Course 2B · Deep-Dive SDD-B12 · 45 min

MITRE ATLAS
The Adversary's Playbook for AI Systems

The ATT&CK equivalent for AI/ML. Twelve tactics, ~80+ techniques, dozens of case studies. The connective tissue between OWASP ASI, the Microsoft failure taxonomy, and the offensive expansion — the framework that names every technique an adversary has used against an AI system, in the order an adversary actually chains them.

12tactics in kill-chain order
80+techniques cataloged
6load-bearing techniques in depth
4step engagement procedure

01The thesis

ATLAS gives you the adversary's playbook. C2B B9 gives you the builder's checklist. SDD-B01 gives you the offensive expansion. ATLAS is the connective tissue — the framework that names every technique an adversary has actually used against an AI system, in the order an adversary actually chains them, from reconnaissance through impact.

None of the prior three frameworks is the adversary's full playbook. OWASP is a checklist — ten rows, score each. Microsoft B10 is a diagnostic — twelve failure modes by origin. SDD-B01 is the offensive expansion of OWASP — the same ten rows read as attack procedures. A real adversary does not think in ten rows or twelve failure modes. An adversary thinks in a kill chain. ATLAS is that kill chain, fed by real-world case studies and structured exactly like ATT&CK.

02Key claims

The framing

ATLAS gives you the adversary's playbook. B9 gives you the builder's checklist. SDD-B01 gives you the offensive expansion. ATLAS is the connective tissue — the framework that lets a red-team lead walk into an engagement and answer, technique by technique, "has anyone ever done this to an AI system before, and how did it work?"

The superset

ATLAS covers both the agent layer (overlapping OWASP) and the model layer (where OWASP is silent). Four of the six load-bearing techniques — Model Inversion, Data Poisoning, Model Stealing, Membership Inference — target the model the agent is built on. OWASP ASI has no row for them. ATLAS is the framework that covers the model.

The kill chain

ATLAS is a kill chain, not a checklist. The value is the compound: Reconnaissance enables Initial Access enables Execution enables Impact. Single-technique findings are entry points; the compound chain is the finding. This is the SDD-B01 "compound is the finding" thesis restated in ATLAS terms.

The two AI-specific tactics

ML Model Access (TA0004) and ML Attack Staging (TA0010) have no ATT&CK analog. They exist because AI systems have an asset class — the trained model — that traditional systems do not. The access tier determines which downstream techniques are available. ML Attack Staging has no runtime defense — it happens on the adversary's laptop. The mitigation is upstream.

03After this module, you can

04The three-framework cross-reference

A failure that is an ATLAS technique, an OWASP ASI row, and a Microsoft B10 failure mode is the highest-confidence finding you can report. All three frameworks describe the same adversary behavior from different angles.

ATLAS
The adversary's kill chain — twelve tactics ordered by progression. What they do, in order.
OWASP ASI (B9)
The builder's checklist — ten risks, one control each. Which row to score. Silent on the model layer.
Microsoft (B10)
The diagnostic — twelve failure modes by origin. Which class of failure it is.

The empty OWASP cells — Model Inversion, Model Stealing, Membership Inference — are the finding surface ATLAS adds that OWASP cannot reach.

05Artifacts

06Read with