An open taxonomy of 168 AI/LLM attack vectors, mapped to the OWASP LLM Top 10 and MITRE ATLAS.
A structured, machine-readable catalog of every documented technique for attacking AI systems. Each attack has an ID, name, category, description, severity rating, and mapping to industry frameworks (OWASP LLM Top 10, MITRE ATLAS).
This is the what — what attacks exist and how to defend against them. It does not include payloads, detection logic, or model-specific data.
This repository implements Phases 1-3 of the Evolutionary Security Framework (ESF) — the open maturity model for progressively hardening AI security systems. See ESF.md for details.
Most AI security discussions focus on a handful of well-known attacks. In reality, there are over 160 distinct techniques across 16 categories. A system that blocks a naive instruction override might still fall to an encoding bypass, a multi-turn escalation, or an indirect injection through retrieved content.
This taxonomy gives you:
- A checklist — do your defenses cover all 16 categories?
- A common language — reference specific attack IDs (e.g., PI-007, JB-015) in security discussions
- Framework mappings — OWASP LLM Top 10 and MITRE ATLAS for compliance and audits
- Remediation guidance — defensive strategies per category with code examples
- ESF Phase 1-3 foundation — the naming, relating, and initial heuristics that all downstream hardening depends on
| Category | ID Prefix | Count | OWASP LLM Top 10 |
|---|---|---|---|
| Prompt Injection | PI | 20 | LLM01 |
| System Prompt Leakage | SPL | 12 | LLM07 |
| Jailbreaks | JB | 22 | LLM01 |
| Vision/Multimodal | VI | 12 | LLM01 |
| Excessive Agency / Tool Abuse | EA | 20 | LLM06 |
| Multi-Turn Manipulation | MT | 10 | LLM01 |
| Sensitive Information Disclosure | SID | 10 | LLM02 |
| Supply Chain | SC | 12 | LLM03 |
| Vector/Embedding Attacks | VE | 10 | LLM08 |
| Improper Output Handling | IOH | 8 | LLM05 |
| Unbounded Consumption | UC | 2 | LLM10 |
| Misinformation | MIS | 6 | LLM09 |
| Memory/Context Poisoning | CTX | 6 | ASI06 |
| Unexpected Code Execution | UCE | 6 | ASI05 |
| Inter-Agent Communication | IAC | 6 | ASI07 |
| Human Trust Exploitation | HTE | 6 | ASI09 |
| Total | | 168 | |
```text
taxonomy/                          ← repo root (tachyonic-sh/taxonomy)
├── taxonomy/                      ← ESF Phase 1: Name
│   ├── attack_catalog.yaml        # All 168 attacks (IDs, names, descriptions, severity)
│   ├── owasp_mapping.yaml         # Attack → OWASP LLM Top 10 mapping
│   └── atlas_mapping.yaml         # Attack → MITRE ATLAS mapping
├── schema/
│   └── attack_schema.yaml         # YAML schema for attack definitions
├── remediation/                   ← ESF Phase 3: Guess
│   ├── by_owasp.yaml              # Defensive guidance per OWASP category
│   └── code_examples/
│       ├── input_validation.py    # Input sanitization patterns
│       └── output_sanitization.py # Output filtering patterns
├── research/
│   └── papers.yaml                # Academic references index
├── examples/
│   └── sample_attacks.yaml        # Basic public examples
├── ESF.md                         # How this repo implements ESF Phases 1-3
├── README.md
├── LICENSE                        # Apache 2.0
└── CONTRIBUTING.md
```
```yaml
# taxonomy/attack_catalog.yaml
- id: PI-001
  name: Direct Instruction Override
  category: prompt_injection
  description: >
    Attacker provides input that directly instructs the model to ignore
    its system prompt and follow new instructions instead.
  severity: critical
  owasp: LLM01
```

- Clone the repo
- Review `taxonomy/attack_catalog.yaml` for the full attack surface
- Check `remediation/by_owasp.yaml` for defensive guidance
- Use the schema in `schema/attack_schema.yaml` to add your own attack definitions
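As an added example that is not part of the repository, a small validator for catalog entries in the shape shown above (field names are those in this README; the severity scale and the category name `system_prompt_leakage` in the sample are assumptions): it checks id format and uniqueness, the severity value, and that each entry's `owasp` code agrees with the category table, and tallies entries per prefix for comparison with the Count column.

```python
import re
from collections import Counter

# Prefix -> OWASP LLM Top 10 / ASI code, copied from the category table in this README.
PREFIX_OWASP = {
    "PI": "LLM01", "SPL": "LLM07", "JB": "LLM01", "VI": "LLM01",
    "EA": "LLM06", "MT": "LLM01", "SID": "LLM02", "SC": "LLM03",
    "VE": "LLM08", "IOH": "LLM05", "UC": "LLM10", "MIS": "LLM09",
    "CTX": "ASI06", "UCE": "ASI05", "IAC": "ASI07", "HTE": "ASI09",
}
ID_RE = re.compile(r"^([A-Z]{2,3})-(\d{3})$")      # e.g. PI-001, SPL-012
SEVERITIES = {"low", "medium", "high", "critical"}   # assumed scale; the README shows "critical"
REQUIRED = ("id", "name", "category", "description", "severity", "owasp")


def validate_catalog(entries):
    """Return the problems found in a list of attack dicts (the shape yaml.safe_load() yields)."""
    problems, seen = [], set()
    for i, e in enumerate(entries):
        missing = [k for k in REQUIRED if k not in e]
        if missing:
            problems.append(f"entry {i}: missing fields {missing}")
            continue
        m = ID_RE.match(str(e["id"]))
        if not m or m.group(1) not in PREFIX_OWASP:
            problems.append(f"{e['id']}: malformed id or unknown prefix")
            continue
        if e["id"] in seen:
            problems.append(f"{e['id']}: duplicate id")
        seen.add(e["id"])
        if e["severity"] not in SEVERITIES:
            problems.append(f"{e['id']}: unknown severity {e['severity']!r}")
        expected = PREFIX_OWASP[m.group(1)]
        if e["owasp"] != expected:
            problems.append(f"{e['id']}: owasp {e['owasp']} != expected {expected}")
    return problems


def count_by_prefix(entries):
    """Per-prefix counts, to compare against the Count column of the README table."""
    return Counter(e["id"].split("-")[0] for e in entries if ID_RE.match(str(e.get("id", ""))))


# Constructed sample: PI-001 as shown in the README, a duplicate id, and a mis-mapped entry.
SAMPLE = [
    {"id": "PI-001", "name": "Direct Instruction Override", "category": "prompt_injection",
     "description": "Ignore the system prompt.", "severity": "critical", "owasp": "LLM01"},
    {"id": "PI-001", "name": "Duplicate", "category": "prompt_injection",
     "description": "same id reused", "severity": "critical", "owasp": "LLM01"},
    {"id": "SPL-001", "name": "Mis-mapped", "category": "system_prompt_leakage",
     "description": "wrong code and severity", "severity": "severe", "owasp": "LLM01"},
]
```

To check the real file, load it with PyYAML (`yaml.safe_load(open("taxonomy/attack_catalog.yaml"))`) and pass the resulting list to both functions; the inline sample lets the block run without the repository.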
```yaml
# taxonomy/owasp_mapping.yaml
LLM01_prompt_injection:
  attacks: [PI-001, PI-002, ..., PI-020, MT-001, ..., MT-008]
  total: 28
  description: Direct and indirect prompt injection techniques
```

Use the ESF Quick Start to score your system against the ten-phase maturity model. This taxonomy provides the foundation for Phases 1-3.
This repository is the Phases 1-3 reference implementation of the ESF.
The ESF defines how security knowledge matures through ten phases — from naming threats (Phase 1, this repo) to mathematically proving defenses (Phase 9). OWASP tells you what the risks are. The ESF tells you how to progressively harden against them.
| ESF Phase | This Repo | What It Does |
|---|---|---|
| Phase 1: Name | taxonomy/ | Classifies 168 attacks with stable IDs and framework mappings |
| Phase 2: Relate | taxonomy/*_mapping.yaml | Maps relationships to OWASP and MITRE ATLAS |
| Phase 3: Guess | remediation/ | Defensive heuristics and code examples |
See ESF.md for the full mapping and growth roadmap.
This taxonomy deliberately excludes:
- Attack payloads — the specific prompts/content that execute attacks
- Detection logic — how to identify if an attack succeeded
- Model-specific success rates — which attacks work against which models
- Confidence scoring — how to rate vulnerability severity programmatically
These are the difference between knowing attacks exist and being able to systematically test for them.
See CONTRIBUTING.md for guidelines. We welcome:
- New attack technique descriptions
- Additional framework mappings (NIST, ISO 27001, etc.)
- Remediation guidance improvements
- Research paper references
Want to test your AI system against all 168 attack vectors? Tachyonic offers 48-hour red team assessments with full reporting, resistance scoring, and ESF maturity assessment.
Apache 2.0 — see LICENSE.
```bibtex
@misc{tachyonic-taxonomy,
  title={Tachyonic Taxonomy: AI/LLM Attack Vectors},
  author={Tachyonic},
  year={2026},
  url={https://github.com/tachyonic-sh/taxonomy}
}
```