MITRE ATLAS (Adversarial Threat Landscape for AI Systems) is a knowledge base of adversarial techniques against AI. ai-blackteam maps every attack to specific ATLAS technique IDs from v5.4.0.

Viewing ATLAS mappings

ai-blackteam atlas
This prints a table of every attack with its ATLAS technique IDs and names:
MITRE ATLAS Attack Mappings (v5.4.0)

Attack                    ATLAS Techniques              Technique Names
encoding-obfuscation      AML.T0051.000, AML.T0068     LLM Prompt Injection: Direct, LLM Prompt Obfuscation
dan-variants              AML.T0054, AML.T0051.000      LLM Jailbreak, LLM Prompt Injection: Direct
system-prompt-extraction  AML.T0056, AML.T0069.002      Extract LLM System Prompt, Discover LLM System Info
agent-credential-theft    AML.T0083, AML.T0086          Credentials from AI Agent Config, Exfiltration via Tool
xpia-document             AML.T0051.001                  LLM Prompt Injection: Indirect
mcp-tool-poisoning        AML.T0051.000, AML.T0054      LLM Prompt Injection: Direct, LLM Jailbreak
...

Key techniques mapped

ai-blackteam covers these ATLAS techniques across its attack library:
Technique ID   Name                                    Tactic                ai-blackteam attacks
AML.T0051      LLM Prompt Injection                    Initial Access        SSRF probing, SQL injection
AML.T0051.000  Prompt Injection: Direct                Initial Access        Encoding, obfuscation, context manipulation, meta-prompting
AML.T0051.001  Prompt Injection: Indirect              Initial Access        XPIA (document, email, RAG), XML boundary injection
AML.T0054      LLM Jailbreak                           Defense Evasion       DAN variants, skeleton key, role-play bypass
AML.T0056      Extract LLM System Prompt               Discovery             System prompt extraction, prompt leaking
AML.T0061      LLM Prompt Self-Replication             Persistence           Recursive injection
AML.T0065      LLM Prompt Crafting                     Resource Development  Crescendo, deceptive delight, many-shot, few-shot
AML.T0067      Trusted Output Components Manipulation  Impact                Markdown injection, XSS injection
AML.T0068      LLM Prompt Obfuscation                  Defense Evasion       All encoding attacks, cipher attacks, multilingual
AML.T0069.002  Discover System Prompt                  Discovery             System prompt extraction
AML.T0080.002  AI Agent Context Poisoning: Thread      Persistence           Context manipulation, progressive normalization
AML.T0043.003  Craft Adversarial Data: Manual          ML Attack Staging     Best-of-N, morse code, braille, emoji substitution
AML.T0050      Command and Scripting Interpreter       Execution             Agent command injection
AML.T0053      LLM Plugin Compromise                   Execution             Agent plugin hijack, MCP rug pull
AML.T0081      Modify AI Agent Configuration           Persistence           Agent config manipulation
AML.T0083      Credentials from AI Agent Config        Credential Access     Agent credential theft, API key extraction
AML.T0086      Exfiltration via AI Agent Tool          Exfiltration          Agent data exfiltration, MCP data exfiltration
AML.T0098      AI Agent Tool Credential Harvesting     Credential Access     Agent tool credential harvest
AML.T0101      Data Destruction via AI Agent Tool      Impact                Agent data destruction
AML.T0105      Escape to Host                          Impact                Agent command injection
AML.T0018      Backdoor ML Model                       ML Attack Staging     Model poisoning, finetune exploit
AML.T0020      Poison Training Data                    ML Attack Staging     Dataset poisoning, knowledge base poisoning
AML.T0040      ML Model Inference API Access           Initial Access        MCP command injection

Using ATLAS in reports

Each attack’s metadata includes its ATLAS technique IDs. When you run ai-blackteam taxonomy, the MITRE ATLAS column shows these IDs alongside OWASP mappings. For threat modeling, you can use ai-blackteam’s ATLAS mappings to demonstrate which adversarial techniques you’ve tested against. This is useful for:
  • Red team reports - Reference specific ATLAS technique IDs your testing covered
  • Threat models - Map your model’s attack surface to ATLAS tactics
  • Security assessments - Show which techniques are blocked vs. which succeed
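
As an added example (not part of ai-blackteam or its documentation), the Python below parses rows in the layout that ai-blackteam atlas prints and rolls per-attack results up to ATLAS technique IDs for an assessment report. The OUTCOMES dictionary, the function names and the roll-up rule (a technique counts as blocked only when every tested attack mapped to it was blocked) are assumptions made for this example, not a format the tool emits.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the `ai-blackteam atlas` table shown above.
ATLAS_TABLE = """\
Attack                    ATLAS Techniques              Technique Names
encoding-obfuscation      AML.T0051.000, AML.T0068     LLM Prompt Injection: Direct, LLM Prompt Obfuscation
dan-variants              AML.T0054, AML.T0051.000      LLM Jailbreak, LLM Prompt Injection: Direct
system-prompt-extraction  AML.T0056, AML.T0069.002      Extract LLM System Prompt, Discover LLM System Info
xpia-document             AML.T0051.001                  LLM Prompt Injection: Indirect
"""

# Hypothetical per-attack results (True = the target blocked the attack).
# xpia-document is deliberately absent to show an untested technique.
OUTCOMES = {
    "encoding-obfuscation": True,
    "dan-variants": False,
    "system-prompt-extraction": True,
}

# ATLAS technique ID, with an optional three-digit sub-technique suffix.
TECH_ID = re.compile(r"AML\.T\d{4}(?:\.\d{3})?")

def parse_atlas_table(text):
    """Return {attack name: [technique IDs]}; the header row has no IDs and is skipped."""
    mapping = {}
    for line in text.splitlines():
        ids = TECH_ID.findall(line)
        if ids:
            mapping[line.split()[0]] = ids
    return mapping

def technique_coverage(mapping, outcomes):
    """Classify each technique as 'blocked', 'succeeded' or 'untested'."""
    per_tech = defaultdict(list)
    for attack, ids in mapping.items():
        for tid in ids:
            results = per_tech[tid]          # creates the entry even if untested
            if attack in outcomes:
                results.append(outcomes[attack])
    return {tid: "untested" if not r else "blocked" if all(r) else "succeeded"
            for tid, r in per_tech.items()}

if __name__ == "__main__":
    for tid, status in sorted(technique_coverage(parse_atlas_table(ATLAS_TABLE), OUTCOMES).items()):
        print(f"{tid:<15}{status}")
```

Because one technique is shared by several attacks, AML.T0051.000 is reported as succeeded here even though encoding-obfuscation was blocked; reporting per attack alone would hide that.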

Viewing the full framework

For a complete view of all framework mappings (NIST, EU AI Act, MLCommons, ATLAS) for each harm category:
ai-blackteam frameworks
This prints three tables: NIST AI RMF functions, EU AI Act risk classification, and a combined harm category alignment matrix.