What Is MITRE ATLAS? The AI ATT&CK
MITRE ATLAS is a public, ATT&CK-style knowledge base of the tactics, techniques, and real-world case studies that adversaries use against AI and machine-learning systems.
In 2020, Microsoft's red team ran an attack against an internal machine-learning model that auto-provisioned cloud resources. They never touched the code. They queried the model's API enough to rebuild a working copy, found inputs the copy mishandled, and used those to make the production model approve resources it should have denied. Extraction first, then evasion developed against the stolen copy. That case, and dozens like it, is now a numbered entry in a public knowledge base.
That knowledge base is MITRE ATLAS. It is the field map for attacks on AI and machine-learning systems, built in the exact shape of MITRE ATT&CK so that a defender who already thinks in tactics and techniques can point the same mental model at a model instead of a host. As SOCs wire ML into detection and the business wires large language models into everything else, the model becomes an attack surface, and ATLAS is the catalog of how that surface gets hit.
This guide defines MITRE ATLAS, walks its 16-tactic matrix and how it extends ATT&CK, shows the real case studies it documents, and covers how a blue team actually uses it for threat modeling and red-teaming. It is written for SOC analysts, detection engineers, and DFIR practitioners who now have to defend AI systems, not just the infrastructure under them.
What is MITRE ATLAS?
MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a public, living knowledge base of the tactics, techniques, and real-world case studies that adversaries use against AI-enabled systems. It is structured the same way as MITRE ATT&CK: adversary goals across the top as tactics, the methods to achieve each goal underneath as techniques, and documented incidents tying those techniques to systems that were actually attacked.
The point of ATLAS is shared language. Before it, attacks on ML systems were scattered across academic papers, vendor blogs, and conference talks, each with its own vocabulary. ATLAS gives them ATT&CK-style IDs, so a finding like "the attacker queried our fraud model's API to clone it" becomes a specific technique a team can name, map, and defend, rather than a one-off war story.
MITRE built ATLAS in collaboration with Microsoft and a community of industry and academic contributors. It started as the Adversarial ML Threat Matrix, created on October 23, 2020, and was relaunched as ATLAS in 2021. It is maintained as open data on GitHub and rendered at atlas.mitre.org, and it is updated on a release cadence. The current release is ATLAS 2026.05, last modified May 27, 2026.
Two things make ATLAS distinct from a generic AI-risk checklist. First, it is adversary-centric: it describes what attackers do, not what controls you should buy. Second, it is evidence-based: every technique is backed by published research or a documented incident, and the case studies are real attacks on real systems, not hypotheticals.
The MITRE ATLAS matrix: 16 tactics
ATLAS is laid out as a matrix, exactly like ATT&CK. The columns are tactics, the adversary's objective at each stage. Reading left to right traces an attack on an AI system from early reconnaissance through to impact. Under each tactic sit the techniques that accomplish it.
The current release defines 16 tactics. Most are ATT&CK tactics reused verbatim, because once an attacker is inside an environment, moving toward an AI system looks like any other intrusion. Two are unique to ATLAS, and they are the ones that matter most for AI defense.
| ATLAS tactic | What the adversary is trying to do | Origin |
|---|---|---|
| Reconnaissance | Gather information about the target AI system and its ML stack | From ATT&CK |
| Resource Development | Build or acquire capabilities: datasets, adversarial tools, infrastructure | From ATT&CK |
| Initial Access | Get a foothold in the AI system or its supply chain | From ATT&CK |
| AI Model Access | Gain a level of access to the model itself, from API queries to full weights | Unique to ATLAS |
| Execution | Run malicious code, including via the AI system | From ATT&CK |
| Persistence | Maintain a foothold, for example via a poisoned dataset or backdoored model | From ATT&CK |
| Privilege Escalation | Gain higher-level permissions | From ATT&CK |
| Defense Evasion | Avoid detection by security controls, including the AI's own safeguards | From ATT&CK |
| Credential Access | Steal account names and secrets | From ATT&CK |
| Discovery | Map the AI environment and its artifacts | From ATT&CK |
| Collection | Gather ML artifacts and data of interest | From ATT&CK |
| AI Attack Staging | Prepare the attack on the model: craft adversarial data, train a proxy, embed a backdoor | Unique to ATLAS |
| Command and Control | Communicate with compromised systems | From ATT&CK |
| Exfiltration | Steal the model, its data, or other ML artifacts | From ATT&CK |
| Lateral Movement | Pivot through the environment toward the AI system | From ATT&CK |
| Impact | Manipulate, degrade, or destroy the AI system, or use it for harm | From ATT&CK |
The two ATLAS-native tactics carry the AI-specific logic. AI Model Access describes the levels of access an attacker can have to a model, which is the central variable in ML attacks: querying a public API is a very different position from holding the model's weights, and the techniques available scale with it. AI Attack Staging covers the preparation unique to ML attacks: crafting adversarial examples, training a proxy model offline to develop an evasion against, or building the backdoor that a poisoning attack will implant. Those two tactics are where a host-and-network threat model has nothing useful to say and ATLAS earns its place.
As of the 2026.05 release, the matrix holds roughly 101 techniques (about 170 counting sub-techniques) across those 16 tactics. The counts grow with each release as new attacks are documented, which is why you cite a release version rather than a fixed number.
How ATLAS extends MITRE ATT&CK
ATLAS is deliberately not a replacement for ATT&CK. It is an extension that fills the gap ATT&CK was never built to cover: the model itself.
ATT&CK describes how adversaries operate against enterprise systems: hosts, networks, identities, cloud. It says nothing about poisoning a training set, crafting an adversarial example, or extracting a model through its API, because those are not attacks on the operating system or the network. They are attacks on the statistical artifact the system depends on. ATLAS adds exactly that layer and reuses ATT&CK for everything else.
In practice the two interlock. A real attack on an AI system usually starts with ordinary intrusion (phishing for credentials, lateral movement toward the ML infrastructure), all of which ATT&CK already describes, and then pivots into the ATLAS-native tactics once the attacker reaches the model. ATLAS maps its shared tactics back to their ATT&CK identifiers precisely so a team can stitch the two halves of an attack into one chain.
| | MITRE ATT&CK | MITRE ATLAS |
|---|---|---|
| Scope | Enterprise hosts, networks, cloud, identity | AI and ML systems |
| What it adds | Adversary behavior against IT infrastructure | Attacks on the model: poisoning, evasion, extraction, inversion |
| Structure | Tactics and techniques with procedures | Same structure, plus AI-native tactics |
| AI-specific tactics | None | AI Model Access, AI Attack Staging |
| Relationship | The original | Built on it; reuses most tactics, maps IDs back |
The takeaway for a blue team: if you can read an ATT&CK matrix, you can read ATLAS on day one. The difference is two new columns and a technique set written for models instead of machines.
Real-world AI attacks documented in ATLAS
What separates ATLAS from a taxonomy is its case studies. Each one is a documented attack on an AI system, mapped to the ATLAS techniques it used, so a team can study how an abstract technique played out in reality. The 2026.05 release documents 57 case studies. A few illustrate the range.
- Evasion of an ML malware classifier. Researchers and red teams have repeatedly shown that a malware sample can be modified to keep its malicious behavior while flipping a static ML classifier's verdict to benign. The behavior survives; the model's label does not.
- Model extraction against a cloud ML service. The Microsoft internal red-team exercise that opens this guide: query a model's API enough to train a functional copy, then use the copy to develop evasions against the original. Extraction feeds evasion.
- Data poisoning through an open feedback loop. Microsoft's Tay chatbot in 2016 learned from live user interactions, users fed it coordinated abuse, and Microsoft pulled it within about a day. It is the clearest public demonstration of what happens when untrusted input becomes training input.
- Prompt injection and jailbreaks against LLMs. Hidden instructions in content an LLM reads, or crafted prompts that talk a model out of its safety rules, turn an assistant into a tool for the attacker. This is the dominant technique class for any LLM wired to tools or external data.
The value is not the headline, it is the mapping. Each case study lists the techniques in sequence, so a defender can ask: do we have any visibility into this step, and what would catch the next one? That is the same question ATT&CK case studies prompt for host intrusions, now asked about the model.
How to use MITRE ATLAS
ATLAS is a reference, not a product. The value comes from putting it to work in the processes a security team already runs. Four uses carry the weight.
Threat modeling for AI systems. Walk the matrix against your own AI deployment. For each tactic, ask what an attacker could do given the access your system exposes: a public API invites extraction and evasion; a model retrained on user-submitted data invites poisoning; an LLM wired to tools invites prompt injection that drives real actions. The matrix turns a blank-page exercise into a structured checklist of adversary objectives.
Red-teaming and AI security testing. ATLAS gives a red team a technique library to plan and scope an exercise against an AI system, and a shared vocabulary to report findings the blue team can act on. MITRE also maintains companion tooling, including the Arsenal plugin and adversarial-ML resources, to operationalize these tests.
Detection and monitoring gaps. Map your existing telemetry against the techniques. Most teams find the AI-native tactics are blind spots: nobody is logging model queries to catch extraction, watching for low-confidence spikes that signal evasion, or auditing prompts and tool calls on an LLM. ATLAS names the gap so you can close it with the same telemetry discipline you give any production system that makes decisions.
Governance, compliance, and shared language. Because ATLAS techniques have stable IDs, they give risk, audit, and engineering teams one vocabulary for AI threats, and a way to reference specific adversary behaviors in policy and assessments rather than vague "AI risk."
A practical starting sequence: get the team fluent in the matrix, map your AI systems end to end, run a threat-modeling pass per system, test the high-risk findings with a red-team exercise, instrument the gaps the test exposes, and re-run as the matrix and your systems change.
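The query-log checks named under "Detection and monitoring gaps" above, sketched as an added example (not code from ATLAS or MITRE tooling): it flags clients by query volume against the per-client median and by their share of low-confidence responses. The log schema, client names, and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict
from statistics import median

def build_sample_log():
    """Constructed one-hour inference log: (minute, client_id, top_class_confidence).
    Client names, fields and values are made up for illustration."""
    log = []
    for minute in range(60):
        log.append((minute, "app-web", 0.97))        # steady, confident traffic
        if minute % 2 == 0:
            log.append((minute, "app-batch", 0.97))
        if minute % 3 == 0:
            log.append((minute, "app-mobile", 0.93))
        for i in range(40):                          # sustained heavy querying
            log.append((minute, "client-x", 0.60 + (i % 4) * 0.1))
        if minute < 30:                              # few queries, all near the boundary
            log.append((minute, "client-y", 0.51 + (minute % 3) * 0.01))
    return log

def review_clients(log, volume_factor=10, low_conf=0.65, low_share=0.5, min_queries=20):
    """Return {client: [reasons]} for clients worth an analyst's look.
    Thresholds are assumed starting points; tune them to the model's own baseline."""
    total = defaultdict(int)
    low = defaultdict(int)
    for _minute, client, confidence in log:
        total[client] += 1
        if confidence < low_conf:
            low[client] += 1
    # Median per-client volume is a baseline that one noisy client cannot drag upward.
    baseline = median(total.values())
    findings = {}
    for client, n in total.items():
        reasons = []
        if n > volume_factor * baseline:
            reasons.append("high_query_volume")      # the extraction blind spot
        if n >= min_queries and low[client] / n >= low_share:
            reasons.append("low_confidence_share")   # the evasion blind spot
        if reasons:
            findings[client] = reasons
    return findings

if __name__ == "__main__":
    for client, reasons in sorted(review_clients(build_sample_log()).items()):
        print(client, reasons)
```

A flag here is a triage signal rather than a verdict: a legitimate batch job can exceed the volume threshold, so the output feeds review alongside whatever the team already knows about each client.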
ATLAS and generative AI
ATLAS grew up alongside generative AI, and recent releases lean into it. LLMs and the agents built on them expand the attack surface, and ATLAS has added techniques and case studies for prompt injection, jailbreaks, retrieval-augmented-generation manipulation, and the abuse of AI assistants and copilots.
The shift that matters is from manipulating a model's output to driving its actions. A classifier that misfires returns a wrong label. An agentic AI system that can call tools, send email, or run code turns a successful prompt injection into a real action in the environment. ATLAS tracks that escalation, and it pairs with adjacent standards, NIST's adversarial-ML taxonomy and the OWASP Top 10 for LLM Applications, that name the same attacks from different angles. Use ATLAS for the technique catalog and real cases; use NIST and OWASP for the vocabulary and the risk framing.
Frequently Asked Questions
What is MITRE ATLAS?
MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a public knowledge base of adversary tactics, techniques, and real-world case studies targeting AI and machine-learning systems. It is structured like MITRE ATT&CK, with tactics as adversary goals and techniques as the methods to achieve them, and it is maintained by MITRE with community contributions.
What does MITRE ATLAS stand for?
ATLAS stands for Adversarial Threat Landscape for Artificial-Intelligence Systems. The name signals its purpose: a map of the adversarial threats that target AI systems, built in the style of MITRE ATT&CK.
How is MITRE ATLAS different from MITRE ATT&CK?
ATT&CK describes adversary behavior against enterprise IT: hosts, networks, cloud, and identity. ATLAS extends that model to the AI system itself, adding tactics and techniques for attacks on the model such as data poisoning, evasion, model extraction, and prompt injection. ATLAS reuses most ATT&CK tactics and adds two AI-native ones, AI Model Access and AI Attack Staging.
How many tactics does MITRE ATLAS have?
The current ATLAS release (2026.05) defines 16 tactics. Most are reused from ATT&CK, while two are unique to ATLAS: AI Model Access, which describes the attacker's level of access to the model, and AI Attack Staging, which covers preparing an attack such as crafting adversarial examples or embedding a backdoor.
What are ATLAS case studies?
ATLAS case studies are documented real-world attacks on AI systems, each mapped to the ATLAS techniques it used. They let defenders see how an abstract technique played out against an actual system and reason about detection and mitigation. The 2026.05 release documents 57 case studies.
How do you use MITRE ATLAS?
Teams use ATLAS to threat-model AI deployments tactic by tactic, to plan and scope red-team exercises against AI systems, to find detection and monitoring gaps in the AI layer, and to give risk and engineering teams a shared vocabulary with stable technique IDs. It is a reference framework, not a tool you install.
Is MITRE ATLAS free?
Yes. ATLAS is open and free to use, rendered at atlas.mitre.org and maintained as open data on GitHub. MITRE also publishes companion resources and tooling to help teams operationalize it.
The bottom line
MITRE ATLAS is ATT&CK pointed at the model. It takes the framework defenders already use, reuses most of it, and adds the two tactics that a host-and-network threat model cannot express: how an attacker gains access to a model, and how they stage an attack against it. Behind the matrix sit 16 tactics, roughly 101 techniques, and 57 documented case studies of real attacks on real AI systems, as of the 2026.05 release.
For a blue team, ATLAS is the on-ramp to defending AI. Walk the matrix against your own deployments, find the AI-native tactics nobody is watching, test them, and instrument them. As more of detection and the business runs on models, the model becomes a target with its own attack surface, and ATLAS is the map of how that surface gets hit and how to defend it.