cognis-digital/attackmap

ATTACKMAP

Map findings to MITRE ATT&CK techniques + coverage heatmap

Part of the Cognis Neural Suite.

pip install cognis-attackmap
attackmap scan .            # → prioritized findings in seconds

🔎 Example output

Real, reproducible output from the tool — runs offline:

$ attackmap-emit --version
attackmap 2.0.0
$ attackmap-emit --help
usage: attackmap [-h] [--version]
                 {map,heatmap,gap,navigator,lookup,tactics} ...

Map free-text security findings to MITRE ATT&CK techniques and render a
coverage heatmap. Defensive use.

positional arguments:
  {map,heatmap,gap,navigator,lookup,tactics}
    map                 Map findings to ATT&CK technique IDs.
    heatmap             Tactic-by-tactic coverage heatmap from findings.
    gap                 Coverage / gap analysis vs the bundled catalog.
    navigator           Export a MITRE ATT&CK Navigator layer (JSON).
    lookup              Look up bundled techniques by id/name/keyword.
    tactics             List bundled ATT&CK tactics.

options:
  -h, --help            show this help message and exit
  --version             show program's version number and exit

Blocks above are real attackmap output — reproduce them from a clone.

Sample result format (illustrative placeholder values; the IDs are not matched to the ATT&CK names beside them, so run on your own data for real findings):

{
"attack_map": [
    {
        "id": "123456",
        "name": "Example Attack",
        "description": "This is an example attack.",
        "tactics": [
            {
                "id": "T1234",
                "name": "Initial Access"
            },
            {
                "id": "T5678",
                "name": "Persistence"
            }
        ],
        "techniques": [
            {
                "id": "T1111",
                "name": "Phishing"
            },
            {
                "id": "T2222",
                "name": "Lateral Movement"
            }
        ]
    }
]
}

Usage — step by step

attackmap maps free-text security findings to MITRE ATT&CK techniques and builds coverage views.

  1. Install:
    pip install -e .
  2. Map findings (files, or stdin) to ATT&CK technique IDs:
    attackmap map findings.txt --min-score 2
  3. Build a tactic heatmap or a coverage gap view:
    attackmap heatmap findings.txt
    attackmap gap findings.txt
  4. Export an ATT&CK Navigator layer for visualization:
    attackmap navigator findings.txt --name "incident-2026" --out layer.json
  5. Look things up / automate: lookup resolves a technique, tactics lists the bundled tactics; emit JSON in CI:
    attackmap lookup T1059 --format json
    attackmap map findings.txt --format json > attack.json
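
An added sketch of what steps 2 to 4 amount to conceptually: keyword scoring with a minimum-score cutoff, a per-tactic count, and a Navigator-style layer. This is example code written for this page, not attackmap's own implementation; the catalog keywords, the scoring rule, the sample findings and all function names are assumptions.

```python
import re
from collections import Counter

# Constructed mini-catalog (assumption): id -> (name, tactics, keywords).
CATALOG = {
    "T1059": ("Command and Scripting Interpreter", ["execution"],
              {"powershell", "script", "cmd", "bash", "interpreter"}),
    "T1566": ("Phishing", ["initial-access"],
              {"phishing", "attachment", "email", "macro"}),
    "T1110": ("Brute Force", ["credential-access"],
              {"brute", "password", "failed", "logins", "spraying"}),
    "T1053": ("Scheduled Task/Job", ["execution", "persistence", "privilege-escalation"],
              {"scheduled", "task", "cron", "schtasks"}),
}

# Constructed sample findings, one per line as in a findings.txt.
FINDINGS = [
    "Encoded PowerShell script launched by a Word macro from an email attachment",
    "Repeated failed logins against the VPN, password spraying suspected",
    "New cron entry added on the web server",
]

def map_finding(text, min_score=2):
    """Score = distinct catalog keywords present; keep scores >= min_score."""
    words = set(re.findall(r"[a-z0-9]+", text.lower()))
    hits = [(tid, len(words & kw)) for tid, (_, _, kw) in CATALOG.items()]
    return sorted((h for h in hits if h[1] >= min_score), key=lambda h: (-h[1], h[0]))

def map_findings(lines, min_score=2):
    """Best score per technique across all findings."""
    best = {}
    for line in lines:
        for tid, score in map_finding(line, min_score):
            best[tid] = max(score, best.get(tid, 0))
    return best

def tactic_heatmap(scores):
    """Number of mapped techniques under each tactic."""
    return Counter(t for tid in scores for t in CATALOG[tid][1])

def navigator_layer(scores, name):
    """Minimal Navigator layer; the layer version is an assumption, match yours."""
    return {"name": name, "domain": "enterprise-attack", "versions": {"layer": "4.5"},
            "techniques": [{"techniqueID": t, "score": s, "comment": CATALOG[t][0]}
                           for t, s in sorted(scores.items())]}

if __name__ == "__main__":
    scores = map_findings(FINDINGS)
    print(dict(tactic_heatmap(scores)))
    print(navigator_layer(scores, "incident-2026"))
```

With the cutoff at 2, the single-keyword cron finding is dropped; lowering it to 1 adds T1053 and with it the persistence and privilege-escalation columns, which is the recall-versus-noise trade the threshold controls.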

Why attackmap?

speak ATT&CK

attackmap is single-purpose, scriptable, and self-hostable: point it at a target, get prioritized results in the format your workflow already speaks (table · JSON · SARIF), gate CI on it, and let agents drive it over MCP.

Features

  • ✅ Lookup Technique
  • ✅ Resolve Keywords
  • ✅ Map Findings
  • ✅ Coverage Heatmap
  • ✅ Navigator Layer
  • ✅ Parse Findings
  • ✅ Runs on Linux/macOS/Windows · Docker · devcontainer
  • ✅ Ports in Python, JavaScript, Go, and Rust (ports/)

Quick start

pip install cognis-attackmap
attackmap --version
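# scan is not among the subcommands listed in the --help output above; confirm with attackmap --help
attackmap scan .                       # scan current project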
attackmap scan . --format json         # machine-readable
attackmap scan . --fail-on high        # CI gate (non-zero exit)

Example

$ attackmap scan .
  [HIGH    ] ATT-001  example finding             (./src/app.py)
  [MEDIUM  ] ATT-002  another signal              (./config.yaml)

  2 findings · risk score 5 · 38ms

Architecture

flowchart LR
  IN[input] --> P[attackmap<br/>analyze + score]
  P --> OUT[report]

Use it from any AI stack

attackmap is interoperable with every popular way of using AI:

  • MCP server: attackmap mcp (Claude Desktop, Cursor, Cognis.Studio, uncensored-fleet)
  • OpenAI-compatible / JSON — pipe attackmap scan . --format json into any agent or LLM
  • LangChain · CrewAI · AutoGen · LlamaIndex — wrap the CLI/JSON as a tool in one line
  • CI / scripts — exit codes + SARIF for non-AI pipelines

How it compares

Cognis attackmap ATT&CK Navigator
Self-hostable, no account varies
Single command, zero config ⚠️
JSON + SARIF for CI varies
MCP-native (AI agents)
Polyglot ports (JS/Go/Rust)
Open license ✅ COCL varies

Built in the spirit of ATT&CK Navigator, re-framed the Cognis way. Missing a credit? Open a PR.

Integrations

Pipes into your stack: SARIF for code-scanning, JSON for anything, an MCP server (attackmap mcp) for AI agents, and a webhook forwarder for SIEM/Slack/Jira. See docs/INTEGRATIONS.md.

Install — every way, every platform

pip install "git+https://github.com/cognis-digital/attackmap.git"    # pip (works today)
pipx install "git+https://github.com/cognis-digital/attackmap.git"   # isolated CLI
uv tool install "git+https://github.com/cognis-digital/attackmap.git" # uv
pip install cognis-attackmap                                          # PyPI (when published)
docker run --rm ghcr.io/cognis-digital/attackmap:latest --help        # Docker
brew install cognis-digital/tap/attackmap                             # Homebrew tap
curl -fsSL https://raw.githubusercontent.com/cognis-digital/attackmap/main/install.sh | sh

  • Linux: scripts/setup-linux.sh
  • macOS: scripts/setup-macos.sh
  • Windows: scripts/setup-windows.ps1
  • Docker: docker run ghcr.io/cognis-digital/attackmap
  • Cloud: DEPLOY.md (AWS/Azure/GCP/k8s)

Related Cognis tools

  • portfan — Summarize and diff nmap XML into prioritized, attackable findings
  • subhunt — Aggregate & dedupe subdomain enumeration from multiple sources
  • dirsight — Analyze web content-discovery output (ffuf/gobuster) into ranked endpoints
  • jwtinspect — Decode JWTs and lint for alg=none, weak secrets, and missing claims
  • corsaudit — Detect permissive/misconfigured CORS from headers or a config
  • headerscan — Grade HTTP security headers (CSP/HSTS/XFO) A-F from a response dump

Explore the suite → 🗂️ all 170+ tools · ⭐ awesome-cognis · 🔗 cognis-sources · 🤖 uncensored-fleet · 🧠 engram

Contributing

PRs, new rules, and demo scenarios are welcome under the collaboration-pull model — see CONTRIBUTING.md and SECURITY.md.

⭐ If attackmap saved you time, star it — it genuinely helps others find it.

Interoperability

attackmap composes with the 300+ tool Cognis suite — JSON in/out and a shared OpenAI-compatible /v1 backbone. See INTEROP.md for the suite map, composition patterns, and reference stacks.

License

Source-available under the Cognis Open Collaboration License (COCL) v1.0 — free for personal, internal-evaluation, research, and educational use; commercial / production use requires a license (licensing@cognis.digital). See LICENSE.


Cognis Digital · one of 170+ tools in the Cognis Neural Suite · Making Tomorrow Better Today