Complete crosswalk: every ATLAS tactic mapped to cryptographic witness procedures. Prove your AI systems are defended, not just tested.
Who this is for: C3PAOs, ISSMs, red team leads, AI security engineers, and compliance officers at defense contractors, intelligence community organizations, and federal agencies deploying AI/ML systems. Assumes familiarity with MITRE ATT&CK and a need to produce compliance evidence for CMMC, FedRAMP, NIST 800-53, or EO 14110.
First-of-kind: This is the first published mapping between MITRE ATLAS adversarial AI tactics and cryptographic compliance evidence. ATLAS tells you what can go wrong. This crosswalk tells you how to prove you addressed it.
MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is the ATT&CK framework for AI and machine learning. It catalogs real-world adversarial tactics, techniques, and procedures (TTPs) specific to AI systems.
Where ATT&CK maps how adversaries attack networks and endpoints, ATLAS maps how adversaries attack AI models, training pipelines, and inference systems. It organizes attacks into 12 tactics:
| # | ATLAS Tactic | Description |
|---|---|---|
| 1 | Reconnaissance | Gathering information about the target AI system (model architecture, training data, API endpoints) |
| 2 | Resource Development | Acquiring resources to attack AI systems (poisoned datasets, adversarial toolkits, stolen model weights) |
| 3 | Initial Access | Gaining access to the AI system (prompt injection, API exploitation, supply chain compromise) |
| 4 | ML Model Access | Obtaining access to interact with or query the model (API access, physical access, insider threat) |
| 5 | Execution | Running adversarial code or inputs through the AI system (malicious tool calls, code injection via agent) |
| 6 | Persistence | Maintaining access to the AI system across retraining cycles (backdoor insertion, adapter poisoning) |
| 7 | Evasion | Avoiding detection by the AI system or its monitoring (adversarial examples, model evasion) |
| 8 | Discovery | Exploring the AI system's capabilities and boundaries (model probing, architecture inference) |
| 9 | Collection | Gathering training data or model outputs for attack purposes (data poisoning, output harvesting) |
| 10 | ML Attack Staging | Preparing the attack payload (crafting adversarial inputs, building shadow models) |
| 11 | Exfiltration | Stealing model weights, training data, or intellectual property (model extraction, membership inference) |
| 12 | Impact | Disrupting AI system behavior (output manipulation, denial of service, decision corruption) |
ATLAS is gaining rapid adoption in the DoD and intelligence community. The Defense AI Security Working Group references it. CMMC assessors are learning it. If you operate AI systems in a federal environment, you will encounter ATLAS in your next assessment.
ATLAS tells you what can go wrong. It does not tell you how to prove you defended against it.
This is the evidence gap. Red teams can run adversarial campaigns against your AI systems and document findings. But when the C3PAO arrives and asks "show me evidence that your AI models are resilient to prompt injection, model evasion, and supply chain attacks," you need more than a penetration test report. You need:
SWT3 provides this evidence layer. It does not perform the red team testing (that is your security team's job). It witnesses the results cryptographically so auditors can verify them independently.
Each ATLAS tactic maps to one or more SWT3 procedures that produce cryptographic evidence of defensive measures.
