Gallery

Contacts

405 W. Greenlawn Ave Lansing, Michigan 48910

contact@techjacksolutions.com

+1-616-320-4064

Framework Explorer / MITRE ATLAS

MITRE ATLAS in the AI Governance Framework Explorer

79 entries 52 cross-framework mappings 19 risk profiles Threat intelligence Advisory

MITRE ATLAS is the adversarial threat knowledge base for AI — tactics and techniques observed in real attacks against machine-learning systems, modeled after ATT&CK. It is where AI governance meets threat intelligence.

Open the Interactive ExplorerJump to MITRE ATLAS

Every MITRE ATLAS entry, explained

Titles identify each requirement; the one-line summaries below are original Tech Jacks plain-English descriptions, not official standard text. Click any ID to open the full entry — implementation guidance, evidence checklists, risk analysis, and FAQs — in the interactive explorer.

RECON — Reconnaissance1 entries
RECONReconnaissance

Adversary techniques for gathering information about target machine learning systems before launching an attack, including identifying architectures, training data, deployment infrastructure, and API endpoints.

RESOURCE — Resource Development1 entries
RESOURCEResource Development

Adversary techniques for building capabilities to attack ML systems, including acquiring compute resources, developing adversarial examples, creating proxy models, and obtaining poisoned datasets.

EXEC — Execution and Persistence1 entries
EXECExecution and Persistence

Adversary techniques for running adversarial payloads against ML systems and maintaining long-term access through backdoors, configuration changes, or embedded triggers.

PRIV — Privilege Escalation and Defense Evasion1 entries
PRIVPrivilege Escalation and Defense Evasion

Techniques for gaining higher-level access within ML systems and evading detection, including moving from inference-only to training pipeline access and bypassing safety filters.

CRED — Credential Access and Discovery1 entries
CREDCredential Access and Discovery

Adversary techniques for stealing credentials that grant access to ML systems and discovering ML assets within compromised environments.

COLLECT — Collection and ML Attack Staging1 entries
COLLECTCollection and ML Attack Staging

Techniques for gathering data from ML systems and preparing for attack execution, including extracting training data, stealing model parameters, and crafting adversarial inputs.

EXFIL — Exfiltration, Impact, C2 and Lateral Movement1 entries
EXFILExfiltration, Impact, C2 and Lateral Movement

Final phases of ML adversary campaigns covering data removal from target environments, disruption of AI functionality, command and control channels, and movement between connected AI systems.

AML.TA0000 — ML Model Access4 entries
AML.TA0000ML Model Access

Obtaining access to ML model inference APIs, model files, or training pipelines for attack execution.

AML.T0040AI Model Inference API Access

Accessing AI model inference APIs to query models, extract information, or stage further attacks against the ML system.

AML.T0041Physical Environment Access

Gaining physical access to environments where AI/ML systems operate, including data centers, edge devices, or IoT deployments.

AML.T0044Full ML Model Access

Obtaining complete access to ML model internals including weights, architecture, gradients, and training configuration.

AML.TA0001 — ML Attack Staging5 entries
AML.TA0001ML Attack Staging

Preparing and staging ML-specific attacks including data poisoning, model backdooring, and adversarial input crafting.

AML.T0018Backdoor ML Model

Inserting hidden triggers into ML models that activate malicious behavior only when specific input patterns are present.

AML.T0020Poison Training Data

Injecting malicious samples into training datasets to alter model behavior, introduce biases, or create backdoors.

AML.T0042Verify Attack

Testing and validating adversarial attacks against target ML systems to confirm effectiveness before deployment at scale.

AML.T0043Craft Adversarial Data

Creating specifically crafted adversarial inputs designed to cause ML models to produce targeted misclassifications or incorrect outputs.

AML.TA0002 — Reconnaissance8 entries
AML.TA0002Reconnaissance

Gathering information about target AI/ML systems, models, training data, and infrastructure to plan attacks.

