MITRE ATLAS

MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a knowledge base of adversarial tactics and techniques targeting machine learning systems, structured in the same format as MITRE ATT&CK. As of version 5.4.0, it covers 84 techniques, 16 tactics, 56 sub-techniques, 32 mitigations, and 42 case studies.

Structure

ATLAS uses the ATT&CK-style structure: techniques are organized by tactic (the adversary goal), with sub-techniques providing additional specificity. Mitigations are linked to techniques. Case studies document real-world incidents with technique mappings.

Key tactic categories include: Reconnaissance, Resource Development, Initial Access, ML Attack Staging, Exfiltration, and Impact.
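As an added illustration of this ATT&CK-style data model (not code from MITRE or the ATLAS project), the following Python builds a tiny knowledge base in that shape and answers two defender questions it enables: which mitigations apply to the techniques in a case study, and which techniques seen in case studies have no linked mitigation at all. Only AML.T0080, AML.CS0042 and AML.CS0050 are identifiers from this page; every other ID, name, tactic label and link is a constructed placeholder.

```python
from collections import defaultdict

# Constructed records in the ATT&CK-style shape ATLAS uses. AML.T0080, AML.CS0042
# and AML.CS0050 are IDs named on this page; every other ID, tactic label,
# mitigation and case-study-to-technique link below is a placeholder.
TECHNIQUES = {
    "AML.T0080": {"name": "AI Agent Context Poisoning", "tactic": "ML Attack Staging", "parent": None},
    "AML.T0080.000": {"name": "Memory", "tactic": "ML Attack Staging", "parent": "AML.T0080"},
    "AML.T9001": {"name": "Publish Poisoned AI Agent Tool", "tactic": "Resource Development", "parent": None},
    "AML.T9002": {"name": "Escape to Host", "tactic": "Privilege Escalation", "parent": None},
    "AML.T9003": {"name": "AI Service API Exploitation", "tactic": "Initial Access", "parent": None},
}
MITIGATIONS = {  # mitigation -> techniques it addresses (constructed)
    "AML.M9001": {"name": "Validate agent memory writes", "techniques": ["AML.T0080"]},
    "AML.M9002": {"name": "Vet tool marketplace submissions", "techniques": ["AML.T9001"]},
    "AML.M9003": {"name": "Monitor outbound AI API traffic", "techniques": ["AML.T9003"]},
}
CASE_STUDIES = {  # case study -> techniques observed (constructed mappings)
    "AML.CS0042": {"name": "SesameOp", "techniques": ["AML.T9003"]},
    "AML.CS0050": {"name": "Exposed OpenClaw Control Interfaces", "techniques": ["AML.T9002"]},
    "AML.CS9001": {"name": "Agent memory poisoning (placeholder)", "techniques": ["AML.T0080.000"]},
}

def root(tid):
    """Walk a sub-technique (AML.Txxxx.nnn) up to its parent technique."""
    parent = TECHNIQUES[tid]["parent"]
    return root(parent) if parent else tid

def mitigations_by_technique():
    """Invert the mitigation -> technique links into technique -> mitigations."""
    index = defaultdict(list)
    for mid, m in MITIGATIONS.items():
        for tid in m["techniques"]:
            index[tid].append(mid)
    return index

def mitigations_for_case(cs_id):
    """Mitigations linked to a case study's techniques, following sub-technique -> parent."""
    index = mitigations_by_technique()
    found = set()
    for tid in CASE_STUDIES[cs_id]["techniques"]:
        found.update(index.get(tid, []) + index.get(root(tid), []))
    return sorted(found)

def unmitigated_techniques():
    """Techniques seen in case studies with no mitigation on them or their parent: the gap list."""
    index = mitigations_by_technique()
    seen = {root(t) for cs in CASE_STUDIES.values() for t in cs["techniques"]}
    return sorted(t for t in seen if t not in index)
```

Run `unmitigated_techniques()` against the real ATLAS data to get the list of in-the-wild techniques that the framework's mitigations do not yet address, which is the gap the later sections of this page describe.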

Q1 2026 Developments

ATLAS had the most rapid agentic threat coverage expansion of any framework — 18 new techniques in one quarter.

v5.3.0 (January 2026) — Techniques contributed by Zenity Labs:

  • AI Service API exploitation
  • AI Agent Clickbait (browser manipulation)
  • Credential harvesting from agent tools
  • SesameOp case study (AML.CS0042): a backdoor that used the OpenAI Assistants API for command and control
  • Three new case studies covering MCP server compromises and malicious AI agent deployment

v5.4.0 (February 2026):

  • “Publish Poisoned AI Agent Tool” — supply chain attack technique
  • “Escape to Host” — container/sandbox escape via agent tool execution

OpenClaw Investigation (February 9, 2026):

  • Dedicated investigation report identifying 7 new techniques unique to the OpenClaw campaign
  • Includes CVE-2026-25253
  • Case study AML.CS0050 (Exposed OpenClaw Control Interfaces)

The cross-mapping to the OWASP ASI Top 10 now covers all 10 categories.

Data quality caveat

ATLAS version numbers (v5.3.0, v5.4.0) and exact technique counts are primarily sourced from Vectra AI (a commercial vendor) rather than MITRE’s official changelog. Independently verify exact counts from atlas.mitre.org.

Strengths

  • ATT&CK-style structure enables integration with existing SOC workflows and threat modeling tools
  • Most rapid agentic threat coverage expansion of any framework
  • OpenClaw Investigation demonstrates valuable rapid-response threat intelligence capability
  • Arsenal CALDERA plugin supports automated red team exercise integration (though it shows no major 2026 updates)
  • Cross-maps to OWASP ASI Top 10 across all 10 categories

Gaps and Shortcomings

  • Exclusively adversary-centric — catalogs attack techniques but provides no defensive control specifications
  • Mitigations (32) are descriptive rather than prescriptive; none include implementation details, evidence criteria, or testing procedures
  • Does not address non-adversarial AI failures, safety issues, or governance
  • No incident response playbooks, IoCs, or forensic guidance
  • Arsenal CALDERA plugin shows no major 2026 updates; still relies on Microsoft Counterfit library
  • Coverage of cascading failures (ASI08) is absent

Coverage Against OWASP ASI Top 10

ASI Category                    Coverage
ASI01: Agent Goal Hijack        ● Specific techniques
ASI02: Tool Misuse              ● Specific techniques
ASI03: Identity & Privilege     ◐ Partial
ASI04: Supply Chain             ● Specific techniques
ASI05: Data Disclosure          ◐ Partial
ASI06: Memory Poisoning         ● AML.T0080 confirmed in-wild
ASI07: Insecure Inter-Agent     ◐ Partial
ASI08: Cascading Failures       ○ None
ASI09: Missing Guardrails       ○ None
ASI10: Rogue Agents             ◐ Partial

Key Techniques (Agentic Focus)

  • AML.T0080 — AI Agent Context Poisoning: Memory (confirmed in-the-wild February 2026 by Microsoft)
  • “Publish Poisoned AI Agent Tool” — supply chain attack via marketplace
  • “Escape to Host” — sandbox/container escape
  • AI Service API exploitation, credential harvesting from agent tools

See Also