Generate MITRE ATT&CK Navigator layers for coverage visualization, threat actor mapping, and gap analysis. Produces JSON files compatible with the Navigator web app.
ATT&CK Navigator layers are JSON files that visualize technique coverage on the MITRE ATT&CK matrix. This skill covers generating layers for three primary use cases: detection coverage visualization, threat actor mapping, and gap analysis.
Every layer follows this structure:

```json
{
  "name": "Layer Name",
  "versions": {
    "attack": "18.1",
    "navigator": "5.3.1",
    "layer": "4.5"
  },
  "domain": "enterprise-attack",
  "description": "Layer description",
  "techniques": [
    {
      "techniqueID": "T1059.001",
      "tactic": "execution",
      "score": 75,
      "color": "#66b2ff",
      "comment": "3 Sigma rules, 2 Splunk ESCU rules",
      "enabled": true
    }
  ],
  "gradient": {
    "colors": ["#ff6666", "#ffe766", "#8ec843"],
    "minValue": 0,
    "maxValue": 100
  }
}
```
| Field | Type | Purpose |
|---|---|---|
| techniqueID | string | MITRE technique ID (e.g., T1059.001) |
| tactic | string | Tactic shortname (required for sub-techniques that appear in multiple tactics) |
| score | number | 0–100, drives gradient coloring |
| color | string | Hex color override (takes precedence over score gradient) |
| comment | string | Hover text with details |
| enabled | boolean | Whether technique is visible |
| Color | Meaning |
|---|---|
| #8ec843 (green) | Good coverage (score 70–100) |
| #ffe766 (yellow) | Partial coverage (score 30–69) |
| #ff6666 (red) | Weak/no coverage (score 0–29) |
| #6baed6 (blue) | Threat actor uses this technique |
| #ffffff (white) | Not assessed / not applicable |
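A layer that violates the field constraints above loads with silently missing or miscolored cells in Navigator, so it is worth checking generated files before sharing them. The validator below is an added example, not part of this skill or of the Navigator project; it checks the required fields and the `techniqueID`, `score`, `color` and `enabled` constraints from the tables, using a constructed sample layer with one good and one defective entry.

```python
import json
import re

# Constructed sample layer (not from the page): the first technique is well-formed,
# the second has a malformed ID, an out-of-range score, a non-hex color and a
# non-boolean "enabled" value.
SAMPLE_LAYER = json.dumps({
    "name": "Sample coverage",
    "versions": {"attack": "18.1", "navigator": "5.3.1", "layer": "4.5"},
    "domain": "enterprise-attack",
    "description": "constructed for the validator example",
    "techniques": [
        {"techniqueID": "T1059.001", "tactic": "execution", "score": 75,
         "color": "#66b2ff", "comment": "ok", "enabled": True},
        {"techniqueID": "1059", "score": 150, "color": "blue", "enabled": "yes"},
    ],
})

TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")   # T1059 or T1059.001
HEX_COLOR = re.compile(r"^#[0-9a-fA-F]{6}$")          # #rrggbb
REQUIRED_TOP = ("name", "versions", "domain", "techniques")
REQUIRED_VERSIONS = ("attack", "navigator", "layer")


def validate_layer(layer_json: str) -> list:
    """Return a list of problems; an empty list means the layer passed every check."""
    problems = []
    layer = json.loads(layer_json)

    for key in REQUIRED_TOP:
        if key not in layer:
            problems.append(f"missing top-level field '{key}'")
    for key in REQUIRED_VERSIONS:
        if key not in layer.get("versions", {}):
            problems.append(f"missing versions.{key}")

    for idx, tech in enumerate(layer.get("techniques", [])):
        tid = str(tech.get("techniqueID", ""))
        where = f"techniques[{idx}] ({tid or '?'})"
        if not TECHNIQUE_ID.match(tid):
            problems.append(f"{where}: techniqueID is not of the form T1234 or T1234.001")
        score = tech.get("score")
        if score is not None and not (isinstance(score, (int, float))
                                      and not isinstance(score, bool)
                                      and 0 <= score <= 100):
            problems.append(f"{where}: score {score!r} is not a number in 0-100")
        color = tech.get("color")
        if color is not None and not HEX_COLOR.match(str(color)):
            problems.append(f"{where}: color {color!r} is not a #rrggbb value")
        if "enabled" in tech and not isinstance(tech["enabled"], bool):
            problems.append(f"{where}: enabled must be true/false")
    return problems


if __name__ == "__main__":
    for problem in validate_layer(SAMPLE_LAYER):
        print(problem)
```

The check that a sub-technique carries a `tactic` when it appears under several tactics needs the ATT&CK dataset itself and is not attempted here; run this validator on the file and open it in Navigator afterwards to confirm every expected cell is colored.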
Visualize detection coverage across all techniques. Score is based on number and quality of detections.
Using MCP tools:

1. `get_technique_ids()` → Get all covered technique IDs
2. `analyze_coverage()` → Get tactic-level breakdown
3. `generate_coverage_layer(covered_ids)` → Generate the layer JSON
Scoring formula (suggested):
Highlight all techniques attributed to a specific threat group.
Using MCP tools:

1. `search_groups("APT29")` → Find group ID (G0016)
2. `get_group_techniques("G0016")` → Get technique list
3. `generate_group_layer("G0016", "APT29")` → Generate the layer
Compare your detection coverage against a target set of techniques (e.g., a threat actor's TTPs).
Using MCP tools:

1. `get_technique_ids()` → Your covered IDs
2. `get_group_techniques("G0016")` → Target IDs
3. `generate_gap_layer(covered, target, "APT29 Gaps")` → Gap layer
Gap layer color scheme:
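The following is an added example of the gap comparison, not the skill's `generate_gap_layer` tool: it takes a covered set and a target set and emits a layer in which each target technique is colored by whether a detection exists. The colors are taken from the palette table above, but which state gets which color is this example's assumption, and the two ID sets are constructed for illustration rather than taken from any real group's profile.

```python
import json

# Palette from the table above; the assignment of states to colors is this example's choice.
COVERED = "#8ec843"   # green: in the target set and we have a detection
GAP = "#ff6666"       # red: in the target set and we have no detection
EXTRA = "#6baed6"     # blue: detected but not in the target set (context only)

# Constructed sample sets (not a real group's TTP list): the ATT&CK IDs exist,
# the membership is illustrative.
COVERED_IDS = ["T1059.001", "T1053.005", "T1003.001"]
TARGET_IDS = ["T1059.001", "T1003.001", "T1566.001", "T1078"]


def make_gap_layer(covered, target, name, include_extra=False):
    """Build a Navigator layer coloring target techniques by whether they are covered."""
    covered, target = set(covered), set(target)
    techniques = []
    for tid in sorted(target):
        if tid in covered:
            techniques.append({"techniqueID": tid, "score": 100, "color": COVERED,
                               "comment": "covered: detection exists"})
        else:
            techniques.append({"techniqueID": tid, "score": 0, "color": GAP,
                               "comment": "GAP: no detection for a target technique"})
    if include_extra:
        for tid in sorted(covered - target):
            techniques.append({"techniqueID": tid, "score": 50, "color": EXTRA,
                               "comment": "covered, not in target set"})
    return {
        "name": name,
        "versions": {"attack": "18.1", "navigator": "5.3.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": f"{len(target & covered)}/{len(target)} target techniques covered",
        "techniques": techniques,
        "gradient": {"colors": [GAP, "#ffe766", COVERED], "minValue": 0, "maxValue": 100},
    }


def gap_summary(layer):
    """Count techniques per state from the layer itself, so numbers match what Navigator shows."""
    counts = {"covered": 0, "gaps": 0, "extra": 0}
    for tech in layer["techniques"]:
        if tech["color"] == GAP:
            counts["gaps"] += 1
        elif tech["color"] == COVERED:
            counts["covered"] += 1
        else:
            counts["extra"] += 1
    return counts


def gap_ids(layer):
    """Target techniques with no detection: the list to prioritize for new detection content."""
    return [t["techniqueID"] for t in layer["techniques"] if t["color"] == GAP]


if __name__ == "__main__":
    layer = make_gap_layer(COVERED_IDS, TARGET_IDS, "Sample Gaps", include_extra=True)
    print(gap_summary(layer), gap_ids(layer))
    with open("gap_layer.json", "w") as f:
        json.dump(layer, f, indent=2)
```

The entries omit `tactic`; per the field table, add it for sub-techniques that sit under more than one tactic so the right cell is colored. `include_extra` is off by default because a gap layer is usually read as "what the actor does that we miss", and extra blue cells dilute that signal.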
If MCP tools aren't available, build the JSON directly:

```python
import json


def make_layer(name, techniques, description=""):
    # Wrap a technique list in the standard layer envelope shown above.
    return {
        "name": name,
        "versions": {"attack": "18.1", "navigator": "5.3.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": description,
        "techniques": techniques,
        "gradient": {
            "colors": ["#ff6666", "#ffe766", "#8ec843"],
            "minValue": 0,
            "maxValue": 100,
        },
    }


techniques = [
    {"techniqueID": "T1059.001", "score": 80, "comment": "5 detections"},
    {"techniqueID": "T1053.005", "score": 40, "comment": "1 detection"},
]

layer = make_layer("My Coverage", techniques, "Detection coverage as of 2026-02")

with open("coverage_layer.json", "w") as f:
    json.dump(layer, f, indent=2)
```
Or host Navigator locally:

```bash
git clone https://github.com/mitre-attack/attack-navigator.git
cd attack-navigator/nav-app
npm install && npm start
```
Set `versions.attack` to match the ATT&CK version your analysis used.