AML.T0000Search for Victim’s Publicly Available Research Materials

Searching for publicly available research papers, conference presentations, blog posts, and documentation about the target organization’s ML systems and approaches.

AML.T0001Search for Publicly Available Adversarial Vulnerability Analysis

Searching for publicly available adversarial vulnerability analyses, security research, and red-team findings about the target organization’s ML systems.

AML.T0002Acquire Public ML Artifacts

Acquiring publicly available ML model artifacts including pre-trained weights, datasets, and model cards to study target system characteristics and build surrogate models.

AML.T0003Search Victim-Owned Websites

Searching victim-owned websites, documentation portals, and developer resources for information about AI system deployments, architectures, and capabilities.

AML.T0004Search Application Repositories

Searching application repositories such as app stores, model hubs, and package registries for information about target AI systems and their dependencies.

AML.T0006Active Scanning

Actively probing AI system endpoints, APIs, and infrastructure to discover model types, configurations, input formats, and security controls.

AML.T0007Discover ML Artifacts

Discovering ML model artifacts in public or semi-public repositories including model files, datasets, configuration files, and documentation about target AI systems.

AML.TA0003 — Resource Development9 entries
AML.TA0003Resource Development

Acquiring or developing resources such as adversarial tools, poisoned datasets, or surrogate models to support AI attacks.

AML.T0005Create Proxy ML Model

Creating a proxy or surrogate ML model that approximates the target system’s behavior, enabling offline adversarial attack development and testing.

AML.T0008Acquire Infrastructure

Acquiring computational infrastructure such as cloud GPU instances, training clusters, or specialized hardware to support adversarial ML operations.

AML.T0016Obtain Capabilities

Obtaining adversarial ML tools, frameworks, pre-trained models, or exploit code to use in attacks against target AI systems.

AML.T0017Develop Capabilities

Developing custom adversarial ML tools, attack frameworks, poisoned datasets, or specialized exploits targeting specific AI system vulnerabilities.

AML.T0019Publish Poisoned Datasets

Publishing poisoned datasets to public repositories that target organizations may use for training or fine-tuning, enabling indirect data poisoning attacks.

AML.T0021Establish Accounts

Creating accounts on ML platforms, model registries, or AI service providers to support adversarial operations and maintain persistent access.

AML.T0058Publish Poisoned Models

Publishing ML models containing backdoors or manipulated weights to public repositories where target organizations may download and deploy them.

AML.T0060Publish Hallucinated Entities

Creating fictitious but plausible entities in public knowledge sources that LLMs may incorporate as facts during training or retrieval.

AML.TA0004 — Initial Access8 entries
AML.TA0004Initial Access

Gaining first access to an AI/ML system through prompt injection, supply chain compromise, or other entry vectors.

AML.T0010ML Supply Chain Compromise

Compromising ML supply chain components including pre-trained models, training data, model repositories, and ML libraries to gain initial access to target AI systems.

AML.T0012Valid Accounts

Using legitimate credentials to access ML systems, model repositories, or AI service APIs, obtained through credential theft, purchase, or social engineering.

AML.T0049Exploit Public-Facing Application

Exploiting vulnerabilities in public-facing AI applications, web interfaces, or API endpoints to gain initial access to ML systems.

AML.T0052Phishing

Using social engineering and phishing techniques to gain access to AI systems, steal credentials, or deliver adversarial payloads to ML operators.

AML.T0051LLM Prompt Injection

Manipulating LLM behavior through crafted prompts including direct injection in user input and indirect injection via external content.

AML.T0051.000Direct Prompt Injection

Injecting adversarial instructions directly through the user input channel to override system prompts or safety instructions.

AML.T0051.001Indirect Prompt Injection

Embedding adversarial instructions in external content (websites, documents, emails) that the LLM processes as context.

AML.TA0005 — Execution4 entries
AML.TA0005Execution

Running adversarial code or exploits within ML system environments to achieve attack objectives.

