{
  "module": "SDD-B12",
  "title": "MITRE ATLAS: The Adversary's Playbook for AI Systems",
  "course": "2B — Securing & Attacking Harnesses and LLMs",
  "pillar": "Deep-Dives",
  "duration": 45,
  "passing_score_percent": 70,
  "bloom_distribution": {
    "target": { "remember": 20, "apply": 40, "analyze": 40 },
    "actual": { "remember": 20, "apply": 40, "analyze": 40 }
  },
  "questions": [
    {
      "id": "q01",
      "bloom": "remember",
      "type": "multiple_choice",
      "prompt": "What is MITRE ATLAS, structurally?",
      "options": [
        "A regulatory standard for AI system security, comparable to PCI-DSS for payment systems",
        "An ATT&CK-analog knowledge base of adversary tactics and techniques against AI-enabled systems, structured as a matrix of tactics × techniques with case studies and mitigations",
        "A defensive control catalog listing specific products and their configuration settings for securing ML pipelines",
        "A benchmark suite for evaluating ML model robustness against adversarial examples"
      ],
      "answer_index": 1,
      "rationale": "ATLAS is the ATT&CK equivalent for AI/ML: a living knowledge base structured identically to ATT&CK (tactics as columns, techniques as cells, sub-techniques, case studies as evidence, mitigations as framework-agnostic control classes). Option A confuses it with a compliance regime; C confuses it with a product catalog; D confuses it with a benchmark."
    },
    {
      "id": "q02",
      "bloom": "remember",
      "type": "multiple_choice",
      "prompt": "Which two ATLAS tactics have NO ATT&CK analog, and why?",
      "options": [
        "Reconnaissance and Resource Development — they are unique to AI systems",
        "Persistence and Defense Evasion — they require ML-specific tooling",
        "ML Model Access and ML Attack Staging — they exist because AI systems have an asset class (the trained model) traditional systems do not",
        "Exfiltration and Impact — they target AI-specific data formats"
      ],
      "answer_index": 2,
      "rationale": "ML Model Access (TA0004) and ML Attack Staging (TA0010) have no ATT&CK analog because AI systems introduce a new asset class — the trained model — that traditional systems lack. ML Model Access determines which downstream techniques are available; ML Attack Staging covers offline preparation with no runtime defense. The other tactics (Reconnaissance, Persistence, etc.) all have ATT&CK analogs."
    },
    {
      "id": "q03",
      "bloom": "remember",
      "type": "multiple_choice",
      "prompt": "What is the Technique Maturity filter in ATLAS, and when was it added?",
      "options": [
        "A filter ranking techniques by detection difficulty, added in ATLAS v3.0",
        "A filter tagging each technique by in-the-wild weaponization level (theoretical → weaponized), added in the Secure AI v2 release in May 2026",
        "A filter ranking techniques by mitigation cost, added in the original ATLAS release",
        "A filter ranking techniques by OWASP ASI row number, added alongside the OWASP mapping"
      ],
      "answer_index": 1,
      "rationale": "The Technique Maturity filter was added in the Secure AI v2 release (May 2026) and tags each technique by how weaponized it is in the wild — from theoretical (published, never observed) to weaponized (available as tooling, used against production). It is the red-team planner's first prioritization lever for time-boxed engagements."
    },
    {
      "id": "q04",
      "bloom": "apply",
      "type": "multiple_choice",
      "prompt": "An adversary has black-box API access to an LLM (the chat endpoint only). Which set of ATLAS techniques is IN SCOPE?",
      "options": [
        "Prompt injection, model stealing, membership inference only",
        "Prompt injection, model stealing, membership inference, adversarial examples at scale, representation-level attacks, weight poisoning",
        "Weight poisoning, model inversion with full weight access, backdoor implantation only",
        "All twelve tactics are equally in scope regardless of access tier"
      ],
      "answer_index": 0,
      "rationale": "Black-box API access scopes the adversary to techniques that work via query-response: prompt injection, model stealing (AML.T0025), and membership inference. White-box weight access is required to unlock adversarial-example crafting at scale, representation-level attacks (B13), and weight poisoning. The access tier is the first variable an ATLAS-aware red team records — it bounds the entire engagement."
