The most comprehensive taxonomy of adversarial attack vectors against AI systems.
15 Tactics · 240 Techniques · 2,152+ Attack Procedures · 4,980+ Prompts
Quick Start · The 15 Tactics · Who It's For · Start Reading →
AATMF is a structured threat modeling framework purpose-built for adversarial AI security. It does for AI systems what MITRE ATT&CK does for enterprise networks: it provides a common language, a complete taxonomy, and actionable procedures for identifying, testing, and defending against AI-specific attacks.
Traditional cybersecurity frameworks miss the attack surfaces unique to AI: prompt injection, training data poisoning, model extraction, agentic exploitation, RAG manipulation, and the human feedback loops that shape model behavior. AATMF fills that gap.
Core thesis: AI systems are vulnerable to social engineering because they were trained to respond like humans. This is the first technology where human manipulation techniques directly translate to technical exploitation.
The threat landscape shifted fundamentally in 2025–2026:
| Development | Impact |
|---|---|
| Policy Puppetry bypasses every frontier model | Jailbreaking is now a commodity |
| Reasoning models autonomously jailbreak other models at a 97% attack success rate (ASR) | AI-vs-AI attacks are real |
| GTG-1002: first state-sponsored AI-orchestrated cyberattack | Agentic AI is weaponized |
| MCP tool poisoning achieves 84% ASR on production agents | Tool ecosystems are attack surfaces |
| 250 poisoned documents backdoor any model regardless of size | Training poisoning is trivially cheap |
| PoisonedRAG hits 90% ASR with 5 injected texts | RAG security is fundamentally broken |
| Deepfake fraud tripled to $1.1 billion | Real-world harm at scale |
v3 integrates all of this. Every tactic updated. New operational volumes. Namespaced IDs. No more collisions.
| You are a… | Use AATMF to… | Start here |
|---|---|---|
| Red Teamer / Pentester | Plan and run structured adversarial AI assessments with reproducible procedure IDs | Red Team Ops · Attack Catalog |
| Blue Team / SOC | Build detections, harden defenses, and respond to AI-specific incidents | Blue Team Defense · Signatures |
| AI / ML Engineer | Threat-model and harden models, RAG, and agents before they ship | Architecture · Mitigation |
| Security Researcher | Publish against a shared taxonomy with collision-free identifiers | Identifier System · Attack Catalog |
| GRC / Compliance | Map AI risk to EU AI Act, NIST AI RMF, and OWASP | Compliance Mapping · Risk Management |
| CISO / Leadership | Quantify, prioritize, and report AI risk to the board | Risk Scoring · Risk Management |
I want to...
| Goal | Start Here |
|---|---|
| Understand the framework | Introduction → Architecture |
| Run an AI red team assessment | Red Team Operations → Assessment Checklist |
| Defend my AI system | Blue Team Defense → Mitigation Strategies |
| Respond to an AI incident | Incident Response |
| Map to compliance requirements | Compliance Mapping (EU AI Act, OWASP, MITRE ATLAS) |
| Browse specific attack techniques | Attack Catalog or jump to a tactic |
| Deploy detection signatures | Signatures Library |
| ID | Tactic | Techniques | Objective |
|---|---|---|---|
| T1 | Prompt & Context Subversion | 16 | Manipulate model instructions and context |
| T2 | Semantic & Linguistic Evasion | 20 | Bypass filters through language manipulation |
| T3 | Reasoning & Constraint Exploitation | 19 | Exploit logical reasoning and constraints |
| T4 | Multi-Turn & Memory Manipulation | 16 | Leverage conversation history and memory |
| T5 | Model & API Exploitation | 16 | Attack model interfaces and APIs |
| T6 | Training & Feedback Poisoning | 15 | Corrupt training data and feedback |
| T7 | Output Manipulation & Exfiltration | 15 | Manipulate outputs and extract data |
| T8 | External Deception & Misinformation | 15 | Generate deceptive content |
| T9 | Multimodal & Cross-Channel Attacks | 17 | Attack across modalities |
| T10 | Integrity & Confidentiality Breach | 15 | Extract data and breach integrity |
| T11 | Agentic & Orchestrator Exploitation | 16 | Attack autonomous agents and orchestrators |
| T12 | RAG & Knowledge Base Manipulation | 15 | Poison retrieval systems |
| T13 | AI Supply Chain & Artifact Trust | 15 | Compromise model supply chain |
| T14 | Infrastructure & Economic Warfare | 15 | Attack AI infrastructure |
| T15 | Human Workflow Exploitation | 15 | Manipulate human reviewers and workflows |
Every attack maps to one of 15 tactics across three domains, scores against a single risk model, and resolves to concrete detection, mitigation, and response:
```mermaid
flowchart TB
    AI(["AI System Under Test"])
    AI --> CORE["Core Tactics: T1-T8<br/>Prompt · Semantic · Reasoning · Memory<br/>API · Training · Output · Deception"]
    AI --> ADV["Advanced Tactics: T9-T12<br/>Multimodal · Integrity · Agentic · RAG"]
    AI --> INFRA["Infrastructure & Human: T13-T15<br/>Supply Chain · Infrastructure · Human Workflow"]
    CORE --> R["AATMF-R v3 Risk Scoring<br/>L × I × E ÷ 6 × D ÷ 6 × R × C"]
    ADV --> R
    INFRA --> R
    R --> DEF{"Detect · Mitigate · Respond"}
    classDef surface fill:#0D1B2A,stroke:#2E86AB,color:#fff;
    classDef group fill:#1B263B,stroke:#2E86AB,color:#fff;
    classDef score fill:#F39C12,stroke:#b9770e,color:#1a1a1a;
    classDef def fill:#27AE60,stroke:#1e8449,color:#fff;
    class AI surface;
    class CORE,ADV,INFRA group;
    class R score;
    class DEF def;
```
The same human-manipulation playbook that works on people works on models. AATMF catalogs that translation end to end β from initial access through detection and response.
```text
AATMF v3
├── 15 Tactics (high-level adversarial objectives)
│   ├── 240 Techniques (specific attack methods)
│   │   ├── 2,152+ Attack Procedures (implementation variants)
│   │   │   └── 4,980+ Unique Prompts
│   │   ├── Detection Patterns
│   │   └── Mitigation Controls
│   └── Risk Scoring (AATMF-R v3)
└── Supporting Infrastructure
    ├── Detection Signatures (YARA / Sigma / MCP)
    ├── Response Playbooks
    ├── Assessment Templates
    └── Compliance Mappings (OWASP · MITRE ATLAS · EU AI Act · NIST)
```
v3 uses namespaced IDs to eliminate collisions:

```text
T{tactic}-AT-{sequence}     → Technique ID (e.g., T1-AT-001)
T{tactic}-AP-{sequence}{L}  → Attack Procedure (e.g., T1-AP-001A)
```
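The parser below is an added example, not code from the AATMF repository. It validates both ID forms shown above (tactic in T1..T15, `AT` for techniques, `AP` plus a single variant letter for procedures), normalises them to a canonical string, and then runs the two checks the namespacing exists to make cheap: duplicate IDs in a catalog and procedures whose parent technique is missing. Function names and the sample IDs are assumptions; so is the rule that a procedure's three-digit sequence names its parent technique (T1-AP-001A belongs to T1-AT-001), which the README does not state.

```python
"""Parse, validate and cross-check AATMF v3 namespaced identifiers.

Added example; not part of the AATMF project. Names and sample IDs are
illustrative.
"""
import re
from dataclasses import dataclass
from typing import Optional

TACTIC_COUNT = 15  # T1..T15 as listed in the tactics table

# Anchored pattern: tactic number without leading zeros, kind (AT = technique,
# AP = attack procedure), three-digit sequence, optional upper-case variant.
_ID_RE = re.compile(
    r"^T(?P<tactic>[1-9]\d?)-(?P<kind>AT|AP)-(?P<seq>\d{3})(?P<variant>[A-Z])?$"
)


@dataclass(frozen=True)
class AatmfId:
    tactic: int
    kind: str               # "AT" or "AP"
    seq: int
    variant: Optional[str]  # "A" for T1-AP-001A; None for technique IDs

    @property
    def technique(self) -> str:
        """Parent technique ID. ASSUMPTION: a procedure shares its sequence
        number with the technique it implements."""
        return f"T{self.tactic}-AT-{self.seq:03d}"

    def __str__(self) -> str:
        return f"T{self.tactic}-{self.kind}-{self.seq:03d}{self.variant or ''}"


def parse_id(text: str) -> AatmfId:
    """Parse one ID; raise ValueError for anything that does not match the
    documented forms, so malformed IDs never silently enter a report."""
    m = _ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed AATMF ID: {text!r}")
    tactic = int(m["tactic"])
    if not 1 <= tactic <= TACTIC_COUNT:
        raise ValueError(f"tactic T{tactic} is outside T1..T{TACTIC_COUNT}")
    kind, variant = m["kind"], m["variant"]
    if kind == "AT" and variant:
        raise ValueError(f"technique IDs carry no variant letter: {text!r}")
    if kind == "AP" and not variant:
        raise ValueError(f"procedure IDs require a variant letter: {text!r}")
    return AatmfId(tactic, kind, int(m["seq"]), variant)


def is_valid_id(text: str) -> bool:
    """Boolean wrapper around parse_id for filtering and assertions."""
    try:
        parse_id(text)
        return True
    except ValueError:
        return False


def check_catalog(ids: list[str]) -> tuple[list[str], list[str]]:
    """Return (duplicate IDs, procedures with no technique in the catalog).
    Duplicates are reported once per extra occurrence, in input order."""
    parsed = [parse_id(i) for i in ids]
    seen: set[str] = set()
    dupes: list[str] = []
    for p in parsed:
        key = str(p)
        if key in seen:
            dupes.append(key)
        seen.add(key)
    techniques = {str(p) for p in parsed if p.kind == "AT"}
    orphans = [str(p) for p in parsed
               if p.kind == "AP" and p.technique not in techniques]
    return dupes, orphans


if __name__ == "__main__":
    # Constructed sample catalog: one duplicate, one orphaned procedure.
    sample = ["T1-AT-001", "T1-AP-001A", "T1-AP-001B", "T12-AP-003A", "T1-AP-001A"]
    dupes, orphans = check_catalog(sample)
    print("duplicates:", dupes)   # ['T1-AP-001A']
    print("orphans:   ", orphans) # ['T12-AP-003A']
```

Running `check_catalog` over a pull request's new entries before merge is the cheapest way to keep the "no more collisions" property true as contributors add techniques.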
```text
Risk = (L × I × E) / 6 × (D / 6) × R × C
```

| Factor | Range | Description |
|---|---|---|
| L Likelihood | 1–5 | Probability of successful exploitation |
| I Impact | 1–5 | Severity of successful attack |
| E Exploitability | 1–5 | Ease of execution |
| D Detectability | 1–5 | Difficulty of detection (5 = nearly invisible) |
| R Recoverability | 1–5 | Effort to recover (5 = irrecoverable) |
| C Cost Factor | 0.5–2.0 | Economic impact multiplier |
| Score | Rating | Action |
|---|---|---|
| 250+ | CRITICAL | Immediate remediation required |
| 200–249 | HIGH | Remediation within current sprint |
| 150–199 | MEDIUM | Scheduled remediation |
| 100–149 | LOW | Risk accepted or monitored |
| 0–99 | INFO | Documented, no action required |
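The calculator below is an added example, not the framework's own tooling. It implements the AATMF-R v3 formula exactly as printed, rejects factor values outside the documented ranges, maps scores onto the rating bands, and sorts a set of findings into remediation order. One caveat a practitioner should check before adopting the bands: with every factor at its ceiling (L = I = E = D = R = 5, C = 2.0) the formula as written tops out at 173.6, which falls in MEDIUM, so the HIGH and CRITICAL thresholds are not reachable from these ranges; `max_score()` reports that ceiling so a team can reconcile the scale with its own calibration. The function names and the sample finding IDs are assumptions.

```python
"""AATMF-R v3 risk score calculator.

Added example; not part of the AATMF project. Factor ranges and rating
bands are the ones printed in the README; function names and the sample
findings are illustrative.
"""
from dataclasses import dataclass

# Integer factors and their documented ranges.
INT_FACTORS = {"L": (1, 5), "I": (1, 5), "E": (1, 5), "D": (1, 5), "R": (1, 5)}
COST_RANGE = (0.5, 2.0)

# Rating bands: (inclusive lower bound, label, action), highest first.
BANDS = [
    (250, "CRITICAL", "Immediate remediation required"),
    (200, "HIGH", "Remediation within current sprint"),
    (150, "MEDIUM", "Scheduled remediation"),
    (100, "LOW", "Risk accepted or monitored"),
    (0, "INFO", "Documented, no action required"),
]


@dataclass(frozen=True)
class Factors:
    L: int          # Likelihood
    I: int          # Impact
    E: int          # Exploitability
    D: int          # Detectability (5 = nearly invisible)
    R: int          # Recoverability (5 = irrecoverable)
    C: float = 1.0  # Cost factor multiplier


def validate(f: Factors) -> None:
    """Reject out-of-range factors; an unchecked 0 or 6 would silently
    deflate or inflate the score."""
    for name, (lo, hi) in INT_FACTORS.items():
        v = getattr(f, name)
        if not isinstance(v, int) or not lo <= v <= hi:
            raise ValueError(f"{name}={v!r} outside {lo}..{hi}")
    lo, hi = COST_RANGE
    if not lo <= f.C <= hi:
        raise ValueError(f"C={f.C!r} outside {lo}..{hi}")


def score(f: Factors) -> float:
    """Risk = (L × I × E) / 6 × (D / 6) × R × C, rounded to one decimal."""
    validate(f)
    return round((f.L * f.I * f.E) / 6 * (f.D / 6) * f.R * f.C, 1)


def rating(s: float) -> tuple[str, str]:
    """Map a score onto (label, action) using the README's bands."""
    for floor, label, action in BANDS:
        if s >= floor:
            return label, action
    raise ValueError(f"negative score: {s}")


def max_score() -> float:
    """Ceiling of the formula with every factor at its documented maximum;
    compare this with the band thresholds before adopting them."""
    return score(Factors(L=5, I=5, E=5, D=5, R=5, C=COST_RANGE[1]))


def assess(findings: dict[str, Factors]) -> list[tuple[str, float, str]]:
    """Score findings keyed by procedure ID, highest risk first."""
    rows = []
    for pid, f in findings.items():
        s = score(f)
        rows.append((pid, s, rating(s)[0]))
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    # Constructed sample findings; the IDs follow v3 namespacing but are
    # illustrative, not entries from the Attack Catalog.
    sample = {
        "T1-AP-001A": Factors(L=5, I=4, E=5, D=3, R=2, C=1.0),
        "T12-AP-003B": Factors(L=4, I=5, E=4, D=5, R=4, C=1.5),
        "T14-AP-002A": Factors(L=2, I=3, E=2, D=2, R=2, C=0.5),
    }
    for pid, s, label in assess(sample):
        print(f"{pid:12} {s:6.1f}  {label}")
    print(f"maximum attainable score: {max_score()}")  # 173.6
```

Because `score()` is the single place the formula lives, changing the divisor or the band thresholds after calibration is a one-line edit, and `validate()` keeps reviewers from entering values the scale does not define.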
| Part | Title |
|---|---|
| 1 | Introduction and Methodology |
| 2 | Risk Assessment Methodology |
| 3 | Framework Architecture |
| Part | Tactic | Techniques |
|---|---|---|
| 12 | T9: Multimodal & Cross-Channel | 17 |
| 13 | T10: Integrity & Confidentiality Breach | 15 |
| 14 | T11: Agentic & Orchestrator Exploitation | 16 |
| 15 | T12: RAG & Knowledge Base Manipulation | 15 |

| Part | Tactic | Techniques |
|---|---|---|
| 16 | T13: AI Supply Chain & Artifact Trust | 15 |
| 17 | T14: Infrastructure & Economic Warfare | 15 |
| 18 | T15: Human Workflow Exploitation | 15 |
| Part | Title |
|---|---|
| 19 | Detection Engineering |
| 20 | Mitigation Strategies |
| 21 | Incident Response for AI Systems |
| 22 | Red Team Operations |
| 23 | Blue Team Defense |
| Part | Title |
|---|---|
| 24 | Risk Management Framework |
| 25 | Compliance and Standards Mapping |
| 26 | Training and Awareness Programs |
| Appendix | Title |
|---|---|
| A | Complete Attack Catalog |
| B | Detection Signatures Library |
| C | Tools and Scripts Reference |
| D | Templates and Checklists |
| E | Case Studies |
| F | Glossary and References |
| Framework | Alignment |
|---|---|
| MITRE ATLAS v4.6.0 | Full mapping: 15 tactics, 66 techniques, 46 sub-techniques |
| OWASP LLM Top 10 2025 | Direct coverage of LLM01–LLM10 including new LLM07, LLM08 |
| OWASP Agentic Top 10 | Mapping to agentic-specific threats (Dec 2025) |
| NIST AI RMF / IR 8596 | Control overlays per Cyber AI Profile |
| EU AI Act | Risk category mapping, prohibited practice identification |
| CWE/CVE | Specific vulnerability cross-references |
Pre-built rules in signatures/:
```text
signatures/
├── yara/
│   ├── t01-prompt-injection.yar
│   ├── t02-encoding-evasion.yar
│   ├── t09-multimodal-injection.yar
│   ├── t11-mcp-tool-poisoning.yar
│   └── t13-supply-chain.yar
├── sigma/
│   ├── t05-model-extraction.yml
│   ├── t07-data-exfiltration.yml
│   ├── t11-agent-anomaly.yml
│   └── t14-infrastructure.yml
└── README.md
```
This framework is published for defensive and authorized security research purposes only.
- Test only systems you own or have explicit written permission to test
- Practice responsible disclosure
- Comply with applicable laws and regulations
The dual-use nature is acknowledged: documenting attacks enables defense. Every technique includes detection patterns and mitigation controls.
See CONTRIBUTING.md. High-value contributions: new techniques with mitigations, detection signatures, cross-framework mappings, case studies.
```bibtex
@misc{aizen2026aatmf,
  title  = {AATMF v3: Adversarial AI Threat Modeling Framework},
  author = {Aizen, Kai},
  year   = {2026},
  url    = {https://github.com/SnailSploit/AATMF-Adversarial-AI-Threat-Modeling-Framework},
  note   = {15 tactics, 240 techniques, 2,152+ procedures}
}
```
Created by Kai Aizen (SnailSploit) · GenAI Security Research
Start Reading →
This project's full writeup, methodology, and related research live at:
Created by Kai Aizen, independent offensive security researcher.
snailsploit.com · Research · Frameworks · GitHub · LinkedIn · ResearchGate · X/Twitter
Same attack. Different substrate.