Security-Focused LLM Memory Storage with Intelligence Gathering, Reverse Engineering, and MITRE ATT&CK Integration
TinyBrain is a comprehensive memory storage system designed specifically for security professionals, penetration testers, and AI assistants working on offensive security tasks. It provides intelligent memory management, pattern recognition, and comprehensive intelligence gathering capabilities through the Model Context Protocol (MCP).
π View Complete Documentation | π Report Issues | π¬ Discussions
- OSINT: Open Source Intelligence collection and analysis
- HUMINT: Human Intelligence gathering and social engineering assessment
- SIGINT: Signals Intelligence and communications analysis
- GEOINT: Geospatial Intelligence and location-based analysis
- MASINT: Measurement and Signature Intelligence
- TECHINT: Technical Intelligence and technology assessment
- FININT: Financial Intelligence and cryptocurrency tracking
- CYBINT: Cyber Intelligence and threat analysis
- Malware Analysis: Static and dynamic malware analysis capabilities
- Binary Analysis: PE, ELF, Mach-O file format analysis
- Vulnerability Research: Fuzzing, exploit development, and vulnerability analysis
- Protocol Analysis: Network and application protocol reverse engineering
- Code Analysis: Source code and assembly analysis tools
- Complete Framework: All 14 Enterprise tactics and 200+ techniques
- TTP Mapping: Map findings to specific tactics, techniques, and procedures
- Attack Chain Analysis: Complete attack chain mapping and analysis
- Threat Hunting: Hunt for specific TTPs and attack patterns
- Campaign Tracking: Track attack campaigns and threat actor activities
- Real-Time Data: Live MITRE ATT&CK dataset with 823+ techniques and 14 tactics
- Intelligent Querying: Semantic search across attack techniques and procedures
- CWE Integration: Common Weakness Enumeration patterns and classifications
- OWASP Compliance: OWASP Top 10 2021 and testing guide integration
- Multi-Language Support: Security patterns for 10+ programming languages
- Authorization Templates: RBAC, ABAC, and DAC access control patterns
- Standards Compliance: NIST, ISO 27001, PTES, and industry standards
- NVD Integration: National Vulnerability Database with 314,835+ CVEs
- OWASP Testing Guide: Complete web application security testing procedures
- NVD Integration: National Vulnerability Database with 314,835+ CVEs
- MITRE ATT&CK: Complete framework with 823+ techniques and 14 tactics
- OWASP Testing Guide: Comprehensive web application security testing procedures
- Intelligent Retrieval: Context-aware querying with summarization
- Real-Time Updates: Incremental data updates from official sources
- Rate Limiting: Respectful API usage with proper rate limiting
- 30+ Memory Categories: Comprehensive categorization for intelligence, reconnaissance, and analysis data
- Intelligence Objects: Threat actors, attack campaigns, IOCs, TTPs, patterns, and correlations
- Context-Aware Storage: Automatically categorizes and prioritizes information
- Advanced Search: Semantic, exact, fuzzy, tag-based, and relationship-based search
- Access Tracking: Monitors which memories are most relevant and frequently accessed
- Context Summaries: Provides relevant memory summaries for current tasks
- Embedded SQLite Backend: Single binary with a pure-Go SQLite engine (no cgo) and FTS5 full-text search
- Dashboard: Web-based status dashboard at http://127.0.0.1:8090/_/ (in
servemode) - REST API: Full REST API at http://127.0.0.1:8090/api/ for external integrations
- MCP Protocol: JSON-RPC 2.0 over stdio for AI assistant integration
- Optimized Queries: Indexed searches and efficient relationship traversal
- Transaction Safety: ACID compliance for data integrity
- Concurrent Access: Thread-safe operations for multiple LLM interactions
- Zero Configuration: Works out of the box with minimal setup
- Semantic Search: AI-powered memory search using embeddings for conceptual similarity
- Embedding Generation: Generate embeddings for text (placeholder for AI integration)
- Similarity Calculation: Calculate semantic similarity between embeddings
- Future-Ready: Complete foundation for OpenAI, Cohere, or local model integration
- Memory Notifications: Real-time alerts for memory events and system activities
- High Priority Alerts: Notifications for high-priority memories (priority β₯8, confidence β₯0.8)
- Duplicate Detection: Alerts for potential duplicate memories with similarity scores
- Cleanup Notifications: Notifications for automated cleanup operations
- Notification Management: Mark notifications as read, filter by session, priority-based sorting
- Simple Installation:
go install github.com/rainmana/tinybrain/v3/cmd/tinybrain@latest - Comprehensive Logging: Detailed logging with structured output
- Extensive Testing: Full test coverage for all MCP tool handlers
- Docker Support: Containerized deployment ready
