MITRE ATLAS

Living knowledge base of adversary tactics and techniques targeting AI systems.

Audience
Security teams, red teams, ML engineers.
Unit of analysis
Adversarial behaviors against ML/AI.
Lifecycle coverage
Adversarial exposure across model lifecycle.
Outputs
Threat-informed mitigations.
Strengths
Concrete, threat-informed; updated with real-world cases.
Cautions
Security-scoped; not an ethics or rights framework.
Jurisdictional scope
Global; widely used in US federal cyber contexts.
Evidentiary weight
Threat-informed reference; not a control catalog. Pairs with NIST SP 800-53 / AI RMF for control selection.
Cost to adopt
Free; cost is in red-team resourcing and monitoring.
Certification path
None; MITRE does not certify against ATLAS.
History

Inspired by the MITRE ATT&CK matrix. Public release 2020; expanded to cover LLM-specific tactics 2023+.

Items
33
Stages
4
Cross-links
6
Source
MITRE
Version: Pinned 2026.Q1
Last reviewed: 2026-05-02
ATLAS is also available in a dedicated threat-matrix view with candidate mitigations. Open the ATLAS matrix.

MITRE ATLAS

Indexed at the structural level. Excerpts are quoted under fair-use; full text is linked, not rehosted.

Tactics (8)

  • AML.TA0002 (stages: data, model, deployment)

    Reconnaissance

    The adversary is trying to gather information they can use to plan future operations against the ML system.

  • AML.TA0003 (stages: data, model)

    Resource Development

    The adversary is establishing resources they can use to support operations: datasets, infrastructure, capabilities.

  • AML.TA0004 (stage: deployment)

    ML Model Access

    The adversary is attempting to gain some level of access to a machine learning model.

  • AML.TA0005 (stage: deployment)

    Execution

    The adversary is trying to run malicious code or trigger malicious behavior in the ML system.

  • AML.TA0006 (stages: model, deployment)

    Persistence

    The adversary is trying to maintain their foothold against the ML system across re-trainings, restarts, or rotations.

  • AML.TA0007 (stages: deployment, monitoring)

    Defense Evasion

    The adversary is trying to avoid being detected by ML-based or ML-supporting defenses.

  • AML.TA0010 (stages: model, deployment)

    Exfiltration

    The adversary is trying to steal ML artifacts or other information about the ML system: training data, weights, prompts.

  • AML.TA0011 (stages: deployment, monitoring)

    Impact

    The adversary is trying to manipulate, interrupt, erode confidence in, or destroy ML systems and the data they handle.

Techniques (13)

  • AML.T0000 (tactic AML.TA0002; stages: data, model)

    Search victim-owned websites

    Adversaries scrape victim-owned websites, model cards, datasheets, or research publications for system details.

  • AML.T0006 (tactic AML.TA0003; stages: data, model)

    Acquire public ML artifacts

    Adversaries obtain public datasets or pre-trained models for use in subsequent attacks (e.g., transfer-based evasion).

  • AML.T0040 (tactic AML.TA0004; stage: deployment)

    ML model inference API access

    The adversary obtains query access to the model API and uses it to probe behavior, extract knowledge, or stage attacks.

  • AML.T0015 (tactic AML.TA0007; stage: deployment)

    Evade ML model

    Adversaries craft inputs intended to cause an ML model to produce incorrect outputs at inference time.

  • AML.T0020 (tactic AML.TA0006; stages: data, model)

    Poison training data

    Adversaries inject crafted samples into a training dataset to influence model behavior.

  • AML.T0018 (tactic AML.TA0006; stage: model)

    Backdoor ML model

    An adversary installs a hidden trigger in the model that produces attacker-chosen outputs when activated.

  • AML.T0044 (tactic AML.TA0010; stage: deployment)

    Extract ML model

    Adversaries query a deployed model to reconstruct an approximate copy or recover its parameters.

  • AML.T0024 (tactic AML.TA0010; stage: deployment)

    Membership inference

    Adversaries determine whether a specific data record was part of the training set, with privacy implications.

  • AML.T0051 (tactic AML.TA0005; stage: deployment)

    LLM prompt injection

    Adversaries craft instructions in inputs or retrieved content to alter an LLM's behavior or exfiltrate data.

  • AML.T0051.001 (tactic AML.TA0005; stage: deployment)

    Indirect prompt injection

    Adversaries plant prompt instructions in third-party content (web pages, documents, emails) consumed by an LLM via retrieval or tool use.

  • AML.T0054 (tactic AML.TA0007; stage: deployment)

    LLM jailbreak

    Adversaries craft prompts that bypass alignment, safety, or policy constraints in an LLM.

  • AML.T0029 (tactic AML.TA0011; stages: deployment, monitoring)

    Denial of ML service

    Adversaries craft inputs that cause excessive compute, latency, or cost in the ML system.

  • AML.T0057 (tactic AML.TA0010; stage: deployment)

    LLM data leakage

    Adversaries elicit memorized training data from a model via crafted prompts.

Mitigations (12)

  • AML.M0014 (stage: model)

    Adversarial training

    Train models on adversarial examples or with robust optimization to reduce sensitivity to crafted inputs.

  • AML.M0015 (stage: deployment)

    Input restriction & validation

    Restrict the format, length, and content of inputs; validate against schemas; reject anomalous inputs.

  • AML.M0004 (stage: deployment)

    Restrict number of model queries

    Apply per-user or per-key rate limits and monitor for query-volume anomalies indicative of probing.

  • AML.M0006 (stage: deployment)

    Output perturbation

    Add noise or rounding to outputs (probabilities, scores) to reduce the information leaked to a querying adversary.

  • AML.M0010 (stage: model)

    Differential privacy training

    Train with formal differential privacy guarantees to bound the influence of any single training record.

  • AML.M0007 (stage: data)

    Validate training data

    Inspect training data for poisoning indicators, quarantine untrusted sources, and run statistical outlier checks.

  • AML.M0008 (stages: data, model, deployment)

    Model and data provenance

    Cryptographically sign and verify training data, model weights, and updates across the supply chain.

  • AML.M0011 (stage: model)

    Model scanning for backdoors

    Run trigger-detection and behavior-analysis tools on models before deployment, especially for third-party models.

  • AML.M0017 (stage: deployment)

    Prompt and content isolation

    Separate untrusted retrieved content from instruction context; enforce structured tool-call boundaries.

  • AML.M0018 (stages: deployment, monitoring)

    Content filtering

    Apply input and output filters for known unsafe categories, with monitoring of bypass attempts.

  • AML.M0019 (stage: deployment)

    Tool-use allowlisting

    Constrain agent tool calls to a vetted allowlist; require human approval for high-impact actions.

  • AML.M0020 (stages: framing, deployment)

    Disclosure discipline

    Limit publication of model architecture details, training data sources, and operational specifics that aid reconnaissance.
