Do I need an API key for the MITRE ATT&CK lookup?

No. ATT&CK is open data, so the skill needs no subscription or paid key. You can resolve technique IDs, tactics and relationships straight away.

Can I look up which groups use a technique?

Yes. As well as resolving a technique ID to its details, the skill traces relationships, so you can ask which groups or software are associated with a given technique, or which techniques a particular group uses.

Does it cover sub-techniques and tactics?

Yes. A technique lookup returns its parent tactics and any sub-techniques, and you can query a tactic to list the techniques beneath it, which keeps your mappings aligned with the current ATT&CK structure.

CTI Skill · Lookups

MITRE ATT&CK Lookup.

/mitre-attack

The MITRE ATT&CK lookup skill queries the ATT&CK knowledge base from inside your AI coding agent. Resolve a technique ID to its name and description, list the techniques under a tactic, or trace the relationships between groups, software and techniques. It runs against the public ATT&CK data, so you can map a finding to the framework without keeping a browser tab open on the matrix.

Get the free pack on GitHub →Or join the free tier waitlist

What it does.

It looks up entries in the MITRE ATT&CK knowledge base on demand. Give it a technique ID such as T1059 and it returns the name, description, the tactics it belongs to and its sub-techniques. Ask about a tactic and it lists the techniques under it. Ask about a group or piece of software and it returns the techniques associated with it, so you can walk the relationships between actors, tooling and behaviour.

When to use it.

Use it whenever you need to ground a finding in ATT&CK: confirming what a technique ID means, mapping observed behaviour to the right technique, or checking which techniques a group or malware family is known to use. It is handy while writing assessments and detections, and other skills in the pack lean on it to attach ATT&CK context to actors and samples.

What you get back.

A clear summary of the requested entry: for a technique, its ID, name, description, parent tactics and sub-techniques; for a tactic, the techniques beneath it; for a group or software, the associated techniques and any related entries. The results follow ATT&CK's own structure, so they line up with mappings you already use in reports and detection logic.

How it fits your workflow.

ATT&CK is the shared language most teams use to describe adversary behaviour, so a fast lookup keeps your reports and rules consistent. Resolve technique IDs as you write, then carry the mapping into a SIGMA or KQL rule, or attach it to an actor profile. Paired with the CrowdStrike and threat-actor skills, it lets you move from an observed TTP to the groups that use it and back again.

Keep going.

Frequently Asked Questions.

Ready to do more with less?

Request a demo or start your free trial today. Get instant access to AI-powered threat intelligence tailored to your organisation.