# Diagrams — Deep-Dive SDD-B12: MITRE ATLAS

**Course**: 2B — Securing & Attacking Harnesses and LLMs · **Deep-Dive**: SDD-B12 — MITRE ATLAS: The Adversary's Playbook for AI Systems

Color coding (consistent with the course design system):
- `#5eead4` teal — the adversary's progression, tactics, inputs
- `#f0a868` warn — techniques, the model layer, surfaces
- `#f08080` danger — impact, exfiltration, findings
- `#9494a0` ink-secondary — annotations, defensive mappings

---

## Diagram 1 — The ATLAS Matrix: Twelve Tactics in Kill-Chain Order

**Type**: flowchart (left-to-right kill chain)
**Purpose**: Show all twelve ATLAS tactics ordered as an adversary progression, from Reconnaissance through Impact, with Resource Development as the parallel feeder. This is the mental model an analyst needs before reading any technique.

**Reading the diagram**: The adversary walks left to right. Each tactic is an objective; the arrow names the relationship ("enables"). Resource Development sits below because it happens in parallel — before and during the attack. The two tactics with no ATT&CK analog (ML Model Access, ML Attack Staging) are marked; they are what makes ATLAS distinct from ATT&CK.

```mermaid
flowchart LR
    classDef recon fill:#1a1a24,stroke:#5eead4,color:#e4e4e8
    classDef access fill:#1a1a24,stroke:#5eead4,color:#e4e4e8
    classDef ml fill:#1a1a24,stroke:#f0a868,color:#e4e4e8
    classDef mid fill:#1a1a24,stroke:#9494a0,color:#e4e4e8
    classDef impact fill:#1a1a24,stroke:#f08080,color:#e4e4e8

    T01[AML.TA0001<br/>Reconnaissance]:::recon
    T03[AML.TA0003<br/>Initial Access]:::access
    T04[AML.TA0004<br/>ML Model Access<br/>★ no ATT&CK analog]:::ml
    T05[AML.TA0005<br/>Execution]:::mid
    T06[AML.TA0006<br/>Persistence]:::mid
    T07[AML.TA0007<br/>Defense Evasion]:::mid
    T08[AML.TA0008<br/>Discovery]:::mid
    T09[AML.TA0009<br/>Collection]:::mid
    T10[AML.TA0010<br/>ML Attack Staging<br/>★ no ATT&CK analog]:::ml
    T11[AML.TA0011<br/>Exfiltration]:::impact
    T12[AML.TA0012<br/>Impact]:::impact

    T02[AML.TA0002<br/>Resource Development<br/>parallel feeder]:::recon

    T01 --> T03 --> T04 --> T05 --> T08 --> T09 --> T10 --> T11 --> T12
    T05 --> T06
    T05 --> T07
    T06 -.durable.-> T05
    T07 -.enables.-> T05

    T02 -.feeds.-> T04
    T02 -.feeds.-> T10
    T02 -.feeds.-> T03
```

---

## Diagram 2 — The Three-Framework Cross-Reference: ATLAS as Connective Tissue

**Type**: layered diagram
**Purpose**: Show how ATLAS, OWASP ASI, and the Microsoft taxonomy relate. ATLAS is the superset (model + agent), organized as a kill chain. OWASP covers the agent layer. Microsoft covers the failure-mode classification. The overlap is the highest-confidence finding surface.

