insidejob

MITRE ATLAS: the adversarial threat matrix for AI systems

MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is the definitive knowledge base for adversarial threats to AI. Think of it as MITRE ATT&CK, but specifically for machine learning systems. As of v5.4.0 (February 2026), it contains 16 tactics, 84 techniques, 56 sub-techniques, 32 mitigations, and 42 real-world case studies.

What ATLAS covers

ATLAS maps the adversarial ML attack lifecycle — from initial reconnaissance through impact. The 16 tactics represent the “why” of an attack (the adversary’s goal at each stage), while the 84 techniques represent the “how.”

Key tactics

| Tactic | Description | Example |
| --- | --- | --- |
| Reconnaissance | Gathering information about the ML system | Probing API endpoints to discover model architecture |
| Resource Development | Building tools for the attack | Creating adversarial examples, training surrogate models |
| Initial Access | Getting first interaction with the model | Prompt injection, data poisoning |
| ML Attack Staging | Preparing the ML-specific attack | Crafting adversarial inputs, model extraction |
| Exfiltration | Extracting data from the ML system | Model stealing via API queries, training data extraction |
| Impact | Achieving the attacker’s objective | Model degradation, misclassification, denial of service |

Agentic AI expansion (2026)

The February 2026 update (v5.4.0) added techniques specifically targeting agentic AI systems — AI that takes autonomous actions like running code, browsing the web, and managing infrastructure. New techniques include:

  • Tool manipulation — adversaries compromise or impersonate tools the agent uses
  • Instruction hierarchy exploitation — bypassing system-level instructions via context manipulation
  • Agent chain poisoning — injecting malicious instructions that propagate through multi-agent workflows

How to use ATLAS

For threat modeling

  1. Identify which ATLAS tactics apply to your AI system
  2. Map applicable techniques to your threat model
  3. Cross-reference with the 32 mitigations
  4. Use the ATLAS Navigator (free tool) to visualize coverage gaps

For red teaming

ATLAS provides the Arsenal — a collection of tools for adversarial testing of ML systems. Combined with the technique descriptions and case studies, it’s a practical playbook for AI red teams.

Integration with existing frameworks

ATLAS is designed to complement, not replace:

  • OWASP LLM Top 10 — focuses on application-layer risks for LLM-powered products
  • NIST AI RMF — governance and risk management framework
  • MITRE ATT&CK — traditional cyber attack framework (ATLAS extends this for ML)

The ATLAS team publishes data in STIX 2.1 format, enabling automated ingestion into SIEMs, threat intelligence platforms, and security orchestration tools.
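The threat-modeling steps and the STIX 2.1 ingestion described above, combined in an added example (not ATLAS project code). It reads a STIX 2.1 bundle and lists in-scope techniques that none of your deployed mitigations address. It assumes techniques are attack-pattern objects, mitigations are course-of-action objects, and they are linked by "mitigates" relationships (all standard STIX 2.1); the bundle, names, tactic labels and ids are constructed placeholders, and sid, technique, mitigation, mitigates and coverage_gaps are hypothetical helper names.

```python
from collections import defaultdict

def sid(kind, n):
    # Constructed placeholder STIX id (type--UUID); not a real ATLAS identifier.
    return f"{kind}--00000000-0000-4000-8000-{n:012d}"

def technique(n, name, tactic, **extra):
    phase = {"kill_chain_name": "example-atlas", "phase_name": tactic}
    return {"type": "attack-pattern", "spec_version": "2.1", "id": sid("attack-pattern", n),
            "name": name, "kill_chain_phases": [phase], **extra}

def mitigation(n, name):
    return {"type": "course-of-action", "spec_version": "2.1",
            "id": sid("course-of-action", n), "name": name}

def mitigates(n, m, t):
    return {"type": "relationship", "spec_version": "2.1", "id": sid("relationship", n),
            "relationship_type": "mitigates",
            "source_ref": sid("course-of-action", m), "target_ref": sid("attack-pattern", t)}

# Constructed sample bundle, trimmed to the properties this code reads.
SAMPLE_BUNDLE = {"type": "bundle", "id": sid("bundle", 0), "objects": [
    technique(1, "Tool manipulation", "initial-access"),
    technique(2, "Agent chain poisoning", "ml-attack-staging"),
    technique(3, "Training data extraction", "exfiltration"),
    technique(4, "Retired example technique", "exfiltration", revoked=True),
    mitigation(10, "Example: verify tool provenance"),
    mitigation(11, "Example: rate-limit model queries"),
    mitigates(20, 10, 1),
    mitigates(21, 11, 3),
]}

def coverage_gaps(bundle, in_scope_tactics, deployed_mitigations):
    """Map each in-scope tactic to techniques that no deployed mitigation covers."""
    live = [o for o in bundle["objects"] if not o.get("revoked")]  # skip revoked objects
    names = {o["id"]: o["name"] for o in live if "name" in o}
    covered_by = defaultdict(set)  # technique id -> names of mitigations that address it
    for o in live:
        if o["type"] == "relationship" and o["relationship_type"] == "mitigates":
            covered_by[o["target_ref"]].add(names.get(o["source_ref"]))
    gaps = defaultdict(list)
    for o in (x for x in live if x["type"] == "attack-pattern"):
        tactics = {p["phase_name"] for p in o.get("kill_chain_phases", [])}
        if not covered_by[o["id"]] & set(deployed_mitigations):
            for tactic in sorted(tactics & set(in_scope_tactics)):
                gaps[tactic].append(o["name"])
    return {tactic: sorted(found) for tactic, found in gaps.items()}
```

Calling coverage_gaps(SAMPLE_BUNDLE, {"initial-access", "exfiltration"}, {"Example: verify tool provenance"}) reports the exfiltration technique as uncovered, because its only mitigation exists in the bundle but is not deployed.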

Why ATLAS matters now

With 255 model releases in Q1 2026 alone and agentic AI going mainstream (Claude Managed Agents, GPT-5.4 computer-use), the attack surface for AI systems is expanding faster than security practices can keep up. ATLAS provides a structured, evolving knowledge base that security teams can actually operationalize — not just another risk checklist.

70% of existing security controls can be adapted to fit ATLAS-identified threats. The gap is in the 30% that’s ML-specific: adversarial examples, model extraction, training data poisoning, and the new frontier of agentic exploitation.
