Course 2B · Deep-Dive SDD-B12

MITRE ATLAS
The Adversary's Playbook for AI Systems

The ATT&CK equivalent for AI/ML. Twelve tactics, ~80+ techniques, dozens of case studies. The connective tissue between OWASP, Microsoft, and the offensive expansion.

Senior engineer+ · 45 min · Prereqs: B1, B9, B10, SDD-B01, SDD-B11

The thesis

The framing

ATLAS gives you the adversary's playbook. C2B B9 gives you the builder's checklist. SDD-B01 gives you the offensive expansion. ATLAS is the connective tissue — the framework that names every technique an adversary has used against an AI system, in the order an adversary chains them.

  • OWASP ASI is a builder's checklist — ten rows, scored.
  • Microsoft B10 is a defender's diagnostic — twelve failure modes by origin.
  • SDD-B01 is the offensive expansion — the same ten rows read as attack procedures.
  • ATLAS is the adversary's full playbook — a kill chain, fed by real-world case studies.

None of them alone is the complete picture. ATLAS is the superset, organized as a kill chain.

What ATLAS is, structurally

The ATT&CK analog for AI/ML. Same structure, designed to compose.

Tactic (AML.TA0001–12)
Adversary objective in the kill chain. "Why." Columns in the matrix. Reconnaissance through Impact.
Technique (AML.Txxxx)
How the objective is achieved. Cells in the matrix. Has sub-techniques, procedure examples, mitigations.
Case study
Real-world attack cataloged against the techniques it used. The evidence layer. Why a technique is in the matrix.
Mitigation (AML.Mxxxx)
Framework-agnostic control class mapped to the techniques it addresses. Names the class, not the product.

Technique Maturity filter (added Secure AI v2, May 2026): each technique tagged by in-the-wild weaponization level. The red-team planner's first filter.

The twelve tactics, kill-chain order

#
Tactic
Adversary objective
ATT&CK analog
TA0001
Reconnaissance
Gather info on the AI system
Yes
TA0002
Resource Development
Build attack capabilities (parallel)
Yes
TA0003
Initial Access
Gain a foothold
Yes
TA0004
ML Model Access
Obtain access to the model asset
No — AI-specific
TA0005
Execution
Run adversarial inputs through the model
Yes
TA0006
Persistence
Maintain access across sessions
Yes
TA0007
Defense Evasion
Evade guardrails, filters, detectors
Yes
TA0008
Discovery
Explore internal layout
Yes
TA0009
Collection
Gather data of interest
Yes
TA0010
ML Attack Staging
Prepare the attack offline
No — AI-specific
TA0011
Exfiltration
Remove data from the target
Yes
TA0012
Impact
Degrade, manipulate, destroy
Yes

The two tactics with no ATT&CK analog

AML.TA0004 — ML Model Access
Exists because AI systems have an asset class (the trained model) traditional systems do not. The access tier determines which downstream techniques are available. Black-box API → PI, stealing, MIF. White-box weights → adds AdvEx, rep-level, poisoning.
AML.TA0010 — ML Attack Staging
Crafting adversarial examples, training surrogate models, building the payload. No runtime defense — it happens on the adversary's laptop. Mitigation is upstream: restrict ML Model Access so the adversary cannot query enough to stage.
Load-bearing

These two tactics are what makes ATLAS distinct from ATT&CK. An engagement that scopes them out has reduced ATLAS to a relabeled ATT&CK and lost the model-layer coverage that justifies the framework.

The six load-bearing techniques

Of ~80+, six recur in nearly every agentic-harness engagement.

TechniqueATLAS homeOWASP ASIModel or agent?
Prompt Injection (AML.T0048)Execution, ImpactASI01, ASI07Agent
Model Inversion (AML.T0043)Exfiltration(silent)Model
Data Poisoning (AML.T0034)PersistenceASI08Model
Adversarial Examples (AML.T0040)ImpactASI01, ASI06Model
Model Stealing (AML.T0025)Collection, Exfiltration(silent)Model
Membership InferenceCollection(silent)Model
The OWASP gap

Four of six load-bearing techniques have no OWASP ASI row. They target the model layer the agent is built on. OWASP covers the agent; ATLAS covers both. This is the connective-tissue claim: ATLAS is the superset.

