This repository provides a ready-to-use Docker Compose setup for deploying the ATT&CK Workbench application and its related services.

1. Clone the repository:

   git clone https://github.com/mitre-attack/attack-workbench-deployment.git
   cd attack-workbench-deployment

2. Configure environment variables:

   cp configs/rest-api/template.env configs/rest-api/.env
   # (Optional) For TAXII support:
   cp configs/taxii/config/template.env configs/taxii/config/.env

3. Start the Workbench application:

   docker compose up -d

4. (Optional) Start with TAXII server:

   docker compose --profile with-taxii up -d

The ATT&CK Workbench is composed of several services:

• A Frontend UI
• A REST API backend
• A MongoDB database
• An optional TAXII 2.1 Server

This repository lets you deploy all of them using Docker Compose. You can choose to:

• ✅ Use published Docker images (default and recommended)
• 🛠️ Or build from source (for development or customization)

The ATT&CK Workbench services are tied to specific versions of the ATT&CK Specification, maintained by the ATT&CK Data Model. Each release of the Workbench frontend and REST API aligns with a major version of the ATT&CK Specification.

Please refer to the COMPATIBILITY.md file for a complete compatibility matrix.

This is the default mode and best for most users. No need to clone or modify Workbench source code — the Compose file pulls prebuilt images directly from the GitHub Container Registry:

services:
  rest-api:
    image: ghcr.io/center-for-threat-informed-defense/attack-workbench-rest-api:latest

If you want to customize or test unreleased changes, you can modify the compose.yaml to build images locally:

services:
  rest-api:
    build: ../attack-workbench-rest-api

Note: The provided Compose file is preconfigured for published images but can be adapted to support builds.

Edit the .env file at configs/rest-api/.env to configure the backend.

Example:

DATABASE_URL=mongodb://attack-workbench-database/attack-workspace
AUTHN_MECHANISM=anonymous

Optional: You can also provide a JSON config file and reference it via:

JSON_CONFIG_PATH=configs/rest-api/rest-api-service-config.json

The TAXII 2.1 server is an optional sidecar service to expose ATT&CK data via the TAXII protocol.

1. Use .env files to configure the server:

   • configs/taxii/config/.env (default)
   • or use the TAXII_ENV variable to load dev.env, prod.env, etc.

2. Example environment config usage:

TAXII_ENV=prod

3. If enabling HTTPS:

   • Provide PEM files:

     configs/taxii/config/private-key.pem
     configs/taxii/config/public-certificate.pem
     

   • OR base64-encode and set them via:

     TAXII_SSL_PRIVATE_KEY=<base64>
     TAXII_SSL_PUBLIC_KEY=<base64>

Use Compose profiles to include or exclude the optional TAXII service:

• With TAXII:

  docker compose --profile with-taxii up -d

• Without TAXII:

  docker compose up -d

The with-taxii profile is defined in docker-compose.yml.

In zero-trust environments such as those using ZScaler or deep packet inspection, ATT&CK Workbench may require a custom certificate authority (CA) bundle to communicate with external resources (e.g., downloading remote collection indexes).

You can provide your own PKI certificates by following the guide in certs/README.md.

This setup augments the main deployment with an additional Compose file:

docker compose -f compose.yaml -f compose.certs.yaml up -d

If you're working on ATT&CK Workbench source code:

• Clone the relevant service repositories
• Modify the compose.yaml to build from local source (build: instead of image:)
• Use volume mounts for live reloading if needed

• ATT&CK Workbench Frontend
• ATT&CK REST API
• ATT&CK TAXII Server
• MongoDB Docker Image