AML.T0050Command and Scripting Interpreter

Exploiting AI system code execution capabilities including scripting interpreters, code generation tools, and shell access to run adversarial commands.

AML.T0053LLM Plugin Compromise

Compromising LLM plugins and extensions to execute unauthorized actions, exfiltrate data, or manipulate agent behavior through trusted tool interfaces.

AML.T0011User Execution

Tricking users into executing adversarial ML payloads such as running poisoned models, loading malicious datasets, or executing compromised training scripts.

AML.TA0006 — Persistence2 entries
AML.TA0006Persistence

Maintaining continued access to ML systems through backdoors, configuration changes, or embedded triggers.

AML.T0061LLM Prompt Self-Replication

Crafting adversarial prompts that cause LLMs to reproduce and propagate the malicious prompt into downstream outputs and contexts.

AML.TA0007 — Defense Evasion4 entries
AML.TA0007Defense Evasion

Avoiding detection by ML security controls, monitoring systems, and safety filters.

AML.T0054LLM Jailbreak

Bypassing LLM safety controls, content filters, and behavioral restrictions through crafted prompts that exploit model alignment weaknesses.

AML.T0056LLM Meta Prompt Extraction

Extracting hidden system prompts, safety configurations, and operational parameters from LLMs through targeted conversational probing and prompt engineering techniques.

AML.T0015Evade ML Model

Crafting inputs that evade ML model detection or classification while achieving the adversary’s objective, including adversarial perturbations and evasion attacks.

AML.TA0008 — Discovery5 entries
AML.TA0008Discovery

Mapping AI system architecture, model capabilities, training data characteristics, and agent configurations.

AML.T0013Discover ML Model Ontology

Mapping the structure, inputs, outputs, and capabilities of target ML models through probing and documentation analysis to identify attack surfaces.

AML.T0014Discover ML Model Family

Identifying the type, architecture family, and training approach of a target ML model to narrow attack strategies and select appropriate adversarial techniques.

AML.T0063Discover AI Model Outputs

Probing AI models to discover output patterns, confidence scores, decision boundaries, and behavioral characteristics for attack planning.

AML.T0062Discover LLM Hallucinations

Probing LLM systems to identify patterns of hallucination that reveal knowledge boundaries, training data composition, or exploitable factual gaps.

AML.TA0009 — Collection4 entries
AML.TA0009Collection

Harvesting valuable data from AI services including training data, model parameters, and agent context.

AML.T0035ML Artifact Collection

Gathering ML artifacts including model files, training datasets, configuration files, and deployment manifests from compromised AI systems.

AML.T0036Data from Information Repositories

Extracting data from information repositories accessible to AI systems including vector databases, knowledge bases, and document stores.

AML.T0037Data from Local System

Collecting data from local file systems accessible to AI agents or ML pipelines including training data, model files, and configuration.

AML.TA0010 — Exfiltration4 entries
AML.TA0010Exfiltration

Extracting stolen data, model weights, or training information from AI systems through inference APIs or agent tools.

AML.T0057LLM Data Leakage

Exploiting LLMs to leak sensitive training data, proprietary information, or PII through carefully crafted prompts and conversational extraction techniques.

AML.T0024Exfiltration via ML Inference API

Extracting model weights, training data, or sensitive information through carefully crafted queries to ML inference APIs.

AML.T0025Exfiltration via Cyber Means

Exfiltrating ML artifacts, training data, or model intellectual property through traditional cyber means such as network transfers, cloud storage, or removable media.

AML.TA0011 — Impact8 entries
AML.TA0011Impact

Disrupting AI system functionality through denial of service, model evasion, or output manipulation.

AML.T0029Denial of ML Service

Disrupting AI/ML system availability through overwhelming queries, resource exhaustion, or targeted denial-of-service attacks against ML infrastructure.

