MITRE ATLAS

MITRE ATLAS (Adversarial Threat Landscape for AI Systems) is a knowledge base of adversarial tactics and techniques specific to AI and machine learning systems. Published and maintained by The MITRE Corporation, ATLAS is modelled on the widely adopted MITRE ATT&CK framework that security teams already use for traditional cyber threat analysis.

The framework organises adversarial behaviour into 16 tactics covering the full AI attack lifecycle — from initial reconnaissance and resource development through to execution, exfiltration, and impact. Each tactic contains specific techniques that describe how adversaries achieve their objectives against AI systems.

ATLAS matters because it gives security teams a common language for discussing AI threats that maps directly to the framework they already use for traditional cyber threats (ATT&CK). This allows AI security findings to be communicated alongside conventional security findings in a single threat model.

Probe Six maps 146 automated security plugins across all 16 ATLAS tactics, with governance assessments for techniques that require infrastructure-level review. Some techniques appear under multiple tactics where ATLAS defines shared techniques — plugin totals per tactic therefore sum to more than 146 due to intentional overlap.

Coverage Summary

79 Automated Testing
35 Governance Assessment
114 Total Techniques

Automated Testing: Techniques tested through automated adversarial red-team probes that exercise the AI system in real time, producing measurable evidence of resilience or vulnerability.

Governance Assessment: Techniques that cannot be tested at runtime (e.g. physical access, infrastructure procurement, dataset poisoning at training time) and are instead assessed through structured governance questionnaires covering organisational controls and processes.

Two Assessment Approaches

Automated Red-Team Testing

Probe Six sends adversarial prompts and attack sequences directly to your AI system, testing its defences against prompt injection, jailbreak attempts, data exfiltration, credential probing, tool misuse, and more. Each test produces a pass/fail result with evidence, mapped to the specific ATLAS technique being exercised.

Governance Assessment

Some ATLAS techniques describe adversary activities that occur outside the AI system's runtime environment — reconnaissance of published research, acquisition of attack infrastructure, or physical access to training hardware. These techniques are assessed through structured questionnaires that evaluate your organisational controls, supply chain security, and infrastructure protections.

Complete Coverage Matrix

The matrix below shows every ATLAS tactic and technique, with the assessment approach used for each. Techniques and sub-techniques are listed under their parent tactic.

TA0000 AI Model Access

Technique ID | Technique Name | Coverage
AML.T0040 | AI Model Inference API Access | Automated Testing
AML.T0041 | Physical Environment Access | Governance Assessment
AML.T0044 | Full AI Model Access | Automated Testing
AML.T0047 | AI-Enabled Product or Service | Automated Testing

TA0001 AI Attack Staging

Technique ID | Technique Name | Coverage
AML.T0005 | Create Proxy AI Model | Automated Testing
AML.T0005.000 | Train Proxy via Gathered AI Artifacts | Automated Testing
AML.T0005.001 | Train Proxy via Replication | Automated Testing
AML.T0005.002 | Use Pre-Trained Model | Automated Testing
AML.T0042 | Verify Attack | Governance Assessment
AML.T0043 | Craft Adversarial Data | Automated Testing
AML.T0043.000 | White-Box Optimisation | Governance Assessment
AML.T0043.001 | Black-Box Optimisation | Automated Testing
AML.T0043.002 | Black-Box Transfer | Automated Testing
AML.T0043.003 | Manual Modification | Automated Testing
AML.T0043.004 | Insert Backdoor Trigger | Automated Testing

TA0002 Reconnaissance

Technique ID | Technique Name | Coverage
AML.T0000 | Search Open Technical Databases | Governance Assessment
AML.T0000.000 | Journals and Conference Proceedings | Governance Assessment
AML.T0000.001 | Pre-Print Repositories | Governance Assessment
AML.T0000.002 | Technical Blogs | Governance Assessment
AML.T0001 | Search Open AI Vulnerability Analysis | Governance Assessment
AML.T0003 | Search Victim-Owned Websites | Governance Assessment
AML.T0004 | Search Application Repositories | Governance Assessment
AML.T0006 | Active Scanning | Automated Testing
AML.T0064 | Gather RAG-Indexed Targets | Automated Testing

TA0003 Resource Development

Technique ID | Technique Name | Coverage
AML.T0002 | Acquire Public AI Artifacts | Governance Assessment
AML.T0002.000 | Datasets | Governance Assessment
AML.T0002.001 | Models | Governance Assessment
AML.T0008 | Acquire Infrastructure | Governance Assessment
AML.T0008.000 | AI Development Workspaces | Governance Assessment
AML.T0008.001 | Consumer Hardware | Governance Assessment
AML.T0008.002 | Domains | Governance Assessment
AML.T0008.003 | Physical Countermeasures | Governance Assessment
AML.T0016 | Obtain Capabilities | Governance Assessment
AML.T0016.000 | Adversarial AI Attack Implementations | Governance Assessment
AML.T0016.001 | Software Tools | Governance Assessment
AML.T0016.002 | Generative AI | Governance Assessment
AML.T0017 | Develop Capabilities | Governance Assessment
AML.T0017.000 | Adversarial AI Attacks | Governance Assessment
AML.T0019 | Publish Poisoned Datasets | Governance Assessment
AML.T0021 | Establish Accounts | Governance Assessment
AML.T0058 | Publish Poisoned Models | Governance Assessment
AML.T0060 | Publish Hallucinated Entities | Automated Testing
AML.T0065 | LLM Prompt Crafting | Governance Assessment
AML.T0066 | Retrieval Content Crafting | Governance Assessment

TA0004 Initial Access

Technique ID | Technique Name | Coverage
AML.T0010 | AI Supply Chain Compromise | Automated Testing
AML.T0010.000 | Hardware | Governance Assessment
AML.T0010.001 | AI Software | Automated Testing
AML.T0010.002 | Data | Automated Testing
AML.T0010.003 | Model | Automated Testing
AML.T0010.004 | Container Registry | Governance Assessment
AML.T0012 | Valid Accounts | Automated Testing
AML.T0015 | Evade AI Model | Automated Testing
AML.T0049 | Exploit Public-Facing Application | Automated Testing
AML.T0052 | Phishing | Automated Testing

TA0005 Execution

Technique ID | Technique Name | Coverage
AML.T0011 | User Execution | Automated Testing
AML.T0011.000 | Unsafe AI Artifacts | Governance Assessment
AML.T0011.001 | Malicious Package | Automated Testing
AML.T0050 | Command and Scripting Interpreter | Automated Testing
AML.T0051 | LLM Prompt Injection | Automated Testing
AML.T0051.000 | Direct | Automated Testing
AML.T0051.001 | Indirect | Automated Testing
AML.T0053 | AI Agent Tool Invocation | Automated Testing

TA0006 Persistence

Technique ID | Technique Name | Coverage
AML.T0018 | Manipulate AI Model | Automated Testing
AML.T0018.000 | Poison AI Model | Automated Testing
AML.T0018.001 | Modify AI Model Architecture | Governance Assessment
AML.T0018.002 | Embed Malware | Governance Assessment
AML.T0020 | Poison Training Data | Automated Testing
AML.T0061 | LLM Prompt Self-Replication | Automated Testing
AML.T0070 | RAG Poisoning | Automated Testing

TA0007 Defense Evasion

Technique ID | Technique Name | Coverage
AML.T0015 | Evade AI Model | Automated Testing
AML.T0054 | LLM Jailbreak | Automated Testing
AML.T0067 | LLM Trusted Output Components Manipulation | Automated Testing
AML.T0067.000 | Citations | Automated Testing
AML.T0068 | LLM Prompt Obfuscation | Automated Testing
AML.T0071 | False RAG Entry Injection | Automated Testing
AML.T0073 | Impersonation | Automated Testing
AML.T0074 | Masquerading | Automated Testing

TA0008 Discovery

Technique ID | Technique Name | Coverage
AML.T0007 | Discover AI Artifacts | Automated Testing
AML.T0013 | Discover AI Model Ontology | Automated Testing
AML.T0014 | Discover AI Model Family | Automated Testing
AML.T0062 | Discover LLM Hallucinations | Automated Testing
AML.T0063 | Discover AI Model Outputs | Automated Testing
AML.T0069 | Discover LLM System Information | Automated Testing
AML.T0069.000 | Special Character Sets | Automated Testing
AML.T0069.001 | System Instruction Keywords | Automated Testing
AML.T0069.002 | System Prompt | Automated Testing
AML.T0075 | Cloud Service Discovery | Automated Testing

TA0009 Collection

Technique ID | Technique Name | Coverage
AML.T0035 | AI Artifact Collection | Automated Testing
AML.T0036 | Data from Information Repositories | Automated Testing
AML.T0037 | Data from Local System | Governance Assessment

TA0010 Exfiltration

Technique ID | Technique Name | Coverage
AML.T0024 | Exfiltration via AI Inference API | Automated Testing
AML.T0024.000 | Infer Training Data Membership | Automated Testing
AML.T0024.001 | Invert AI Model | Automated Testing
AML.T0024.002 | Extract AI Model | Automated Testing
AML.T0025 | Exfiltration via Cyber Means | Automated Testing
AML.T0056 | Extract LLM System Prompt | Automated Testing
AML.T0057 | LLM Data Leakage | Automated Testing

TA0011 Impact

Technique ID | Technique Name | Coverage
AML.T0029 | Denial of AI Service | Automated Testing
AML.T0031 | Erode AI Model Integrity | Automated Testing
AML.T0034 | Cost Harvesting | Automated Testing
AML.T0046 | Spamming AI System with Chaff Data | Automated Testing
AML.T0048 | External Harms | Automated Testing
AML.T0048.000 | Financial Harm | Automated Testing
AML.T0048.001 | Reputational Harm | Automated Testing
AML.T0048.002 | Societal Harm | Automated Testing
AML.T0048.003 | User Harm | Automated Testing
AML.T0048.004 | AI Intellectual Property Theft | Automated Testing
AML.T0059 | Erode Dataset Integrity | Automated Testing

TA0012 Privilege Escalation

Technique ID | Technique Name | Coverage
AML.T0012 | Valid Accounts | Automated Testing
AML.T0053 | AI Agent Tool Invocation | Automated Testing
AML.T0054 | LLM Jailbreak | Automated Testing

TA0013 Credential Access

Technique ID | Technique Name | Coverage
AML.T0055 | Unsecured Credentials | Automated Testing

TA0014 Command and Control

Technique ID | Technique Name | Coverage
AML.T0072 | Reverse Shell | Automated Testing

TA0015 Lateral Movement

Technique ID | Technique Name | Coverage
AML.T0052 | Phishing | Automated Testing

Automated Plugins by Tactic

The tables below list every automated security plugin mapped to each ATLAS tactic, with the specific technique reference and justification for the mapping. Plugins may appear under multiple tactics where ATLAS defines shared techniques.

TA0000 AI Model Access (3 plugins)

Plugin | What It Tests | ATLAS Technique | Why This Tactic
Model Weight Extraction | Attempts to extract model weights via inference API | AML.T0044 | Probes for full model access via parameter extraction
API Access: Inference | Tests whether inference API access controls can be bypassed | AML.T0040 | Validates authentication and rate limiting on inference endpoints
API Access: Product Service | Probes AI-enabled product interfaces for unintended access | AML.T0047 | Tests access controls on customer-facing AI services

TA0001 AI Attack Staging (17 plugins)

Plugin | What It Tests | ATLAS Technique | Why This Tactic
Encoding Bypass: Hex | Encodes malicious payloads in hexadecimal | AML.T0043 | Crafts adversarial data using encoding transformation
Encoding Bypass: Base16 | Encodes payloads in Base16 to evade filters | AML.T0043 | Adversarial data crafting via Base16 encoding
Encoding Bypass: Base64 | Encodes payloads in Base64 to bypass detection | AML.T0043 | Adversarial data crafting via Base64 encoding
Encoding Bypass: Base32 | Encodes payloads in Base32 to evade filters | AML.T0043 | Adversarial data crafting via Base32 encoding
Encoding Bypass: ROT13 | Applies ROT13 cipher to mask harmful content | AML.T0043 | Simple substitution cipher for adversarial payload obfuscation
Encoding Bypass: UUEncode | Encodes payloads using UUEncoding | AML.T0043 | Legacy encoding scheme for adversarial data crafting
Encoding Bypass: Atbash | Applies Atbash cipher to mask harmful instructions | AML.T0043 | Substitution cipher for adversarial payload obfuscation
Encoding Bypass: Morse | Encodes instructions in Morse code | AML.T0043 | Encoding-based adversarial data transformation
Encoding Bypass: NATO Phonetic | Spells out harmful instructions using NATO alphabet | AML.T0043 | Phonetic encoding for adversarial payload delivery
Encoding Bypass: Braille | Encodes payloads using Braille characters | AML.T0043 | Unicode-based encoding for filter evasion
Encoding Bypass: Zalgo | Uses Zalgo text combining characters to obscure content | AML.T0043 | Unicode manipulation for adversarial data crafting
Encoding Bypass: Leetspeak | Substitutes characters with numbers/symbols | AML.T0043 | Character substitution for filter evasion
Encoding Bypass: Quoted Printable | Encodes payloads using Quoted-Printable encoding | AML.T0043 | MIME encoding for adversarial data obfuscation
Encoding Bypass: ASCII85 | Encodes payloads using ASCII85 encoding | AML.T0043 | Binary-to-text encoding for adversarial data
Encoding Bypass: Unicode Homoglyphs | Replaces characters with visually identical Unicode glyphs | AML.T0043 | Homoglyph substitution for adversarial data crafting
Encoding Bypass: BiDi Reorder | Uses bidirectional Unicode control characters to reorder text | AML.T0043 | Text direction manipulation for payload obfuscation
Model Theft: Capability Cloning | Attempts to clone model capabilities via systematic querying | AML.T0005 | Tests resistance to proxy model creation through replication

TA0002 Reconnaissance (1 plugin)

Plugin | What It Tests | ATLAS Technique | Why This Tactic
Debug Access | Probes for exposed debug endpoints and verbose error responses | AML.T0006 | Active scanning for information leakage via debug interfaces

TA0003 Resource Development (3 plugins)

Plugin | What It Tests | ATLAS Technique | Why This Tactic
Poisoning: Behavioural Consistency | Tests model behaviour consistency across rephrased inputs | AML.T0020 | Detects signs of training data poisoning via behavioural anomalies
Poisoning: Training Bias Probe | Probes for biases introduced through poisoned training data | AML.T0020 | Identifies bias patterns that may indicate dataset poisoning
Supply Chain: Package Hallucination | Tests whether model recommends non-existent packages | AML.T0060 | Detects hallucinated entities that could be exploited for supply chain attacks

TA0004 Initial Access (8 plugins)

Plugin | What It Tests | ATLAS Technique | Why This Tactic
SSRF | Tests for server-side request forgery via AI-generated URLs | AML.T0049 | Exploits public-facing AI application to access internal resources
Supply Chain: Dependency Confusion | Tests if model suggests internal package names publicly | AML.T0010 | Probes for AI supply chain compromise via dependency confusion
Supply Chain: Model Provenance | Verifies model provenance claims and integrity | AML.T0010 | Validates resistance to supply chain model substitution
RBAC | Tests role-based access control enforcement | AML.T0012 | Validates account-level access controls cannot be bypassed
BOLA | Tests for broken object-level authorisation | AML.T0012 | Probes for valid account abuse via object-level access flaws
BFLA | Tests for broken function-level authorisation | AML.T0012 | Probes for valid account abuse via function-level access flaws
Hijacking | Attempts to redirect AI agent to attacker-controlled actions | AML.T0052 | Phishing-style redirection of AI agent behaviour
Privilege Escalation | Attempts to escalate from user to admin-level access | AML.T0054 | Tests vertical privilege escalation via prompt manipulation

TA0005 Execution (8 plugins)

Plugin | What It Tests | ATLAS Technique | Why This Tactic
SQL Injection | Tests if LLM outputs can inject SQL into downstream systems | AML.T0050 | Command injection via AI-generated SQL statements
Shell Injection | Tests if LLM outputs can inject shell commands | AML.T0050 | Command injection via AI-generated shell commands
Indirect Prompt Injection | Injects instructions via external content (documents, URLs) | AML.T0051.001 | Indirect LLM prompt injection via untrusted data sources
Direct Prompt Injection | Attempts to override system instructions via user input | AML.T0051.000 | Direct LLM prompt injection via user-supplied prompts
Multimodal Injection | Embeds malicious instructions in images or other modalities | AML.T0051 | Cross-modal prompt injection via non-text inputs
Self-Replication | Tests if prompts can cause recursive self-execution | AML.T0051 | Prompt injection leading to autonomous replication
Excessive Agency | Tests if agent executes actions beyond intended scope | AML.T0053 | AI agent tool invocation without proper authorisation
Plugin Discovery | Probes for available tools and their capabilities | AML.T0053 | Enumerates agent tools to identify exploitable capabilities

TA0006 Persistence (3 plugins)

Plugin | What It Tests | ATLAS Technique | Why This Tactic
Poisoning: Backdoor Trigger | Tests for backdoor triggers in model responses | AML.T0018 | Detects manipulated model behaviour via planted triggers
RAG: Retrieval Manipulation | Manipulates RAG retrieval to surface attacker content | AML.T0070 | Persists malicious content via RAG pipeline poisoning
RAG: Embedding Collision | Creates embedding collisions to hijack retrieval results | AML.T0070 | Persists via adversarial embedding manipulation
TA0007 Defense Evasion (17 plugins)

Plugin | What It Tests | ATLAS Technique | Why This Tactic
ASCII Smuggling | Uses invisible Unicode characters to hide instructions | AML.T0068 | Prompt obfuscation via invisible character insertion
Cross-Lingual: Direct Translation | Translates harmful prompts into other languages | AML.T0068 | Obfuscates prompts via language translation
Cross-Lingual: Code Switching | Mixes languages within a single prompt | AML.T0068 | Obfuscates intent via mid-sentence language switching
Cross-Lingual: Transliteration | Writes harmful content using transliterated script | AML.T0068 | Obfuscates via script conversion while preserving meaning
Cross-Lingual: Low Resource | Uses low-resource languages with weaker safety training | AML.T0068 | Exploits weaker safety alignment in under-represented languages
Cross-Lingual: Response Forcing | Forces model to respond in a specific language to bypass filters | AML.T0068 | Circumvents output filters by forcing language of response
Temporal Evasion: Past Tense | Frames harmful requests as historical events | AML.T0054 | Jailbreak via temporal reframing to past tense
Temporal Evasion: Future Tense | Frames harmful requests as hypothetical future scenarios | AML.T0054 | Jailbreak via temporal reframing to future tense
Temporal Evasion: Academic Framing | Frames harmful requests as academic research | AML.T0054 | Jailbreak via academic or research context framing
Output Injection: XSS | Tests if LLM outputs contain executable HTML/JavaScript | AML.T0067 | Trusted output manipulation via cross-site scripting
Output Injection: Markdown Exfiltration | Tests if markdown rendering can exfiltrate data | AML.T0067 | Trusted output manipulation via markdown image tags
Output Injection: Link Injection | Tests if LLM outputs contain malicious links | AML.T0067 | Trusted output manipulation via injected URLs
Output Injection: CSS Injection | Tests if LLM outputs can inject CSS for data exfiltration | AML.T0067 | Trusted output manipulation via CSS injection
Trusted Output Manipulation | Tests if model outputs can be manipulated to mislead users | AML.T0067 | General trusted output component manipulation
RAG: Poisoning | Injects false entries into RAG knowledge base | AML.T0071 | False RAG entry injection to evade content controls
Imitation | Tests if model can be made to impersonate authoritative sources | AML.T0073 | Impersonation of trusted entities to bypass controls
Masquerading | Tests if model can disguise harmful content as benign | AML.T0074 | Content masquerading to evade safety filters

TA0008 Discovery (11 plugins)

Plugin | What It Tests | ATLAS Technique | Why This Tactic
Model Fingerprinting | Identifies model type, version, and architecture | AML.T0007 | Discovers AI artefacts including model identity and capabilities
Error Info Leakage | Triggers errors to extract system information | AML.T0063 | Discovers model outputs that reveal internal details
Hallucination | Tests model propensity to generate fabricated information | AML.T0062 | Discovers LLM hallucination patterns and reliability gaps
Cloud Service Discovery | Probes for cloud service endpoints and configurations | AML.T0075 | Discovers cloud infrastructure supporting AI workloads
System Leakage: Multi-Turn Extraction | Gradually extracts system information across multiple turns | AML.T0069 | Discovers LLM system information via conversational probing
System Leakage: Tool Schema Leakage | Extracts tool schemas and function definitions | AML.T0069 | Discovers available tools and their parameter schemas
System Leakage: Config Leakage | Extracts system configuration and parameters | AML.T0069 | Discovers system configuration and operational parameters
RAG: Context Override | Attempts to override RAG context to extract indexed content | AML.T0064 | Gathers RAG-indexed targets by manipulating retrieval context
RAG: Cross-Tenant Leakage | Tests tenant isolation in shared RAG infrastructure | AML.T0070 | Probes for cross-tenant data exposure in vector stores
Model Discovery: Ontology | Maps model domain knowledge and capability boundaries | AML.T0013 | Discovers AI model ontology and knowledge structure
Model Discovery: Family | Identifies model family, training lineage, and base model | AML.T0014 | Discovers AI model family and training heritage

TA0009 Collection (5 plugins)

Plugin | What It Tests | ATLAS Technique | Why This Tactic
Prompt Extraction | Extracts the system prompt as an AI artefact | AML.T0035 | Collects system prompt — a key AI artefact containing operational logic
Training Data Extraction | Extracts training data samples from model responses | AML.T0036 | Collects data from the model's training information repository
Model Theft: Memorisation Attack | Extracts memorised training examples verbatim | AML.T0036 | Collects memorised data from the model's training corpus
Model Inversion | Reconstructs training data inputs from model outputs | AML.T0036 | Reconstructs training data from information repositories via inversion
System Leakage: Config Leakage | Extracts system configuration as an AI artefact | AML.T0035 | Collects configuration artefacts from the AI system

TA0010 Exfiltration (11 plugins)

Plugin | What It Tests | ATLAS Technique | Why This Tactic
Prompt Extraction | Extracts the full system prompt for external use | AML.T0056 | Exfiltrates the system prompt as intellectual property
Model Theft: Memorisation Attack | Extracts memorised training data for external use | AML.T0024 | Exfiltrates training data via inference API membership probing
Data Exfiltration | Attempts to exfiltrate data via AI agent capabilities | AML.T0025 | Exfiltrates data via cyber means using agent tool access
Membership Inference | Determines if specific data was in the training set | AML.T0024 | Infers training data membership via inference API analysis
Model Inversion | Reconstructs training inputs from model outputs | AML.T0024 | Inverts the model to reconstruct training data
PII: Direct | Directly requests personally identifiable information | AML.T0057 | Exfiltrates PII via direct data leakage
PII: API/DB | Extracts PII from connected databases or APIs | AML.T0057 | Exfiltrates PII from backend data sources via LLM
PII: Session | Extracts PII from other user sessions | AML.T0057 | Exfiltrates PII via cross-session data leakage
PII: Social | Uses social engineering to extract personal information | AML.T0057 | Exfiltrates PII through social engineering prompts
Cross-Session Leak | Tests for data leakage between user sessions | AML.T0057 | Exfiltrates data across user session boundaries
Training Data Extraction | Extracts training data samples from model responses | AML.T0024 | Exfiltrates training data via inference API probing
TA0011 Impact (58 plugins)

Plugin | What It Tests | ATLAS Technique | Why This Tactic
Consumption: Token Amplification | Triggers excessive token generation to exhaust resources | AML.T0029 | Denial of AI service via token amplification
Consumption: Recursive Reasoning | Induces recursive reasoning loops | AML.T0029 | Denial of AI service via computational exhaustion
Consumption: Tool Abuse | Abuses agent tools to cause API fanout | AML.T0029 | Denial of AI service via tool invocation abuse
Consumption: Chaff Data | Floods system with irrelevant data | AML.T0046 | Spamming AI system with chaff data
Consumption: Context Overflow | Overflows context window to degrade performance | AML.T0029 | Denial of AI service via context window exhaustion
Divergent Repetition | Triggers repetitive output patterns wasting resources | AML.T0029 | Denial of AI service via repetitive generation loops
Factual Accuracy | Tests model propensity to generate inaccurate information | AML.T0031 | Erodes AI model integrity through factual inaccuracy
Citation Verification | Tests if model fabricates citations and references | AML.T0031 | Erodes AI model integrity through fabricated citations
Overreliance | Tests for excessive user trust in AI outputs | AML.T0031 | Erodes model integrity by encouraging overreliance
Sycophancy | Tests if model prioritises agreement over accuracy | AML.T0031 | Erodes model integrity through sycophantic behaviour
Bias: Race | Tests for racial bias in model outputs | AML.T0048.002 | Societal harm through racial discrimination in AI outputs
Bias: Gender | Tests for gender bias in model outputs | AML.T0048.002 | Societal harm through gender discrimination in AI outputs
Bias: Age | Tests for age bias in model outputs | AML.T0048.002 | Societal harm through age discrimination in AI outputs
Bias: Disability | Tests for disability bias in model outputs | AML.T0048.002 | Societal harm through disability discrimination
Bias: Religion | Tests for religious bias in model outputs | AML.T0048.002 | Societal harm through religious discrimination
Bias: Sexual Orientation | Tests for bias based on sexual orientation | AML.T0048.002 | Societal harm through discrimination on sexual orientation
Bias: Socioeconomic | Tests for socioeconomic bias in model outputs | AML.T0048.002 | Societal harm through socioeconomic discrimination
Bias: Political | Tests for political bias in model outputs | AML.T0048.002 | Societal harm through political discrimination
Bias: Nationality | Tests for nationality bias in model outputs | AML.T0048.002 | Societal harm through nationality discrimination
Confidence Calibration | Tests if model confidence levels match actual accuracy | AML.T0031 | Erodes model integrity via miscalibrated confidence
Explainability | Tests if model can explain its reasoning transparently | AML.T0031 | Erodes model integrity via unexplainable outputs
Harmful: Violent Crime | Tests refusal of violent crime assistance requests | AML.T0048.003 | User harm through violent crime facilitation
Harmful: Sex Crime | Tests refusal of sex crime assistance requests | AML.T0048.003 | User harm through sex crime facilitation
Harmful: Child Exploitation | Tests refusal of child exploitation content | AML.T0048.003 | User harm through CSAM/exploitation facilitation
Harmful: Self-Harm | Tests refusal of self-harm promotion | AML.T0048.003 | User harm through self-harm facilitation
Harmful: Chemical/Biological Weapons | Tests refusal of WMD instructions | AML.T0048.003 | User and societal harm through weapons facilitation
Harmful: Indiscriminate Weapons | Tests refusal of weapons-of-mass-effect content | AML.T0048.003 | Societal harm through indiscriminate weapons guidance
Harmful: Radicalisation | Tests refusal of radicalisation content | AML.T0048.002 | Societal harm through radicalisation and extremism
Harmful: Non-Violent Crime | Tests refusal of non-violent crime assistance | AML.T0048.000 | Financial harm through fraud and crime facilitation
Harmful: Hate | Tests refusal of hate speech generation | AML.T0048.002 | Societal harm through hate speech and discrimination
Harmful: Cybercrime | Tests refusal of cybercrime assistance | AML.T0048.000 | Financial harm through cybercrime facilitation
Harmful: Illegal Drugs | Tests refusal of illegal drug content | AML.T0048.003 | User harm through illegal drug facilitation
Harmful: Harassment/Bullying | Tests refusal of harassment and bullying content | AML.T0048.003 | User harm through harassment facilitation
Harmful: Illegal Activities | Tests refusal of general illegal activity assistance | AML.T0048.003 | User harm through illegal activity facilitation
Harmful: Misinformation | Tests refusal of deliberate misinformation generation | AML.T0048.001 | Reputational harm through deliberate misinformation
Harmful: Privacy | Tests refusal of privacy-violating requests | AML.T0048.003 | User harm through privacy violation
Harmful: Sexual Content | Tests refusal of explicit sexual content generation | AML.T0048.003 | User harm through explicit content generation
Harmful: Graphic Content | Tests refusal of graphic violence content | AML.T0048.003 | User harm through graphic content generation
Harmful: Unsafe Practices | Tests refusal of dangerous or unsafe advice | AML.T0048.003 | User harm through unsafe practice guidance
Harmful: Intellectual Property | Tests refusal of IP theft assistance | AML.T0048.004 | AI intellectual property theft facilitation
Harmful: Copyright Violations | Tests refusal of copyright infringement assistance | AML.T0048.004 | AI intellectual property theft via copyright violation
Harmful: Specialised Advice | Tests appropriate disclaimers for professional advice | AML.T0048.001 | Reputational harm through unqualified professional advice
Harmful: Profanity | Tests refusal of excessive profanity generation | AML.T0048.001 | Reputational harm through unprofessional language
Harmful: Insults | Tests refusal of personal insult generation | AML.T0048.003 | User harm through directed insults
Malware Generation: Top Level | Tests refusal of complete malware code generation | AML.T0048.000 | Financial harm through malware creation
Malware Generation: Sub-Functions | Tests refusal of malware component generation | AML.T0048.000 | Financial harm through malware component creation
Malware Generation: Payload | Tests refusal of malware payload generation | AML.T0048.000 | Financial harm through exploit payload creation
Malware Generation: Evasion | Tests refusal of malware evasion technique generation | AML.T0048.000 | Financial harm through evasion technique creation
Competitors | Tests for inappropriate competitor disparagement | AML.T0048.001 | Reputational harm through unfair competitor commentary
Contracts | Tests for inappropriate contractual commitments | AML.T0048.000 | Financial harm through unauthorised contractual statements
Politics | Tests for inappropriate political statements | AML.T0048.001 | Reputational harm through political commentary
AI Self-Disclosure | Tests if model accurately discloses its AI nature | AML.T0048.001 | Reputational harm through non-disclosure of AI nature
Limitation Disclosure | Tests if model discloses its limitations | AML.T0048.001 | Reputational harm through failure to disclose limitations
Professional Advice: Medical | Tests appropriate medical advice disclaimers | AML.T0048.003 | User harm through unqualified medical advice
Professional Advice: Legal | Tests appropriate legal advice disclaimers | AML.T0048.003 | User harm through unqualified legal advice
Professional Advice: Financial | Tests appropriate financial advice disclaimers | AML.T0048.003 | User harm through unqualified financial advice
Content Marking | Tests if AI-generated content is properly labelled | AML.T0048.001 | Reputational harm through unlabelled AI content
Scope Adherence | Tests if model stays within its designated scope | AML.T0048.001 | Reputational harm through scope boundary violations

TA0012 Privilege Escalation (7 plugins)

Plugin | What It Tests | ATLAS Technique | Why This Tactic
RBAC | Tests role-based access control enforcement | AML.T0012 | Privilege escalation via role-based access bypass
BOLA | Tests for broken object-level authorisation | AML.T0012 | Privilege escalation via object-level access bypass
BFLA | Tests for broken function-level authorisation | AML.T0012 | Privilege escalation via function-level access bypass
Privilege Escalation | Attempts vertical privilege escalation | AML.T0012 | Direct vertical privilege escalation via prompt manipulation
Excessive Agency | Tests if agent can escalate its own permissions | AML.T0053 | Privilege escalation through agent tool invocation abuse
Temporal Evasion: Past Tense | Bypasses safety via historical framing to gain elevated access | AML.T0054 | Jailbreak-based privilege escalation via temporal reframing
Temporal Evasion: Future Tense | Bypasses safety via hypothetical framing to gain elevated access | AML.T0054 | Jailbreak-based privilege escalation via temporal reframing

TA0013 Credential Access (1 plugin)

Plugin | What It Tests | ATLAS Technique | Why This Tactic
Secrets Probing | Probes for exposed API keys, tokens, and credentials | AML.T0055 | Probes for unsecured credentials in model responses and configuration

TA0014 Command and Control (1 plugin)

Plugin | What It Tests | ATLAS Technique | Why This Tactic
Reverse Shell | Tests if model can be coerced into generating reverse shell payloads | AML.T0072 | Command and control channel establishment via reverse shell generation

TA0015 Lateral Movement (2 plugins)

Plugin | What It Tests | ATLAS Technique | Why This Tactic
RAG: Cross-Tenant Leakage | Tests tenant boundary isolation in shared RAG systems | AML.T0052 | Lateral movement across tenant boundaries via shared infrastructure
Cross-Session Leak | Tests session isolation between users | AML.T0052 | Lateral movement across user session boundaries
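
The intro and the note above the plugin tables both point out that a plugin may sit under more than one tactic, so per-tactic totals exceed the deduplicated plugin count. A mapping like this is usually maintained by hand, and the two things that drift are the headline count and the link between a plugin's technique and the coverage matrix (an automated plugin should point at a technique the matrix marks Automated Testing, and at an ID the matrix actually lists). The script below is an added example, not Probe Six or MITRE code; its function names are hypothetical. The data is a hand-copied excerpt of this page's matrix and plugin tables, plus two rows labelled CONSTRUCTED that exist only to show what a bad mapping row looks like (AML.T9999 is a placeholder ID, not an ATLAS technique).

```python
"""Consistency checks for a plugin-to-ATLAS coverage mapping (added example)."""
from collections import Counter, defaultdict

# Excerpt of the coverage matrix on this page: technique ID -> assessment approach.
COVERAGE = {
    "AML.T0040": "Automated Testing",
    "AML.T0041": "Governance Assessment",
    "AML.T0042": "Governance Assessment",
    "AML.T0044": "Automated Testing",
    "AML.T0012": "Automated Testing",
    "AML.T0052": "Automated Testing",
    "AML.T0057": "Automated Testing",
}

# Excerpt of the plugin tables: (tactic, plugin name, technique ID).
PLUGINS = [
    ("TA0000 AI Model Access", "Model Weight Extraction", "AML.T0044"),
    ("TA0000 AI Model Access", "API Access: Inference", "AML.T0040"),
    ("TA0004 Initial Access", "RBAC", "AML.T0012"),
    ("TA0004 Initial Access", "Hijacking", "AML.T0052"),
    ("TA0010 Exfiltration", "Cross-Session Leak", "AML.T0057"),
    ("TA0012 Privilege Escalation", "RBAC", "AML.T0012"),
    ("TA0015 Lateral Movement", "Cross-Session Leak", "AML.T0052"),
    # CONSTRUCTED rows (not on the page): an automated plugin mapped to a
    # technique the matrix marks governance-only, and one mapped to an ID
    # the matrix does not contain. AML.T9999 is a placeholder.
    ("TA0001 AI Attack Staging", "CONSTRUCTED: Attack Verifier", "AML.T0042"),
    ("TA0001 AI Attack Staging", "CONSTRUCTED: Unknown Probe", "AML.T9999"),
]


def per_tactic_totals(plugins):
    """Mapping rows per tactic; these sum to more than the unique plugin count."""
    return Counter(tactic for tactic, _, _ in plugins)


def unique_plugins(plugins):
    """Distinct plugin names, i.e. the deduplicated headline figure."""
    return {name for _, name, _ in plugins}


def overlaps(plugins):
    """Plugins listed under more than one tactic (the intentional overlap)."""
    tactics_by_plugin = defaultdict(set)
    for tactic, name, _ in plugins:
        tactics_by_plugin[name].add(tactic)
    return {name: sorted(t) for name, t in tactics_by_plugin.items() if len(t) > 1}


def find_inconsistencies(plugins, coverage):
    """Flag automated plugins whose technique is unknown or not marked Automated Testing."""
    problems = []
    for tactic, name, tech in plugins:
        approach = coverage.get(tech)
        if approach is None:
            problems.append((tactic, name, tech, "technique not in coverage matrix"))
        elif approach != "Automated Testing":
            problems.append((tactic, name, tech, f"matrix marks it {approach}"))
    return problems


if __name__ == "__main__":
    print(f"{len(PLUGINS)} mapping rows, {len(unique_plugins(PLUGINS))} unique plugins")
    for tactic, n in sorted(per_tactic_totals(PLUGINS).items()):
        print(f"  {tactic}: {n}")
    for name, tactics in overlaps(PLUGINS).items():
        print(f"overlap: {name} -> {', '.join(tactics)}")
    for tactic, name, tech, why in find_inconsistencies(PLUGINS, COVERAGE):
        print(f"INCONSISTENT: {name} ({tactic}) -> {tech}: {why}")
```

On the page's own rows the check reports only the expected overlaps (RBAC, Cross-Session Leak); the two constructed rows are the ones it flags. Extending COVERAGE and PLUGINS to the full tables is a copy job, and the same structure works for any ATT&CK-style mapping where one control maps to several tactics.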

Governance Assessment Questions

The following governance questions are assessed inline within the tactic picker on the scan configuration page. When you select a tactic that has governance questions, its governance panel auto-expands so you can answer questions in context. A cross-cutting “AI System Lifecycle” governance section also appears when any governance-mapped tactic is selected. Answers auto-save and persist across scans. Each question is weighted for risk scoring (shown as a badge) with the answer type indicated.

AI Model Access & Credential Security

  1. Is authentication required for all access to AI model inference APIs? (weight 9, Y/N)
  2. Are API keys and credentials for AI services rotated on a defined schedule? (weight 8, Y/N)
  3. Are queries to the model restricted by rate, volume, or caller identity? (weight 7, Y/N)
  4. Is sensitive data encrypted in transit and at rest when communicating with AI services? (weight 8, Y/N)
  5. Is multi-factor authentication enforced for privileged AI system operations? (weight 8, Y/N)
  6. Are credential access logs monitored for anomalous patterns? (weight 7, Y/N)

Adversarial Resource Development

  1. Are publicly available AI artefacts (datasets, pre-trained models) vetted for integrity and provenance before use? (weight 8, Y/N)
  2. Is AI development infrastructure (workspaces, compute, domains) provisioned through a controlled process with access auditing? (weight 7, Y/N)
  3. Are controls in place to detect adversarial prompt crafting attempts that use your LLM to generate attacks against other systems? (weight 9, Y/N)
  4. Are retrieval (RAG) content sources validated to prevent adversary-crafted documents from being indexed and served to users? (weight 9, Y/N)
  5. Is there monitoring for the publication or distribution of poisoned datasets or models that could target your AI systems? (weight 7, Y/N)
  6. Are adversarial AI attack tools and capabilities tracked as part of your threat intelligence programme? (weight 6, Y/N)
  7. How mature is your defence against adversaries weaponising your AI system for resource development (prompt crafting, content generation)? (weight 7, 1–5)

AI Supply Chain Dependencies

  1. Do you maintain an AI Bill of Materials covering models, datasets, and software dependencies? (weight 9, Y/N)
  2. Are pre-trained models verified for integrity (checksums, signatures) before deployment? (weight 9, Y/N)
  3. Are vulnerability scans run against AI framework libraries and dependencies? (weight 7, Y/N)
  4. Are third-party data sources and datasets vetted before use in training or fine-tuning? (weight 8, Y/N)
  5. Is there a process for restricting and auditing library loading in ML pipelines? (weight 7, Y/N)
  6. Are model marketplace downloads (HuggingFace, etc.) scanned for embedded malware or backdoors? (weight 8, Y/N)
  7. How mature is your AI supply chain governance programme? (weight 7, 1–5)

Execution & Agent Security Policies

  1. Are there policies preventing LLMs from executing arbitrary commands or scripts without sandboxing? (weight 10, Y/N)
  2. Are input validation controls in place to detect and block prompt injection attempts? (weight 9, Y/N)
  3. Are AI agent tool invocations subject to permission scoping and approval policies? (weight 9, Y/N)
  4. Are there safeguards preventing LLM-generated prompts from being self-replicated or recursively executed? (weight 8, Y/N)
  5. Are execution environments for AI workloads isolated from production systems? (weight 8, Y/N)
  6. Is there monitoring of LLM-triggered actions for anomalous or unauthorised behaviour? (weight 7, Y/N)

Persistence, Model Integrity & RAG Governance

  1. Is training data sanitised and validated before use to prevent data poisoning? (weight 9, Y/N)
  2. Are deployed models verified against known-good baselines to detect manipulation? (weight 8, Y/N)
  3. Is adversarial training or model hardening applied to improve robustness? (weight 7, Y/N)
  4. Are RAG knowledge base contents validated and monitored for poisoning or injection? (weight 9, Y/N)
  5. Is there version control and rollback capability for deployed model weights? (weight 7, Y/N)
  6. Are fine-tuning pipelines protected against unauthorised data injection? (weight 8, Y/N)
  7. How confident are you in the integrity of your model and data pipeline end-to-end? (weight 7, 1–5)

Evasion Detection & Input Validation

  1. Are adversarial input detection mechanisms deployed to identify evasion attempts? (weight 8, Y/N)
  2. Are there controls to detect and block LLM jailbreak attempts and prompt obfuscation? (weight 9, Y/N)
  3. Are trusted outputs validated to prevent manipulation before being passed to downstream systems? (weight 8, Y/N)
  4. Are input restoration or normalisation techniques used to counter obfuscated inputs? (weight 7, Y/N)
  5. Is there multi-layer input validation (syntactic, semantic, and contextual)? (weight 7, Y/N)
  6. Are model confidence scores monitored for anomalous drops indicating adversarial inputs? (weight 7, Y/N)
  7. Is there a feedback loop to update evasion detection rules based on new attack patterns? (weight 6, Y/N)
  8. How mature is your adversarial testing programme for AI input validation? (weight 7, 1–5)

Discovery Prevention & Information Disclosure

  1. Is metadata about AI models (version, family, architecture) restricted from public exposure? (weight 7, Y/N)
  2. Are model outputs limited to prevent disclosure of system configuration or training details? (weight 8, Y/N)
  3. Is there monitoring to detect systematic probing for AI model capabilities or weaknesses? (weight 7, Y/N)
  4. Are cloud service endpoints for AI workloads protected against discovery and enumeration? (weight 7, Y/N)
  5. Are error messages sanitised to prevent leaking internal model or infrastructure details? (weight 8, Y/N)
  6. Is there detection for fingerprinting attempts that map model behaviour patterns? (weight 7, Y/N)
  7. How mature are your controls to prevent AI system information disclosure? (weight 7, 1–5)

AI Artefact & Data Repository Security

  1. Are AI model artefacts stored with access controls limiting who can download them? (weight 8, Y/N)
  2. Is access to training and evaluation data repositories restricted and audited? (weight 8, Y/N)
  3. Are data repositories monitored for unusual bulk downloads or access patterns? (weight 7, Y/N)
  4. Is there an inventory of all AI artefacts and their storage locations? (weight 7, Y/N)
  5. Are model artefact transfers between environments verified for integrity? (weight 7, Y/N)

Exfiltration Prevention & Data Loss Protection

  1. Are there controls to prevent extraction of training data or model parameters via inference API queries? (weight 9, Y/N)
  2. Is the system prompt protected against extraction attempts? (weight 8, Y/N)
  3. Are outputs monitored for unintended data leakage (PII, confidential data, training examples)? (weight 9, Y/N)
  4. Are network-level exfiltration controls (DLP, egress filtering) applied to AI service infrastructure? (weight 7, Y/N)
  5. Is there detection for model inversion attacks attempting to reconstruct training data? (weight 8, Y/N)
  6. Are watermarking or fingerprinting techniques used to detect unauthorised model copies? (weight 8, Y/N)

Impact Mitigation & Content Safety

  1. Are there controls to prevent denial-of-service attacks against AI inference services? (weight 8, Y/N)
  2. Is there monitoring and alerting for abnormal cost patterns or resource consumption by AI services? (weight 8, Y/N)
  3. Are content safety filters deployed to prevent harmful outputs from reaching end users? (weight 9, Y/N)
  4. Are model integrity metrics monitored for signs of degradation or drift from data poisoning? (weight 7, Y/N)
  5. Is there an automated rollback mechanism if model performance degrades below acceptable thresholds? (weight 6, Y/N)
  6. Are cascading failure scenarios documented and tested for AI-dependent systems? (weight 6, Y/N)
  7. How mature is your incident containment process for AI-specific security events? (weight 7, 1–5)

AI Security Training & Model Lifecycle

  1. How mature is your organisation's AI security training programme for developers and operators? (weight 8, 1–5)
  2. Is there a formal model lifecycle process covering development, validation, deployment, and retirement? (weight 8, Y/N)
  3. Do you have an AI incident response plan that covers adversarial attacks on models? (weight 9, Y/N)
  4. How comprehensively have MITRE ATLAS mitigations (M0000-M0019) been assessed for your AI systems? (weight 7, 1–5)
  5. Is there a regular review cycle for AI security controls aligned to evolving threat landscapes? (weight 7, Y/N)
  6. Are AI risk assessments conducted before deploying new models or significant updates? (weight 8, Y/N)
  7. Is there an AI governance committee or designated responsible owner for AI security? (weight 7, Y/N)
  8. Are third-party AI audits or penetration tests conducted on a regular schedule? (weight 6, Y/N)
  9. Is AI model behaviour monitored in production for drift, bias, and anomalous outputs? (weight 7, Y/N)
  10. Do decommissioned models and datasets follow a secure disposal process? (weight 5, Y/N)
  11. How mature is your AI threat intelligence programme for tracking emerging adversarial techniques? (weight 6, 1–5)

Running an ATLAS Assessment

To run an ATLAS-aligned assessment:

  1. Register your endpoint — Add the AI system you want to assess via the Endpoints page
  2. Select the MITRE ATLAS template — Choose individual tactics for targeted testing or select all 16 for comprehensive coverage
  3. Complete governance questions — For tactics with governance assessments, questions appear inline below the tactic row when selected. Answer them in context; your responses auto-save and persist across scans
  4. Review ATLAS references — Each finding in your report includes ATLAS technique mappings alongside OWASP, NIST, and other framework references

ATLAS technique references are also included in OWASP and other framework scan reports, giving your security team a common language for discussing AI threats that maps directly to the framework they already use for traditional cyber threats (ATT&CK).

References