Three techniques in depth — case-study anchor

Prompt Injection
AML.T0048
Direct injection is the test; indirect injection (tool output, retrieved doc, inter-agent message) is the deployed attack. Evidenced by InjecAgent and the indirect-injection benchmark literature. OWASP ASI01 / ASI07.
Data Poisoning
AML.T0034
BadNets (2017): backdoored network that misclassifies on a trigger, survives fine-tuning. Modern analogue: pretraining-data poisoning via web content. A durable compromise — no runtime defense.
Model Stealing
AML.T0025
Tramèr (2016): extracted production models from major ML-as-a-service providers with thousands of queries. LLM analogue: distillation-based extraction. Evasion: low-and-slow, under the rate limit.

The other three (Model Inversion, Adversarial Examples, Membership Inference) follow the same structure: case study anchors the technique, OWASP cross-reference names the agent-layer overlap (or its absence), Microsoft B10 names the failure class.

The cross-reference: three frameworks, one finding surface

Where the three frameworks overlap

A failure that is an ATLAS technique, an OWASP ASI row, and a Microsoft B10 failure mode is the highest-confidence finding. All three frameworks describe the same adversary behavior from different angles.

  • ATLAS — the adversary's kill chain (what they do, in order).
  • OWASP ASI — the builder's checklist (which row to score).
  • Microsoft B10 — the diagnostic (which class of failure it is).

The empty OWASP cells (Model Inversion, Model Stealing, Membership Inference) are the finding surface ATLAS adds that OWASP cannot reach.

Planning an engagement — the four-step procedure

Step 1 — Establish access tier
Black-box API? Gray-box (tool schemas, system prompt)? White-box (weights, harness source)? The tier bounds everything downstream.
Step 2 — Walk the matrix
Left to right. Filter by Technique Maturity. Output: the technique inventory — the scope.
Step 3 — Map to surfaces
Each in-scope technique → concrete target surface. PI → user turn, tool outputs, retrieved docs. Output: the attack plan.
Step 4 — Design the chains
Single-technique findings are entry points. The compound is the finding. Kill-chain ordering structures the chain design.
Anti-pattern

Running ATLAS as "one technique per tactic, scored" is using it as a checklist. ATLAS is a kill chain. Score the chains, not the techniques in isolation.

Mapping ATLAS against Tau (the lab)

Tau: zero defenses, seven attack surfaces (SDD-B11). The exercise: for each ATLAS tactic, name the Tau surface and the B-module that closes it.

ATLAS tacticTau surfaceClosing B-module
Prompt Injectionagent loop (user turn + tool output)B2 — taint gate
Data Poisoning (Persistence)session / memory storeB3 — memory-write gate
Defense Evasion(nothing to evade — undefended)
Impactbash tool (unsandboxed)B7 — bash sandbox
Exfiltrationcredential store (plaintext)B5 — credential vault
Discovery / Collectionevent stream (no intent tracker)B8 — observability
The frameworks are inverses

Every ATLAS tactic has a Tau surface. Every Tau surface has a B-module control. The tactic-to-surface-to-control map IS the hardening plan.

Anti-patterns

  • Treating ATLAS as a checklist — it is a kill chain. Score the chains.
  • Scoping to agent-layer only — OWASP covers the agent. ATLAS's value is the model-layer tactics OWASP omits.
  • Ignoring Technique Maturity — a time-boxed engagement treats all techniques equally will spend half its time on theoretical ones.
  • Mapping ATLAS to OWASP one-to-one and stopping — the unmapped techniques (the model-layer ones) are the finding surface OWASP cannot reach.
  • Confusing ATLAS mitigations with controls — mitigations are framework-agnostic classes. Translating to a B-module control is the curriculum's work, not ATLAS's.

The lab and what comes next

Lab — 07-lab-spec.md

Map the ATLAS matrix against the Tau harness. Build the tactic-to-surface-to-control document. Design one compound chain across the ATLAS kill chain. Python 3.10+, stdlib only, 45–60 min.

  • B9 — the builder's checklist (OWASP ASI rows)
  • SDD-B01 — the offensive expansion of those rows
  • SDD-B11 — the Tau harness (the zero-defense target)
  • B13 — Representation-Level Attacks (the model-internal techniques ATLAS Persistence covers)
  • B10 — Microsoft failure taxonomy (the diagnostic overlay)

Read together: ATLAS is the adversary's playbook, the B-modules are the builder's response, the frameworks are inverses.