What is ATLAS (MITRE ATLAS — Adversarial Threat Landscape for AI Systems)?
MITRE's ATT&CK-style knowledge base of adversary behaviour against AI systems. It began in 2020 as the Adversarial ML Threat Matrix (a MITRE and Microsoft collaboration), was relaunched as ATLAS in 2021, and is updated continuously from published research and real-world incidents. It catalogs tactics, techniques, and case studies specific to AI/ML systems: model evasion, model inversion, training-data poisoning, prompt injection, model theft, and ML supply-chain compromise. Referenced by red teams and threat-intelligence reports.
Full explanation
ATLAS extends MITRE ATT&CK's adversary-centric taxonomy to AI systems, reusing ATT&CK tactic names where they apply and adding AI-specific tactics (ML Model Access, ML Attack Staging). Techniques are listed under the tactics they serve, for example: reconnaissance (searching public research and model cards, probing API behaviour), resource development (crafting adversarial data, preparing poisoned datasets), initial access (compromising the ML supply chain through model marketplaces and shared-weight repositories), execution (prompt injection, jailbreak), persistence (training-data poisoning, backdoored weights), defense evasion (evading the model, indirect prompt injection), and exfiltration (model extraction and training-data inference through the inference API). A single technique can sit under several tactics, and each technique carries mitigations and, where available, a case study of a real incident. Referenced by the OWASP Top 10 for LLM Applications (GenAI) project and by NIST AI RMF companion material, and widely used in enterprise AI threat modeling. Alongside the OWASP LLM Top 10, it is the primary structured taxonomy for AI threats.
Example
A red team uses ATLAS to plan an engagement: AML.T0015 (Evade ML Model) against the OCR component, AML.T0051 (LLM Prompt Injection) against the chatbot, and AML.T0024.002 (Extract ML Model, a sub-technique of Exfiltration via ML Inference API) against the inference API, testing whether its rate limits actually stop the high-volume querying that extraction needs. The engagement report maps each finding to its ATLAS technique ID so the security org can roll findings up by tactic in its threat model. ATLAS IDs always carry the AML. prefix (AML.T... for techniques, AML.TA... for tactics), which keeps them distinct from ATT&CK IDs.
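A concrete form of that roll-up, as an added example that is not part of the original page or of MITRE's own tooling: a small Python script that validates ATLAS technique IDs, resolves a sub-technique to its parent's tactics, groups engagement findings by tactic, and emits an ATT&CK-Navigator-style layer. The catalog excerpt is a hand-entered subset (an assumption; in practice load the official ATLAS.yaml from the mitre-atlas/atlas-data repository and verify tactic assignments against the current release), the findings are constructed, and the layer's `domain` value is an assumed placeholder that must match whatever the deployed Navigator instance expects.

```python
import re
from collections import defaultdict

# Hand-constructed excerpt of the ATLAS technique catalog (assumption: a
# subset typed in for this example; replace with the official ATLAS.yaml).
# A sub-technique with an empty tactic list inherits its parent's tactics.
CATALOG = {
    "AML.T0015": {"name": "Evade ML Model",
                  "tactics": ["Initial Access", "Defense Evasion", "Impact"]},
    "AML.T0020": {"name": "Poison Training Data",
                  "tactics": ["Resource Development", "Persistence"]},
    "AML.T0024": {"name": "Exfiltration via ML Inference API",
                  "tactics": ["Exfiltration"]},
    "AML.T0024.002": {"name": "Extract ML Model", "tactics": []},
    "AML.T0051": {"name": "LLM Prompt Injection", "tactics": ["Execution"]},
}

# ATLAS technique IDs: "AML.T" + four digits, optionally ".NNN" for a sub-technique.
TECH_ID = re.compile(r"^(AML\.T\d{4})(?:\.\d{3})?$")

SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def resolve(tid):
    """Return (id, name, tactics) for a well-formed, catalogued technique ID,
    or None if the ID is malformed or unknown."""
    m = TECH_ID.match(tid)
    if m is None or tid not in CATALOG:
        return None
    entry = CATALOG[tid]
    # Fall back to the parent technique's tactics for sub-techniques.
    tactics = entry["tactics"] or CATALOG.get(m.group(1), {}).get("tactics", [])
    return tid, entry["name"], tactics


def roll_up(findings):
    """Group finding IDs by ATLAS tactic.
    Returns (by_tactic, unmapped); unmapped lists findings whose technique ID
    failed validation, so they are flagged instead of silently dropped."""
    by_tactic = defaultdict(list)
    unmapped = []
    for f in findings:
        r = resolve(f["technique"])
        if r is None:
            unmapped.append(f["id"])
            continue
        for tactic in r[2]:          # a technique may serve several tactics
            by_tactic[tactic].append(f["id"])
    return dict(by_tactic), unmapped


def navigator_layer(findings, name, domain="atlas"):
    """Build an ATT&CK-Navigator-style layer dict: one entry per technique,
    scored by the most severe finding against it. 'domain' is an assumed
    placeholder; set it to the value the deployed ATLAS Navigator expects."""
    per_tech = {}
    for f in findings:
        r = resolve(f["technique"])
        if r is None:
            continue
        tid = r[0]
        entry = per_tech.setdefault(tid, {"techniqueID": tid, "score": 0, "comment": ""})
        entry["score"] = max(entry["score"], SEVERITY_SCORE[f["severity"]])
        entry["comment"] += f"{f['id']} ({f['component']}); "
    return {"name": name, "domain": domain,
            "techniques": sorted(per_tech.values(), key=lambda t: t["techniqueID"])}


# Constructed findings for a hypothetical engagement, mirroring the example above.
# F-5 deliberately uses a bare "T0055" (missing the AML. prefix) to exercise validation.
FINDINGS = [
    {"id": "F-1", "component": "OCR", "technique": "AML.T0015", "severity": "high"},
    {"id": "F-2", "component": "chatbot", "technique": "AML.T0051", "severity": "critical"},
    {"id": "F-3", "component": "chatbot", "technique": "AML.T0051", "severity": "medium"},
    {"id": "F-4", "component": "inference API", "technique": "AML.T0024.002", "severity": "high"},
    {"id": "F-5", "component": "inference API", "technique": "T0055", "severity": "low"},
]

if __name__ == "__main__":
    grouped, bad = roll_up(FINDINGS)
    for tactic, ids in sorted(grouped.items()):
        print(f"{tactic:20} {', '.join(ids)}")
    print("unmapped (fix before the report goes out):", bad)
    print(navigator_layer(FINDINGS, "AI red team engagement"))
```

Two things the script enforces that a spreadsheet roll-up usually misses: a technique under several tactics (AML.T0015 here) is counted under each of them rather than one arbitrarily chosen tactic, and an ID that does not match the AML.T format or is absent from the catalog is reported as unmapped instead of quietly vanishing from the totals.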
FAQ
How is this different from OWASP LLM Top 10?
OWASP LLM Top 10 is a curated list of the ten highest-priority risk categories for LLM applications. ATLAS is a comprehensive technique catalog (dozens of techniques under ATT&CK-style tactics, each with mitigations and case studies). They're complementary: most security orgs use OWASP for prioritization and ATLAS for threat-modeling depth and as a common vocabulary for mapping findings.
Is it specific to LLMs?
No. ATLAS covers ML systems generally, including classifiers, recommenders, computer vision, audio, and the surrounding data, training, and deployment pipeline. LLM-specific techniques (prompt injection, jailbreak, meta-prompt extraction, plugin compromise) are a growing subset.