MITRE ATLAS

MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a knowledge base of adversarial tactics and techniques targeting machine learning systems, structured in the same format as MITRE ATT&CK. As of version 5.6.0, it covers 16 tactics, 101 parent techniques, 69 subtechniques, 35 mitigations, and 57 case studies.1

Structure

ATLAS uses the ATT&CK-style structure: techniques are organized by tactic (the adversary goal), with sub-techniques providing additional specificity. Mitigations are linked to techniques. Case studies document real-world incidents with technique mappings.

Key tactic categories include: Reconnaissance, Resource Development, Initial Access, ML Attack Staging, Exfiltration, and Impact.

Q1 2026 Developments

ATLAS expanded its agentic-threat coverage rapidly through early 2026, adding agent, memory, and supply-chain techniques across v5.3.0–v5.6.0.

v5.3.0 (January 2026) — Techniques contributed by Zenity Labs:

  • AI Service API exploitation
  • AI Agent Clickbait (browser manipulation)
  • Credential harvesting from agent tools
  • SesameOp case study (AML.CS0042): OpenAI Assistants API backdoor use for command and control
  • Three new case studies covering MCP server compromises and malicious AI agent deployment

v5.4.0 (February 2026):

  • “Publish Poisoned AI Agent Tool” — supply chain attack technique
  • “Escape to Host” — container/sandbox escape via agent tool execution

OpenClaw Investigation (February 9, 2026):

  • Dedicated investigation report identifying 7 new techniques unique to the OpenClaw campaign
  • Includes CVE-2026-25253
  • Case study AML.CS0050 (OpenClaw 1-Click Remote Code Execution, CVE-2026-25253)

Cross-mapping to OWASP ASI Top 10 now covers all 10 of 10 categories.

Counts verified against primary data

Version and counts are read from the mitre-atlas/atlas-data repository (v5.6.0), not vendor summaries. Earlier vendor-sourced figures (v5.4.0; 84 techniques) were stale; see the 2026-Q2 standards review.

Strengths

  • ATT&CK-style structure enables integration with existing SOC workflows and threat modeling tools
  • Most rapid agentic threat coverage expansion of any framework
  • OpenClaw Investigation demonstrates valuable rapid-response threat intelligence capability
  • Arsenal CALDERA plugin supports automated red team exercise integration (though shows no major 2026 updates)
  • Cross-maps to OWASP ASI Top 10 across all 10 categories

Known gaps and absence claims

  • Exclusively adversary-centric — catalogs attack techniques but provides no defensive control specifications.
  • Mitigations (35) are descriptive rather than prescriptive; none include implementation details, evidence criteria, or testing procedures.
  • Does not address non-adversarial AI failures, safety issues, or governance.
  • No incident response playbooks, IoCs, or forensic guidance.
  • Arsenal CALDERA plugin shows no major 2026 updates; still relies on Microsoft Counterfit library.
  • No technique models agent-to-agent trust exploitation or cascading multi-agent failure (the closest, AML.T0061 LLM Prompt Self-Replication, models prompt propagation through a data channel, not a trust chain).

The four claims above are stated falsifiably and survived an adversarial second pass in the MITRE ATLAS 2026-Q2 review (claim on multi-agent coverage narrowed after a partial refutation).

Coverage Against OWASP ASI Top 10

ASI CategoryCoverage
ASI01: Agent Goal Hijack● Specific techniques
ASI02: Tool Misuse● Specific techniques
ASI03: Identity & Privilege◐ Partial
ASI04: Supply Chain● Specific techniques
ASI05: Unexpected Code Execution (RCE)● Specific techniques (AML.T0105 Escape to Host; command/scripting execution)
ASI06: Memory Poisoning● AML.T0080 confirmed in-wild
ASI07: Insecure Inter-Agent◐ Partial
ASI08: Cascading Failures○ None
ASI09: Human-Agent Trust Exploitation○ None
ASI10: Rogue Agents◐ Partial

Mapping to the Agentic AI Security CMM and Reference Architecture

  • CMM domains touched: D2–D8, strongest on D4 (Runtime), D6 (Data, Memory & RAG), and D8 (Supply Chain). D9 (Operations) is thin; D1 (Governance) has no coverage. ATLAS supplies the threat model, not graded defensive criteria.
  • RA planes touched: Identity, Control, Runtime, Egress, Data, Observability.
  • Control-level detail and the full technique/mitigation crosswalk: the MITRE ATLAS 2026-Q2 review and the Standards Crosswalk.

Key Techniques (Agentic Focus)

  • AML.T0080 — AI Agent Context Poisoning: Memory (confirmed in-the-wild February 2026 by Microsoft)
  • “Publish Poisoned AI Agent Tool” — supply chain attack via marketplace
  • “Escape to Host” — sandbox/container escape
  • AI Service API exploitation, credential harvesting from agent tools

See Also

Notes

Sources

Footnotes

  1. MITRE ATLAS — atlas-data repository, data.yaml (v5.6.0) and source data files, retrieved 2026-05-27. 16 tactics, 101 parent techniques, 69 subtechniques, 35 mitigations, 57 case studies.