// Creates MITRE ATT&CK Navigator layers and analyzes coverage. Use when generating coverage layers, gap analysis, threat actor comparisons, or checking detection coverage against ATT&CK.
| name | attack-navigator-layers |
| description | Creates MITRE ATT&CK Navigator layers and analyzes coverage. Use when generating coverage layers, gap analysis, threat actor comparisons, or checking detection coverage against ATT&CK. |
All queries use pre-computed denormalized tables - instant results, minimal tokens.
quick_coverage_check(group_id: "G0016", covered_ids: [...])
Returns: { covered: 45, gaps: 22, coverage_percent: 67%, top_gaps: [...] }
batch_coverage_check(
group_ids: ["G0016", "G0032", "G0045"],
covered_ids: [...]
)
get_common_groups()
Returns top 20 groups by technique count - pre-computed, instant.
get_technique_ids_by_tactic(tactic: "execution")
get_technique_ids_by_platform(platform: "Windows")
Returns just IDs - no full technique objects.
generate_coverage_layer(covered_ids: [...], name: "My Coverage")
generate_group_layer(group_id: "G0016", name: "APT29 TTPs")
generate_gap_layer(covered_ids: [...], target_ids: [...], name: "Gap Analysis")
# Option 1: Just stats? ONE call!
quick_coverage_check(group_id: "G0016", covered_ids: your_ids)
# Option 2: Need layer? TWO calls
techs = get_group_techniques(group_id: "G0016")
layer = generate_gap_layer(covered_ids: your_ids, target_ids: techs, name: "vs APT29")
batch_coverage_check(
group_ids: ["G0016", "G0032", "G0045"],
covered_ids: your_ids
)
list_techniques_by_tactic(...) # Returns full objects
search_groups(query: "APT") # When you know the ID
get_technique_ids_by_tactic(...) # Just IDs, indexed
quick_coverage_check(...) # Pre-computed stats
get_common_groups() # No search needed
This MCP uses:
Result: ~10-100x faster than naive queries.