```bash
pip install cognis-attackmap
attackmap scan .   # → prioritized findings in seconds
```

Real, reproducible output from the tool — runs offline:
```console
$ attackmap-emit --version
attackmap 2.0.0
```

```console
$ attackmap-emit --help
usage: attackmap [-h] [--version]
                 {map,heatmap,gap,navigator,lookup,tactics} ...

Map free-text security findings to MITRE ATT&CK techniques and render a
coverage heatmap. Defensive use.

positional arguments:
  {map,heatmap,gap,navigator,lookup,tactics}
    map        Map findings to ATT&CK technique IDs.
    heatmap    Tactic-by-tactic coverage heatmap from findings.
    gap        Coverage / gap analysis vs the bundled catalog.
    navigator  Export a MITRE ATT&CK Navigator layer (JSON).
    lookup     Look up bundled techniques by id/name/keyword.
    tactics    List bundled ATT&CK tactics.

options:
  -h, --help  show this help message and exit
  --version   show program's version number and exit
```

Blocks above are real `attackmap` output — reproduce them from a clone.
Sample result format (illustrative values — run on your own data for real findings):
```json
{
  "attack_map": [
    {
      "id": "123456",
      "name": "Example Attack",
      "description": "This is an example attack.",
      "tactics": [
        {
          "id": "T1234",
          "name": "Initial Access"
        },
        {
          "id": "T5678",
          "name": "Persistence"
        }
      ],
      "techniques": [
        {
          "id": "T1111",
          "name": "Phishing"
        },
        {
          "id": "T2222",
          "name": "Lateral Movement"
        }
      ]
    }
  ]
}
```
attackmap maps free-text security findings to MITRE ATT&CK techniques and builds coverage views.
- Install:

  ```bash
  pip install -e .
  ```

- Map findings (files, or stdin) to ATT&CK technique IDs:

  ```bash
  attackmap map findings.txt --min-score 2
  ```

- Build a tactic heatmap or a coverage gap view:

  ```bash
  attackmap heatmap findings.txt
  attackmap gap findings.txt
  ```

- Export an ATT&CK Navigator layer for visualization:

  ```bash
  attackmap navigator findings.txt --name "incident-2026" --out layer.json
  ```

- Look things up / automate — `lookup` resolves a technique, `tactics` lists the bundled tactics; emit JSON in CI:

  ```bash
  attackmap lookup T1059 --format json
  attackmap map findings.txt --format json > attack.json
  ```
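
The map → gap → navigator flow above, sketched as an added example (not attackmap's own code; this page does not show its scoring or catalog): a keyword-weighted mapper with a `--min-score`-style threshold that builds an ATT&CK Navigator layer and lists uncovered techniques. The catalog keywords, weights, sample findings and function names are assumptions; the technique IDs and layer field names are the real ATT&CK / Navigator ones.

```python
import json
import re

# Constructed mini-catalog: real ATT&CK technique IDs, but the keywords and
# weights are assumptions for illustration, not attackmap's bundled catalog.
CATALOG = {  # id: (name, tactic, {keyword: weight})
    "T1566": ("Phishing", "initial-access", {"phishing": 2, "attachment": 1}),
    "T1059": ("Command and Scripting Interpreter", "execution", {"powershell": 2, "script": 1}),
    "T1110": ("Brute Force", "credential-access", {"brute force": 2, "failed logins": 1}),
}

# Constructed sample findings, one free-text line each.
FINDINGS = [
    "User opened phishing email with macro attachment",
    "Encoded PowerShell script spawned by winword.exe",
    "Multiple failed logins from one source address",
    "Helpdesk ticket: printer offline",
]

def map_finding(text, min_score=2):
    """Return [(technique_id, score)] for one finding, highest score first."""
    lowered = text.lower()
    hits = []
    for tid, (_name, _tactic, keywords) in CATALOG.items():
        score = sum(weight for kw, weight in keywords.items()
                    if re.search(r"\b" + re.escape(kw) + r"\b", lowered))
        if score >= min_score:  # weak single-keyword matches are dropped
            hits.append((tid, score))
    return sorted(hits, key=lambda h: (-h[1], h[0]))

def navigator_layer(findings, name, min_score=2):
    """Sum per-technique scores over all findings into a Navigator layer dict."""
    totals = {}
    for finding in findings:
        for tid, score in map_finding(finding, min_score):
            totals[tid] = totals.get(tid, 0) + score
    return {
        "name": name, "domain": "enterprise-attack", "versions": {"layer": "4.5"},
        "techniques": [{"techniqueID": tid, "tactic": CATALOG[tid][1], "score": s}
                       for tid, s in sorted(totals.items())],
    }

def gap(layer):
    """Catalog techniques with no mapped finding: the coverage gap."""
    covered = {t["techniqueID"] for t in layer["techniques"]}
    return sorted(set(CATALOG) - covered)

if __name__ == "__main__":
    print(json.dumps(navigator_layer(FINDINGS, "incident-2026"), indent=2))
```

With the default threshold the "failed logins" finding scores 1 and is dropped, so `T1110` shows up in the gap list rather than in the layer; lowering `min_score` trades fewer gaps for noisier mappings.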
attackmap is single-purpose, scriptable, and self-hostable: point it at a target, get prioritized results in the format your workflow already speaks (table · JSON · SARIF), gate CI on it, and let agents drive it over MCP.
- ✅ Lookup Technique
- ✅ Resolve Keywords
- ✅ Map Findings
- ✅ Coverage Heatmap
- ✅ Navigator Layer
- ✅ Parse Findings
- ✅ Runs on Linux/macOS/Windows · Docker · devcontainer
- ✅ Ports in Python, JavaScript, Go, and Rust (`ports/`)
```bash
pip install cognis-attackmap
attackmap --version
attackmap scan .                  # scan current project
attackmap scan . --format json    # machine-readable
attackmap scan . --fail-on high   # CI gate (non-zero exit)
```

```console
$ attackmap scan .
[HIGH ] ATT-001 example finding (./src/app.py)
[MEDIUM ] ATT-002 another signal (./config.yaml)
2 findings · risk score 5 · 38ms
```
```mermaid
flowchart LR
  IN[input] --> P[attackmap<br/>analyze + score]
  P --> OUT[report]
```
attackmap is interoperable with every popular way of using AI:
- MCP server — `attackmap mcp` (Claude Desktop, Cursor, Cognis.Studio, uncensored-fleet)
- OpenAI-compatible / JSON — pipe `attackmap scan . --format json` into any agent or LLM
- LangChain · CrewAI · AutoGen · LlamaIndex — wrap the CLI/JSON as a tool in one line
- CI / scripts — exit codes + SARIF for non-AI pipelines
| | Cognis attackmap | ATT&CK Navigator |
|---|---|---|
| Self-hostable, no account | ✅ | varies |
| Single command, zero config | ✅ | |
| JSON + SARIF for CI | ✅ | varies |
| MCP-native (AI agents) | ✅ | ❌ |
| Polyglot ports (JS/Go/Rust) | ✅ | ❌ |
| Open license | ✅ COCL | varies |
Built in the spirit of ATT&CK Navigator, re-framed the Cognis way. Missing a credit? Open a PR.
Pipes into your stack: SARIF for code-scanning, JSON for anything, an MCP server (attackmap mcp) for AI agents, and a webhook forwarder for SIEM/Slack/Jira. See docs/INTEGRATIONS.md.
```bash
pip install "git+https://github.com/cognis-digital/attackmap.git"      # pip (works today)
pipx install "git+https://github.com/cognis-digital/attackmap.git"     # isolated CLI
uv tool install "git+https://github.com/cognis-digital/attackmap.git"  # uv
pip install cognis-attackmap                                           # PyPI (when published)
docker run --rm ghcr.io/cognis-digital/attackmap:latest --help         # Docker
brew install cognis-digital/tap/attackmap                              # Homebrew tap
curl -fsSL https://raw.githubusercontent.com/cognis-digital/attackmap/main/install.sh | sh
```

| Linux | macOS | Windows | Docker | Cloud |
|---|---|---|---|---|
| `scripts/setup-linux.sh` | `scripts/setup-macos.sh` | `scripts/setup-windows.ps1` | `docker run ghcr.io/cognis-digital/attackmap` | `DEPLOY.md` (AWS/Azure/GCP/k8s) |
- `portfan` — Summarize and diff nmap XML into prioritized, attackable findings
- `subhunt` — Aggregate & dedupe subdomain enumeration from multiple sources
- `dirsight` — Analyze web content-discovery output (ffuf/gobuster) into ranked endpoints
- `jwtinspect` — Decode JWTs and lint for alg=none, weak secrets, and missing claims
- `corsaudit` — Detect permissive/misconfigured CORS from headers or a config
- `headerscan` — Grade HTTP security headers (CSP/HSTS/XFO) A-F from a response dump
Explore the suite → 🗂️ all 170+ tools · ⭐ awesome-cognis · 🔗 cognis-sources · 🤖 uncensored-fleet · 🧠 engram
PRs, new rules, and demo scenarios are welcome under the collaboration-pull model — see CONTRIBUTING.md and SECURITY.md.
attackmap composes with the 300+ tool Cognis suite — JSON in/out and a shared OpenAI-compatible /v1 backbone. See INTEROP.md for the suite map, composition patterns, and reference stacks.
Source-available under the Cognis Open Collaboration License (COCL) v1.0 — free for personal, internal-evaluation, research, and educational use; commercial / production use requires a license (licensing@cognis.digital). See LICENSE.