Python toolchain that fetches MITRE ATT&CK enterprise STIX data, maps techniques to threat groups, mitigations, and MITRE D3FEND defensive techniques, and builds ATT&CK Navigator heat-map layers from the result.
This is the working code behind the MITRE series on SecurityScriptographer:
- MITRE ATT&CK in Python: from STIX data to coverage map — the walkthrough of this codebase.
- MITRE ATT&CK fundamentals — tactics, techniques, and procedures background.
- MITRE D3FEND fundamentals — the defensive companion framework this maps to.
| Module | Role |
|---|---|
loader.py |
Fetches enterprise ATT&CK STIX via mitreattack-python and caches techniques, groups, mitigations, and relationships as JSON |
mapper.py |
Joins techniques to groups, mitigations, and D3FEND defensive techniques (per-technique D3FEND API lookups, cached) |
analyzer.py |
Computes coverage statistics and writes ATT&CK Navigator layer files (group and mitigation heat maps) |
optimizer.py |
Deduplicates references and saves the compact merged dataset |
config.py |
Paths and logging setup |
main.py |
Runs the whole pipeline end to end |
pip install -r requirements.txt
python main.py
The first run downloads the ATT&CK bundle and one D3FEND mapping per technique into cache/ (a few hundred MB, and the D3FEND calls take a while — subsequent runs are fast). Navigator layers land in navigator_layers/; load them at ATT&CK Navigator.
Example output layers for groups and mitigations are included in navigator_layers/.
- defensive-toolkit — scripts and detection rules from the rest of the blog.
MIT.