- 50+ MCP Tools: Complete API for all memory management operations
- Single Binary: MCP server, REST API, and dashboard in one executable
TinyBrain provides a comprehensive set of more than 50 MCP tools for complete LLM memory management:
store_memory- Store new memory entriesget_memory- Retrieve memory by IDsearch_memories- Advanced search with multiple strategiesupdate_memory- Update existing memory entriesdelete_memory- Delete memory entriesfind_similar_memories- Find similar memories by contentcheck_duplicates- Check for duplicate memoriesget_memory_stats- Get comprehensive memory statistics
create_session- Create new security assessment sessionsget_session- Retrieve session informationlist_sessions- List all sessions with filteringcreate_task_progress- Create task progress entriesupdate_task_progress- Update task progresslist_task_progress- List task progress entries
create_relationship- Create memory relationshipsget_related_memories- Get related memoriescreate_context_snapshot- Create context snapshotsget_context_snapshot- Retrieve context snapshotslist_context_snapshots- List context snapshotsget_context_summary- Get memory summaries for contextexport_session_data- Export session dataimport_session_data- Import session data
get_security_templates- Get predefined security templatescreate_memory_from_template- Create memories from templatesbatch_create_memories- Bulk create memory entriesbatch_update_memories- Bulk update memory entriesbatch_delete_memories- Bulk delete memory entriesget_detailed_memory_info- Get detailed memory debugging info
cleanup_old_memories- Age-based memory cleanupcleanup_low_priority_memories- Priority-based cleanupcleanup_unused_memories- Access-based cleanupget_system_diagnostics- Comprehensive system diagnostics
semantic_search- AI-powered semantic searchgenerate_embedding- Generate embeddings for textcalculate_similarity- Calculate embedding similarity
get_notifications- Get notifications and alertsmark_notification_read- Mark notifications as readcheck_high_priority_memories- Check for high-priority alertscheck_duplicate_memories- Check for duplicate alerts
health_check- Perform system health checks
TinyBrain's security patterns and vulnerability datasets are aligned with industry-standard security frameworks:
- OWASP Top 10 2021 - Web Application Security Risks
- CWE (Common Weakness Enumeration) - Software Weakness Classification
- NIST SP 800-115 - Technical Guide to Information Security Testing
- ISO 27001 - Information Security Management Systems
- PTES (Penetration Testing Execution Standard) - Penetration Testing Methodology
Our security patterns and vulnerability datasets are based on authoritative sources:
- OWASP Code Review Guide - Comprehensive secure code review methodology
- OWASP Secure Coding Dojo - Interactive security code review training
- OWASP Testing Guide - Web application security testing methodology
- SANS Top 25 CWE - Most dangerous software errors
- NIST Cybersecurity Framework - Cybersecurity risk management
Our security patterns cover 10 major programming languages with language-specific vulnerability patterns:
- JavaScript/Node.js - Web application security patterns
- Python - Backend and automation security patterns
- Java - Enterprise application security patterns
- C#/.NET - Microsoft ecosystem security patterns
- PHP - Web application security patterns
- Ruby - Web framework security patterns
- Go - System and API security patterns
- C/C++ - System-level security patterns
- TypeScript - Type-safe web application patterns
- Rust - Memory-safe system programming patterns
Download the latest release for your platform from Releases:
- macOS (Apple Silicon):
tinybrain_*_Darwin_arm64.tar.gz - macOS (Intel):
tinybrain_*_Darwin_x86_64.tar.gz - Linux (x86_64):
tinybrain_*_Linux_x86_64.tar.gz - Linux (ARM64):
tinybrain_*_Linux_arm64.tar.gz - Windows:
tinybrain_*_Windows_x86_64.zip
Extract and run:
# Extract (Linux/macOS)
tar -xzf tinybrain_*_*.tar.gz
cd tinybrain_*
# Make executable
chmod +x tinybrain
# Run
./tinybrain serve# Install latest version
go install github.com/rainmana/tinybrain/v3/cmd/tinybrain@latest
# Install specific version
go install github.com/rainmana/tinybrain/v3/cmd/tinybrain@latest
# The binary will be installed as 'tinybrain' in your $GOPATH/bin or $GOBIN
# Make sure $GOPATH/bin or $GOBIN is in your PATHgit clone https://github.com/rainmana/tinybrain.git
cd tinybrain
go build -o tinybrain ./cmd/tinybraindocker pull rainmana/tinybrain:latest
docker run -p 8090:8090 rainmana/tinybrainTinyBrain ships as a Claude Code plugin that registers the MCP server and installs
skills teaching Claude how to use it well (capture findings as you go, build an engagement
knowledge graph, recall it across sessions). The plugin includes a core using-tinybrain
skill plus domain workflows for code review, CTFs, and threat intelligence.
