MITRE ATLAS
Living knowledge base of adversary tactics and techniques targeting AI systems.
- Audience: Security teams, red teams, ML engineers.
- Unit of analysis: Adversarial behaviors against ML/AI systems.
- Lifecycle coverage: Adversary exposure across the ML lifecycle (data, model, deployment, monitoring).
- Outputs: Threat-informed mitigations.
- Strengths: Concrete and threat-informed; updated with real-world case studies.
- Cautions: Security-scoped; not an ethics or rights framework.
- Jurisdictional scope: Global; widely used in US federal cyber contexts.
- Evidentiary weight: Threat-informed reference, not a control catalog; pair it with NIST SP 800-53 or the NIST AI RMF for control selection.
- Cost to adopt: Free; the cost is in red-team resourcing and monitoring.
- Certification path: None; MITRE does not certify against ATLAS.
Modeled on the MITRE ATT&CK matrix (same tactic/technique layout, with ML-specific tactics added). Public release 2020; expanded from 2023 onward with LLM-specific techniques such as prompt injection and jailbreaking.
Indexed at the structural level. Excerpts are quoted under fair-use; full text is linked, not rehosted.
Tactics (8)
Each entry gives the ID and name as indexed here, followed by the lifecycle stages this index tags it with (data, model, deployment, monitoring, framing).
- AML.TA0002 Reconnaissance (lifecycle: data, model, deployment)
“The adversary is trying to gather information they can use to plan future operations against the ML system.”
- AML.TA0003 Resource Development (lifecycle: data, model)
“The adversary is establishing resources they can use to support operations: datasets, infrastructure, capabilities.”
- AML.TA0004 ML Model Access (lifecycle: deployment)
“The adversary is attempting to gain some level of access to a machine learning model.”
- AML.TA0005 Execution (lifecycle: deployment)
“The adversary is trying to run malicious code or trigger malicious behavior in the ML system.”
- AML.TA0006 Persistence (lifecycle: model, deployment)
“The adversary is trying to maintain their foothold against the ML system across re-trainings, restarts, or rotations.”
- AML.TA0007 Defense Evasion (lifecycle: deployment, monitoring)
“The adversary is trying to avoid being detected by ML-based or ML-supporting defenses.”
- AML.TA0010 Exfiltration (lifecycle: model, deployment)
“The adversary is trying to steal ML artifacts or other information about the ML system: training data, weights, prompts.”
- AML.TA0011 Impact (lifecycle: deployment, monitoring)
“The adversary is trying to manipulate, interrupt, erode confidence in, or destroy ML systems and the data they handle.”
Techniques (13)
- AML.T0000 Search victim-owned websites (tactic AML.TA0002; lifecycle: data, model)
“Adversaries scrape victim-owned websites, model cards, datasheets, or research publications for system details.”
- AML.T0006 Acquire public ML artifacts (tactic AML.TA0003; lifecycle: data, model)
“Adversaries obtain public datasets or pre-trained models for use in subsequent attacks (e.g., transfer-based evasion).”
- AML.T0040 ML model inference API access (tactic AML.TA0004; lifecycle: deployment)
“The adversary obtains query access to the model API and uses it to probe behavior, extract knowledge, or stage attacks.”
- AML.T0015 Evade ML model (tactic AML.TA0007; lifecycle: deployment)
“Adversaries craft inputs intended to cause an ML model to produce incorrect outputs at inference time.”
- AML.T0020 Poison training data (tactic AML.TA0006; lifecycle: data, model)
“Adversaries inject crafted samples into a training dataset to influence model behavior.”
- AML.T0018 Backdoor ML model (tactic AML.TA0006; lifecycle: model)
“An adversary installs a hidden trigger in the model that produces attacker-chosen outputs when activated.”
- AML.T0044 Extract ML model (tactic AML.TA0010; lifecycle: deployment)
“Adversaries query a deployed model to reconstruct an approximate copy or recover its parameters.”
- AML.T0024 Membership inference (tactic AML.TA0010; lifecycle: deployment)
“Adversaries determine whether a specific data record was part of the training set, with privacy implications.”
- AML.T0051 LLM prompt injection (tactic AML.TA0005; lifecycle: deployment)
“Adversaries craft instructions in inputs or retrieved content to alter an LLM's behavior or exfiltrate data.”
- AML.T0051.001 Indirect prompt injection (sub-technique of AML.T0051; tactic AML.TA0005; lifecycle: deployment)
“Adversaries plant prompt instructions in third-party content (web pages, documents, emails) consumed by an LLM via retrieval or tool use.”
- AML.T0054 LLM jailbreak (tactic AML.TA0007; lifecycle: deployment)
“Adversaries craft prompts that bypass alignment, safety, or policy constraints in an LLM.”
- AML.T0029 Denial of ML service (tactic AML.TA0011; lifecycle: deployment, monitoring)
“Adversaries craft inputs that cause excessive compute, latency, or cost in the ML system.”
- AML.T0057 LLM data leakage (tactic AML.TA0010; lifecycle: deployment)
“Adversaries elicit memorized training data from a model via crafted prompts.”
Mitigations (12)
- AML.M0014 Adversarial training (lifecycle: model)
“Train models on adversarial examples or with robust optimization to reduce sensitivity to crafted inputs.”
- AML.M0015 Input restriction & validation (lifecycle: deployment)
“Restrict the format, length, and content of inputs; validate against schemas; reject anomalous inputs.”
- AML.M0004 Restrict number of model queries (lifecycle: deployment)
“Apply per-user or per-key rate limits and monitor for query-volume anomalies indicative of probing.”
- AML.M0006 Output perturbation (lifecycle: deployment)
“Add noise or rounding to outputs (probabilities, scores) to reduce information leak.”
- AML.M0010 Differential privacy training (lifecycle: model)
“Train with formal differential privacy guarantees to bound the influence of any single training record.”
- AML.M0007 Validate training data (lifecycle: data)
“Inspect training data for poisoning indicators; quarantine untrusted sources; statistical outlier checks.”
- AML.M0008 Model and data provenance (lifecycle: data, model, deployment)
“Cryptographically sign and verify training data, model weights, and updates across the supply chain.”
- AML.M0011 Model scanning for backdoors (lifecycle: model)
“Run trigger-detection and behavior-analysis tools on models before deployment, especially for third-party models.”
- AML.M0017 Prompt and content isolation (lifecycle: deployment)
“Separate untrusted retrieved content from instruction context; enforce structured tool-call boundaries.”
- AML.M0018 Content filtering (lifecycle: deployment, monitoring)
“Apply input and output filters for known unsafe categories, with monitoring of bypass attempts.”
- AML.M0019 Tool-use allowlisting (lifecycle: deployment)
“Constrain agent tool calls to a vetted allowlist; require human approval for high-impact actions.”
- AML.M0020 Disclosure discipline (lifecycle: framing, deployment)
“Limit publication of model architecture details, training data sources, and operational specifics that aid reconnaissance.”
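As an added example for the "Model and data provenance" mitigation (not MITRE ATLAS content), the minimum a pipeline needs to "sign and verify" its artifacts: a manifest that pins each dataset and weights file by digest and size, a signature over the canonical manifest, and a load step that refuses to proceed unless both check out. HMAC-SHA256 under a shared key stands in for the asymmetric signature (Ed25519, Sigstore or similar) a real supply chain would use; the artifact bytes and the key are constructed for the demo.

```python
"""Provenance manifest for ML artifacts: digest, sign, verify before load.

Added example for the "Model and data provenance" mitigation; it is not MITRE
ATLAS content. HMAC-SHA256 under a shared key stands in for the asymmetric
signature a real pipeline would use; the artifact bytes and the key below
are constructed for the demo.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed stand-ins for a training set and a weights file.
SAMPLE_ARTIFACTS: Dict[str, bytes] = {
    "train.csv": b"id,label\n1,cat\n2,dog\n",
    "model.bin": bytes(range(64)),
}
DEMO_KEY = b"demo-only-signing-key"  # constructed; never hard-code a real key


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: Dict[str, bytes], producer: str, version: str) -> dict:
    """Pin every artifact by digest and size in a sorted, reproducible structure."""
    return {
        "producer": producer,
        "version": version,
        "artifacts": {
            name: {"sha256": sha256_hex(data), "size": len(data)}
            for name, data in sorted(artifacts.items())
        },
    }


def canonical_bytes(manifest: dict) -> bytes:
    """Canonical JSON so signer and verifier MAC identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    return hmac.new(key, canonical_bytes(manifest), hashlib.sha256).hexdigest()


def verify_artifacts(manifest: dict, signature: str, key: bytes,
                     artifacts: Dict[str, bytes]) -> Tuple[bool, List[str]]:
    """Check the manifest signature first, then every artifact against it.
    Returns (ok, problems); an empty problem list means everything matched."""
    problems: List[str] = []
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        # A bad signature means the manifest itself is untrusted; no point
        # reporting per-artifact detail derived from it.
        return False, ["manifest signature mismatch; contents untrusted"]
    listed = manifest.get("artifacts", {})
    for name in sorted(set(listed) | set(artifacts)):
        if name not in listed:
            problems.append(f"unlisted artifact present: {name}")
        elif name not in artifacts:
            problems.append(f"listed artifact missing: {name}")
        else:
            entry, data = listed[name], artifacts[name]
            if (len(data) != entry["size"]
                    or not hmac.compare_digest(sha256_hex(data), entry["sha256"])):
                problems.append(f"digest mismatch: {name}")
    return not problems, problems


def load_model_if_verified(manifest: dict, signature: str, key: bytes,
                           artifacts: Dict[str, bytes]) -> bytes:
    """Gate the load step on provenance: refuse to hand out weights otherwise."""
    ok, problems = verify_artifacts(manifest, signature, key, artifacts)
    if not ok:
        raise RuntimeError("provenance check failed: " + "; ".join(problems))
    return artifacts["model.bin"]


def tampered_weights() -> Dict[str, bytes]:
    """Artifacts with one weight byte flipped, as a backdoored mirror might
    serve them; the size is unchanged, so only the digest catches it."""
    copy = dict(SAMPLE_ARTIFACTS)
    weights = bytearray(copy["model.bin"])
    weights[10] ^= 0x01
    copy["model.bin"] = bytes(weights)
    return copy


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ARTIFACTS, "training-pipeline", "1.0")
    signature = sign_manifest(manifest, DEMO_KEY)
    print("clean:", verify_artifacts(manifest, signature, DEMO_KEY, SAMPLE_ARTIFACTS))
    print("tampered weights:", verify_artifacts(manifest, signature, DEMO_KEY, tampered_weights()))
    # Re-hashing the tampered weights into a fresh manifest does not help an
    # attacker without the signing key: the signature no longer matches.
    forged = build_manifest(tampered_weights(), "training-pipeline", "1.0")
    print("forged manifest:", verify_artifacts(forged, signature, DEMO_KEY, tampered_weights()))
```

The verification order matters: the signature is checked before any digest is trusted, the comparison is constant-time, and an artifact that is present but not listed is treated as a failure rather than ignored, which is what catches an extra file dropped in beside the weights. With a real deployment the shared key would be replaced by a public key held by the verifier, so a compromised training host cannot both tamper with the weights and re-sign the manifest.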