MITRE ATLAS
MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a knowledge base of adversarial tactics and techniques targeting machine learning systems, structured in the same format as MITRE ATT&CK. As of version 5.6.0, it covers 16 tactics, 101 parent techniques, 69 subtechniques, 35 mitigations, and 57 case studies.1
Structure
ATLAS uses the ATT&CK-style structure: techniques are organized by tactic (the adversary goal), with sub-techniques providing additional specificity. Mitigations are linked to techniques. Case studies document real-world incidents with technique mappings.
Key tactic categories include: Reconnaissance, Resource Development, Initial Access, ML Attack Staging, Exfiltration, and Impact.
Q1 2026 Developments
ATLAS expanded its agentic-threat coverage rapidly through early 2026, adding agent, memory, and supply-chain techniques across v5.3.0–v5.6.0.
v5.3.0 (January 2026) — Techniques contributed by Zenity Labs:
- AI Service API exploitation
- AI Agent Clickbait (browser manipulation)
- Credential harvesting from agent tools
- SesameOp case study (AML.CS0042): OpenAI Assistants API backdoor use for command and control
- Three new case studies covering MCP server compromises and malicious AI agent deployment
v5.4.0 (February 2026):
- “Publish Poisoned AI Agent Tool” — supply chain attack technique
- “Escape to Host” — container/sandbox escape via agent tool execution
OpenClaw Investigation (February 9, 2026):
- Dedicated investigation report identifying 7 new techniques unique to the OpenClaw campaign
- Includes CVE-2026-25253
- Case study AML.CS0050 (OpenClaw 1-Click Remote Code Execution, CVE-2026-25253)
Cross-mapping to OWASP ASI Top 10 now covers all 10 of 10 categories.
Counts verified against primary data
Version and counts are read from the
mitre-atlas/atlas-datarepository (v5.6.0), not vendor summaries. Earlier vendor-sourced figures (v5.4.0; 84 techniques) were stale; see the 2026-Q2 standards review.
Strengths
- ATT&CK-style structure enables integration with existing SOC workflows and threat modeling tools
- Most rapid agentic threat coverage expansion of any framework
- OpenClaw Investigation demonstrates valuable rapid-response threat intelligence capability
- Arsenal CALDERA plugin supports automated red team exercise integration (though shows no major 2026 updates)
- Cross-maps to OWASP ASI Top 10 across all 10 categories
Known gaps and absence claims
- Exclusively adversary-centric — catalogs attack techniques but provides no defensive control specifications.
- Mitigations (35) are descriptive rather than prescriptive; none include implementation details, evidence criteria, or testing procedures.
- Does not address non-adversarial AI failures, safety issues, or governance.
- No incident response playbooks, IoCs, or forensic guidance.
- Arsenal CALDERA plugin shows no major 2026 updates; still relies on Microsoft Counterfit library.
- No technique models agent-to-agent trust exploitation or cascading multi-agent failure (the closest,
AML.T0061LLM Prompt Self-Replication, models prompt propagation through a data channel, not a trust chain).
The four claims above are stated falsifiably and survived an adversarial second pass in the MITRE ATLAS 2026-Q2 review (claim on multi-agent coverage narrowed after a partial refutation).
Coverage Against OWASP ASI Top 10
| ASI Category | Coverage |
|---|---|
| ASI01: Agent Goal Hijack | ● Specific techniques |
| ASI02: Tool Misuse | ● Specific techniques |
| ASI03: Identity & Privilege | ◐ Partial |
| ASI04: Supply Chain | ● Specific techniques |
| ASI05: Unexpected Code Execution (RCE) | ● Specific techniques (AML.T0105 Escape to Host; command/scripting execution) |
| ASI06: Memory Poisoning | ● AML.T0080 confirmed in-wild |
| ASI07: Insecure Inter-Agent | ◐ Partial |
| ASI08: Cascading Failures | ○ None |
| ASI09: Human-Agent Trust Exploitation | ○ None |
| ASI10: Rogue Agents | ◐ Partial |
Mapping to the Agentic AI Security CMM and Reference Architecture
- CMM domains touched: D2–D8, strongest on D4 (Runtime), D6 (Data, Memory & RAG), and D8 (Supply Chain). D9 (Operations) is thin; D1 (Governance) has no coverage. ATLAS supplies the threat model, not graded defensive criteria.
- RA planes touched: Identity, Control, Runtime, Egress, Data, Observability.
- Control-level detail and the full technique/mitigation crosswalk: the MITRE ATLAS 2026-Q2 review and the Standards Crosswalk.
Key Techniques (Agentic Focus)
- AML.T0080 — AI Agent Context Poisoning: Memory (confirmed in-the-wild February 2026 by Microsoft)
- “Publish Poisoned AI Agent Tool” — supply chain attack via marketplace
- “Escape to Host” — sandbox/container escape
- AI Service API exploitation, credential harvesting from agent tools
See Also
- MITRE (publisher)
- OWASP Top 10 for Agentic Applications (ASI Top 10) — cross-mapped to ATLAS; complementary risk taxonomy
- Agentic AI Security Capability Maturity Model — ATLAS technique anchors (namespace-correct):
AML.T0051(LLM Prompt Injection),AML.T0054(LLM Jailbreak),AML.T0053(AI Agent Tool Invocation) → D4 Runtime;AML.T0080(AI Agent Context Poisoning),AML.T0070(RAG Poisoning),AML.T0020(Poison Training Data) → D6 Data;AML.T0104(Publish Poisoned AI Agent Tool),AML.T0010(AI Supply Chain Compromise),AML.T0109(Rug Pull) → D8 Supply Chain; ID-tagged evidence required at L3+. Full crosswalk: the 2026-Q2 standards review. - NIST AI Risk Management Framework (AI RMF) — governance complement; ATLAS provides the threat intelligence NIST lacks
- MITRE ATLAS — 2026-Q2 Standards Review — clause-level CMM crosswalk, ID corrections, and falsifiable absence claims.
- Threat Modeling for AI — uses ATLAS as the adversary-technique catalog for detection and red-team planning; Threat Taxonomy Reconciliation maps the
AML.T####techniques to ASI categories and CMM domains
Notes
Sources
Footnotes
-
MITRE ATLAS — atlas-data repository,
data.yaml(v5.6.0) and source data files, retrieved 2026-05-27. 16 tactics, 101 parent techniques, 69 subtechniques, 35 mitigations, 57 case studies. ↩