First install the binary (the plugin's MCP config runs tinybrain from your PATH):
go install github.com/rainmana/tinybrain/v3/cmd/tinybrain@latestThen add the marketplace and install the plugin from inside Claude Code:
/plugin marketplace add rainmana/tinybrain
/plugin install tinybrain@tinybrain-marketplace
That's it β the tinybrain MCP server is registered (pointed at ~/.tinybrain/memory.db)
and the skills activate automatically when you do security work. To point at a different
database, set TINYBRAIN_DB_PATH in your environment before launching Claude Code.
# Start the server (data stored in ~/.tinybrain by default)
tinybrain serve
# Or specify a custom data directory
tinybrain serve --dir /path/to/your/data
# Customize the HTTP host/port (default is 127.0.0.1:8090)
tinybrain serve --port 9000
tinybrain serve --host 0.0.0.0 --port 8090
# Or use environment variables
TINYBRAIN_HOST=0.0.0.0 TINYBRAIN_PORT=9000 tinybrain serve
# Access the dashboard
open http://127.0.0.1:8090/_/
# The REST API is available at:
# http://127.0.0.1:8090/api/In serve mode TinyBrain speaks the MCP protocol over stdio and serves the
REST API/dashboard over HTTP. Running plain tinybrain (no subcommand) starts
a stdio-only MCP server, which is what most MCP client configs use.
- Single Binary: Everything in one executable with zero configuration
- Dashboard: Web interface at http://127.0.0.1:8090/_/ for stats and links
- REST API: Sessions and memory endpoints at http://127.0.0.1:8090/api/
- Optional Auth: Set
TINYBRAIN_API_TOKENto require a bearer token on the REST API - Data Persistence: SQLite database at
<dir>/memory.db(default~/.tinybrain/memory.db) - MCP over stdio: JSON-RPC 2.0; works with Claude Desktop, Cursor, Cline, and any MCP client
// Create an OSINT intelligence session
session := &Session{
Name: "OSINT Intelligence Gathering",
TaskType: "intelligence_analysis",
IntelligenceType: "osint",
Classification: "unclassified",
ThreatLevel: "medium",
}
// Store intelligence findings
finding := &IntelligenceFinding{
Title: "Social Media Intelligence",
IntelligenceType: "osint",
ThreatLevel: "medium",
MITRETactic: "TA0001",
MITRETechnique: "T1591",
KillChainPhase: "reconnaissance",
}{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "mcp_tinybrain-mcp-server_create_session",
"arguments": {
"name": "Security Assessment",
"task_type": "penetration_test",
"intelligence_type": "osint"
}
}
}If you encounter issues with go install, try these solutions:
# Standard install (note the /v3 in the module path β required for v3.x)
go install github.com/rainmana/tinybrain/v3/cmd/tinybrain@latest
# Build from a clone instead
git clone https://github.com/rainmana/tinybrain.git
cd tinybrain
go build -o tinybrain ./cmd/tinybrain
# For Go module proxy issues, use direct mode
GOPROXY=direct go install github.com/rainmana/tinybrain/v3/cmd/tinybrain@latest
# For checksum database errors right after a new release
GOSUMDB=off go install github.com/rainmana/tinybrain/v3/cmd/tinybrain@latestCommon Issues:
- "module path must match major version" error: Include the
/v3in the path βgo install github.com/rainmana/tinybrain/v3/cmd/tinybrain@latest - Binary not found: Ensure
$GOPATH/binor$GOBINis in your PATH - Checksum errors: Wait a few minutes after a new release, or temporarily use
GOSUMDB=off
Add to your MCP client configuration (e.g., Claude Desktop):
{
"mcpServers": {
"tinybrain": {
"command": "tinybrain",
"args": ["serve"],
"env": {
"TINYBRAIN_DB_PATH": "~/.tinybrain/memory.db"
}
}
}
}Note: The binary name is tinybrain (from cmd/tinybrain); go install github.com/rainmana/tinybrain/v3/cmd/server@latest installs the same program as server. The SQLite database is created at ~/.tinybrain/memory.db by default.