    },
    {
      "id": "q05",
      "bloom": "apply",
      "type": "multiple_choice",
      "prompt": "Where does Prompt Injection sit in the ATLAS matrix, and what is its OWASP ASI cross-reference?",
      "options": [
        "Reconnaissance tactic; OWASP ASI02 (Prompt Leakage)",
        "Execution tactic (and Impact); OWASP ASI01 (Goal Hijacking) and ASI07 (Insecure Output Handling — the indirect channel)",
        "Persistence tactic; OWASP ASI04 (Memory Poisoning)",
        "Exfiltration tactic; OWASP ASI08 (Supply Chain)"
      ],
      "answer_index": 1,
      "rationale": "Prompt Injection (AML.T0048) is an Execution and Impact technique — the adversary executes an adversarial input through the model's instruction-processing pipeline. Sub-techniques cover direct (test surface) and indirect (deployed attack via tool output/retrieved doc/inter-agent message) injection. OWASP cross-references are ASI01 (Goal Hijacking) and ASI07 (Insecure Output Handling — the indirect channel that is the SDD-B01 load-bearing evasion)."
    },
    {
      "id": "q06",
      "bloom": "apply",
      "type": "multiple_choice",
      "prompt": "Data Poisoning (AML.T0034) sits under which ATLAS tactic, and why is the placement load-bearing?",
      "options": [
        "Initial Access — because poisoning requires gaining entry to the training pipeline first",
        "Persistence — because a poisoned model is a durable compromise that survives model reloads, retraining, and defensive resets, distinct from a one-shot injection",
        "Impact — because the poisoning causes the model to misclassify",
        "Defense Evasion — because the poisoned examples bypass input filters"
      ],
      "answer_index": 1,
      "rationale": "Data Poisoning sits under Persistence (TA0006) because the backdoor is baked into the weights — it survives model reloads, retraining, and defensive resets. This is distinct from a one-shot prompt injection. The BadNets case study (2017) demonstrates the backdoor survives transfer learning and fine-tuning. The placement is load-bearing because it tells you the mitigation effort is an order of magnitude larger than a runtime finding."
    },
    {
      "id": "q07",
      "bloom": "apply",
      "type": "multiple_choice",
      "prompt": "You are planning an ATLAS-driven engagement. You have walked the matrix and produced the technique inventory. What is the NEXT step, and what is its output?",
      "options": [
        "Score each technique individually and produce a per-tactic scorecard",
        "Map each in-scope technique to a concrete target surface (PI → user turn + tool outputs; Data Poisoning → training pipeline + RAG index + memory store); the output is the technique-to-surface map (the attack plan)",
        "Filter by Technique Maturity to produce the technique inventory",
        "Report the mitigations implemented and produce the closeout document"
      ],
      "answer_index": 1,
      "rationale": "The four-step procedure is: (1) establish access tier, (2) walk the matrix to produce the technique inventory, (3) map each technique to a concrete target surface — this produces the technique-to-surface map (the attack plan), (4) design the chains. Option A is the checklist anti-pattern; C is step 2 (already done); D is closeout, not planning."
    },
    {
      "id": "q08",
      "bloom": "apply",
      "type": "multiple_choice",
      "prompt": "In the ATLAS–Tau mapping lab, what does the tactic-to-surface-to-control document become?",
      "options": [
        "A scored report of which Tau surfaces failed",
        "The hardening plan — every ATLAS tactic has a Tau surface, every Tau surface has a B-module control that closes it; the document maps the adversary playbook to the builder response",
        "A compliance attestation suitable for ISO 42001 certification",
        "A list of OWASP ASI rows that Tau violates"
      ],
      "answer_index": 1,
      "rationale": "The lab's output is the hardening plan. Tau is undefended, so nearly every ATLAS tactic applies. Each row of the document names an ATLAS tactic, the Tau surface it applies to, and the B-module control that closes it (e.g., Prompt Injection → agent loop → B2 taint gate). The frameworks are inverses: ATLAS is the adversary's playbook; the B-modules are the builder's response. The document is the concrete artifact a B12 engagement delivers."
