MCP Server

MACAT includes a built-in Model Context Protocol (MCP) server that lets any MCP-compatible client control MACAT programmatically. With MCP, an AI assistant or automation tool can search procedures, build simulations, execute them, and review results.

The MCP server runs inside the MACAT process and shares the same database, services, and execution engine as the UI. Changes made through MCP are reflected in real time in the MACAT window.

Enabling the MCP Server

Click the Settings icon in the MACAT sidebar
Navigate to the MCP Server tab
Toggle Enable MCP Server on
Click Save
An API key will be generated automatically — copy it for the next step

The server starts on http://127.0.0.1:3457 by default. You can change the port and bind address in the same settings panel.

Warning

Binding to 0.0.0.0 or other externally-available addresses is HIGH RISK. It's recommended you use tunneling (Tailscale or similar) to the MACAT box and connect that way vs binding to a non-local address.

Connecting an MCP Client

Add the following to your MCP client configuration. The example below uses a generic format. Refer to your client's documentation for the exact syntax:

json

{
  "mcpServers": {
    "macat": {
      "type": "http",
      "url": "http://127.0.0.1:3457/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY_HERE"
      }
    }
  }
}

Replace YOUR_API_KEY_HERE with the API key from MACAT's settings. If you changed the default port, update the URL accordingly.

Available Tools

The MCP server exposes 23 tools organized into four categories.

Query Tools

Tool	Description
`list_procedures`	Search and filter procedures by tags, platforms, executors, techniques, threat profiles, privilege level, and free text
`get_procedure`	Get full details for a procedure including steps, arguments, and variables
`get_reference_data`	List available executors, platforms, tags, procedure types, and defense tool types
`get_mitre_data`	Query MITRE ATT&CK techniques and tactics with filtering
`list_threat_profiles`	Search STIX threat actors, malware, and tools
`get_config`	Read the current application configuration
`get_macatable_format`	Get the full MACATable TOML specification
`list_file_folders`	List procedure file folders with optional source filtering
`list_root_files`	List root-level procedure files
`get_folder_contents`	List files and subfolders within a specific folder
`load_simulation_from_file`	Load a saved simulation from a TOML or MCZ file on disk

Write Tools

Tool	Description
`save_procedure`	Create or update procedures from MACATable TOML
`delete_procedure`	Delete a procedure by ID
`save_config`	Update application configuration
`import_library_procedures`	Import procedures from a TOML or MCZ archive file
`save_simulation_to_file`	Save a simulation to a TOML or MCZ file

Simulation Tools

Tool	Description
`create_simulation`	Create a simulation from procedure IDs without executing it
`run_simulation`	Execute a simulation and receive a task ID for tracking
`rerun_simulation`	Re-execute an existing simulation without creating a new tab
`halt_simulation`	Stop a running simulation
`list_simulation_tabs`	List all open simulation tabs in the UI
`get_simulation_results`	Get in-memory results for the current session
`list_simulation_logs`	List persisted execution log files
`get_simulation_log`	Read results from a saved log file

Resources

The server also exposes three MCP resources that provide reference documentation to connected clients:

macat://docs/macatable-format - Full TOML specification for procedures and simulations
macat://docs/workflow-guide - Step-by-step workflow guide for common tasks
macat://reference/executors - Available executors with platform compatibility

Example Workflows

Search and Run

Ask your MCP client something like:

"Find all credential dumping procedures for Windows and run them in a simulation"

The client will use list_procedures with technique filters, create_simulation, and run_simulation to carry this out.

Build Custom Procedures

"Create a procedure that checks if Sysmon is running and logs the result"

The client will use get_macatable_format to understand the TOML schema, then save_procedure to create it.

Re-run and Compare

"Re-run the lateral movement simulation from earlier and show me the results"

The client will use list_simulation_tabs to find it, rerun_simulation to execute, and get_simulation_results to retrieve the output.

Tips

Use filters - list_procedures supports many filter parameters. Filtering is much faster than paginating through all procedures.
Rerun over re-create - Use rerun_simulation to avoid cluttering the UI with duplicate tabs.
Check results two ways - get_simulation_results is fast but session-only. get_simulation_log reads persisted logs that survive restarts.
Real-time events - Connected clients receive step-update, proc-update, and sim-update notifications as simulations execute.

Security

The MCP server only binds to 127.0.0.1 by default — it is not accessible from other machines.
All requests require a valid API key via the Authorization: Bearer header.
You can regenerate the API key at any time from the Settings panel.

MCP Server ​

Enabling the MCP Server ​

Connecting an MCP Client ​

Available Tools ​

Query Tools ​

Write Tools ​

Simulation Tools ​

Resources ​

Example Workflows ​

Search and Run ​

Build Custom Procedures ​

Re-run and Compare ​

Tips ​

Security ​