Skip to content
All articles
July 1, 2026 10 min read

MITRE ATLAS, Explained: The Threat Matrix for AI Systems

By Chris Rees

If OWASP's LLM Top 10 tells you what can go wrong and the NIST AI RMF tells you how to govern it, MITRE ATLAS tells you how attackers actually operate against AI systems. It's the adversarial playbook — and it's exactly the threat-modeling lens CompTIA SecAI+ wants you to have.

What ATLAS is

ATLAS — Adversarial Threat Landscape for Artificial-Intelligence Systems — is a MITRE knowledge base of real-world tactics and techniques used to attack machine-learning systems. If you know MITRE ATT&CK, ATLAS is its AI-native counterpart: same structure, same tactic-and-technique grammar, but aimed at the ML attack surface instead of traditional enterprise IT.

It matters because it is grounded in observed attacks and red-team results, not hypotheticals. That makes it a common language for describing an AI incident: instead of "someone messed with the model," you can say precisely which tactic and technique were used.

ATT&CK vs. ATLAS in one line: ATT&CK maps how adversaries move through networks and endpoints; ATLAS maps how they move against models, training data, and ML pipelines. ATLAS deliberately reuses ATT&CK's format so the two compose into one threat picture.

The shape: tactics and techniques

ATLAS is organized as a matrix. The columns are tactics — the attacker's goal at each step (the "why"). Inside each tactic sit techniques — the specific ways to achieve it (the "how"). Read left to right and you get the arc of an attack, from studying the target to causing impact.

MITRE ATLAS tactics progress from reconnaissance and resource development through initial access and model access to attack staging, exfiltration and impact Reconnaissance Study the model & data Resource Dev Build tooling & data Initial Access Reach the system ML Model Access Query or reach the model ML Attack Staging Craft the exploit Exfiltration & Impact Steal, evade or disrupt
A representative ATLAS progression. The real matrix has more tactics, but the arc is the point: reconnaissance leads to access, access enables staging, staging enables impact.

The tactics that make ATLAS AI-specific

ATLAS shares much of ATT&CK's vocabulary, but a handful of tactics and techniques exist because the target is a model. These are the ones worth knowing cold:

ATLAS-flavored tactic Representative techniques
Reconnaissance Discover model family, gather published research, probe the API
ML Model Access Query-only (inference API) vs. full white-box access to weights
ML Attack Staging Craft adversarial examples, train a proxy model, build a backdoor
Exfiltration Model theft via extraction, training-data inference, prompt leakage
Impact Evasion, denial of ML service, integrity attacks on outputs

Notice how these line up with attacks you already know: data poisoning is staged in the pipeline, prompt injection rides in through model access, model extraction is exfiltration. ATLAS gives them a shared coordinate system.

How ATLAS fits with OWASP and NIST

Newcomers ask which framework is "the right one." They're not competitors — they answer different questions, and SecAI+ expects you to know which tool does which job.

Three frameworks answer three questions: OWASP lists the risks, ATLAS maps attacker behavior, and NIST AI RMF governs the response OWASP LLM Top 10 "What can go wrong?" A prioritized risk list MITRE ATLAS "How do attackers act?" Tactics & techniques NIST AI RMF "How do we govern it?" Govern · Map · Measure · Manage
Use them together: OWASP names the risks, ATLAS describes the adversary, and NIST frames the program that manages both.

You use ATLAS to threat-model: walk the tactics against your own AI system and ask, at each step, "could an attacker do this to us, and would we see it?" That exercise turns an abstract risk list into a concrete list of gaps.

Key takeaways

  • ATLAS is ATT&CK for AI — a knowledge base of real adversarial tactics and techniques against ML systems.
  • Tactics = goals, techniques = methods. Read the matrix left to right as the arc of an attack.
  • ML-specific tactics — model access, attack staging, model extraction — are what set it apart from ATT&CK.
  • Frameworks compose: OWASP lists risks, ATLAS maps the adversary, NIST governs the response.
  • Use ATLAS to threat-model your own system, tactic by tactic, to find real gaps.

Threat modeling with ATLAS is core to the governance and defense domains of SecAI+. Start with our SecAI+ Domain 1 study guide, or get All-Access for every domain as we release it.

Share this article

Ready to study?

Get the interactive SecAI+ Domain 1 guide — practice questions and a PDF.

Browse study guides