The most comprehensive taxonomy of adversarial attack vectors against AI systems.
15 Tactics · 240 Techniques · 2,152+ Attack Procedures · 4,980+ Prompts
AATMF is a structured threat modeling framework purpose-built for adversarial AI security. It does for AI systems what MITRE ATT&CK does for enterprise networks: it provides a common language, a complete taxonomy, and actionable procedures for identifying, testing, and defending against AI-specific attacks.
Traditional cybersecurity frameworks miss the attack surfaces unique to AI: prompt injection, training data poisoning, model extraction, agentic exploitation, RAG manipulation, and the human feedback loops that shape model behavior. AATMF fills that gap.
Core thesis: AI systems are vulnerable to social engineering because they were trained to respond like humans. This is the first technology where human manipulation techniques directly translate to technical exploitation.
The threat landscape shifted fundamentally in 2025–2026:
| Development | Impact |
|---|---|
| Policy Puppetry bypasses every frontier model | Jailbreaking is now a commodity |
| Reasoning models autonomously jailbreak other models at 97% attack success rate (ASR) | AI-vs-AI attacks are real |
| GTG-1002: first state-sponsored AI-orchestrated cyberattack | Agentic AI is weaponized |
| MCP tool poisoning achieves 84% ASR on production agents | Tool ecosystems are attack surfaces |
| 250 poisoned documents backdoor any model regardless of size | Training poisoning is trivially cheap |
| PoisonedRAG hits 90% ASR with 5 injected texts | RAG security is fundamentally broken |
| Deepfake fraud tripled to $1.1 billion | Real-world harm at scale |
v3 integrates all of this. Every tactic updated. New operational volumes. Namespaced IDs. No more collisions.
I want to...
| Goal | Start Here |
|---|---|
| Understand the framework | Introduction → Architecture |
| Run an AI red team assessment | Red Team Operations → Assessment Checklist |
| Defend my AI system | Blue Team Defense → Mitigation Strategies |
| Respond to an AI incident | Incident Response |
| Map to compliance requirements | Compliance Mapping (EU AI Act, OWASP, MITRE ATLAS) |
| Browse specific attack techniques | Attack Catalog or jump to a tactic |
| Deploy detection signatures | Signatures Library |
| ID | Tactic | Techniques | Objective |
|---|---|---|---|
| T1 | Prompt & Context Subversion | 16 | Manipulate model instructions and context |
| T2 | Semantic & Linguistic Evasion | 20 | Bypass filters through language manipulation |
| T3 | Reasoning & Constraint Exploitation | 19 | Exploit logical reasoning and constraints |
| T4 | Multi-Turn & Memory Manipulation | 16 | Leverage conversation history and memory |
| T5 | Model & API Exploitation | 16 | Attack model interfaces and APIs |
| T6 | Training & Feedback Poisoning | 15 | Corrupt training data and feedback |
| T7 | Output Manipulation & Exfiltration | 15 | Manipulate outputs and extract data |
| T8 | External Deception & Misinformation | 15 | Generate deceptive content |
| T9 | Multimodal & Cross-Channel Attacks | 17 | Attack across modalities |
| T10 | Integrity & Confidentiality Breach | 15 | Extract data and breach integrity |
| T11 | Agentic & Orchestrator Exploitation | 16 | Attack autonomous agents and orchestrators |
| T12 | RAG & Knowledge Base Manipulation | 15 | Poison retrieval systems |
| T13 | AI Supply Chain & Artifact Trust | 15 | Compromise model supply chain |
| T14 | Infrastructure & Economic Warfare | 15 | Attack AI infrastructure |
| T15 | Human Workflow Exploitation | 15 | Manipulate human reviewers and workflows |
AATMF v3
├── 15 Tactics (high-level adversarial objectives)
│ ├── 240 Techniques (specific attack methods)
│ │ ├── 2,152+ Attack Procedures (implementation variants)
│ │ │ └── 4,980+ Unique Prompts
│ │ ├── Detection Patterns
│ │ └── Mitigation Controls
│ └── Risk Scoring (AATMF-R v3)
└── Supporting Infrastructure
├── Detection Signatures (YARA / Sigma / MCP)
├── Response Playbooks
├── Assessment Templates
└── Compliance Mappings (OWASP · MITRE ATLAS · EU AI Act · NIST)
v3 uses namespaced IDs to eliminate collisions:
T{tactic}-AT-{sequence} → Technique ID (e.g., T1-AT-001)
T{tactic}-AP-{sequence}{L} → Attack Procedure (e.g., T1-AP-001A)
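A minimal validator for the two ID shapes, assuming a three-digit sequence and a single trailing letter on procedure IDs, as in the examples above:

```python
import re

# Tactic number 1-15, then -AT-/-AP-, then a 3-digit sequence
# (digit width is assumed from the examples, e.g. T1-AT-001).
TECHNIQUE_ID = re.compile(r"^T(?:[1-9]|1[0-5])-AT-\d{3}$")
PROCEDURE_ID = re.compile(r"^T(?:[1-9]|1[0-5])-AP-\d{3}[A-Z]$")

def classify_id(aatmf_id: str) -> str:
    """Return 'technique', 'procedure', or 'unknown' for an AATMF v3 ID."""
    if TECHNIQUE_ID.match(aatmf_id):
        return "technique"
    if PROCEDURE_ID.match(aatmf_id):
        return "procedure"
    return "unknown"

print(classify_id("T1-AT-001"))    # technique
print(classify_id("T11-AP-042C"))  # procedure
print(classify_id("AT-001"))       # unknown
```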
Risk = ((L × I × E) / 6) × (D / 6) × R × C
| Factor | Range | Description |
|---|---|---|
| L Likelihood | 1–5 | Probability of successful exploitation |
| I Impact | 1–5 | Severity of successful attack |
| E Exploitability | 1–5 | Ease of execution |
| D Detectability | 1–5 | Difficulty of detection (5 = nearly invisible) |
| R Recoverability | 1–5 | Effort to recover (5 = irrecoverable) |
| C Cost Factor | 0.5–2.0 | Economic impact multiplier |
| Score | Rating | Action |
|---|---|---|
| 250+ | 🔴 CRITICAL | Immediate remediation required |
| 200–249 | 🟠 HIGH | Remediation within current sprint |
| 150–199 | 🟡 MEDIUM | Scheduled remediation |
| 100–149 | 🔵 LOW | Risk accepted or monitored |
| 0–99 | ⚪ INFO | Documented, no action required |
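Taking the formula exactly as printed and the rating bands from the table, a scoring helper looks like this (a sketch, not official tooling):

```python
def aatmf_risk(l: int, i: int, e: int, d: int, r: int, c: float) -> float:
    """AATMF-R v3 score per the printed formula:
    Risk = ((L * I * E) / 6) * (D / 6) * R * C
    """
    return (l * i * e) / 6 * (d / 6) * r * c

def rating(score: float) -> str:
    """Map a score onto the rating bands from the table above."""
    if score >= 250:
        return "CRITICAL"
    if score >= 200:
        return "HIGH"
    if score >= 150:
        return "MEDIUM"
    if score >= 100:
        return "LOW"
    return "INFO"

# Worst case: every factor at 5, cost multiplier at 2.0
score = aatmf_risk(l=5, i=5, e=4, d=5, r=4, c=1.5)
print(round(score, 1), rating(score))
```

One caveat worth checking against the full methodology volume: read literally, the formula tops out at (125/6) × (5/6) × 5 × 2.0 ≈ 173.6 with every factor maxed, which never reaches the 250+ CRITICAL band, so the published thresholds presumably pair with additional weighting defined elsewhere in AATMF-R v3.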
| Part | Title |
|---|---|
| 1 | Introduction and Methodology |
| 2 | Risk Assessment Methodology |
| 3 | Framework Architecture |
| Part | Tactic | Tech |
|---|---|---|
| 4 | T1 — Prompt & Context Subversion | 16 |
| 5 | T2 — Semantic & Linguistic Evasion | 20 |
| 6 | T3 — Reasoning & Constraint Exploitation | 19 |
| 7 | T4 — Multi-Turn & Memory Manipulation | 16 |
| 8 | T5 — Model & API Exploitation | 16 |
| 9 | T6 — Training & Feedback Poisoning | 15 |
| 10 | T7 — Output Manipulation & Exfiltration | 15 |
| 11 | T8 — External Deception & Misinformation | 15 |

| Part | Tactic | Tech |
|---|---|---|
| 12 | T9 — Multimodal & Cross-Channel | 17 |
| 13 | T10 — Integrity & Confidentiality Breach | 15 |
| 14 | T11 — Agentic & Orchestrator Exploitation | 16 |
| 15 | T12 — RAG & Knowledge Base Manipulation | 15 |
| Part | Tactic | Tech |
|---|---|---|
| 16 | T13 — AI Supply Chain & Artifact Trust | 15 |
| 17 | T14 — Infrastructure & Economic Warfare | 15 |
| 18 | T15 — Human Workflow Exploitation | 15 |
| Part | Title |
|---|---|
| 19 | Detection Engineering |
| 20 | Mitigation Strategies |
| 21 | Incident Response for AI Systems |
| 22 | Red Team Operations |
| 23 | Blue Team Defense |
| Part | Title |
|---|---|
| 24 | Risk Management Framework |
| 25 | Compliance and Standards Mapping |
| 26 | Training and Awareness Programs |
| Appendix | Title |
|---|---|
| A | Complete Attack Catalog |
| B | Detection Signatures Library |
| C | Tools and Scripts Reference |
| D | Templates and Checklists |
| E | Case Studies |
| F | Glossary and References |
| Framework | Alignment |
|---|---|
| MITRE ATLAS v4.6.0 | Full mapping — 15 tactics, 66 techniques, 46 sub-techniques |
| OWASP LLM Top 10 2025 | Direct coverage of LLM01–LLM10 including new LLM07, LLM08 |
| OWASP Agentic Top 10 | Mapping to agentic-specific threats (Dec 2025) |
| NIST AI RMF / IR 8596 | Control overlays per Cyber AI Profile |
| EU AI Act | Risk category mapping, prohibited practice identification |
| CWE/CVE | Specific vulnerability cross-references |
Pre-built rules in signatures/:
signatures/
├── yara/
│ ├── t01-prompt-injection.yar
│ ├── t02-encoding-evasion.yar
│ ├── t09-multimodal-injection.yar
│ ├── t11-mcp-tool-poisoning.yar
│ └── t13-supply-chain.yar
├── sigma/
│ ├── t05-model-extraction.yml
│ ├── t07-data-exfiltration.yml
│ ├── t11-agent-anomaly.yml
│ └── t14-infrastructure.yml
└── README.md
This framework is published for defensive and authorized security research purposes only.
- Test only systems you own or have explicit written permission to test
- Practice responsible disclosure
- Comply with applicable laws and regulations
The dual-use nature is acknowledged: documenting attacks enables defense. Every technique includes detection patterns and mitigation controls.
See CONTRIBUTING.md. High-value contributions: new techniques with mitigations, detection signatures, cross-framework mappings, case studies.
@misc{aizen2026aatmf,
title = {AATMF v3: Adversarial AI Threat Modeling Framework},
author = {Aizen, Kai},
year = {2026},
url = {https://github.com/snailsploit/aatmf},
note = {15 tactics, 240 techniques, 2,152+ procedures}
}
Created by Kai Aizen (SnailSploit) · GenAI Security Research
Start Reading →