**Reading the diagram**: Three concentric zones. ATLAS is the outer ring because it covers both the model layer (where OWASP is silent) and the agent layer. OWASP sits inside, covering only the agent. The Microsoft taxonomy intersects both as a classification overlay. The region where all three overlap is the "highest-confidence finding" zone — a failure that is an ATLAS technique, an OWASP row, and a Microsoft failure mode is the strongest possible finding.

```mermaid
flowchart TB
    classDef atlas fill:#14141f,stroke:#5eead4,color:#e4e4e8
    classDef owasp fill:#14141f,stroke:#f0a868,color:#e4e4e8
    classDef msft fill:#14141f,stroke:#f08080,color:#e4e4e8
    classDef overlap fill:#1a2a26,stroke:#5eead4,color:#e4e4e8

    subgraph ATLAS["ATLAS — the adversary playbook (model + agent)"]
        direction TB
        subgraph MODEL["Model-layer tactics<br/>(silent in OWASP)"]
            MI[Model Inversion<br/>Data Poisoning<br/>Model Stealing<br/>Membership Inference]:::atlas
        end
        subgraph AGENT["Agent-layer tactics<br/>(overlaps OWASP)"]
            OVERLAP["Prompt Injection<br/>Goal Hijack<br/>Memory Poisoning<br/>Supply Chain<br/>Resource Exhaustion"]:::overlap
        end
    end

    OWASP["OWASP ASI B9<br/>builder checklist<br/>agent layer only"]:::owasp
    MSFT["Microsoft B10<br/>failure taxonomy<br/>classification overlay"]:::msft

    OWASP -.covers.-> OVERLAP
    MSFT -.classifies.-> OVERLAP
    MSFT -.classifies.-> MI
```

---

## Diagram 3 — The Six Load-Bearing Techniques, Tactic-to-Case-Study Map

**Type**: graph (technique → tactic → case study)
**Purpose**: Anchor each of the six load-bearing ATLAS techniques to its home tactic and its evidencing case study. This is the "why is this technique in the matrix" map.

**Reading the diagram**: Each technique sits under its tactic (left column) and is evidenced by its case study (right column). The middle column is the technique. The arrows show "is a sub-technique of" (technique → tactic) and "is evidenced by" (technique → case study).

```mermaid
flowchart LR
    classDef tactic fill:#14141f,stroke:#5eead4,color:#e4e4e8
    classDef tech fill:#14141f,stroke:#f0a868,color:#e4e4e8
    classDef study fill:#14141f,stroke:#9494a0,color:#e4e4e8

    TA_EXEC[Execution / Impact]:::tactic
    TA_EXFIL[Exfiltration]:::tactic
    TA_PERSIST[Persistence]:::tactic
    TA_COLL[Collection]:::tactic

    T_PI[Prompt Injection<br/>AML.T0048]:::tech
    T_MI[Model Inversion<br/>AML.T0043]:::tech
    T_DP[Data Poisoning<br/>AML.T0034]:::tech
    T_AE[Adversarial Examples<br/>AML.T0040]:::tech
    T_MS[Model Stealing<br/>AML.T0025]:::tech
    T_MIF[Membership Inference]:::tech

    C_PI[InjecAgent<br/>indirect injection]:::study
    C_MI[Fredrikson 2015<br/>Carlini LLM extraction]:::study
    C_DP[BadNets 2017<br/>pretraining poisoning]:::study
    C_AE[Goodfellow 2015<br/>physical-world attacks]:::study
    C_MS[Tramer 2016<br/>LLM distillation theft]:::study
    C_MIF[Shokri 2017<br/>training-data canaries]:::study

    TA_EXEC --> T_PI --> C_PI
    TA_EXFIL --> T_MI --> C_MI
    TA_PERSIST --> T_DP --> C_DP
    TA_EXEC --> T_AE --> C_AE
    TA_COLL --> T_MS --> C_MS
    TA_COLL --> T_MIF --> C_MIF
```

---

## Diagram 4 — Planning an Engagement: The Four-Step ATLAS-Driven Procedure

**Type**: flowchart (top-down procedure)
**Purpose**: Show the engagement-planning procedure: establish access tier, walk the matrix, map to surfaces, design chains. The output is the attack plan.

