Framework Explorer / MITRE ATLAS
MITRE ATLAS in the AI Governance Framework Explorer
MITRE ATLAS is the adversarial threat knowledge base for AI — tactics and techniques observed in real attacks against machine-learning systems, modeled after ATT&CK. It is where AI governance meets threat intelligence.
Open the Interactive ExplorerJump to MITRE ATLAS
Every MITRE ATLAS entry, explained
Titles identify each requirement; the one-line summaries below are original Tech Jacks plain-English descriptions, not official standard text. Click any ID to open the full entry — implementation guidance, evidence checklists, risk analysis, and FAQs — in the interactive explorer.
RECON — Reconnaissance1 entries
Adversary techniques for gathering information about target machine learning systems before launching an attack, including identifying architectures, training data, deployment infrastructure, and API endpoints.
RESOURCE — Resource Development1 entries
Adversary techniques for building capabilities to attack ML systems, including acquiring compute resources, developing adversarial examples, creating proxy models, and obtaining poisoned datasets.
EXEC — Execution and Persistence1 entries
Adversary techniques for running adversarial payloads against ML systems and maintaining long-term access through backdoors, configuration changes, or embedded triggers.
PRIV — Privilege Escalation and Defense Evasion1 entries
Techniques for gaining higher-level access within ML systems and evading detection, including moving from inference-only to training pipeline access and bypassing safety filters.
CRED — Credential Access and Discovery1 entries
Adversary techniques for stealing credentials that grant access to ML systems and discovering ML assets within compromised environments.
COLLECT — Collection and ML Attack Staging1 entries
Techniques for gathering data from ML systems and preparing for attack execution, including extracting training data, stealing model parameters, and crafting adversarial inputs.
EXFIL — Exfiltration, Impact, C2 and Lateral Movement1 entries
Final phases of ML adversary campaigns covering data removal from target environments, disruption of AI functionality, command and control channels, and movement between connected AI systems.
AML.TA0000 — ML Model Access4 entries
Obtaining access to ML model inference APIs, model files, or training pipelines for attack execution.
Accessing AI model inference APIs to query models, extract information, or stage further attacks against the ML system.
Gaining physical access to environments where AI/ML systems operate, including data centers, edge devices, or IoT deployments.
Obtaining complete access to ML model internals including weights, architecture, gradients, and training configuration.
AML.TA0001 — ML Attack Staging5 entries
Preparing and staging ML-specific attacks including data poisoning, model backdooring, and adversarial input crafting.
Inserting hidden triggers into ML models that activate malicious behavior only when specific input patterns are present.
Injecting malicious samples into training datasets to alter model behavior, introduce biases, or create backdoors.
Testing and validating adversarial attacks against target ML systems to confirm effectiveness before deployment at scale.
Creating specifically crafted adversarial inputs designed to cause ML models to produce targeted misclassifications or incorrect outputs.
AML.TA0002 — Reconnaissance8 entries
Gathering information about target AI/ML systems, models, training data, and infrastructure to plan attacks.
Searching for publicly available research papers, conference presentations, blog posts, and documentation about the target organization’s ML systems and approaches.
Searching for publicly available adversarial vulnerability analyses, security research, and red-team findings about the target organization’s ML systems.
Acquiring publicly available ML model artifacts including pre-trained weights, datasets, and model cards to study target system characteristics and build surrogate models.
Searching victim-owned websites, documentation portals, and developer resources for information about AI system deployments, architectures, and capabilities.
Searching application repositories such as app stores, model hubs, and package registries for information about target AI systems and their dependencies.
Actively probing AI system endpoints, APIs, and infrastructure to discover model types, configurations, input formats, and security controls.
Discovering ML model artifacts in public or semi-public repositories including model files, datasets, configuration files, and documentation about target AI systems.
AML.TA0003 — Resource Development9 entries
Acquiring or developing resources such as adversarial tools, poisoned datasets, or surrogate models to support AI attacks.
Creating a proxy or surrogate ML model that approximates the target system’s behavior, enabling offline adversarial attack development and testing.
Acquiring computational infrastructure such as cloud GPU instances, training clusters, or specialized hardware to support adversarial ML operations.
Obtaining adversarial ML tools, frameworks, pre-trained models, or exploit code to use in attacks against target AI systems.
Developing custom adversarial ML tools, attack frameworks, poisoned datasets, or specialized exploits targeting specific AI system vulnerabilities.
Publishing poisoned datasets to public repositories that target organizations may use for training or fine-tuning, enabling indirect data poisoning attacks.
Creating accounts on ML platforms, model registries, or AI service providers to support adversarial operations and maintain persistent access.
Publishing ML models containing backdoors or manipulated weights to public repositories where target organizations may download and deploy them.
Creating fictitious but plausible entities in public knowledge sources that LLMs may incorporate as facts during training or retrieval.
AML.TA0004 — Initial Access8 entries
Gaining first access to an AI/ML system through prompt injection, supply chain compromise, or other entry vectors.
Compromising ML supply chain components including pre-trained models, training data, model repositories, and ML libraries to gain initial access to target AI systems.
Using legitimate credentials to access ML systems, model repositories, or AI service APIs, obtained through credential theft, purchase, or social engineering.
Exploiting vulnerabilities in public-facing AI applications, web interfaces, or API endpoints to gain initial access to ML systems.
Using social engineering and phishing techniques to gain access to AI systems, steal credentials, or deliver adversarial payloads to ML operators.
Manipulating LLM behavior through crafted prompts including direct injection in user input and indirect injection via external content.
