MITRE ATLAS, Explained: The Threat Matrix for AI Systems
By Chris Rees
If OWASP's LLM Top 10 tells you what can go wrong and the NIST AI RMF tells you how to govern it, MITRE ATLAS tells you how attackers actually operate against AI systems. It's the adversarial playbook — and it's exactly the threat-modeling lens CompTIA SecAI+ wants you to have.
What ATLAS is
ATLAS — Adversarial Threat Landscape for Artificial-Intelligence Systems — is a MITRE knowledge base of real-world tactics and techniques used to attack machine-learning systems. If you know MITRE ATT&CK, ATLAS is its AI-native counterpart: same structure, same tactic-and-technique grammar, but aimed at the ML attack surface instead of traditional enterprise IT.
It matters because it is grounded in observed attacks and red-team results, not hypotheticals. That makes it a common language for describing an AI incident: instead of "someone messed with the model," you can say precisely which tactic and technique were used.
The shape: tactics and techniques
ATLAS is organized as a matrix. The columns are tactics — the attacker's goal at each step (the "why"). Inside each tactic sit techniques — the specific ways to achieve it (the "how"). Read left to right and you get the arc of an attack, from studying the target to causing impact.
The tactics that make ATLAS AI-specific
ATLAS shares much of ATT&CK's vocabulary, but a handful of tactics and techniques exist because the target is a model. These are the ones worth knowing cold:
| ATLAS-flavored tactic | Representative techniques |
|---|---|
| Reconnaissance | Discover model family, gather published research, probe the API |
| ML Model Access | Query-only (inference API) vs. full white-box access to weights |
| ML Attack Staging | Craft adversarial examples, train a proxy model, build a backdoor |
| Exfiltration | Model theft via extraction, training-data inference, prompt leakage |
| Impact | Evasion, denial of ML service, integrity attacks on outputs |
Notice how these line up with attacks you already know: data poisoning is staged in the pipeline, prompt injection rides in through model access, model extraction is exfiltration. ATLAS gives them a shared coordinate system.
How ATLAS fits with OWASP and NIST
Newcomers ask which framework is "the right one." They're not competitors — they answer different questions, and SecAI+ expects you to know which tool does which job.
You use ATLAS to threat-model: walk the tactics against your own AI system and ask, at each step, "could an attacker do this to us, and would we see it?" That exercise turns an abstract risk list into a concrete list of gaps.
Key takeaways
- ATLAS is ATT&CK for AI — a knowledge base of real adversarial tactics and techniques against ML systems.
- Tactics = goals, techniques = methods. Read the matrix left to right as the arc of an attack.
- ML-specific tactics — model access, attack staging, model extraction — are what set it apart from ATT&CK.
- Frameworks compose: OWASP lists risks, ATLAS maps the adversary, NIST governs the response.
- Use ATLAS to threat-model your own system, tactic by tactic, to find real gaps.
Threat modeling with ATLAS is core to the governance and defense domains of SecAI+. Start with our SecAI+ Domain 1 study guide, or get All-Access for every domain as we release it.
Ready to study?
Get the interactive SecAI+ Domain 1 guide — practice questions and a PDF.
Browse study guides