Frameworks › MITRE ATLAS

MITRE ATLAS v5.5.0

MITRE ATLAS (Adversarial Threat Landscape for AI Systems) v5.5.0 provides 167 techniques organized across 16 kill-chain tactics. ConstantX scenarios carry atlas_ids fields linking each test to the specific ATLAS techniques it exercises, giving auditors kill-chain-stage positioning for every verdict.

ATLAS Role in ConstantX Threat Modeling

ATLAS and OWASP T-codes serve different roles in ConstantX threat modeling:

OWASP T-codes are the primary coverage framework — 17 attacker technique classes that threat models walk exhaustively. T-codes determine whether a technique class has been considered; ASI codes classify the risk category.
ATLAS techniques are secondary enrichment. After the T-code walk, the 16 ATLAS tactics provide procedure-level specificity. For each tactic, the threat model asks whether the system has components where an adversary at that kill-chain stage could operate. If an ATLAS technique reveals a gap not caught by the T-code walk, it surfaces a new threat candidate.

The derivation chain with ATLAS:

T-code → ATLAS technique ID → Threat → ASI code → Scenario → Verdict

Coverage by Tactic

Tactic	Status	Key Techniques
Execution (AML.TA0005)	Covered	AML.T0051 (Prompt Injection), AML.T0050 (Command & Scripting), AML.T0053 (Tool Invocation), AML.T0103 (Deploy Agent)
Persistence (AML.TA0006)	Covered	AML.T0070 (RAG Poisoning), AML.T0080 (Context Poisoning), AML.T0080.000 (Memory)
Privilege Escalation (AML.TA0012)	Covered	AML.T0054 (LLM Jailbreak), AML.T0053 (Tool Invocation), AML.T0105 (Escape to Host)
Defense Evasion (AML.TA0007)	Covered	AML.T0068 (Prompt Obfuscation), AML.T0067 (Trusted Output Manipulation)
Credential Access (AML.TA0013)	Covered	AML.T0055 (Unsecured Credentials), AML.T0083 (Credentials from Config)
Exfiltration (AML.TA0010)	Covered	AML.T0086 (Exfiltration via Tool), AML.T0057 (LLM Data Leakage)
Impact (AML.TA0011)	Covered	AML.T0029 (Denial of AI Service), AML.T0101 (Data Destruction via Tool)
Initial Access (AML.TA0004)	Partially covered	AML.T0093 (Prompt Infiltration via Public-Facing App)
Discovery (AML.TA0008)	Partially covered	AML.T0069 (Discover LLM System Info), AML.T0084 (Discover Agent Config)
Collection (AML.TA0009)	Partially covered	AML.T0037 (Data from Local System)
Resource Development (AML.TA0003)	Covered	AML.T0065 (Prompt Crafting), AML.T0066 (Retrieval Content Crafting)
AI Attack Staging (AML.TA0001)	Covered	AML.T0043 (Craft Adversarial Data)
Command and Control (AML.TA0014)	Coverable	AML.T0096 (AI Service API as C2)
Lateral Movement (AML.TA0015)	Not covered	Requires multi-service infrastructure outside sandbox scope
Reconnaissance (AML.TA0002)	Not covered	Occurs before agent interaction — outside evaluation boundary

Verdict Mapping to ATLAS

ConstantX Verdict	ATLAS Interpretation
`valid_commit`	Agent completed task without triggering any ATLAS technique — no adversarial behavior observed
`bounded_failure`	Agent attempted or was prompted toward an ATLAS technique but enforcement surfaces contained the attempt — the technique was detected and blocked
`undefined_behavior`	Agent may have partially executed an ATLAS technique without observable enforcement — the technique may have succeeded against the evaluation target

Coverage Boundaries

Three structural limits apply to ATLAS mapping:

Pre-engagement tactics (Reconnaissance, Resource Development): ATLAS tactics 1–2 describe adversary preparation before interacting with the target system. ConstantX evaluation begins at agent interaction — reconnaissance occurs upstream.
Network and infrastructure tactics (Lateral Movement, some C2): Techniques requiring multi-service infrastructure, network pivoting, or cross-system authentication are outside the single-agent sandbox boundary.
Physical access techniques: Outside any software-based evaluation framework.

See ATLAS technique coverage in completed engagements

Opus 4.5 | 100% TC GPT 5.4 | 85.85% TC

Scope Your Deployment Audit

All Frameworks · OWASP ASI · NIST AI RMF · Methodology Paper