MITRE ATT&CK vs. MITRE ATLAS: Two Frameworks, One Expanding Threat Landscape

Understand how MITRE ATT&CK and MITRE ATLAS differ, and why security teams need both to defend against AI-era threats. Read the full breakdown.

Erik Witkop
Director of Cybersecurity Practice
  • Read Time: 6-7 min
  • Published: July 1, 2026
  • Modified: June 30, 2026
  • 6-7 min read
  • July 1, 2026
  • June 30, 2026

Summary

As adversaries adopt AI-enabled attack techniques, traditional frameworks like MITRE ATT&CK no longer cover the full threat picture. MITRE ATLAS addresses the machine learning attack surface that ATT&CK was never designed to capture. This post explains what each framework covers, where they diverge, and why security programs need both.

  • MITRE ATT&CK documents adversary behavior against traditional IT infrastructure; MITRE ATLAS documents attacks against machine learning systems specifically.
  • ATLAS introduces techniques, including prompt injection, data poisoning, model inversion, and adversarial examples, that have no equivalent in ATT&CK.
  • The two frameworks are designed to complement each other; use ATT&CK for infrastructure threats and ATLAS for machine learning-layer threats.
  • Agencies deploying AI in high-stakes contexts face a materially different attack surface than traditional IT environments.
  • Adversaries can chain infrastructure-layer and machine learning-layer techniques, making joint use of both frameworks the most complete approach to threat modeling.

I have been in cyber security for over 25 years. And I have done my fair share of penetration testing/offensive security and I am quite familiar with the MITRE ATT&CK framework. Not long ago, I had the chance to dig into AI offensive security techniques hands-on. I assumed we would use the standard Kali-style hacking tools and follow the usual TTPs. I was wrong. We never fired up a Kali Linux instance or used a single tool from the past 30+ years. Instead, we learned how to trick the LLM into giving us information it was not supposed to. For example, you can’t just ask it for the root password to a server in a particular network or system. Instead, you are taught to tell it you are an IT auditor, and you need to validate the entropy of the password in question. It never occurred to me that you can change the context of an LLM interaction simply by masquerading as an IT Auditor, or a lawyer, or…etc…

Practitioners who came up on traditional offensive security tools — Kali, NMAP, exploit frameworks — are encountering a different kind of attack when they work with AI systems. Compromising an LLM does not require a single conventional tool. It requires understanding how the model interprets context. Tell it you are an IT auditor validating password entropy rather than asking for the password directly, and the model may comply. The attack surface has changed.

MITRE has long maintained a knowledge base of adversary tactics and techniques for traditional IT infrastructure. Security platforms, including Versa’s dashboards, use the ATT&CK matrix to categorize and visualize observed attacks. The ATT&CK framework, which dates to 2013, is shown below.


The paradigm has shifted. Using NMAP to enumerate services and software versions, escalating privileges, and clearing log trails describes how adversaries moved through traditional infrastructure. LLM systems introduce a different set of attack surfaces that those techniques do not address.

MITRE has built a framework specifically for this class of threats. MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) launched publicly in 2021, developed in collaboration with industry partners. Where ATT&CK documents how adversaries compromise traditional IT infrastructure, ATLAS documents how adversaries attack, manipulate, and abuse machine learning systems specifically.
 
The timing is not coincidental. As LLM/ML models have moved from research labs into production, powering fraud detection, medical diagnostics, content moderation, autonomous systems, and security tooling itself ‚ they’ve become high-value targets. ATLAS exists to document and provide hints about what attacking those targets looks like.
 
ATLAS uses ATT&CK’s structural vocabulary deliberately. It organizes adversary behavior into tactics and techniques, uses the same kind of case study format, and is designed to feel familiar to practitioners already working with ATT&CK. The intent is interoperability, not replacement.
 
ATLAS tactics include: Reconnaissance, Resource Development, Initial Access, ML Model Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Discovery, Collection, ML Attack Staging, Exfiltration, and Impact.
 

MITRE took a deep look at almost 900 attacks in one particular model, and when the old framework didn’t fit, they made the new one above.  They observed real attacks in the ‘wild’ and made new categories in a brand-new framework.
The techniques under those tactics are where ATLAS gets specific to the ML domain.
Concepts like:

  • Adversarial examples (inputs crafted to fool a model),
  • Model inversion (extracting training data from a model’s outputs),
  • Data poisoning (corrupting training data to degrade or redirect model behavior),
  • Model stealing (replicating a model’s functionality through repeated queries), and

Prompt injection (manipulating large language model behavior through crafted inputs) have no meaningful equivalent in ATT&CK’s enterprise matrix.

Where do the two frameworks diverge?

The meaningful divergence begins where AI systems introduce genuinely novel attack surfaces that have no equivalent in traditional infrastructure.

