
L2.3.1 — What ATLAS is and how it relates to ATT&CK

Type: Theory · Duration: ~4 min · Status: Mandatory · Module: Module 2 — AI Security Foundations · Framework tags: MITRE ATLAS (introduction)

Learning objectives

  1. Define MITRE ATLAS in one sentence and state when to reach for it vs OWASP LLM Top 10.
  2. Explain ATLAS's relationship to MITRE ATT&CK at three levels: shape, scope, complementarity.

Core content

MITRE ATLAS — Adversarial Threat Landscape for Artificial-Intelligence Systems — is MITRE's free, public knowledge base of adversary tactics and techniques against AI/ML systems, modeled directly on MITRE ATT&CK. It exists because ATT&CK didn't have a natural home for AI-specific techniques (data poisoning, model extraction, ML supply-chain compromise) and the threat-modeling community needed a shared shorthand.

When to reach for ATLAS vs OWASP LLM Top 10

|  | OWASP LLM Top 10 | MITRE ATLAS |
| --- | --- | --- |
| Audience | Application teams, AppSec | Threat modelers, red-teamers, detection engineers |
| Granularity | 10 broad categories | ~70 specific techniques, organized by tactic |
| Use case | Code-review checklist; pre-launch review | Threat model; red-team plan; detection rule mapping |
| Updated by | OWASP community, version-controlled releases | MITRE, continuous updates |
| Maps cleanly to | Engineering controls | Adversary behaviors |

You'll use both. OWASP is your "did we cover the basics" checklist. ATLAS is your "what would an attacker actually do" planner.

ATLAS's relationship to ATT&CK

Three levels.

Shape. ATLAS uses the same vocabulary as ATT&CK. Tactics are the attacker's high-level goals (Reconnaissance, Initial Access, Defense Evasion, Impact, etc.). Techniques are the concrete how. Each technique has an ID — AML.T0051 for "LLM Prompt Injection" — the analog of T1059 for "Command and Scripting Interpreter" in ATT&CK. If you've used ATT&CK, you can read ATLAS without a learning curve.

Scope. ATT&CK covers the entire enterprise attack surface: endpoints, cloud, mobile, ICS. ATLAS covers AI/ML systems specifically. They overlap — an attacker who gains initial access via standard phishing (ATT&CK) then targets a model registry (ATLAS) traverses both. Real-world incidents typically need both frameworks to be described end to end.

Complementarity. ATLAS doesn't replace ATT&CK; it extends the coverage to AI. A complete threat model for an AI-bearing system uses ATT&CK for the classical infra/app/cloud layer and ATLAS for the AI-specific layer. Red-team plans reference both, often with techniques chained across.
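An added example, not part of the original lesson or any MITRE tooling: a small linter that tags each step of a threat-model chain as ATT&CK or ATLAS from the ID format alone, then reports steps with no mapping and chains that use only one framework. The chain text is constructed, T1566.001 (an ATT&CK phishing sub-technique) and AML.T0010 (ATLAS ML supply-chain compromise) are IDs the lesson does not quote, and the function names are illustrative.

```python
import re

# ATLAS IDs carry an "AML." prefix (AML.T0051); ATT&CK IDs do not (T1059).
# Both allow an optional three-digit sub-technique suffix (T1566.001).
# The lookbehind stops "XAML.T0051" or ".T0051" from matching as ATT&CK.
TECH_ID = re.compile(r"(?<![\w.])(AML\.)?(T\d{4}(?:\.\d{3})?)\b")

# Constructed threat-model chain following the lesson's phishing ->
# model registry example. The last step is deliberately left unmapped.
CHAIN = [
    "Initial access via phishing attachment (T1566.001)",
    "Script execution on the ML engineer's workstation (T1059)",
    "Tampered model pushed to the model registry (AML.T0010)",
    "Downstream assistant manipulated by prompt injection (AML.T0051)",
    "Impact on service availability",
]


def tag_step(step):
    """Return [(framework, technique_id), ...] found in one step."""
    return [("ATLAS" if m.group(1) else "ATT&CK", m.group(0))
            for m in TECH_ID.finditer(step)]


def review_chain(chain):
    """Tag every step and list the mapping gaps a reviewer should close."""
    tagged = [(step, tag_step(step)) for step in chain]
    findings = [f"step {i}: no technique ID"
                for i, (_, ids) in enumerate(tagged, 1) if not ids]
    used = {fw for _, ids in tagged for fw, _ in ids}
    for fw in ("ATT&CK", "ATLAS"):
        if fw not in used:
            findings.append(f"chain never references {fw}")
    return tagged, findings


if __name__ == "__main__":
    tagged, findings = review_chain(CHAIN)
    for step, ids in tagged:
        label = ", ".join(f"{fw}:{tid}" for fw, tid in ids) or "UNMAPPED"
        print(f"{label:22} {step}")
    for finding in findings:
        print("FINDING:", finding)
```

Tactic IDs such as TA0001 are ignored on purpose, so a step that names only a tactic still shows up as unmapped.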

Real-world example

ATLAS includes a "Case Studies" section with real-world incidents mapped to its tactics and techniques — the PoisonGPT incident, attacks on Microsoft Tay, the Bing system-prompt extraction, multiple academic adversarial-example demonstrations. Each case study lists the chain of techniques the attacker used. Reading three or four of them is the single best way to internalize the framework. We do this in L2.3.3.

Key terms

  • Tactic — an adversary's high-level goal at a step in their kill chain.
  • Technique — the concrete way an adversary achieves a tactic.
  • Technique ID — e.g., AML.T0051; the shorthand used in threat models and red-team plans.

References

  • MITRE ATLAS home — https://atlas.mitre.org/
  • MITRE ATT&CK home — https://attack.mitre.org/
  • ATLAS case studies — https://atlas.mitre.org/studies

Quiz items

  1. Q: In one sentence, the difference between OWASP LLM Top 10 and MITRE ATLAS? A: OWASP LLM Top 10 is a practitioner checklist of vulnerability classes; MITRE ATLAS is a knowledge base of adversary tactics and techniques modeled on ATT&CK.
  2. Q: True or false: an AI red-team plan typically uses only ATLAS. A: False. Real-world chains usually traverse both ATT&CK (classical layers) and ATLAS (AI-specific layer).

Video script (~520 words, ~3.5 min)

[SLIDE 1 — Title]

MITRE ATLAS. Four minutes. By the end you'll know what it is, when to reach for it vs OWASP, and how it relates to ATT&CK.

[SLIDE 2 — What ATLAS is]

MITRE ATLAS — Adversarial Threat Landscape for Artificial-Intelligence Systems — is MITRE's free, public knowledge base of adversary tactics and techniques against AI and ML systems, modeled directly on MITRE ATT&CK. It exists because ATT&CK didn't have a natural home for AI-specific techniques — data poisoning, model extraction, ML supply-chain compromise — and the threat-modeling community needed a shared shorthand.

[SLIDE 3 — When to reach for ATLAS vs OWASP]

When to reach for each. OWASP LLM Top 10 is your code-review checklist, your pre-launch review template. Ten broad categories. Application teams and AppSec use it. ATLAS is your threat-modeling and red-team planning tool. About seventy specific techniques, organized by tactic. Threat modelers, red-teamers, detection engineers use it. You'll use both, for different jobs. OWASP for "did we cover the basics." ATLAS for "what would an attacker actually do."

[SLIDE 4 — Relationship to ATT&CK: shape]

ATLAS's relationship to ATT&CK, level one: shape. Same vocabulary. Tactics are the attacker's high-level goals — Reconnaissance, Initial Access, Defense Evasion, Impact. Techniques are the concrete how. Each technique has an ID. AML.T0051 for "LLM Prompt Injection" — the analog of T1059 for "Command and Scripting Interpreter" in ATT&CK. If you've used ATT&CK, you can read ATLAS without a learning curve.

[SLIDE 5 — Relationship: scope]

Level two: scope. ATT&CK covers the entire enterprise attack surface — endpoints, cloud, mobile, ICS. ATLAS covers AI/ML systems specifically. They overlap. An attacker who gains initial access via standard phishing — ATT&CK — then targets a model registry — ATLAS — traverses both. Real incidents typically need both frameworks to be described end to end.

[SLIDE 6 — Relationship: complementarity]

Level three: complementarity. ATLAS doesn't replace ATT&CK. It extends the coverage to AI. A complete threat model for an AI-bearing system uses ATT&CK for the classical infra, app, and cloud layer, and ATLAS for the AI-specific layer. Red-team plans reference both, often with techniques chained across.

[SLIDE 7 — Case studies anchor]

ATLAS includes a "Case Studies" section with real-world incidents mapped to its tactics and techniques. PoisonGPT. Tay. Bing system-prompt extraction. Multiple academic adversarial-example demonstrations. Each case study lists the chain of techniques used. Reading three or four of them is the single best way to internalize the framework. We do this in lesson L2.3.3.

[SLIDE 8 — Up next]

Next lesson: ATLAS tactics — the AI kill chain — in five minutes. See you there.

Slide outline

  1. Title — "What ATLAS is and how it relates to ATT&CK".
  2. What ATLAS is — ATLAS logo + 1-line definition.
  3. When to reach for each — comparison table (OWASP vs ATLAS).
  4. Relationship: shape — side-by-side technique pages from ATT&CK (T1059) and ATLAS (AML.T0051) showing identical structure.
  5. Relationship: scope — Venn-style: ATT&CK covers enterprise; ATLAS covers AI; intersection is real.
  6. Relationship: complementarity — chained attack: phishing (ATT&CK) → model registry (ATLAS) → impact.
  7. Case studies anchor — screenshot of ATLAS case-studies page; arrow to "L2.3.3".
  8. Up next — "L2.3.2 — ATLAS tactics, ~5 min."

Production notes

  • Recording: ~3.5–4 min. Cap 5.
  • Slide 4 should be a real screenshot pair (ATT&CK and ATLAS technique pages) — visually anchors the "same shape" claim.