What is MITRE ATLAS and how do I use it for AI security?
What MITRE ATLAS is
MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a globally accessible, living knowledge base of real-world adversary tactics, techniques, and case studies targeting AI and machine-learning systems — including modern generative-AI and agentic systems. It is the AI-security counterpart to MITRE ATT&CK: where ATT&CK catalogs how adversaries compromise conventional IT and OT, ATLAS catalogs how they attack the model, the ML pipeline, and the AI application around it.
- Tactics are the matrix columns — the adversary's goal at a phase of the attack lifecycle (e.g. get initial access, evade defenses, exfiltrate).
- Techniques (and sub-techniques) are the cells under each tactic — the specific methods used to achieve that goal. A technique can appear under more than one tactic.
- ATLAS is curated by MITRE with community contributions and is intended to be used alongside ATT&CK, not as a replacement.
How ATLAS extends ATT&CK
ATLAS deliberately mirrors ATT&CK's structure so the two interoperate, then adds an AI-specific layer:
- Shared ID scheme. Each tactic has an AML.TAxxxx ID, each technique an AML.Txxxx ID (sub-techniques append .00x), each mitigation an AML.Mxxxx ID, and each documented case study an AML.CSxxxx ID.
- Reuses ATT&CK Enterprise tactics where AI attacks overlap ordinary compromise — Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact all map directly to their ATT&CK equivalents.
- Adds two AI-native tactics that have no ATT&CK equivalent: AI Model Access (AML.TA0000) and AI Attack Staging (AML.TA0001). These capture phases unique to attacking a model: gaining query or white-box access, and building and validating an adversarial attack offline against a proxy model before using it against the target.
- AI-native techniques and mitigations live under both the shared and AI-specific tactics: adversarial-example crafting, model poisoning/backdoors, prompt injection, jailbreak, model extraction, RAG poisoning, and a growing family of agent-tool-abuse techniques.
ATLAS has expanded steadily to cover generative and agentic AI. The Lateral Movement tactic was added in v5.1.0 (November 2025), taking the matrix from 15 to 16 tactics, alongside an expanded agentic case-study corpus.
The canonical tactics (matrix columns)
Below are the verified ATLAS tactics with their canonical IDs and the kinds of techniques each contains. AI-native tactics are called out.
- Reconnaissance (AML.TA0002) — Gather information about the target AI system: search the victim's publicly available research materials and adversarial-vulnerability analyses, scan victim-owned websites and application/model repositories, and actively probe a deployed model to learn its capabilities and data.
- Resource Development (AML.TA0003) — Acquire the infrastructure, tooling, data, and ML artifacts to stage an attack: obtain public AI artifacts (datasets/models), obtain or develop adversarial-ML and generative-AI attack capabilities, and publish poisoned datasets or poisoned models.
- Initial Access (AML.TA0004) — Gain a foothold in the AI system or surrounding pipeline: AI Supply Chain Compromise (with hardware, ML-software, data, and model sub-techniques), Valid Accounts, Evade AI Model, Exploit Public-Facing Application, Phishing, and LLM Prompt Injection used as the access vector.
- AI Model Access (AML.TA0000) — AI-NATIVE, no ATT&CK equivalent — Obtain some level of access to the model, from query-only black-box to full white-box. Techniques: AI Model Inference API Access, access via an AI-Enabled Product or Service, Physical Environment Access, and Full AI Model Access. This is a precondition for many ML attacks.
- Execution (AML.TA0005) — Run adversary-controlled code or instructions: User Execution (incl. malicious package), Command and Scripting Interpreter, and LLM Prompt Injection (AML.T0051, with direct/indirect/triggered variants) as the execution vector. This is where agent tool-invocation abuse lands (see the agentic techniques below).
- Persistence (AML.TA0006) — Maintain a foothold across restarts, retraining, or session resets: Poison Training Data, Backdoor AI Model, and LLM-prompt self-replication, plus memory/context-poisoning patterns for agents.
- Privilege Escalation (AML.TA0012) — Gain higher permissions in the AI application or agent: LLM Jailbreak (AML.T0054) to bypass guardrails, prompt injection to act with the agent's privileges, and abuse of over-privileged agent tool permissions.
- Defense Evasion (AML.TA0007) — Avoid AI-based or conventional detection: Evade AI Model, Craft Adversarial Data to defeat ML detectors, LLM Prompt Obfuscation, LLM Jailbreak, and impersonation/masquerading.
- Credential Access (AML.TA0013) — Steal credentials, API keys, or secrets: Unsecured Credentials, Extract LLM System Prompt, and LLM Data Leakage to surface embedded secrets.
- Discovery (AML.TA0008) — Learn the system's internals and environment: Discover AI Model Ontology, Discover AI Model Family, Discover AI Artifacts, Discover LLM Hallucinations, and Discover LLM System Information.
- Lateral Movement (AML.TA0015) — added in v5.1.0 (Nov 2025) — Pivot from the AI/agent component to other systems, accounts, or agents: use of alternate authentication material (incl. application access tokens), agent-to-agent and tool-chain pivoting, and reuse of harvested credentials to reach connected resources, as emphasized by the agentic-AI case studies.
- Collection (AML.TA0009) — Gather data of interest: AI Artifact Collection, Data from Information Repositories, Data from Local System, plus harvesting of model inputs/outputs, RAG sources, and conversation/memory stores.
- AI Attack Staging (AML.TA0001) — AI-NATIVE, no ATT&CK equivalent — Prepare the attack against the model, often offline using collected artifacts or a proxy/shadow model: Create Proxy AI Model, Backdoor AI Model, Verify Attack, Craft Adversarial Data (with white-box/black-box optimization, transfer, manual modification, and backdoor-trigger sub-techniques), LLM Prompt Crafting, and Retrieval Content Crafting / RAG poisoning.
- Command and Control (AML.TA0014) — Establish covert control of compromised AI components: Reverse Shell and abuse of AI-service APIs as covert C2 channels, illustrated by case studies where attackers repurposed a model-provider API to control an AI-agent backdoor.
- Exfiltration (AML.TA0010) — Steal AI artifacts or other data: Exfiltration via AI Inference API (incl. extracting model parameters or inferring training-data membership), Exfiltration via Cyber Means, LLM Data Leakage, Extract LLM System Prompt, and indirect-injection-driven exfiltration through agent tools.
- Impact (AML.TA0011) — Manipulate, degrade, or destroy AI systems and data, or abuse them for downstream harm: Evade AI Model, Denial of AI Service, Spamming with Chaff Data, Erode AI Model Integrity, Cost Harvesting, Generate Deepfakes, and broader External Harms (financial, reputational, societal, IP).
GenAI and agentic techniques to know
ATLAS has grown a distinct generative-AI and agentic technique set. The headline ones:
- LLM Prompt Injection (AML.T0051) — Untrusted input overrides the model's intended instructions. It is versatile: it appears under Execution as the run vector and under Initial Access and Privilege Escalation as the entry/escalation vector. Direct, indirect, and triggered variants are documented as sub-techniques.
- LLM Jailbreak (AML.T0054) — Crafted input that bypasses safety guardrails to unlock restricted capability; central to Privilege Escalation and Defense Evasion.
- AI Agent Tool Invocation (AML.T0053) and the related AI Agent Tools family (AML.T0085, incl. AML.T0085.001) — the canonical techniques for abusing an agent's ability to call tools. Tool invocation is also the vehicle for agent-specific Exfiltration via AI Agent Tool Invocation (AML.T0086) and Data Destruction via AI Agent Tool Invocation (AML.T0101). These are the canonical agent-tool technique IDs; prefer them over routing all agent-tool abuse through prompt injection alone.
Accuracy note on IDs: a handful of recent GenAI/agentic technique numbers that circulate in summaries — including AML.T0011.002 ("Publish Poisoned AI Agent Tool"), AML.T0092, AML.T0093, and AML.T0094 — could not be independently confirmed in this pass and may be mis-numbered. Treat the specific numbers as unverified and confirm against atlas.mitre.org/techniques before citing the exact ID. The tactic names and IDs above are verified.
Mitigations: name them correctly
ATLAS pairs techniques with AML.Mxxxx mitigations (e.g. Verify AI Artifacts, Sanitize Training Data, Adversarial Input Detection, Generative AI Guardrails, AI Telemetry Logging, Restrict Number of AI Model Queries, Control Access to AI Models and Data at Rest, Encrypt Sensitive Information). For the agent-permission and human-oversight controls, use the canonical names exactly — these are commonly mis-stated:
- AML.M0026 = "Privileged AI Agent Permissions Configuration" (not "Use AI Agent Tool Permissions").
- AML.M0027 = "Single-User AI Agent Permissions Configuration" (not "Use Human-in-the-Loop Safeguards").
- Human-in-the-loop is a separate mitigation: AML.M0029, "Human In-the-Loop."
Do not assert the older "least privilege" / "human-in-the-loop safeguards" labels against M0026/M0027 — they are non-canonical pairings.
Using ATLAS for threat-informed defense
ATLAS is meant to drive a concrete defensive workflow, the same way teams use ATT&CK:
- Map your AI attack surface. Walk the matrix tactic by tactic against your system — model access path, training/ingestion pipeline, RAG stores, agent tools — and record which techniques are plausible. Don't forget the AI-native columns (AI Model Access, AI Attack Staging), which conventional threat models miss.
- Prioritize and select mitigations. For each in-scope technique, pull its associated AML.Mxxxx mitigations and decide build-vs-defer based on exposure and blast radius. Agentic systems should specifically weigh AML.M0026, AML.M0027, and AML.M0029.
- Build detections and telemetry. Use the technique catalog to define what to log and alert on (e.g. AI Telemetry Logging, Adversarial Input Detection), then validate coverage with red-team exercises framed in ATLAS terms.
- Communicate in a shared language. Because ATLAS interoperates with ATT&CK, an AI incident can be described with the same tactic/technique vocabulary your SOC already uses — easing handoffs between AI, security, and compliance teams.
- Track over time. ATLAS evolves (e.g. Lateral Movement and expanded agentic content in v5.1.0); periodically re-map as the framework and your system change.
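Added example, not ATLAS data or MITRE code: a small Python helper that validates IDs against the AML.* scheme described earlier and, for the mapping and mitigation-selection steps of this workflow, reports which mitigations are still missing for each matrix cell. The technique-to-tactic placements follow this page (the Impact placement of AML.T0101 is an assumption); the technique-to-mitigation pairings are a constructed sample, not the real ATLAS associations.

```python
import re
from collections import defaultdict

# ID scheme from the page: tactics AML.TAxxxx, techniques AML.Txxxx with an
# optional .00x sub-technique suffix, mitigations AML.Mxxxx, case studies AML.CSxxxx.
ID_PATTERNS = {
    "tactic": re.compile(r"^AML\.TA\d{4}$"),
    "technique": re.compile(r"^AML\.T\d{4}(?:\.\d{3})?$"),
    "mitigation": re.compile(r"^AML\.M\d{4}$"),
    "case_study": re.compile(r"^AML\.CS\d{4}$"),
}

def classify_id(atlas_id):
    """Return which ATLAS object type an ID belongs to, or None if malformed."""
    for kind, pattern in ID_PATTERNS.items():
        if pattern.match(atlas_id):
            return kind
    return None

# Technique -> tactics it appears under, as the page describes them. AML.T0051 sits
# under three tactics, so coverage is tracked per tactic. AML.T0101 -> Impact is assumed.
TECHNIQUE_TACTICS = {
    "AML.T0051": ["AML.TA0004", "AML.TA0005", "AML.TA0012"],  # LLM Prompt Injection
    "AML.T0054": ["AML.TA0012", "AML.TA0007"],                # LLM Jailbreak
    "AML.T0053": ["AML.TA0005"],                              # AI Agent Tool Invocation
    "AML.T0086": ["AML.TA0010"],                              # Exfiltration via Tool Invocation
    "AML.T0101": ["AML.TA0011"],                              # Data Destruction via Tool Invocation
}

# CONSTRUCTED technique -> mitigation pairings using only the three agent
# mitigations named on the page; real pairings must come from atlas.mitre.org.
TECHNIQUE_MITIGATIONS = {
    "AML.T0051": ["AML.M0029"],
    "AML.T0054": ["AML.M0029"],
    "AML.T0053": ["AML.M0026", "AML.M0027", "AML.M0029"],
    "AML.T0086": ["AML.M0026", "AML.M0027"],
    "AML.T0101": ["AML.M0026", "AML.M0029"],
}

def coverage_gaps(in_scope, deployed):
    """Return {tactic: {technique: [mitigations still missing]}} for the in-scope
    techniques; a fully covered technique keeps an empty list so closed cells show."""
    deployed = set(deployed)
    report = defaultdict(dict)
    for tech in in_scope:
        if classify_id(tech) != "technique":
            raise ValueError(f"not a technique ID: {tech}")
        missing = [m for m in TECHNIQUE_MITIGATIONS.get(tech, []) if m not in deployed]
        for tactic in TECHNIQUE_TACTICS.get(tech, []):
            report[tactic][tech] = missing
    return dict(report)
```

Calling `coverage_gaps(["AML.T0051", "AML.T0053"], ["AML.M0029"])` shows prompt injection closed in all three of its tactic cells while tool invocation still lacks the two agent-permission mitigations under Execution.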
The case-study corpus
ATLAS's distinguishing asset is its corpus of documented, real-world case studies (each an AML.CSxxxx ID, ~42 as of v5.1.0). Each case study reconstructs an actual or realistically demonstrated attack on an AI system as a sequence of ATLAS tactics and techniques — including incidents where attackers abused a model-provider API as a covert C2 channel for an AI-agent backdoor. Teams use the corpus to:
- Ground threat models in observed reality rather than hypotheticals, and justify control investment with concrete precedent.
- Seed red-team scenarios and tabletop exercises by replaying a case study's technique chain against their own stack.
- Train responders on what AI-specific compromise actually looks like end to end.
Bottom line
ATLAS gives engineers and security/compliance leads an ATT&CK-compatible, AI-specific common language: 16 tactics (14 borrowed from ATT&CK plus the AI-native AI Model Access and AI Attack Staging), a technique catalog that now spans classic adversarial ML through GenAI prompt injection/jailbreak and agent-tool abuse, mitigations to match, and a case-study corpus to keep the model honest. Use the verified tactic IDs and the canonical mitigation names (especially AML.M0026/AML.M0027/AML.M0029), and verify any recent technique ID against atlas.mitre.org before citing it.
- MITRE ATLAS (MITRE)
This AI-generated answer is for guidance only — not a certification, audit, or penetration test. Grounded in the NIST AI RMF, OWASP LLM Top 10, and ISO/IEC 42001 control text; verify applicability to your environment.