The model itself is an attack surface. In traditional security, the attack surface is infrastructure: servers, endpoints, network devices, credentials. In ML security, the trained model‚ its weights, its decision boundaries, its training data‚ is itself something that can be probed, manipulated, and stolen. Techniques like model inversion, membership inference, and model extraction have no ATT&CK analog because they presuppose a target that doesn’t exist in traditional environments.

Attacks can be semantic, not just technical. An adversarial example is a valid input ‚a stop sign, an image, a sentence ‚ that has been perturbed in ways imperceptible to humans but catastrophically misclassified by a model. There’s no malware, no exploit, no CVE. The attack lives entirely in the model’s learned representation of the world. ATT&CK has no framework for this because traditional software doesn’t fail this way.

The training pipeline is a persistent vulnerability. Data poisoning attacks target the training process itself, not the deployed system. An adversary who contaminates training data can embed backdoors, degrade performance on specific inputs, or redirect classification behavior‚ and the effect persists as long as the model remains in production. This is a fundamentally different threat model from anything ATT&CK addresses.

LLM-specific techniques are emerging rapidly. Prompt injection‚ manipulating an LLM’s behavior by embedding adversarial instructions in user input or retrieved context ‚has become one of the most practically relevant attack techniques in AI security, particularly as LLMs are deployed as agents with tool access. ATLAS is actively incorporating this category of techniques; ATT&CK has no natural home for them.

Who Should Use Each (and When to Use Both?)

ATT&CK remains the essential foundation for any security program. If your threat model includes adversaries targeting your infrastructure, and it does‚ ATT&CK provides the vocabulary, detection guidance, and adversary intelligence you need. It’s also the framework with the mature tooling, the large community, and the integration into most commercial security platforms.

ATLAS is essential if your organization develops, deploys, or relies on ML systems in high-stakes contexts. That includes financial services using ML for fraud detection, healthcare organizations using AI in clinical workflows, autonomous systems, content moderation platforms, and any security tooling that incorporates ML — because an adversary who can manipulate your security ML has effectively neutralized a portion of your defense.

The more interesting question is how to use both together. ATLAS is explicitly designed to complement ATT&CK, not replace it. Organizations building threat models for AI-integrated systems need both: ATT&CK to model the infrastructure-layer threats, ATLAS to model the ML-layer threats, and clear thinking about how an adversary might chain the two.

Erik Witkop

By Erik Witkop

Director of Cybersecurity Practice

Security architect with over 25 years experience, starting in the MSS space at Sprint to building security products at Cisco Systems. Erik holds two CCIE certifications along with CISSP, GIAC certs and many more.

FAQs

MITRE ATT&CK documents how adversaries compromise traditional IT infrastructure, including servers, endpoints, and networks. MITRE ATLAS documents how adversaries attack, manipulate, and abuse machine learning systems. ATT&CK dates to 2013 and covers conventional attack techniques; ATLAS launched in 2021 specifically to address the novel attack surfaces introduced by machine learning and large language model deployments. The two frameworks share a structural vocabulary and are designed to be used together, not as alternatives.

Prompt injection is a technique in which adversarial instructions are embedded in user input or retrieved context to manipulate the behavior of a large language model. It has no equivalent in ATT&CK because traditional software does not interpret natural language instructions as executable logic. ATT&CK was designed for infrastructure-layer attacks involving malware, credential theft, and network exploitation. Prompt injection is a semantic attack that operates entirely within a model's learned representation, which is why MITRE ATLAS was developed to capture this and related machine learning-specific techniques.

Federal agencies should use both. ATT&CK remains the essential foundation for any security program and provides the vocabulary, detection guidance, and adversary intelligence needed to address infrastructure-layer threats. ATLAS is essential for any agency that develops, deploys, or relies on machine learning systems in operational or high-stakes contexts. The more important question is how to use the frameworks together: ATT&CK for the infrastructure layer, ATLAS for the machine learning layer, and careful analysis of how adversaries might chain techniques across both.

MITRE ATLAS introduces tactics specific to machine learning systems, including Machine Learning Model Access and Machine Learning Attack Staging, which have no counterpart in ATT&CK. Within those tactics, ATLAS documents techniques such as adversarial examples, model inversion, data poisoning, model stealing, and prompt injection. These techniques presuppose a target, specifically a trained model with decision boundaries and training data, that does not exist in traditional IT environments. ATLAS also documents how attacks against the training pipeline itself can embed persistent effects that survive into production deployment.

Versa integrates ATT&CK framework categorization directly into its dashboards, enabling security teams to visualize and respond to observed attacks mapped to recognized adversary tactics and techniques. As artificial intelligence becomes embedded in both threat activity and defensive tooling, the ability to model and detect machine learning-layer threats becomes equally important. Versa's unified platform, with AI-driven visibility across users, network, and applications, is positioned to support the kind of integrated threat modeling that both frameworks require, particularly for agencies operating across enterprise, tactical, and mission environments.

Subscribe to the Versa Blog

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.