    },
    {
      "id": "q09",
      "bloom": "apply",
      "type": "multiple_choice",
      "prompt": "Model Stealing (AML.T0025) has which standard defense, and what is the evasion?",
      "options": [
        "Standard defense: adversarial training. Evasion: transferability of adversarial examples",
        "Standard defense: differential privacy. Evasion: the quality-privacy tradeoff resolves in favor of quality",
        "Standard defense: rate limiting and query auditing. Evasion: the low-and-slow query pattern that stays under the rate limit (same shape as the ASI09 under-threshold loop)",
        "Standard defense: output sanitization. Evasion: the sanitizer only escapes HTML/shell/SQL, not natural language"
      ],
      "answer_index": 2,
      "rationale": "Model Stealing's standard defense is rate limiting and query auditing — detect when one client is querying enough to train a surrogate. The evasion is the low-and-slow query pattern that stays under the rate limit, which is structurally identical to the SDD-B01 ASI09 under-threshold loop (10,000 individually-legitimate calls that never trip the per-call breaker). Option A describes Adversarial Examples; B describes Membership Inference; D describes Prompt Injection/ASI07."
    },
    {
      "id": "q10",
      "bloom": "apply",
      "type": "multiple_choice",
      "prompt": "Which ATLAS technique has NO OWASP ASI cross-reference because it targets the model layer the agent is built on (not the agent)?",
      "options": [
        "Prompt Injection (AML.T0048) — it is agent-layer",
        "Model Inversion (AML.T0043) — it targets the model's training data via the model's outputs, which OWASP's agent-layer framework does not cover",
        "Memory Poisoning — it is covered by ASI04",
        "Tool Abuse — it is covered by ASI05"
      ],
      "answer_index": 1,
      "rationale": "Model Inversion, Model Stealing, and Membership Inference have NO OWASP ASI row because they target the model layer (training data, model weights, training-set membership), not the agent layer (loop, tools, permissions, memory). OWASP ASI is silent on the model layer by design. This empty OWASP cell is the load-bearing finding: ATLAS covers the model; OWASP covers the agent; together they cover both."
    },
    {
      "id": "q11",
      "bloom": "analyze",
      "type": "multiple_choice",
      "prompt": "Why is the claim 'ATLAS is the connective tissue between OWASP, Microsoft, and SDD-B01' load-bearing, rather than just marketing?",
      "options": [
        "Because ATLAS is the only framework that includes case studies",
        "Because ATLAS is the SUPERSET framework — it covers the model layer (where OWASP is silent), organized as the adversary's kill chain (which OWASP's checklist and Microsoft's diagnostic are not), and every agent-layer OWASP row maps to an ATLAS tactic while ATLAS adds model-layer tactics OWASP cannot reach",
        "Because ATLAS was created by MITRE, which also created ATT&CK, so it inherits credibility",
        "Because ATLAS is newer than the other frameworks and therefore more up-to-date"
      ],
      "answer_index": 1,
      "rationale": "ATLAS is the connective tissue because it is the superset: it covers both the agent layer (overlapping OWASP) and the model layer (where OWASP is silent), organized as a kill chain (which neither OWASP's checklist nor Microsoft's diagnostic provide). Every OWASP row maps to an ATLAS tactic; ATLAS adds model-layer tactics (Model Inversion, Model Stealing, Membership Inference, Data Poisoning) that have no OWASP row. The three-framework overlap (ATLAS technique + OWASP row + Microsoft failure mode) is the highest-confidence finding."
    },
    {
      "id": "q12",
      "bloom": "analyze",
      "type": "multiple_choice",
      "prompt": "An engagement reports 'we tested one ATLAS technique per tactic and produced a per-tactic scorecard.' What is the error, and what is lost?",
      "options": [
        "No error — this is the correct way to use ATLAS",
        "The error is treating ATLAS as a checklist instead of a kill chain. What is lost: the COMPOUND CHAINS — single-technique findings are entry points; the chain (Recon enables Discovery enables Execution enables Impact) is the finding. Per-tactic scoring reproduces the OWASP-as-checklist mistake in ATLAS clothing",
        "The error is not filtering by Technique Maturity. What is lost: prioritization of weaponized techniques",
        "The error is using ATLAS at all for an agentic system. What is lost: the OWASP coverage"
      ],
      "answer_index": 1,
      "rationale": "ATLAS is a kill chain, not a checklist. Treating it as 'one technique per tactic, scored' reproduces the OWASP-as-checklist mistake and loses the compound chains — the multi-tactic sequences where each step passes its individual control but the compound reaches impact (the SDD-B01 compound-is-the-finding thesis restated in ATLAS terms). The cure is to score chains, not techniques in isolation."
