
AATMF v3

The most comprehensive taxonomy of adversarial attack vectors against AI systems.
15 Tactics · 240 Techniques · 2,152+ Attack Procedures · 4,980+ Prompts


Quick Start · The 15 Tactics · Who It's For · Start Reading →



What is AATMF?

AATMF is a structured threat modeling framework purpose-built for adversarial AI security. It does for AI systems what MITRE ATT&CK does for enterprise networks: it provides a common language, a complete taxonomy, and actionable procedures for identifying, testing, and defending against AI-specific attacks.

Traditional cybersecurity frameworks miss the attack surfaces unique to AI: prompt injection, training data poisoning, model extraction, agentic exploitation, RAG manipulation, and the human feedback loops that shape model behavior. AATMF fills that gap.

Core thesis: AI systems are vulnerable to social engineering because they were trained to respond like humans. This is the first technology where human manipulation techniques directly translate to technical exploitation.

Why v3?

The threat landscape shifted fundamentally in 2025–2026:

| Development | Impact |
|---|---|
| Policy Puppetry bypasses every frontier model | Jailbreaking is now a commodity |
| Reasoning models autonomously jailbreak other models at 97% ASR | AI-vs-AI attacks are real |
| GTG-1002: first state-sponsored AI-orchestrated cyberattack | Agentic AI is weaponized |
| MCP tool poisoning achieves 84% ASR on production agents | Tool ecosystems are attack surfaces |
| 250 poisoned documents backdoor any model regardless of size | Training poisoning is trivially cheap |
| PoisonedRAG hits 90% ASR with 5 injected texts | RAG security is fundamentally broken |
| Deepfake fraud tripled to $1.1 billion | Real-world harm at scale |

v3 integrates all of this. Every tactic updated. New operational volumes. Namespaced IDs. No more collisions.


Who Is This For?

| You are a… | Use AATMF to… | Start here |
|---|---|---|
| 🔴 Red Teamer / Pentester | Plan and run structured adversarial AI assessments with reproducible procedure IDs | Red Team Ops · Attack Catalog |
| 🔵 Blue Team / SOC | Build detections, harden defenses, and respond to AI-specific incidents | Blue Team Defense · Signatures |
| 🧠 AI / ML Engineer | Threat-model and harden models, RAG, and agents before they ship | Architecture · Mitigation |
| 🔬 Security Researcher | Publish against a shared taxonomy with collision-free identifiers | Identifier System · Attack Catalog |
| 📋 GRC / Compliance | Map AI risk to EU AI Act, NIST AI RMF, and OWASP | Compliance Mapping · Risk Management |
| 🏛️ CISO / Leadership | Quantify, prioritize, and report AI risk to the board | Risk Scoring · Risk Management |

Quick Start

I want to...

| Goal | Start Here |
|---|---|
| Understand the framework | Introduction → Architecture |
| Run an AI red team assessment | Red Team Operations → Assessment Checklist |
| Defend my AI system | Blue Team Defense → Mitigation Strategies |
| Respond to an AI incident | Incident Response |
| Map to compliance requirements | Compliance Mapping (EU AI Act, OWASP, MITRE ATLAS) |
| Browse specific attack techniques | Attack Catalog or jump to a tactic |
| Deploy detection signatures | Signatures Library |

The 15 Tactics

| ID | Tactic | Techniques | Objective | |
|---|---|---|---|---|
| T1 | Prompt & Context Subversion | 16 | Manipulate model instructions and context | → |
| T2 | Semantic & Linguistic Evasion | 20 | Bypass filters through language manipulation | → |
| T3 | Reasoning & Constraint Exploitation | 19 | Exploit logical reasoning and constraints | → |
| T4 | Multi-Turn & Memory Manipulation | 16 | Leverage conversation history and memory | → |
| T5 | Model & API Exploitation | 16 | Attack model interfaces and APIs | → |
| T6 | Training & Feedback Poisoning | 15 | Corrupt training data and feedback | → |
| T7 | Output Manipulation & Exfiltration | 15 | Manipulate outputs and extract data | → |
| T8 | External Deception & Misinformation | 15 | Generate deceptive content | → |
| T9 | Multimodal & Cross-Channel Attacks | 17 | Attack across modalities | → |
| T10 | Integrity & Confidentiality Breach | 15 | Extract data and breach integrity | → |
| T11 | Agentic & Orchestrator Exploitation | 16 | Attack autonomous agents and orchestrators | → |
| T12 | RAG & Knowledge Base Manipulation | 15 | Poison retrieval systems | → |
| T13 | AI Supply Chain & Artifact Trust | 15 | Compromise model supply chain | → |
| T14 | Infrastructure & Economic Warfare | 15 | Attack AI infrastructure | → |
| T15 | Human Workflow Exploitation | 15 | Manipulate human reviewers and workflows | → |

How It Fits Together

Every attack maps to one of 15 tactics across three domains, scores against a single risk model, and resolves to concrete detection, mitigation, and response:

```mermaid
flowchart TB
    AI(["AI System Under Test"])
    AI --> CORE["Core Tactics (T1-T8)<br/>Prompt · Semantic · Reasoning · Memory<br/>API · Training · Output · Deception"]
    AI --> ADV["Advanced Tactics (T9-T12)<br/>Multimodal · Integrity · Agentic · RAG"]
    AI --> INFRA["Infrastructure & Human (T13-T15)<br/>Supply Chain · Infrastructure · Human Workflow"]
    CORE --> R["AATMF-R v3 Risk Scoring<br/>L × I × E ÷ 6 × D ÷ 6 × R × C"]
    ADV --> R
    INFRA --> R
    R --> DEF{"Detect · Mitigate · Respond"}
    classDef surface fill:#0D1B2A,stroke:#2E86AB,color:#fff;
    classDef group fill:#1B263B,stroke:#2E86AB,color:#fff;
    classDef score fill:#F39C12,stroke:#b9770e,color:#1a1a1a;
    classDef def fill:#27AE60,stroke:#1e8449,color:#fff;
    class AI surface;
    class CORE,ADV,INFRA group;
    class R score;
    class DEF def;
```

The same human-manipulation playbook that works on people works on models. AATMF catalogs that translation end to end, from initial access through detection and response.


Framework Structure

```text
AATMF v3
├── 15 Tactics (high-level adversarial objectives)
│   ├── 240 Techniques (specific attack methods)
│   │   ├── 2,152+ Attack Procedures (implementation variants)
│   │   │   └── 4,980+ Unique Prompts
│   │   ├── Detection Patterns
│   │   └── Mitigation Controls
│   └── Risk Scoring (AATMF-R v3)
└── Supporting Infrastructure
    ├── Detection Signatures (YARA / Sigma / MCP)
    ├── Response Playbooks
    ├── Assessment Templates
    └── Compliance Mappings (OWASP · MITRE ATLAS · EU AI Act · NIST)
```

Identifier System

v3 uses namespaced IDs to eliminate collisions:

```text
T{tactic}-AT-{sequence}     →  Technique ID       (e.g., T1-AT-001)
T{tactic}-AP-{sequence}{L}  →  Attack Procedure   (e.g., T1-AP-001A)
```
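A parser for the namespaced ID scheme above, added here as an example and not code from the AATMF repository. It assumes, from the two examples given, that the sequence is exactly three digits and that the procedure variant is a single uppercase letter (required for AP, absent for AT); tactic numbers are checked against the 15 tactics listed in this README.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Tactic names as listed in the README's "The 15 Tactics" table.
TACTICS = {
    1: "Prompt & Context Subversion", 2: "Semantic & Linguistic Evasion",
    3: "Reasoning & Constraint Exploitation", 4: "Multi-Turn & Memory Manipulation",
    5: "Model & API Exploitation", 6: "Training & Feedback Poisoning",
    7: "Output Manipulation & Exfiltration", 8: "External Deception & Misinformation",
    9: "Multimodal & Cross-Channel Attacks", 10: "Integrity & Confidentiality Breach",
    11: "Agentic & Orchestrator Exploitation", 12: "RAG & Knowledge Base Manipulation",
    13: "AI Supply Chain & Artifact Trust", 14: "Infrastructure & Economic Warfare",
    15: "Human Workflow Exploitation",
}

# Assumption (inferred from T1-AT-001 and T1-AP-001A): three-digit sequence,
# one optional uppercase variant letter. A leading zero in the tactic (T01) is tolerated.
_ID_RE = re.compile(r"^T(?P<tactic>\d{1,2})-(?P<kind>AT|AP)-(?P<seq>\d{3})(?P<variant>[A-Z])?$")


@dataclass(frozen=True)
class AatmfId:
    tactic: int
    kind: str               # "AT" = technique, "AP" = attack procedure
    sequence: int
    variant: Optional[str]  # variant letter, only present on AP ids
    tactic_name: str


def parse_aatmf_id(raw: str) -> AatmfId:
    """Parse and validate an ID; raise ValueError for anything malformed."""
    m = _ID_RE.match(raw.strip())
    if not m:
        raise ValueError(f"malformed AATMF id: {raw!r}")
    tactic = int(m["tactic"])
    if tactic not in TACTICS:
        raise ValueError(f"unknown tactic T{tactic} in {raw!r}")
    kind, variant = m["kind"], m["variant"]
    if kind == "AP" and variant is None:
        raise ValueError(f"attack procedure id needs a variant letter: {raw!r}")
    if kind == "AT" and variant is not None:
        raise ValueError(f"technique id must not carry a variant letter: {raw!r}")
    return AatmfId(tactic, kind, int(m["seq"]), variant, TACTICS[tactic])


def is_valid_aatmf_id(raw: str) -> bool:
    """Boolean convenience wrapper for bulk validation of catalog references."""
    try:
        parse_aatmf_id(raw)
        return True
    except ValueError:
        return False
```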

Risk Scoring (AATMF-R v3)

`Risk = (L × I × E) / 6 × (D / 6) × R × C`

| Factor | Range | Description |
|---|---|---|
| L Likelihood | 1–5 | Probability of successful exploitation |
| I Impact | 1–5 | Severity of successful attack |
| E Exploitability | 1–5 | Ease of execution |
| D Detectability | 1–5 | Difficulty of detection (5 = nearly invisible) |
| R Recoverability | 1–5 | Effort to recover (5 = irrecoverable) |
| C Cost Factor | 0.5–2.0 | Economic impact multiplier |

| Score | Rating | Action |
|---|---|---|
| 250+ | 🔴 CRITICAL | Immediate remediation required |
| 200–249 | 🟠 HIGH | Remediation within current sprint |
| 150–199 | 🟡 MEDIUM | Scheduled remediation |
| 100–149 | 🔵 LOW | Risk accepted or monitored |
| 0–99 | ⚪ INFO | Documented, no action required |
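An implementation of the AATMF-R v3 formula and rating bands exactly as printed above, added as an example (not code from the repository); the factor names and range checks are the README's, the `assess` and `max_score` helpers are mine.

```python
from dataclasses import dataclass

# Added example: AATMF-R v3 formula and bands as printed in the README.
# (lower bound, rating, action) from the score table, highest band first.
RATING_BANDS = (
    (250, "CRITICAL", "Immediate remediation required"),
    (200, "HIGH", "Remediation within current sprint"),
    (150, "MEDIUM", "Scheduled remediation"),
    (100, "LOW", "Risk accepted or monitored"),
    (0, "INFO", "Documented, no action required"),
)


@dataclass(frozen=True)
class RiskFactors:
    likelihood: int      # L: probability of successful exploitation, 1-5
    impact: int          # I: severity of a successful attack, 1-5
    exploitability: int  # E: ease of execution, 1-5
    detectability: int   # D: difficulty of detection, 1-5 (5 = nearly invisible)
    recoverability: int  # R: effort to recover, 1-5 (5 = irrecoverable)
    cost: float = 1.0    # C: economic impact multiplier, 0.5-2.0

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact", "exploitability",
                     "detectability", "recoverability"):
            value = getattr(self, name)
            if not isinstance(value, int) or not 1 <= value <= 5:
                raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
        if not 0.5 <= self.cost <= 2.0:
            raise ValueError(f"cost must be between 0.5 and 2.0, got {self.cost!r}")


def risk_score(f: RiskFactors) -> float:
    """Risk = (L x I x E) / 6 x (D / 6) x R x C, as printed in the README."""
    return ((f.likelihood * f.impact * f.exploitability) / 6
            * (f.detectability / 6) * f.recoverability * f.cost)


def rating(score: float) -> tuple:
    """Map a score onto the README's bands; each band's lower bound is inclusive."""
    for floor, label, action in RATING_BANDS:
        if score >= floor:
            return label, action
    raise ValueError(f"score must be non-negative, got {score!r}")


def assess(f: RiskFactors) -> dict:
    """Score one finding and attach its rating and required action."""
    score = risk_score(f)
    label, action = rating(score)
    return {"score": round(score, 2), "rating": label, "action": action}


def max_score() -> float:
    """Largest score the formula can produce with every factor at its ceiling."""
    return risk_score(RiskFactors(5, 5, 5, 5, 5, 2.0))
```

With every factor at its ceiling the formula yields about 173.6, so the 250+ and 200–249 bands cannot be reached with the ranges as printed here; confirm the intended scaling against the full Risk Assessment Methodology (Part 2) before building tooling on these bands.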

Full Table of Contents

| Part | Title |
|---|---|
| 1 | Introduction and Methodology |
| 2 | Risk Assessment Methodology |
| 3 | Framework Architecture |

| Part | Tactic | Techniques |
|---|---|---|
| 4 | T1: Prompt & Context Subversion | 16 |
| 5 | T2: Semantic & Linguistic Evasion | 20 |
| 6 | T3: Reasoning & Constraint Exploitation | 19 |
| 7 | T4: Multi-Turn & Memory Manipulation | 16 |
| 8 | T5: Model & API Exploitation | 16 |
| 9 | T6: Training & Feedback Poisoning | 15 |
| 10 | T7: Output Manipulation & Exfiltration | 15 |
| 11 | T8: External Deception & Misinformation | 15 |

| Part | Tactic | Techniques |
|---|---|---|
| 12 | T9: Multimodal & Cross-Channel | 17 |
| 13 | T10: Integrity & Confidentiality Breach | 15 |
| 14 | T11: Agentic & Orchestrator Exploitation | 16 |
| 15 | T12: RAG & Knowledge Base Manipulation | 15 |

| Part | Tactic | Techniques |
|---|---|---|
| 16 | T13: AI Supply Chain & Artifact Trust | 15 |
| 17 | T14: Infrastructure & Economic Warfare | 15 |
| 18 | T15: Human Workflow Exploitation | 15 |

| Part | Title |
|---|---|
| 19 | Detection Engineering |
| 20 | Mitigation Strategies |
| 21 | Incident Response for AI Systems |
| 22 | Red Team Operations |
| 23 | Blue Team Defense |

| Part | Title |
|---|---|
| 24 | Risk Management Framework |
| 25 | Compliance and Standards Mapping |
| 26 | Training and Awareness Programs |

| Appendix | Title |
|---|---|
| A | Complete Attack Catalog |
| B | Detection Signatures Library |
| C | Tools and Scripts Reference |
| D | Templates and Checklists |
| E | Case Studies |
| F | Glossary and References |

Cross-Framework Mapping

| Framework | Alignment |
|---|---|
| MITRE ATLAS v4.6.0 | Full mapping: 15 tactics, 66 techniques, 46 sub-techniques |
| OWASP LLM Top 10 2025 | Direct coverage of LLM01–LLM10 including new LLM07, LLM08 |
| OWASP Agentic Top 10 | Mapping to agentic-specific threats (Dec 2025) |
| NIST AI RMF / IR 8596 | Control overlays per Cyber AI Profile |
| EU AI Act | Risk category mapping, prohibited practice identification |
| CWE/CVE | Specific vulnerability cross-references |

Detection Signatures

Pre-built rules in signatures/:

```text
signatures/
├── yara/
│   ├── t01-prompt-injection.yar
│   ├── t02-encoding-evasion.yar
│   ├── t09-multimodal-injection.yar
│   ├── t11-mcp-tool-poisoning.yar
│   └── t13-supply-chain.yar
├── sigma/
│   ├── t05-model-extraction.yml
│   ├── t07-data-exfiltration.yml
│   ├── t11-agent-anomaly.yml
│   └── t14-infrastructure.yml
└── README.md
```

Ethical Use

This framework is published for defensive and authorized security research purposes only.

  • Test only systems you own or have explicit written permission to test
  • Practice responsible disclosure
  • Comply with applicable laws and regulations

The dual-use nature is acknowledged: documenting attacks enables defense. Every technique includes detection patterns and mitigation controls.


Contributing

See CONTRIBUTING.md. High-value contributions: new techniques with mitigations, detection signatures, cross-framework mappings, case studies.


Citation

@misc{aizen2026aatmf,
  title   = {AATMF v3: Adversarial AI Threat Modeling Framework},
  author  = {Aizen, Kai},
  year    = {2026},
  url     = {https://github.com/SnailSploit/AATMF-Adversarial-AI-Threat-Modeling-Framework},
  note    = {15 tactics, 240 techniques, 2,152+ procedures}
}

Created by Kai Aizen (SnailSploit) · GenAI Security Research

Start Reading →


📚 Documentation & Author

This project's full writeup, methodology, and related research lives at:

https://snailsploit.com/aatmf

Created by Kai Aizen, independent offensive security researcher.

snailsploit.com · Research · Frameworks · GitHub · LinkedIn · ResearchGate · X/Twitter

Same attack. Different substrate.