The ATT&CK equivalent for AI/ML. Twelve tactics, ~80+ techniques, dozens of case studies. The connective tissue between OWASP ASI, the Microsoft failure taxonomy, and the offensive expansion — the framework that names every technique an adversary has used against an AI system, in the order an adversary actually chains them.
ATLAS gives you the adversary's playbook. C2B B9 gives you the builder's checklist. SDD-B01 gives you the offensive expansion. ATLAS is the connective tissue — the framework that names every technique an adversary has actually used against an AI system, in the order an adversary actually chains them, from reconnaissance through impact.
None of the prior three frameworks is the adversary's full playbook. OWASP is a checklist — ten rows, score each. Microsoft B10 is a diagnostic — twelve failure modes by origin. SDD-B01 is the offensive expansion of OWASP — the same ten rows read as attack procedures. A real adversary does not think in ten rows or twelve failure modes. An adversary thinks in a kill chain. ATLAS is that kill chain, fed by real-world case studies and structured exactly like ATT&CK.
ATLAS gives you the adversary's playbook. B9 gives you the builder's checklist. SDD-B01 gives you the offensive expansion. ATLAS is the connective tissue — the framework that lets a red-team lead walk into an engagement and answer, technique by technique, "has anyone ever done this to an AI system before, and how did it work?"
ATLAS covers both the agent layer (overlapping OWASP) and the model layer (where OWASP is silent). Four of the six load-bearing techniques — Model Inversion, Data Poisoning, Model Stealing, Membership Inference — target the model the agent is built on. OWASP ASI has no row for them. ATLAS is the framework that covers the model.
ATLAS is a kill chain, not a checklist. The value is the compound: Reconnaissance enables Initial Access enables Execution enables Impact. Single-technique findings are entry points; the compound chain is the finding. This is the SDD-B01 "compound is the finding" thesis restated in ATLAS terms.
ML Model Access (TA0004) and ML Attack Staging (TA0010) have no ATT&CK analog. They exist because AI systems have an asset class — the trained model — that traditional systems do not. The access tier determines which downstream techniques are available. ML Attack Staging has no runtime defense — it happens on the adversary's laptop. The mitigation is upstream.
A failure that is an ATLAS technique, an OWASP ASI row, and a Microsoft B10 failure mode is the highest-confidence finding you can report. All three frameworks describe the same adversary behavior from different angles.
The empty OWASP cells — Model Inversion, Model Stealing, Membership Inference — are the finding surface ATLAS adds that OWASP cannot reach.