# MITRE ATT&CK Technique Mapper

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Install skill "MITRE ATT&CK Technique Mapper" with this command: npx skills add krishnakumarmahadevan-cmd/toolweb-mitre-attack-mapper

Map threat descriptions, incident reports, or security observations to MITRE ATT&CK techniques and tactics. Submit free-text describing attacker behavior or upload a security report file — get back matched ATT&CK technique IDs, tactic categories, kill chain position, detection guidance, and mitigation recommendations.


Usage

This endpoint uses multipart/form-data — not JSON. Submit either a text description (input) or a file upload (file), or both together.

Option 1 — Text Input

curl -X POST https://portal.toolweb.in/apis/security/mitre-attack-mapper/map-technique \
  -H "X-API-Key: YOUR_API_KEY" \
  -F "input=Attacker used spearphishing email with malicious Office macro to gain initial access, then ran PowerShell to enumerate local users and dump credentials from LSASS memory"

Option 2 — File Upload

curl -X POST https://portal.toolweb.in/apis/security/mitre-attack-mapper/map-technique \
  -H "X-API-Key: YOUR_API_KEY" \
  -F "file=@incident_report.pdf"

Option 3 — Text + File Combined

curl -X POST https://portal.toolweb.in/apis/security/mitre-attack-mapper/map-technique \
  -H "X-API-Key: YOUR_API_KEY" \
  -F "input=Focus on lateral movement and credential access techniques" \
  -F "file=@threat_intel_report.txt"

Parameters

Request content type: multipart/form-data

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| input | string | Optional | Free-text description of attacker behavior, threat intelligence, or incident details. Default: empty string |
| file | binary file | Optional | Upload a security report, threat intel document, SIEM alert export, or incident log (PDF, TXT, DOCX, CSV) |

At least one of input or file should be provided for a meaningful result.

What to put in input

Describe attacker behavior in plain language or paste raw threat intelligence. Examples:

  • Incident narrative: "Attacker gained access via phishing, established persistence using a scheduled task, and exfiltrated data to an external FTP server"
  • SIEM alert text: "Suspicious PowerShell execution with encoded command, parent process: winword.exe"
  • Threat actor TTP summary: "APT group used living-off-the-land binaries, disabled Windows Defender via registry modification, and moved laterally using PsExec"
  • CVE description: "Exploit of public-facing application via SQL injection to achieve remote code execution"

What to upload as file

  • Incident response reports (PDF, DOCX)
  • Threat intelligence bulletins (PDF, TXT)
  • SIEM/EDR alert exports (CSV, TXT)
  • Penetration test findings (PDF, DOCX)
  • Malware analysis reports (TXT, PDF)

What You Get

  • Matched ATT&CK techniques — technique IDs (e.g., T1566.001), names, and confidence scores
  • Tactic mapping — which kill chain phase each technique belongs to (Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Command & Control, Impact)
  • ATT&CK Navigator layer — exportable technique coverage for visualization
  • Detection guidance — log sources, SIEM queries, and indicators to look for per technique
  • Mitigation recommendations — ATT&CK M-series mitigations mapped to each identified technique
  • Threat actor association — known APT groups or threat actors that use the identified technique combination

Example Output

{
  "techniques_identified": 4,
  "confidence": "High",
  "mapped_techniques": [
    {
      "technique_id": "T1566.001",
      "technique_name": "Phishing: Spearphishing Attachment",
      "tactic": "Initial Access",
      "confidence": 0.95,
      "detection": "Monitor email gateway logs for Office documents with macros; alert on winword.exe spawning child processes",
      "mitigations": ["M1049 - Antivirus/Antimalware", "M1031 - Network Intrusion Prevention", "M1017 - User Training"]
    },
    {
      "technique_id": "T1059.001",
      "technique_name": "Command and Scripting Interpreter: PowerShell",
      "tactic": "Execution",
      "confidence": 0.92,
      "detection": "Enable PowerShell ScriptBlock logging (Event ID 4104); alert on encoded commands (-EncodedCommand)",
      "mitigations": ["M1049 - Antivirus/Antimalware", "M1038 - Execution Prevention", "M1026 - Privileged Account Management"]
    },
    {
      "technique_id": "T1087.001",
      "technique_name": "Account Discovery: Local Account",
      "tactic": "Discovery",
      "confidence": 0.88,
      "detection": "Monitor for net user, whoami /all, Get-LocalUser execution",
      "mitigations": ["M1028 - Operating System Configuration"]
    },
    {
      "technique_id": "T1003.001",
      "technique_name": "OS Credential Dumping: LSASS Memory",
      "tactic": "Credential Access",
      "confidence": 0.97,
      "detection": "Monitor for lsass.exe memory access (Sysmon Event ID 10); alert on procdump, mimikatz, Task Manager targeting lsass",
      "mitigations": ["M1043 - Credential Access Protection", "M1028 - Operating System Configuration", "M1026 - Privileged Account Management"]
    }
  ],
  "threat_actor_associations": ["APT29", "FIN7", "Lazarus Group"],
  "kill_chain_coverage": ["Initial Access", "Execution", "Discovery", "Credential Access"]
}

API Reference

Base URL: https://portal.toolweb.in/apis/security/mitre-attack-mapper

| Endpoint | Method | Content-Type | Description |
| --- | --- | --- | --- |
| /map-technique | POST | multipart/form-data | Map text or file to MITRE ATT&CK techniques |

Authentication: Pass your API key as X-API-Key header or mcp_api_key argument via MCP.
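A stdlib-only Python client, added here as an example and not code from ToolWeb or the skill itself. It hand-builds the multipart/form-data body this endpoint expects (the URL, the X-API-Key header and the input/file field names are taken from this page) and converts the mapped_techniques array of a response into a minimal ATT&CK Navigator layer; the Navigator field names used, and the abridged SAMPLE_RESULT copy of the example output above, are assumptions constructed so the conversion can be exercised offline.

```python
import json
import urllib.request
import uuid

# Endpoint, header and field names are taken from the page above.
ENDPOINT = "https://portal.toolweb.in/apis/security/mitre-attack-mapper/map-technique"


def encode_multipart(fields, files=None):
    """Return (content_type, body); fields: {name: str}, files: {name: (filename, bytes)}."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields.items():  # plain text parts such as "input"
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; '
                     f'name="{name}"\r\n\r\n{value}\r\n'.encode())
    for name, (filename, data) in (files or {}).items():  # file parts such as "file"
        head = (f'--{boundary}\r\nContent-Disposition: form-data; '
                f'name="{name}"; filename="{filename}"\r\n'
                'Content-Type: application/octet-stream\r\n\r\n')
        parts.append(head.encode() + data + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())  # closing boundary
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)


def map_technique(api_key, text="", file_path=None):
    """POST a description and/or a report file to the mapper (network call)."""
    files = None
    if file_path:
        with open(file_path, "rb") as fh:
            files = {"file": (file_path.rsplit("/", 1)[-1], fh.read())}
    ctype, body = encode_multipart({"input": text}, files)
    req = urllib.request.Request(ENDPOINT, data=body, method="POST",
                                 headers={"X-API-Key": api_key, "Content-Type": ctype})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


def to_navigator_layer(result, name="mapper-output"):
    """Minimal Navigator layer (assumed field names); score = confidence as 0-100."""
    techniques = [{"techniqueID": t["technique_id"],
                   "tactic": t["tactic"].lower().replace(" ", "-"),
                   "score": round(t["confidence"] * 100),
                   "comment": t["detection"]}
                  for t in result["mapped_techniques"]]
    return {"name": name, "domain": "enterprise-attack", "techniques": techniques}


# Constructed, abridged copy of the page's example output for offline use.
SAMPLE_RESULT = {"mapped_techniques": [
    {"technique_id": "T1566.001", "tactic": "Initial Access", "confidence": 0.95,
     "detection": "Monitor email gateway logs for Office documents with macros"},
    {"technique_id": "T1003.001", "tactic": "Credential Access", "confidence": 0.97,
     "detection": "Monitor for lsass.exe memory access (Sysmon Event ID 10)"}]}
```

Calling map_technique("YOUR_API_KEY", text="...", file_path="incident_report.pdf") reproduces Option 3 above, and to_navigator_layer(...) on the result gives a layer that can be loaded into the ATT&CK Navigator for coverage review.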


Pricing

| Plan | Daily Limit | Monthly Limit | Price |
| --- | --- | --- | --- |
| Free | 5 / day | 50 / month | $0 |
| Developer | 20 / day | 500 / month | $39 |
| Professional | 200 / day | 5,000 / month | $99 |
| Enterprise | 100,000 / day | 1,000,000 / month | $299 |

About

ToolWeb.in — 200+ security APIs, CISSP & CISM certified, built for enterprise security practitioners.

Platforms: Pay-per-run · API Gateway · MCP Server · OpenClaw · RapidAPI · YouTube

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.
