attack-navigator-layers


Creates MITRE ATT&CK Navigator layers and analyzes coverage. Use when generating coverage layers, gap analysis, threat actor comparisons, or checking detection coverage against ATT&CK.

By MHaggis. Updated 1/14/2026

name: attack-navigator-layers
description: Creates MITRE ATT&CK Navigator layers and analyzes coverage. Use when generating coverage layers, gap analysis, threat actor comparisons, or checking detection coverage against ATT&CK.

MITRE ATT&CK Coverage Analysis

⚡ ULTRA-FAST TOOLS (Use These!)

All queries use pre-computed denormalized tables - instant results, minimal tokens.

Quick Coverage Check (~200 bytes)

quick_coverage_check(group_id: "G0016", covered_ids: [...])

Returns: { covered: 45, gaps: 22, coverage_percent: 67%, top_gaps: [...] }

Batch Check Multiple Groups (ONE call)

batch_coverage_check(
  group_ids: ["G0016", "G0032", "G0045"],
  covered_ids: [...]
)

Get Common Groups (no search needed)

get_common_groups()

Returns top 20 groups by technique count - pre-computed, instant.

Lightweight ID Queries (indexed lookups)

get_technique_ids_by_tactic(tactic: "execution")
get_technique_ids_by_platform(platform: "Windows")

Returns just IDs - no full technique objects.

Layer Generation

Coverage Layer

generate_coverage_layer(covered_ids: [...], name: "My Coverage")

Threat Group Layer

generate_group_layer(group_id: "G0016", name: "APT29 TTPs")

Gap Layer

generate_gap_layer(covered_ids: [...], target_ids: [...], name: "Gap Analysis")

Efficient Workflows

"What's my coverage against APT29?" (2 calls max)

# Option 1: Just stats? ONE call!
quick_coverage_check(group_id: "G0016", covered_ids: your_ids)

# Option 2: Need layer? TWO calls
techs = get_group_techniques(group_id: "G0016")
layer = generate_gap_layer(covered_ids: your_ids, target_ids: techs, name: "vs APT29")
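
What the stats call and the gap layer compute, as an added example that is not the MCP server's own code: it partitions a target technique set into covered and gap IDs, reports stats in the shape shown for quick_coverage_check, and builds a Navigator layer dict. Assumptions: the technique IDs are constructed samples, the layer fields follow the public Navigator layer format (version 4.5 assumed), top_gaps is simply sorted by ID, and the parent_covers_sub switch is a hypothetical option showing how parent versus sub-technique matching changes the result.

```python
import json

# Constructed sample IDs: NOT the real technique list of any ATT&CK group.
TARGET_IDS = ["T1059.001", "T1566.001", "T1078", "T1003.001", "T1021.001", "T1547.001"]
COVERED_IDS = ["T1059", "T1078", "T1110", " t1021.001"]  # messy on purpose

def normalize(ids):
    """Trim, upper-case and de-duplicate technique IDs."""
    return {i.strip().upper() for i in ids if i and i.strip()}

def is_covered(tid, covered, parent_covers_sub):
    """Exact match, or (optionally) a covered parent counts for its sub-technique."""
    if tid in covered:
        return True
    return parent_covers_sub and "." in tid and tid.split(".")[0] in covered

def split_targets(covered_ids, target_ids, parent_covers_sub=False):
    """Partition the target set into (covered, gaps); extra covered IDs are ignored."""
    covered = normalize(covered_ids)
    targets = sorted(normalize(target_ids))
    hits = [t for t in targets if is_covered(t, covered, parent_covers_sub)]
    return hits, [t for t in targets if t not in hits]

def coverage_stats(covered_ids, target_ids, parent_covers_sub=False, top_n=5):
    """Stats in the same shape as the quick_coverage_check result shown above."""
    hits, gaps = split_targets(covered_ids, target_ids, parent_covers_sub)
    total = len(hits) + len(gaps)
    pct = round(100 * len(hits) / total) if total else 0
    return {"covered": len(hits), "gaps": len(gaps),
            "coverage_percent": pct, "top_gaps": gaps[:top_n]}

def build_gap_layer(covered_ids, target_ids, name, parent_covers_sub=False):
    """Navigator layer dict: score 1 (green) = covered, score 0 (red) = gap."""
    hits, gaps = split_targets(covered_ids, target_ids, parent_covers_sub)
    techniques = [{"techniqueID": t, "score": 1, "color": "#8ec843"} for t in hits]
    techniques += [{"techniqueID": t, "score": 0, "color": "#ff6666"} for t in gaps]
    return {"name": name, "domain": "enterprise-attack",
            "versions": {"layer": "4.5"},  # assumed layer-format version
            "techniques": techniques}

if __name__ == "__main__":
    print(coverage_stats(COVERED_IDS, TARGET_IDS))
    print(coverage_stats(COVERED_IDS, TARGET_IDS, parent_covers_sub=True))
    print(json.dumps(build_gap_layer(COVERED_IDS, TARGET_IDS, "Gap Analysis"), indent=2))
```

With strict matching the sample scores 2 of 6; letting the covered parent T1059 count for T1059.001 raises it to 3 of 6, so decide which rule your coverage numbers use before comparing them across groups.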

"Check multiple threat actors" (ONE call)

batch_coverage_check(
  group_ids: ["G0016", "G0032", "G0045"],
  covered_ids: your_ids
)

DON'T (heavy/slow)

list_techniques_by_tactic(...)  # Returns full objects
search_groups(query: "APT")     # When you know the ID

DO (fast/efficient)

get_technique_ids_by_tactic(...)  # Just IDs, indexed
quick_coverage_check(...)         # Pre-computed stats
get_common_groups()               # No search needed

Database Optimizations

This MCP uses:

  • Denormalized lookup tables for instant technique-tactic/platform queries
  • Pre-computed group stats for instant group info
  • Technique summaries for lightweight list operations
  • Indexed foreign keys for fast joins

Result: ~10-100x faster than naive queries.

Install via CLI
npx skills add https://github.com/MHaggis/mitre-attack-mcp --skill attack-navigator-layers
Repository Details
Stars: 11
Forks: 2
Branch: main
Path: SKILL.md