Injecting adversarial instructions directly through the user input channel to override system prompts or safety instructions.
Embedding adversarial instructions in external content (websites, documents, emails) that the LLM processes as context.
AML.TA0005 — Execution4 entries
Running adversarial code or exploits within ML system environments to achieve attack objectives.
Exploiting AI system code execution capabilities including scripting interpreters, code generation tools, and shell access to run adversarial commands.
Compromising LLM plugins and extensions to execute unauthorized actions, exfiltrate data, or manipulate agent behavior through trusted tool interfaces.
Tricking users into executing adversarial ML payloads such as running poisoned models, loading malicious datasets, or executing compromised training scripts.
AML.TA0006 — Persistence2 entries
Maintaining continued access to ML systems through backdoors, configuration changes, or embedded triggers.
Crafting adversarial prompts that cause LLMs to reproduce and propagate the malicious prompt into downstream outputs and contexts.
AML.TA0007 — Defense Evasion4 entries
Avoiding detection by ML security controls, monitoring systems, and safety filters.
Bypassing LLM safety controls, content filters, and behavioral restrictions through crafted prompts that exploit model alignment weaknesses.
Extracting hidden system prompts, safety configurations, and operational parameters from LLMs through targeted conversational probing and prompt engineering techniques.
Crafting inputs that evade ML model detection or classification while achieving the adversary’s objective, including adversarial perturbations and evasion attacks.
AML.TA0008 — Discovery5 entries
Mapping AI system architecture, model capabilities, training data characteristics, and agent configurations.
Mapping the structure, inputs, outputs, and capabilities of target ML models through probing and documentation analysis to identify attack surfaces.
Identifying the type, architecture family, and training approach of a target ML model to narrow attack strategies and select appropriate adversarial techniques.
Probing AI models to discover output patterns, confidence scores, decision boundaries, and behavioral characteristics for attack planning.
Probing LLM systems to identify patterns of hallucination that reveal knowledge boundaries, training data composition, or exploitable factual gaps.
AML.TA0009 — Collection4 entries
Harvesting valuable data from AI services including training data, model parameters, and agent context.
Gathering ML artifacts including model files, training datasets, configuration files, and deployment manifests from compromised AI systems.
Extracting data from information repositories accessible to AI systems including vector databases, knowledge bases, and document stores.
Collecting data from local file systems accessible to AI agents or ML pipelines including training data, model files, and configuration.
AML.TA0010 — Exfiltration4 entries
Extracting stolen data, model weights, or training information from AI systems through inference APIs or agent tools.
Exploiting LLMs to leak sensitive training data, proprietary information, or PII through carefully crafted prompts and conversational extraction techniques.
Extracting model weights, training data, or sensitive information through carefully crafted queries to ML inference APIs.
Exfiltrating ML artifacts, training data, or model intellectual property through traditional cyber means such as network transfers, cloud storage, or removable media.
AML.TA0011 — Impact8 entries
Disrupting AI system functionality through denial of service, model evasion, or output manipulation.
Disrupting AI/ML system availability through overwhelming queries, resource exhaustion, or targeted denial-of-service attacks against ML infrastructure.
Gradually degrading ML model performance and reliability through sustained adversarial interactions, feedback manipulation, or data corruption.
Exploiting AI systems to generate excessive computational costs for the victim through resource-intensive queries or API abuse.
Flooding ML systems with junk or irrelevant data to degrade model quality, pollute training pipelines, or exhaust computational resources.
Targeting products or services that incorporate ML capabilities to cause downstream harm to end users and dependent systems.
Leveraging compromised AI systems to cause real-world harm beyond the immediate technical environment, including financial, reputational, and societal impacts.
Degrading the quality, accuracy, or reliability of datasets used by AI systems to undermine model performance over time.
AML.TA0012 — Privilege Escalation2 entries
Expanding access levels within ML systems to gain higher permissions or access restricted resources.
Breaking out of AI system sandboxes or containers to gain access to the underlying host infrastructure.
AML.TA0013 — Credential Access2 entries
Stealing authentication tokens, API keys, or credentials from AI systems and agent configurations.
Discovering and harvesting insecurely stored credentials including API keys, tokens, and passwords in AI system configurations, logs, or code repositories.
AML.TA0014 — Command and Control2 entries
Establishing and maintaining remote control channels over compromised AI systems and agents.
Using AI service APIs as command and control channels to issue instructions to compromised agents or systems.
AML.TA0015 — Lateral Movement1 entries
Moving between connected AI systems, models, and infrastructure components after initial compromise.
How MITRE ATLAS maps to other frameworks
Sample audited mappings
All 52 mappings are browsable in the interactive explorer and its knowledge graph.
Related guides
Frequently asked questions
How many MITRE ATLAS entries does the Framework Explorer cover?
79 entries, each with a plain-English explanation, implementation guidance at three organization sizes, evidence checklists, and risk context. 19 entries carry source-grounded risk profiles.
How does MITRE ATLAS relate to the other AI governance frameworks?
The Framework Explorer documents 52 audited cross-framework mappings touching MITRE ATLAS, connecting it to ISO/IEC 42001, NIST AI RMF, EU AI Act, ISO/IEC 27001, OWASP LLM Top 10, OWASP Agentic AI Top 10. Every mapping was verified against the source documents.
Is this content the official MITRE ATLAS text?
No. Entry titles identify each requirement, and all explanations are original plain-English summaries written by Tech Jacks Solutions. For official text, consult the publishing body directly.