MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a structured knowledge framework that systematically catalogs the tactics, techniques, and procedures (TTPs) used to compromise AI-enabled systems. Modeled directly on the widely adopted MITRE ATT&CK framework for enterprise cybersecurity, ATLAS provides a common taxonomy for describing adversarial actions across the machine learning lifecycle, from data poisoning during training to evasion attacks and model theft at inference time.
Glossary
MITRE ATLAS

What is MITRE ATLAS?
MITRE ATLAS is a globally accessible, living knowledge base of adversarial tactics, techniques, and case studies for AI systems, modeled after the MITRE ATT&CK framework to standardize the taxonomy of AI security threats.
The framework documents real-world case studies and threat actor profiles, mapping specific vulnerabilities like prompt injection, backdoor attacks, and membership inference to standardized technique IDs. This enables AI security researchers and red teams to conduct structured threat modeling, assess defensive coverage, and communicate risk using a shared, vendor-neutral language that bridges the gap between traditional cybersecurity operations and specialized machine learning engineering.
Core Components of MITRE ATLAS
MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a globally accessible, living knowledge base that adapts the proven ATT&CK framework to the unique attack surface of AI. It standardizes the taxonomy of tactics, techniques, and procedures (TTPs) used against machine learning systems.
Techniques & Sub-techniques
Each tactic in the ATLAS Matrix is broken down into specific techniques—the concrete actions an adversary takes to achieve a tactical goal. These are further refined into sub-techniques for granular precision.
- Technique Example: Under the 'ML Model Access' tactic, the technique 'ML-Enabled Product or Service' describes exploiting a public-facing AI service.
- Sub-technique Example: This technique includes 'Discover ML Model Ontology' (mapping the model's input/output structure) and 'Discover ML Model Family' (identifying the base architecture, like GPT or ResNet).
- Technique ID: Each technique receives a unique identifier (e.g.,
AML.T0000) for unambiguous cross-referencing, mirroring the ATT&CK ID system.
Integration with ATT&CK
ATLAS does not replace MITRE ATT&CK; it extends it. The framework explicitly maps AI-specific techniques to their traditional cybersecurity counterparts, acknowledging that AI systems run on conventional IT infrastructure.
- Dual-Use Techniques: A technique like 'Valid Accounts' applies to both cloud infrastructure (ATT&CK) and ML model registries (ATLAS).
- Bridging the Gap: An adversary might use a classic ATT&CK technique like 'Exploit Public-Facing Application' to gain initial access, then pivot to an ATLAS technique like 'Craft Adversarial Data' to achieve impact.
- Unified Defense: This integration allows Security Operations Centers (SOCs) to incorporate AI threat detection into their existing ATT&CK-based workflows and SIEM tools.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Frequently Asked Questions
Clear, technical answers to the most common questions about the MITRE ATLAS framework for adversarial AI threat intelligence.
MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a globally accessible, living knowledge base of adversarial tactics, techniques, and case studies for AI systems, modeled directly after the MITRE ATT&CK framework. It works by providing a standardized taxonomy that security practitioners use to classify, report, and analyze attacks targeting machine learning pipelines. The framework is structured around a matrix that maps tactics (the adversary's goals, such as ML Model Access or Exfiltration via ML Inference API) to specific techniques (the methods used to achieve those goals, such as Evade ML Model or Craft Adversarial Data). Each technique entry includes detailed procedures, mitigations, and references to real-world incidents, enabling red teams and defenders to speak a common language when modeling threats to AI systems.
Related Terms
Explore the core components of the MITRE ATLAS framework and the adversarial techniques it standardizes for AI system security.
ML-Specific Tactics
While ATLAS inherits many tactics from traditional cybersecurity, it introduces unique categories specific to the AI lifecycle.
- ML Model Access: The adversary's method of interfacing with the model, categorized as White-Box, Black-Box, or Physical Access.
- Exfiltration via ML Model: Stealing sensitive training data through techniques like Model Inversion or Membership Inference.
- Evade ML Model: The classic adversarial example attack, where an input is perturbed to cause a misclassification at inference time.
Mitigations
For each adversarial technique, ATLAS provides a corresponding set of defensive mitigations to harden the AI system.
- Mitigations are mapped to the specific techniques they counter, such as using Adversarial Training to defend against Evade ML Model.
- Recommendations span the entire lifecycle, from robust data sanitization in the supply chain to runtime input validation.
- This mapping allows security architects to build a layered defense-in-depth strategy for their machine learning operations.
ATT&CK Integration
ATLAS is designed to complement, not replace, the existing MITRE ATT&CK enterprise framework.
- It extends ATT&CK by adding a dedicated machine learning domain to the existing enterprise matrix.
- Adversaries often chain traditional IT attacks (e.g., exploiting a web server) with ML-specific techniques (e.g., poisoning the retraining pipeline).
- This integration enables a unified threat model where a single intrusion can be tracked across both conventional and AI-specific attack surfaces.
Adversarial Threat Landscape
The ATLAS framework categorizes the primary threats to AI systems into a structured taxonomy.
- Evasion Attacks: Manipulating the input to cause incorrect model output at inference time, such as Adversarial Patches in the physical world.
- Poisoning Attacks: Compromising the training data to insert a Backdoor Trigger that activates malicious behavior.
- Oracle Attacks: Querying a model's API to steal intellectual property or reconstruct private training data.
- Exfiltration: Using the model itself as a channel to encode and leak sensitive information.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us