L2.3.3 — Reading ATLAS techniques and case studies

Type: Theory · Duration: ~5 min · Status: Mandatory
Module: Module 2 — AI Security Foundations
Framework tags: MITRE ATLAS (techniques + case studies)

Learning objectives

  1. Read an ATLAS technique page and extract: the technique ID, mitigations, related techniques, and case-study references.
  2. Use ATLAS technique IDs to label findings in a red-team report.

Core content

Anatomy of an ATLAS technique page

Every technique page follows the same structure. Take AML.T0051 — LLM Prompt Injection as the running example.

  • Header. Technique ID (AML.T0051), name, parent tactic (Initial Access or Defense Evasion depending on use), and any sub-techniques (AML.T0051.000 Direct, AML.T0051.001 Indirect).
  • Description. 2–4 paragraphs explaining what the technique is and why it works. Plain English; assumes ML literacy.
  • Procedure examples. Specific known instances of the technique in the wild, each linking to a case study if available.
  • Mitigations. Defenses that reduce the technique's effectiveness. Each mitigation has its own ID (AML.M0008, etc.) and its own page describing how to implement.
  • Related techniques. Cross-references to other ATLAS techniques that chain with this one.

What to extract when you're using the page in real work:

  • The ID for citation in your findings.
  • The mitigations list to inform your defense planning.
  • The related techniques to identify chains the attacker could pivot through.

Anatomy of an ATLAS case study

Case studies are real-world incident reconstructions. Each one names the incident, describes it briefly, lists the chain of tactics and techniques the attacker walked, and cites the original source.

Three case studies worth reading carefully (they recur as references in this course):

  • PoisonGPT — supply-chain + staging chain.
  • Microsoft Tay — data-poisoning at runtime.
  • VirusTotal Eclipse — extraction + evasion against an ML-based malware classifier.

Read at least three case studies before you start the L2.6 lab. The pattern recognition transfers.

Using ATLAS IDs in your reports

A finding in a red-team or pentest report should reference techniques by ID. Example:

Finding R2-04 — Indirect Prompt Injection via Retrieved Document

Severity: High · ATLAS: AML.T0051.001 (Indirect Prompt Injection) chained with AML.T0048 (Erode ML Model Integrity) · OWASP LLM: LLM01 (Prompt Injection), LLM02 (Insecure Output Handling) · NIST AI RMF: Measure 2.7 · EU AI Act: Article 15 (Accuracy, robustness, cybersecurity for high-risk systems)

The retrieval corpus accepts content from any authenticated user. An attacker can plant instructions in a document; on retrieval, the model executes them.…

Multi-framework tagging in one line. This is the deliverable shape we'll use throughout the course, the capstone, and any client-facing red-team work.

Where to actually look this up

  • ATLAS Matrix view: https://atlas.mitre.org/matrices/ — visual table of tactics × techniques.
  • Technique lookup: https://atlas.mitre.org/techniques/AML.T0051 (substitute the ID).
  • Case studies: https://atlas.mitre.org/studies/.
  • ATLAS GitHub repo: https://github.com/mitre-atlas — file issues here if you find new techniques worth submitting.
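
The following is an added example, not part of the course material or any MITRE tooling: a small Python lint for the finding header shape shown under "Using ATLAS IDs in your reports". It checks that all four framework tags are present, validates each ATLAS ID, splits sub-techniques from their parent, and builds the lookup URL using the substitution pattern listed above. The ID regex is an assumption inferred from the IDs this lesson shows, and `parse_tags`, `lint_finding` and the sample text are hypothetical names and constructed data.

```python
import re

# Assumed ID shape, inferred from the IDs this lesson shows:
# techniques AML.T#### with optional .### sub-technique, mitigations AML.M####.
STRICT_ID = re.compile(r"^AML\.(T\d{4}(\.\d{3})?|M\d{4})$")
LOOSE_ID = re.compile(r"\bAML\.[A-Za-z0-9.]+")  # anything that looks like an ID attempt
REQUIRED_TAGS = ("ATLAS", "OWASP LLM", "NIST AI RMF", "EU AI Act")
TECHNIQUE_URL = "https://atlas.mitre.org/techniques/"  # lookup pattern from this lesson

# Constructed sample: the lesson's finding header, one tag per line, plus a
# deliberately malformed ID (AML.T51) to show what the lint catches.
SAMPLE_FINDING = """\
Finding R2-04 - Indirect Prompt Injection via Retrieved Document
Severity: High
ATLAS: AML.T0051.001 (Indirect Prompt Injection) chained with AML.T0048 (Erode ML Model Integrity), AML.T51
OWASP LLM: LLM01 (Prompt Injection), LLM02 (Insecure Output Handling)
NIST AI RMF: Measure 2.7
EU AI Act: Article 15
"""


def parse_tags(text):
    """Return {label: value} for each 'Label: value' line of a finding header."""
    tags = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep and value.strip():
            tags[label.strip()] = value.strip()
    return tags


def lint_finding(text):
    """Check framework tags and ATLAS IDs; return a report dict for the reviewer."""
    tags = parse_tags(text)
    report = {"missing_tags": [t for t in REQUIRED_TAGS if t not in tags],
              "techniques": [], "mitigations": [], "malformed": []}
    for token in LOOSE_ID.findall(tags.get("ATLAS", "")):
        token = token.rstrip(".")  # drop sentence punctuation glued to the ID
        if not STRICT_ID.match(token):
            report["malformed"].append(token)
        elif token.startswith("AML.M"):
            report["mitigations"].append(token)
        else:
            parts = token.split(".")  # ["AML", "T0051"] or ["AML", "T0051", "001"]
            parent = ".".join(parts[:2]) if len(parts) == 3 else None
            report["techniques"].append(
                {"id": token, "parent": parent, "url": TECHNIQUE_URL + token})
    return report


if __name__ == "__main__":
    print(lint_finding(SAMPLE_FINDING))
```

A format check only confirms the ID is well-formed; whether the ID names the technique you mean still has to be confirmed on the technique page itself.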

Real-world example

In 2024, security researcher Johann Rehberger publicly documented a chain against Microsoft Copilot involving indirect prompt injection and tool abuse, with every step mapped to ATLAS technique IDs. The map turned a long discovery narrative into a single-page summary that engineering teams could action. That's the operational value of ATLAS — it gives you a shared shorthand that compresses a complex incident into something a stakeholder can read in a minute.

Key terms

  • Sub-technique — a more specific variant of a parent technique (e.g., AML.T0051.001 for Indirect Prompt Injection under AML.T0051 Prompt Injection).
  • Mitigation ID — an AML.M#### identifier for a defense.
  • Multi-framework tagging — citing ATLAS, OWASP, NIST, and EU AI Act on a single finding.

References

  • ATLAS Matrix — https://atlas.mitre.org/matrices/
  • AML.T0051 page — https://atlas.mitre.org/techniques/AML.T0051
  • ATLAS Case Studies — https://atlas.mitre.org/studies
  • Johann Rehberger's blog (research write-ups using ATLAS framing) — https://embracethered.com/

Quiz items

  1. Q: You're writing a finding for an indirect prompt injection via a poisoned retrieved document. What ATLAS ID is most appropriate? A: AML.T0051.001 (Indirect Prompt Injection).
  2. Q: What's the value of multi-framework tagging on a single finding? A: It lets the same finding speak the language of engineers (OWASP), threat modelers/red-teamers (ATLAS), governance (NIST AI RMF), and regulators (EU AI Act) without re-writing for each audience.

Video script (~620 words, ~4.5 min)

[SLIDE 1 — Title]

Reading ATLAS techniques and case studies. Five minutes. By the end you'll know how to read a technique page, what's in a case study, and how to label findings in your reports.

[SLIDE 2 — Anatomy of a technique page]

Every ATLAS technique page follows the same structure. Take AML.T0051 — LLM Prompt Injection — as the running example. Header: technique ID, name, parent tactic, sub-techniques. Description: a few paragraphs explaining what the technique is and why it works. Procedure examples: specific known instances in the wild. Mitigations: defenses that reduce effectiveness, each with its own ID. Related techniques: cross-references for chains.

[SLIDE 3 — What to extract]

When you're using the page in real work, extract three things. The ID for citation in your findings. The mitigations list to inform defense planning. The related techniques to identify pivot chains. That's it. The technique pages have more detail; in operational work, those three fields are what you'll actually use.

[SLIDE 4 — Anatomy of a case study]

Case studies are real-world incident reconstructions. Each one names the incident, describes it briefly, lists the chain of tactics and techniques the attacker walked, and cites the original source. Three I'd recommend reading carefully before you start the L2.6 lab. PoisonGPT — supply-chain plus staging chain. Microsoft Tay — data-poisoning at runtime. VirusTotal Eclipse — extraction plus evasion against an ML-based malware classifier. The pattern recognition transfers.

[SLIDE 5 — Using ATLAS IDs in reports]

Using ATLAS IDs in your reports. A finding in a red-team or pentest report should reference techniques by ID. Here's the shape. Finding R2-04, Indirect Prompt Injection via Retrieved Document, severity high. ATLAS: AML.T0051.001 chained with AML.T0048. OWASP LLM: LLM01, LLM02. NIST AI RMF: Measure 2.7. EU AI Act: Article 15.

Multi-framework tagging in a single line. This is the deliverable shape we'll use throughout the course, the capstone, and any client-facing red-team work. Different stakeholders read different framework languages. Tagging once and pointing at all of them lets the finding speak to all stakeholders without re-writing.

[SLIDE 6 — Where to actually look it up]

Where to look it up. ATLAS Matrix view — atlas.mitre.org/matrices — visual table of tactics by techniques. Technique lookup — atlas.mitre.org/techniques/AML.T-something — substitute the ID. Case studies — atlas.mitre.org/studies. The ATLAS GitHub repo — github.com/mitre-atlas — where you file issues if you find new techniques worth submitting upstream.

[SLIDE 7 — One real-world anchor]

One real-world anchor. In 2024, security researcher Johann Rehberger publicly documented a chain against Microsoft Copilot involving indirect prompt injection and tool abuse, with every step mapped to ATLAS IDs. The map turned a long discovery narrative into a single-page summary that engineering teams could action. That's the operational value of ATLAS. A shared shorthand that compresses a complex incident into something a stakeholder can read in a minute.

[SLIDE 8 — Up next]

ATLAS is done. Next four lessons walk the OWASP Top 10 for LLMs in detail. Then NIST and EU AI Act. Then your first threat-modeling lab. See you there.

Slide outline

  1. Title — "Reading ATLAS techniques and case studies".
  2. Anatomy of a technique page — annotated screenshot of an ATLAS technique page.
  3. What to extract — three callouts: ID · mitigations · related techniques.
  4. Anatomy of a case study — annotated screenshot of an ATLAS case-study page.
  5. Using IDs in reports — full-text finding mockup with multi-framework tagging.
  6. Where to look it up — URLs as quick-reference card.
  7. Rehberger anchor — link to write-up + short summary.
  8. Up next — "L2.4.1 — OWASP LLM Top 10 overview, ~4 min."

Production notes

  • Recording: ~4.5 min. Cap 5.
  • Slides 2 and 4 need real ATLAS screenshots — refresh annually as ATLAS updates.