mitreattack` package.
  fix: Update your import statement from `from mitreattack.stix20 import MitreAttackData` to `from mitreattack.MitreAttackData import MitreAttackData`.
- TypeError: tacticsToDf() got an unexpected keyword argument 'domain'
  cause: This error typically occurs when using older patterns or methods from the `attackToExcel` module, where the 'domain' argument might have been expected directly on a function that now infers it or uses a different argument structure, especially after updates to handle STIX 2.1 or newer ATT&CK versions.
  fix: Consult the `mitreattack.attackToExcel` module's documentation for the current version to ensure correct usage of functions like `techniquesToDf()` or `tacticsToDf()`. The `MitreAttackData` object is initialized with the domain, and subsequent methods often operate on that initialized data without needing a repeated 'domain' argument.
Warnings
- breaking: Version 5.0.0 and above of `mitreattack-python` requires Python 3.11 or newer. Projects running on older Python versions must upgrade or stick to `mitreattack-python` < 5.0.0.
- breaking: With the October 2025 (v18) ATT&CK release, the underlying STIX schema for detections has changed significantly. 'Data Sources' and 'Data Components' are largely deprecated in favor of new 'Detection Strategies' and 'Analytics' objects. This impacts functions in modules like `diffStix` and methods interacting with detection-related data.
- gotcha: When querying ATT&CK data, it's highly recommended to filter out 'revoked' and 'deprecated' objects as they are no longer actively maintained by MITRE. Not doing so can lead to unexpected results or outdated information.
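The revoked/deprecated gotcha matters most when technique IDs are stored outside ATT&CK, for example as tags on detection rules. The following is an added example, not code from mitreattack-python: it works on raw STIX dictionaries using the `revoked` and `x_mitre_deprecated` properties and `revoked-by` relationships, and reports which tagged IDs are stale and what replaced them. The bundle, the `T9xxx` IDs and the function names `attack_id` and `audit_technique_ids` are constructed for illustration.

```python
import json

# Constructed sample bundle (not real ATT&CK data): one active technique,
# one revoked technique with a "revoked-by" relationship, one deprecated.
SAMPLE_BUNDLE = json.loads("""
{"type": "bundle", "objects": [
 {"type": "attack-pattern", "id": "attack-pattern--aaa", "name": "Active Example",
  "external_references": [{"source_name": "mitre-attack", "external_id": "T9001"}]},
 {"type": "attack-pattern", "id": "attack-pattern--bbb", "name": "Revoked Example",
  "revoked": true,
  "external_references": [{"source_name": "mitre-attack", "external_id": "T9002"}]},
 {"type": "attack-pattern", "id": "attack-pattern--ccc", "name": "Deprecated Example",
  "x_mitre_deprecated": true,
  "external_references": [{"source_name": "mitre-attack", "external_id": "T9003"}]},
 {"type": "relationship", "id": "relationship--ddd", "relationship_type": "revoked-by",
  "source_ref": "attack-pattern--bbb", "target_ref": "attack-pattern--aaa"}
]}
""")

def attack_id(obj):
    """Return the ATT&CK ID from the object's mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def audit_technique_ids(bundle, tagged_ids):
    """Map each tagged ID to (status, replacement ID or None)."""
    objs = bundle["objects"]
    by_stix_id = {o["id"]: o for o in objs}
    techniques = {attack_id(o): o for o in objs if o["type"] == "attack-pattern"}
    # A revoked object points at its successor through a "revoked-by" relationship.
    replaced_by = {o["source_ref"]: o["target_ref"] for o in objs
                   if o["type"] == "relationship"
                   and o.get("relationship_type") == "revoked-by"}
    report = {}
    for tid in tagged_ids:
        tech = techniques.get(tid)
        if tech is None:
            report[tid] = ("unknown", None)
        elif tech.get("revoked", False):
            target = by_stix_id.get(replaced_by.get(tech["id"]))
            report[tid] = ("revoked", attack_id(target) if target else None)
        elif tech.get("x_mitre_deprecated", False):
            report[tid] = ("deprecated", None)
        else:
            report[tid] = ("active", None)
    return report
```

Calling `audit_technique_ids(SAMPLE_BUNDLE, ["T9001", "T9002", "T9003", "T9999"])` classifies the four IDs as active, revoked (replaced by T9001), deprecated and unknown.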
Install
- pip install mitreattack-python
Imports
- MitreAttackData
  from mitreattack.stix20 import MitreAttackData  # pre-reorganization path (see Common errors)
  from mitreattack.MitreAttackData import MitreAttackData  # current path
- Layer
  from mitreattack.navlayers import Layer
- attackToExcel
  from mitreattack.attackToExcel import attackToExcel
Quickstart
from mitreattack.MitreAttackData import MitreAttackData

# Initialize with a specific domain (e.g., 'enterprise-attack', 'mobile-attack', 'ics-attack')
# The data will be downloaded and cached locally if not present.
attack_data = MitreAttackData("enterprise-attack")

# Get all techniques
techniques = attack_data.get_techniques()
print(f"Found {len(techniques)} Enterprise ATT&CK techniques.")

# Get a specific technique by ATT&CK ID
spec_technique = attack_data.get_techniques_by_attack_id("T1566.001")
if spec_technique:
    print(f"\nSpecific Technique: {spec_technique[0].name} (ID: {spec_technique[0].attack_id})")

# Get all groups
groups = attack_data.get_groups()
print(f"\nFound {len(groups)} Enterprise ATT&CK groups.")