16 tactics101 techniques35 mitigations

ATLASAdversarial ML attack surface

MITRE ATLAS · 16 tactics · 101 techniques · 69 sub-techniques · 35 mitigations. Authored by Adam Lundqvist.

Adversarial ML attack surface — designed for EU AI Act Art. 15 compliance pentesting.

SQUR ships annual TLPT against the ATLAS technique set as standard. Adversarial-ML coverage is not the same as IT-stack coverage — scope it explicitly when planning AI Act Art. 15 conformity.

Scope an AI pentest →

Coloured by sub-technique depth

sub-technique depth

0

1

2-3

4-5

6+

AML.TA0000AI Model Access4 techniques

AI Model Inference API Access

Physical Environment Access

Full AI Model Access

AI-Enabled Product or Service

AML.TA0001AI Attack Staging6 techniques

Craft Adversarial Data

Create Proxy AI Model

Manipulate AI Model

Generate Deepfakes

Generate Malicious Commands

AML.TA0002Reconnaissance8 techniques

Search Open Technical Databases

Search Open Websites/Domains

Search Open AI Vulnerability Analysis

Search Victim-Owned Websites

Search Application Repositories

Active Scanning

Gather RAG-Indexed Targets

Gather Victim Identity Information

AML.TA0003Resource Development13 techniques

Acquire Infrastructure

Acquire Public AI Artifacts

Obtain Capabilities

Develop Capabilities

Publish Poisoned Datasets

Poison Training Data

Establish Accounts

Publish Poisoned Models

Publish Hallucinated Entities

LLM Prompt Crafting

Retrieval Content Crafting

Stage Capabilities

Publish Poisoned AI Agent Tool

AML.TA0004Initial Access7 techniques

AI Supply Chain Compromise

Exploit Public-Facing Application

Drive-by Compromise

Prompt Infiltration via Public-Facing Application

AML.TA0005Execution6 techniques

LLM Prompt Injection

Command and Scripting Interpreter

AI Agent Tool Invocation

AI Agent Clickbait

Deploy AI Agent

AML.TA0006Persistence9 techniques

Manipulate AI Model

AI Agent Context Poisoning

Poison Training Data

LLM Prompt Self-Replication

Modify AI Agent Configuration

Prompt Infiltration via Public-Facing Application

AI Agent Tool Data Poisoning

AI Agent Tool Poisoning

AML.TA0007Defense Evasion15 techniques

LLM Trusted Output Components Manipulation

LLM Prompt Obfuscation

False RAG Entry Injection

Corrupt AI Model

Modify AI Agent Configuration

Manipulate User LLM Chat History

Delay Execution of LLM Instructions

Virtualization/Sandbox Evasion

Exploitation for Defense Evasion

AI Supply Chain Rug Pull

AI Supply Chain Reputation Inflation

AML.TA0008Discovery9 techniques

Discover AI Agent Configuration

Discover LLM System Information

Discover AI Artifacts

Discover AI Model Ontology

Discover AI Model Family

Discover LLM Hallucinations

Discover AI Model Outputs

Cloud Service Discovery

Process Discovery

AML.TA0009Collection4 techniques

Data from AI Services

AI Artifact Collection

Data from Information Repositories

Data from Local System

AML.TA0010Exfiltration6 techniques

Exfiltration via AI Inference API

Exfiltration via Cyber Means

Extract LLM System Prompt

LLM Data Leakage

LLM Response Rendering

Exfiltration via AI Agent Tool Invocation

AML.TA0011Impact9 techniques

Cost Harvesting

Machine Compromise

Denial of AI Service

Erode AI Model Integrity

Spamming AI System with Chaff Data

Erode Dataset Integrity

Data Destruction via AI Agent Tool Invocation

AML.TA0012Privilege Escalation4 techniques

AI Agent Tool Invocation

AML.TA0013Credential Access6 techniques

Unsecured Credentials

RAG Credential Harvesting

Credentials from AI Agent Configuration

OS Credential Dumping

AI Agent Tool Credential Harvesting

Exploitation for Credential Access

AML.TA0014Command and Control3 techniques

AML.TA0015Lateral Movement2 techniques

Use Alternate Authentication Material

Sourced from MITRE ATLAS (current release). Curated by Adam Lundqvist, Founder at SQUR.