For complete documentation, API reference, and detailed guides, visit our comprehensive documentation site:
The documentation includes:
- Getting Started - Installation and basic usage
- Core Features - Memory management, sessions, and search
- Intelligence & Reconnaissance - OSINT, HUMINT, SIGINT, and more
- Reverse Engineering - Malware analysis and vulnerability research
- Security Patterns - CWE, OWASP, and multi-language patterns
- Integration - AI assistant integration and development setup
- API Reference - Complete MCP tools and REST API documentation
- Contributing - Guidelines for contributors
Task Types: security_review, penetration_test, exploit_dev, vulnerability_analysis, threat_modeling, incident_response, intelligence_analysis
Intelligence Types: osint, humint, sigint, geoint, masint, techint, finint, cybint
{
"name": "list_sessions",
"arguments": {
"task_type": "security_review",
"status": "active",
"limit": 10
}
}{
"name": "store_memory",
"arguments": {
"session_id": "session_123",
"title": "SQL Injection in Login Form",
"content": "Found SQL injection vulnerability in username parameter of login form. Payload: ' OR 1=1--",
"category": "vulnerability",
"content_type": "text",
"priority": 8,
"confidence": 0.9,
"tags": "[\"sql-injection\", \"authentication\", \"critical\"]",
"source": "manual-testing"
}
}Categories: finding, vulnerability, exploit, payload, technique, tool, reference, context, hypothesis, evidence, recommendation, note
{
"name": "search_memories",
"arguments": {
"query": "SQL injection authentication",
"session_id": "session_123",
"search_type": "semantic",
"categories": "[\"vulnerability\", \"exploit\"]",
"min_priority": 7,
"limit": 20
}
}Search Types: semantic, exact, fuzzy, tag, category, relationship
{
"name": "get_related_memories",
"arguments": {
"memory_id": "memory_456",
"relationship_type": "exploits",
"limit": 10
}
}{
"name": "create_relationship",
"arguments": {
"source_memory_id": "memory_123",
"target_memory_id": "memory_456",
"relationship_type": "exploits",
"strength": 0.8,
"description": "SQL injection can be used to bypass authentication"
}
}Relationship Types: depends_on, causes, mitigates, exploits, references, contradicts, supports, related_to, parent_of, child_of
{
"name": "get_context_summary",
"arguments": {
"session_id": "session_123",
"current_task": "Analyzing authentication vulnerabilities",
"max_memories": 20
}
}TinyBrain is built with:
- Go 1.24+ - High-performance backend
- modernc.org/sqlite - Pure-Go embedded SQLite with FTS5 full-text search (no cgo)
- MCP Protocol - LLM integration standard with 50+ tools over stdio (JSON-RPC 2.0)
- MITRE ATT&CK - Security framework integration
- Jekyll - Documentation site with Minimal theme
- No External Dependencies: Works anywhere Go runs; CGO-free cross-compilation
- Embedded Database: SQLite database file managed by the binary
- Dashboard: Built-in status dashboard at
/_/ - REST API: Full REST API for external integrations and automation
- Zero Configuration: Works out of the box with sensible defaults
- Data Persistence: All data automatically persisted across restarts
- Security-First: All data structures and operations designed for security tasks
- Intelligence-Focused: Comprehensive intelligence gathering and analysis capabilities
- Performance: Optimized queries and indexes for fast retrieval
- Flexibility: Extensible schema and relationship system
- Reliability: ACID transactions and data integrity checks
- Usability: Simple API with comprehensive documentation
# Run all tests
make test
# Run tests with coverage
go test -v -race -coverprofile=coverage.out ./...
