I have been in cyber security for over 25 years. And I have done my fair share of penetration testing/offensive security and I am quite familiar with the MITRE ATT&CK framework. Not long ago, I had the chance to dig into AI offensive security techniques hands-on. I assumed we would use the standard Kali-style hacking tools and follow the usual TTPs. I was wrong. We never fired up a Kali Linux instance or used a single tool from the past 30+ years. Instead, we learned how to trick the LLM into giving us information it was not supposed to. For example, you can’t just ask it for the root password to a server in a particular network or system. Instead, you are taught to tell it you are an IT auditor, and you need to validate the entropy of the password in question. It never occurred to me that you can change the context of an LLM interaction simply by masquerading as an IT Auditor, or a lawyer, or…etc…
Practitioners who came up on traditional offensive security tools — Kali, NMAP, exploit frameworks — are encountering a different kind of attack when they work with AI systems. Compromising an LLM does not require a single conventional tool. It requires understanding how the model interprets context. Tell it you are an IT auditor validating password entropy rather than asking for the password directly, and the model may comply. The attack surface has changed.
MITRE has long maintained a knowledge base of adversary tactics and techniques for traditional IT infrastructure. Security platforms, including Versa’s dashboards, use the ATT&CK matrix to categorize and visualize observed attacks. The ATT&CK framework, which dates to 2013, is shown below.

The paradigm has shifted. Using NMAP to enumerate services and software versions, escalating privileges, and clearing log trails describes how adversaries moved through traditional infrastructure. LLM systems introduce a different set of attack surfaces that those techniques do not address.
MITRE has built a framework specifically for this class of threats. MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) launched publicly in 2021, developed in collaboration with industry partners. Where ATT&CK documents how adversaries compromise traditional IT infrastructure, ATLAS documents how adversaries attack, manipulate, and abuse machine learning systems specifically.
The timing is not coincidental. As LLM/ML models have moved from research labs into production, powering fraud detection, medical diagnostics, content moderation, autonomous systems, and security tooling itself ‚ they’ve become high-value targets. ATLAS exists to document and provide hints about what attacking those targets looks like.
ATLAS uses ATT&CK’s structural vocabulary deliberately. It organizes adversary behavior into tactics and techniques, uses the same kind of case study format, and is designed to feel familiar to practitioners already working with ATT&CK. The intent is interoperability, not replacement.
ATLAS tactics include: Reconnaissance, Resource Development, Initial Access, ML Model Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Discovery, Collection, ML Attack Staging, Exfiltration, and Impact.

MITRE took a deep look at almost 900 attacks in one particular model, and when the old framework didn’t fit, they made the new one above. They observed real attacks in the ‘wild’ and made new categories in a brand-new framework.
The techniques under those tactics are where ATLAS gets specific to the ML domain.
Concepts like:
- Adversarial examples (inputs crafted to fool a model),
- Model inversion (extracting training data from a model’s outputs),
- Data poisoning (corrupting training data to degrade or redirect model behavior),
- Model stealing (replicating a model’s functionality through repeated queries), and
Prompt injection (manipulating large language model behavior through crafted inputs) have no meaningful equivalent in ATT&CK’s enterprise matrix.

Where do the two frameworks diverge?
The meaningful divergence begins where AI systems introduce genuinely novel attack surfaces that have no equivalent in traditional infrastructure.
The model itself is an attack surface. In traditional security, the attack surface is infrastructure: servers, endpoints, network devices, credentials. In ML security, the trained model‚ its weights, its decision boundaries, its training data‚ is itself something that can be probed, manipulated, and stolen. Techniques like model inversion, membership inference, and model extraction have no ATT&CK analog because they presuppose a target that doesn’t exist in traditional environments.
Attacks can be semantic, not just technical. An adversarial example is a valid input ‚a stop sign, an image, a sentence ‚ that has been perturbed in ways imperceptible to humans but catastrophically misclassified by a model. There’s no malware, no exploit, no CVE. The attack lives entirely in the model’s learned representation of the world. ATT&CK has no framework for this because traditional software doesn’t fail this way.
The training pipeline is a persistent vulnerability. Data poisoning attacks target the training process itself, not the deployed system. An adversary who contaminates training data can embed backdoors, degrade performance on specific inputs, or redirect classification behavior‚ and the effect persists as long as the model remains in production. This is a fundamentally different threat model from anything ATT&CK addresses.
LLM-specific techniques are emerging rapidly. Prompt injection‚ manipulating an LLM’s behavior by embedding adversarial instructions in user input or retrieved context ‚has become one of the most practically relevant attack techniques in AI security, particularly as LLMs are deployed as agents with tool access. ATLAS is actively incorporating this category of techniques; ATT&CK has no natural home for them.
Who Should Use Each (and When to Use Both?)
ATT&CK remains the essential foundation for any security program. If your threat model includes adversaries targeting your infrastructure, and it does‚ ATT&CK provides the vocabulary, detection guidance, and adversary intelligence you need. It’s also the framework with the mature tooling, the large community, and the integration into most commercial security platforms.
ATLAS is essential if your organization develops, deploys, or relies on ML systems in high-stakes contexts. That includes financial services using ML for fraud detection, healthcare organizations using AI in clinical workflows, autonomous systems, content moderation platforms, and any security tooling that incorporates ML — because an adversary who can manipulate your security ML has effectively neutralized a portion of your defense.
The more interesting question is how to use both together. ATLAS is explicitly designed to complement ATT&CK, not replace it. Organizations building threat models for AI-integrated systems need both: ATT&CK to model the infrastructure-layer threats, ATLAS to model the ML-layer threats, and clear thinking about how an adversary might chain the two.