    },
    {
      "id": "q13",
      "bloom": "analyze",
      "type": "multiple_choice",
      "prompt": "Why does ATLAS place Data Poisoning under Persistence (TA0006) rather than under Impact (TA0012), and what does the placement tell you about mitigation effort?",
      "options": [
        "Because poisoning impacts training data, which is a persistence asset",
        "Because the poisoned backdoor is DURABLE — it survives model reloads, retraining, and defensive resets, making it a persistence technique. The placement tells you mitigation is an order of magnitude larger than a runtime finding: you must retrain from clean data or replace the checkpoint, not patch a runtime control",
        "Because poisoning has no runtime impact, only persistence impact",
        "Because the ATLAS matrix has no room for it under Impact"
      ],
      "answer_index": 1,
      "rationale": "Data Poisoning sits under Persistence because the compromise is durable — the backdoor lives in the weights and survives retraining (BadNets demonstrated survival through fine-tuning and transfer learning). The placement tells you the mitigation is a model-lifecycle problem (retrain from clean data, replace the checkpoint, scan pre-deployment), not a runtime patch. This is an order of magnitude more effort than a one-shot injection finding, which is why ATLAS separates Persistence from Impact."
    },
    {
      "id": "q14",
      "bloom": "analyze",
      "type": "multiple_choice",
      "prompt": "Why is 'mapping ATLAS to OWASP one-to-one and stopping there' an anti-pattern, and what is the cure?",
      "options": [
        "It is not an anti-pattern; the one-to-one mapping is the whole point",
        "The anti-pattern is that several techniques map cleanly to OWASP rows (PI→ASI01, Persistence→ASI04/08), so the temptation is to map the obvious ones and skip the rest — reproducing the OWASP scope (and its blind spots) in ATLAS clothing. The cure: map the UNMAPPED techniques first (the model-layer ones); they are the finding surface OWASP cannot reach",
        "The anti-pattern is that OWASP is obsolete and should not be mapped at all",
        "The anti-pattern is that the mapping requires MITRE's permission"
      ],
      "answer_index": 1,
      "rationale": "The obvious mappings (Prompt Injection→ASI01, Persistence→ASI04/08) reproduce the OWASP scope. The value of ATLAS is the UNMAPPED techniques — Model Inversion, Model Stealing, Membership Inference — that target the model layer OWASP does not cover. The cure: map the unmapped techniques first; they are the new findings. The obvious mappings are confirmation; the unmapped mappings are the gap."
    },
    {
      "id": "q15",
      "bloom": "analyze",
      "type": "multiple_choice",
      "prompt": "An engagement reports 'we implemented AML.M1015.' What is wrong with this report, and what is the corrected form?",
      "options": [
        "Nothing is wrong; ATLAS mitigation IDs are the correct unit of reporting",
        "AML.M1015 is a framework-AGNOSTIC mitigation class (e.g., 'input validation'), not a control. Reporting it produces an unfalsifiable claim. The corrected form: 'we implemented the B2 taint gate, which is the B-module INSTANTIATION of the ATLAS input-validation mitigation class.' The mitigation names the control class; the B-module names the specific implementation",
        "The report should cite the ATLAS tactic, not the mitigation",
        "The report should cite the case study, not the mitigation"
      ],
      "answer_index": 1,
      "rationale": "ATLAS mitigations are framework-agnostic control classes ('input validation,' 'adversarial training'), not products or B-module controls. Reporting 'we implemented AML.M1015' is unfalsifiable — there is no way to audit whether 'input validation' was actually built. The corrected form names the specific B-module control (the B2 taint gate at the tool-output boundary), which is auditable. Translating an ATLAS mitigation into a B-module control is the curriculum's work, not ATLAS's."
    }
  ]
}