go tool cover -html=coverage.out -o coverage.html
# Run benchmarks
make bench
# Run specific test
go test -v ./internal/database -run TestNewDatabase# Build Docker image
make docker-build
# Run container
docker run --rm -it \
-v ~/.tinybrain:/app/data \
tinybrain:latest- Memory Entry Creation: ~1000 entries/second
- Search Operations: ~100 searches/second
- Relationship Queries: ~500 queries/second
- Database Size: ~1MB per 10,000 memory entries
- Connection Pooling: Optimized for SQLite single-writer model
- Index Strategy: Comprehensive indexing for all query patterns
- Full-Text Search: FTS5 virtual tables for semantic search
- Caching: Access pattern tracking for intelligent caching
TINYBRAIN_DB_PATH: Path to the SQLite database (default:~/.tinybrain/memory.db)TINYBRAIN_HOST: HTTP listen host in serve mode (default:127.0.0.1)TINYBRAIN_PORT: HTTP listen port in serve mode (default:8090)TINYBRAIN_HTTP: Set tofalseto disable the HTTP API in serve modeTINYBRAIN_API_TOKEN: If set, the REST API requires this bearer token
- Dashboard: http://127.0.0.1:8090/_/
- REST API index: http://127.0.0.1:8090/api/
- Health check: http://127.0.0.1:8090/health
- MCP protocol: stdio (JSON-RPC 2.0)
~/.tinybrain/
βββ memory.db # SQLite database
βββ memory.db-wal # Write-ahead log
βββ memory.db-shm # Shared memory file
The security pattern libraries, CWE references, and templates are published on the documentation site:
- Security Patterns - OWASP Top 10 2021 patterns, CWE Top 25, multi-language vulnerability patterns, and exploitation techniques
- CWE LLM Dataset - LLM-optimized CWE dataset in structured JSON format for efficient consumption (ships in this repo)
- Cursor Rules - Security assessment rules for Cursor AI assistant
- Cline Rules - Code review and exploitation framework for Cline
- Roo Mode - Penetration testing configuration for Roo AI assistant
- User Configuration Template - Customizable user configuration template
All security patterns are derived from authoritative sources and aligned with industry standards:
- OWASP Top 10 2021 - Based on OWASP Top 10 web application security risks
- CWE Patterns - Derived from Common Weakness Enumeration software weakness classification
- Code Review Standards - Aligned with OWASP Code Review Guide
- Training Integration - Compatible with OWASP Secure Coding Dojo
- Testing Methodology - Follows NIST SP 800-115 security testing guidelines
- Fork the repository
- Create a feature branch
- Add tests for new functionality
- Ensure all tests pass
- Submit a pull request
# Clone repository
git clone https://github.com/rainmana/tinybrain.git
cd tinybrain
# Setup development environment
make dev-setup
# Run tests
make test
# Build
make buildMIT License - see LICENSE file for details.
- mcp-go for MCP server framework
- go-sqlite3 for SQLite driver
- charmbracelet/log for structured logging
- OWASP for security standards and vulnerability classifications
- OWASP Code Review Guide for secure code review methodology
- OWASP Secure Coding Dojo for interactive security training
- CWE (Common Weakness Enumeration) for software weakness classification
- NIST for cybersecurity frameworks and testing guidelines
- SANS for security research and training materials
- Intelligence gathering frameworks (OSINT, HUMINT, SIGINT, etc.)
- MITRE ATT&CK integration
- Reverse engineering capabilities
- Enhanced memory categories
- Comprehensive documentation site
- HTTP transport support
- Memory compression and archiving
- Advanced analytics and insights
- Multi-user support with access controls
- Plugin system for custom memory types
- Integration with popular security tools
- Web dashboard for memory visualization
TinyBrain - Making LLM memory storage intelligent, fast, and security-focused. π§ π