**Reading the diagram**: The procedure is sequential. Each step's output feeds the next. The access tier (step 1) bounds the technique inventory (step 2), which bounds the surface map (step 3), which bounds the chains (step 4). The final output — the attack plan — is a chain-by-chain finding document, not a row-by-row scorecard.

```mermaid
flowchart TB
    classDef step fill:#14141f,stroke:#5eead4,color:#e4e4e8
    classDef output fill:#1a2a26,stroke:#5eead4,color:#e4e4e8
    classDef note fill:#14141f,stroke:#9494a0,color:#9494a0

    S1["STEP 1 — Establish access tier<br/>black-box / gray-box / white-box"]:::step
    S2["STEP 2 — Walk the matrix<br/>left to right; filter by Technique Maturity"]:::step
    S3["STEP 3 — Map techniques to surfaces<br/>each in-scope technique → concrete target surface"]:::step
    S4["STEP 4 — Design the chains<br/>kill-chain ordering; compound is the finding"]:::step

    O1[/"black-box scopes to PI, stealing, MIF<br/>white-box adds AdvEx, rep-level, poisoning"/]:::note
    O2[/"technique inventory<br/>(the engagement scope)"/]:::output
    O3[/"technique-to-surface map<br/>(the attack plan)"/]:::output
    O4[/"chain-by-chain finding document<br/>(the deliverable)"/]:::output

    S1 --> O1 --> S2 --> O2 --> S3 --> O3 --> S4 --> O4
```

---

## Diagram 5 — Mapping ATLAS Against the Tau Harness: Tactic-to-Surface-to-Control

**Type**: matrix table-as-graph
**Purpose**: Show the lab's core output — for each ATLAS tactic, the Tau surface it applies to, the technique that applies, and the B-module control that closes it. This is the hardening map ATLAS + Tau produces.

**Reading the diagram**: Three columns. Left: the ATLAS tactic. Middle: the Tau attack surface (from SDD-B11's seven surfaces). Right: the B-module control that closes it. The arrows show "applies to" (tactic → surface) and "closed by" (surface → control). The pattern: every ATLAS tactic has a Tau surface, and every Tau surface has a B-module control. The frameworks are inverses.

```mermaid
flowchart LR
    classDef tactic fill:#14141f,stroke:#5eead4,color:#e4e4e8
    classDef surface fill:#14141f,stroke:#f0a868,color:#e4e4e8
    classDef control fill:#1a2a26,stroke:#82e0aa,color:#e4e4e8

    T_PI[Prompt Injection<br/>Execution]:::tactic
    T_DP[Data Poisoning<br/>Persistence]:::tactic
    T_DE[Defense Evasion<br/>trivial — Tau undefended]:::tactic
    T_IMP[Impact<br/>unsandboxed bash]:::tactic
    T_EX[Exfiltration<br/>credential store is plaintext]:::tactic

    S_LOOP[agent loop<br/>user turn + tool output]:::surface
    S_MEM[session / memory store<br/>unmanaged writes]:::surface
    S_NOTHING[(no defenses present)]:::surface
    S_BASH[bash tool<br/>runs asyncio.create_subprocess_shell]:::surface
    S_CRED[credential store<br/>plaintext API keys on disk]:::surface

    B2[B2 — taint gate<br/>injection defense layer]:::control
    B3[B3 — memory-write gate<br/>sleeper-attack defense]:::control
    B7[B7 — bash sandbox<br/>execution controls]:::control
    B5[B5 — credential vault<br/>identity and permission]:::control
    B8[B8 — intent tracker<br/>observability]:::control

    T_PI --> S_LOOP --> B2
    T_DP --> S_MEM --> B3
    T_DE --> S_NOTHING
    T_IMP --> S_BASH --> B7
    T_EX --> S_CRED --> B5
```

---

## Validation notes

- All five diagrams use the course design tokens (`#5eead4` accent, `#f0a868` warn, `#f08080` danger, `#9494a0` ink-secondary). No emoji. No AI purple/blue. No gradients.
- Diagram 1 is the load-bearing mental model — the twelve tactics in kill-chain order, with the two no-ATT&CK-analog tactics marked. If a reader internalizes only this, they can navigate the matrix.
- Diagram 2 is the "connective tissue" claim in visual form — ATLAS as the superset, OWASP and Microsoft as subsets/overlays. The overlap zone is the highest-confidence finding surface.
- Diagram 3 is the technique-to-case-study anchor — the six load-bearing techniques and the published attacks that evidence them. This is the "why is this in the matrix" reference.
- Diagram 4 is the engagement-planning procedure — the four-step method that turns the matrix into an attack plan.
- Diagram 5 is the lab's output structure — the tactic-to-surface-to-control map that becomes the hardening plan. Every tactic has a surface; every surface has a control.