AML.T0031Erode ML Model Integrity

Gradually degrading ML model performance and reliability through sustained adversarial interactions, feedback manipulation, or data corruption.

AML.T0034Cost Harvesting

Exploiting AI systems to generate excessive computational costs for the victim through resource-intensive queries or API abuse.

AML.T0046Spamming ML System with Chaff Data

Flooding ML systems with junk or irrelevant data to degrade model quality, pollute training pipelines, or exhaust computational resources.

AML.T0047ML-Enabled Product or Service

Targeting products or services that incorporate ML capabilities to cause downstream harm to end users and dependent systems.

AML.T0048External Harms

Leveraging compromised AI systems to cause real-world harm beyond the immediate technical environment, including financial, reputational, and societal impacts.

AML.T0059Erode Dataset Integrity

Degrading the quality, accuracy, or reliability of datasets used by AI systems to undermine model performance over time.

AML.TA0012 — Privilege Escalation2 entries
AML.TA0012Privilege Escalation

Expanding access levels within ML systems to gain higher permissions or access restricted resources.

AML.T0026Escape to Host

Breaking out of AI system sandboxes or containers to gain access to the underlying host infrastructure.

AML.TA0013 — Credential Access2 entries
AML.TA0013Credential Access

Stealing authentication tokens, API keys, or credentials from AI systems and agent configurations.

AML.T0055Unsecured Credentials

Discovering and harvesting insecurely stored credentials including API keys, tokens, and passwords in AI system configurations, logs, or code repositories.

AML.TA0014 — Command and Control2 entries
AML.TA0014Command and Control

Establishing and maintaining remote control channels over compromised AI systems and agents.

AML.T0096AI Service API

Using AI service APIs as command and control channels to issue instructions to compromised agents or systems.

AML.TA0015 — Lateral Movement1 entries
AML.TA0015Lateral Movement

Moving between connected AI systems, models, and infrastructure components after initial compromise.

How MITRE ATLAS maps to other frameworks

ISO/IEC 420017 audited mappingsview framework →
NIST AI RMF11 audited mappingsview framework →
EU AI Act8 audited mappingsview framework →
ISO/IEC 270017 audited mappingsview framework →
OWASP LLM Top 1011 audited mappingsview framework →
OWASP Agentic AI Top 108 audited mappingsview framework →

Sample audited mappings

HighAML.T0051LLM01LLM Prompt Injection (AML.T0051) is the ATLAS technique behind OWASP LLM01
HighAML.T0020LLM04Poison Training Data (AML.T0020) maps directly to data and model poisoning risk
HighAML.T0006LLM03Active Scanning (AML.T0006) identifies supply chain entry points relevant to LLM supply chain risk
HighAML.T0019LLM02Publish Poisoned Datasets (AML.T0019) can embed sensitive data leakage vectors enabling information disclosure
HighAML.T0051.000LLM07Direct Prompt Injection (AML.T0051.000) can extract system prompts enabling LLM07
HighAML.T0029LLM10Denial of ML Service (AML.T0029) maps to unbounded consumption attacks

All 52 mappings are browsable in the interactive explorer and its knowledge graph.

Related guides

Frequently asked questions

How many MITRE ATLAS entries does the Framework Explorer cover?

79 entries, each with a plain-English explanation, implementation guidance at three organization sizes, evidence checklists, and risk context. 19 entries carry source-grounded risk profiles.

How does MITRE ATLAS relate to the other AI governance frameworks?

The Framework Explorer documents 52 audited cross-framework mappings touching MITRE ATLAS, connecting it to ISO/IEC 42001, NIST AI RMF, EU AI Act, ISO/IEC 27001, OWASP LLM Top 10, OWASP Agentic AI Top 10. Every mapping was verified against the source documents.

Is this content the official MITRE ATLAS text?

No. Entry titles identify each requirement, and all explanations are original plain-English summaries written by Tech Jacks Solutions. For official text, consult the publishing body directly.

Explore the other frameworks