Module SDD-B12 — MITRE ATLAS: The Adversary's Playbook for AI Systems

MITRE ATLAS: The Adversary's Playbook for AI Systems

ATLAS gives you the adversary's playbook. C2B B9 gives you the builder's checklist. SDD-B01 gives you the offensive expansion. ATLAS is the connective tissue — the framework that names every technique an adversary has actually used against an AI system, in the order an adversary actually chains them, from reconnaissance through impact. The ATT&CK equivalent for AI/ML: twelve tactics, ~80+ techniques, dozens of case studies.

45
minutes
8
artifacts
3
sub-sections
OWASP ASI (B9) is a builder's checklist — ten rows, scored. The Microsoft failure taxonomy (B10) is a defender's diagnostic — twelve failure modes by origin. SDD-B01 is the offensive expansion — the same ten rows read as attack procedures. None of them is the adversary's full playbook. A real adversary thinks in a kill chain: reconnaissance, initial access, staging, impact — and at every stage, a library of techniques to choose from, each observed in the wild against a real AI system, each with a documented case study. MITRE ATLAS is that library, structured exactly like ATT&CK, maintained by MITRE, fed by real incident reports. The curriculum framing: ATLAS is the connective tissue between the three frameworks — the superset that covers both the agent layer (overlapping OWASP) and the model layer (where OWASP is silent), organized as the adversary's kill chain.
Key Claims
Load-Bearing Claims

ATLAS is the connective tissue between OWASP, Microsoft, and SDD-B01. OWASP is a builder's checklist (ten rows). Microsoft is a diagnostic (twelve failure modes). SDD-B01 is the offensive expansion (the same ten rows as attack procedures). ATLAS is the adversary's full playbook — a kill chain, fed by real-world case studies, structured like ATT&CK. A failure that is an ATLAS technique, an OWASP row, and a Microsoft failure mode is the highest-confidence finding — robust to framework-shopping.

ATLAS covers the model layer OWASP is silent on. Four of the six load-bearing techniques (Model Inversion, Data Poisoning model-layer variant, Model Stealing, Membership Inference) target the model the agent is built on, not the agent. OWASP ASI has no row for them — it is an agent-layer framework by design. ATLAS is the framework that covers the model; OWASP covers the agent; together they cover both. The empty OWASP cells are the finding surface ATLAS adds that OWASP cannot reach.

ATLAS is a kill chain, not a checklist. The value is the compound: Reconnaissance enables Initial Access enables Execution enables Impact. Single-technique findings are entry points; the compound chain is the finding. This is the SDD-B01 'compound is the finding' thesis restated in ATLAS terms — the ATLAS kill chain is the structure for designing the compound. Treating ATLAS as 'one technique per tactic, scored' reproduces the OWASP-as-checklist mistake in ATLAS clothing.

The two AI-specific tactics (ML Model Access, ML Attack Staging) are what makes ATLAS distinct from ATT&CK. They exist because AI systems have an asset class — the trained model — that traditional systems do not. The access tier determines which downstream techniques are available (black-box API scopes to prompt injection, model stealing, membership inference; white-box weights unlock adversarial examples, representation-level attacks, weight poisoning). ML Attack Staging has no runtime defense — it happens on the adversary's laptop. Scoping these two tactics out reduces ATLAS to a relabeled ATT&CK and loses the model-layer coverage that justifies the framework.

After This Module
01
Explain what MITRE ATLAS is, how it is structured (tactics × techniques × case studies, the ATT&CK analog), and why it is the connective tissue between OWASP ASI (B9), the Microsoft failure taxonomy (B10), and the offensive expansion (SDD-B01).
02
Read the ATLAS matrix end-to-end: all twelve tactics (AML.TA0001–AML.TA0012), the techniques beneath each, and the case studies that evidence them — and map each to an agentic-harness attack surface from B1.
03
For the six load-bearing ATLAS techniques (prompt injection, model inversion, data poisoning, adversarial examples, model stealing, membership inference), state the full attack procedure, the real-world case study that evidences it, and the OWASP ASI / Microsoft taxonomy cross-reference.
04
Use ATLAS to plan a red-team engagement: establish the access tier, walk the matrix left-to-right, select techniques by maturity and platform applicability, map techniques to surfaces, and produce a technique-by-technique attack plan a B12 assessor would accept.
05
Map ATLAS techniques against a zero-defense harness (the Tau harness from SDD-B11) and identify which techniques apply — the lab exercise that anchors the deep-dive.
Artifacts
01
Teaching Document
~3,400 words; 3 sub-sections — the matrix (twelve tactics, the ATT&CK analog), six load-bearing techniques in depth (case-study anchored: BadNets, Fredrikson, Carlini, Tramèr, Shokri, Goodfellow), planning an engagement + mapping ATLAS against Tau; with anti-patterns, key terms, references
READ
02
Diagrams
5 Mermaid diagrams — the twelve tactics in kill-chain order (with the two AI-specific tactics flagged), the three-framework cross-reference (ATLAS as superset), the six load-bearing techniques mapped to case studies, the four-step engagement procedure, the ATLAS–Tau tactic-to-surface-to-control hardening map
READ
03
Slide Deck
12 slides — reveal.js, dark theme, design-system teal; covers the thesis, ATLAS structure, twelve tactics, two AI-specific tactics, six load-bearing techniques, cross-reference, engagement procedure, Tau mapping, anti-patterns, the lab
READ
04
Teaching Script
Verbatim transcript with [SLIDE N] cues, ~2,800 words spoken at ~140 wpm across 12 slide cues
READ
05
Flashcards
20 flashcards (TSV) — mix of recall and analysis; covers ATLAS structure, all twelve tactics, six load-bearing techniques, the engagement procedure, anti-patterns, the ATLAS–Tau inverse relationship
TEST
06
Exam
15 questions, 20/40/40 Bloom distribution (3 recall / 6 application / 6 analysis), 70% pass; validated JSON with rationale per question
TEST
07
Lab Spec
Map the ATLAS Matrix Against a Zero-Defense Harness — runnable simulation (Python 3.10+, type hints, no GPU, no external deps): establish the access tier, walk the matrix, build the tactic-to-surface-to-control hardening map, design one compound chain across the kill chain (~45-60 min)
DO
08
Module Web Page
Single-file HTML hub
HERE