| ATLAS Tactic | SWT3 Procedures | What Gets Witnessed |
|---|---|---|
| Reconnaissance | AI-SBOM.1, AI-SUPPLY.1 |
Component inventory documented, supplier risk assessed (reduces attack surface visibility) |
| Resource Development | AI-SBOM.1, AI-MDL.1 |
Model weight integrity verified, dependency manifests locked (detects tampered resources) |
| Initial Access (Prompt Injection) |
AI-SEC.1, AI-SEC.2, AI-REDTEAM.1 |
Input validation active, adversarial threats blocked, injection tests executed (fc=0) |
| ML Model Access | AI-ACC.1, AI-MDL.1 |
Access control enforced, model identity verified before every query |
| Execution | AI-TOOL.1, AI-INF.1 |
Every tool call witnessed, every inference anchored with prompt/response hashes |
| Persistence | AI-DRIFT.1, AI-MDL.6 |
Model drift detected across retraining, adapter stack changes witnessed |
| Evasion (Adversarial Examples) |
AI-ROBUST.1, AI-REDTEAM.1 |
Robustness testing against perturbations, adversarial example campaigns (fc=5) |
| Discovery | AI-AUDIT.1, AI-CYBER.1 |
Tamper-evident audit trail, cybersecurity framework compliance attested |
| Collection (Data Poisoning) |
AI-REDTEAM.1, AI-DATA.1 |
Data poisoning campaigns executed and witnessed (fc=2), data governance documented |
| ML Attack Staging | AI-REDTEAM.1, AI-SEC.1 |
Attack staging scenarios tested, adversarial detection active and witnessed |
| Exfiltration (Model Theft) |
AI-REDTEAM.1, AI-MDL.5 |
Model extraction attempts tested (fc=3), weight file integrity continuously verified |
| Impact (Output Manipulation) |
AI-GRD.1, AI-REDTEAM.1 |
Guardrail decisions witnessed, output manipulation tests executed (fc=8) |
Witnesses the execution and results of adversarial test campaigns. Factor A = tests executed, Factor B = tests passed, Factor C = coverage category code (0-10, mapping directly to ATLAS technique classes). Supports optional metadata: attack taxonomy (e.g. "MITRE-ATLAS-v4"), campaign ID, model under test, framework, pass rate, and duration.
Regulatory basis: EO 14110 Sec. 4.2; EU AI Act Art. 9(7); NIST AI 100-2
Request all AI-REDTEAM.1 anchors for the assessment period. Filter by factor_c to see which ATLAS technique categories were tested. A comprehensive campaign should cover codes 0-9. Factor B / Factor A gives the pass rate per category.
Witnesses the active detection of adversarial inputs in real-time inference. Factor A = threats checked (volume of inputs scanned), Factor B = threats detected (adversarial inputs identified), Factor C = blocked flag (1 = blocked before reaching model, 0 = allowed through). This is the runtime defense that catches what the red team simulates.
Regulatory basis: EU AI Act Art. 15(4); NIST AI RMF MANAGE 2.3
Compare AI-SEC.1 anchor volume to AI-INF.1 anchor volume. The ratio shows what percentage of inferences are being scanned for adversarial content. Factor C = 1 means the system is actively blocking, not just detecting.
Witnesses model robustness testing against perturbations. Factor A = perturbations tested, Factor B = perturbations survived, Factor C = perturbation type code (0=noise, 1=corruption, 2=missing data, 3=out-of-distribution, 4=edge case, 5=adversarial input). Directly addresses ATLAS Evasion tactic.
Regulatory basis: EU AI Act Art. 15(3); NIST AI RMF MEASURE 2.6
For ATLAS Evasion defense, look for factor_c = 5 (adversarial input). Factor B / Factor A is the survival rate. A model that survives fewer than 90% of adversarial perturbations may require POA&M remediation.
Witnesses cybersecurity framework compliance for the AI system. Factor A = controls assessed, Factor B = controls compliant, Factor C = framework code (0=NIST CSF, 1=ISO 27001, 2=OWASP, 3=CIS, 4=custom). Provides the broader security posture context that ATLAS threat defense sits within.
Regulatory basis: EU AI Act Art. 15(4); NIST Cybersecurity Framework
AI-CYBER.1 anchors demonstrate that the AI system's security posture is assessed against a recognized framework. Cross-reference with AI-REDTEAM.1 to verify that red team findings feed back into the cybersecurity assessment cycle.
The AI-REDTEAM.1 procedure uses Factor C to encode which category of adversarial attack was tested. These map directly to ATLAS technique classes:
| Code | Category | ATLAS Tactic Alignment | Example Techniques |
|---|---|---|---|
| 0 | prompt_injection | Initial Access | Direct injection, indirect injection, system prompt extraction |
| 1 | jailbreak | Initial Access | Role play, DAN, encoding tricks, multi-turn manipulation |
| 2 | data_poisoning | Collection | Training data manipulation, label flipping, backdoor insertion |
| 3 | model_extraction | Exfiltration | Query-based extraction, side-channel, distillation attacks |
| 4 | membership_inference | Exfiltration | Determine if specific data was in training set (privacy attack) |
| 5 | adversarial_examples | Evasion | Perturbed inputs that fool the model (FGSM, PGD, C&W) |
| 6 | supply_chain | Resource Development | Poisoned packages, compromised model registries, typosquatting |
| 7 | denial_of_service | Impact | Sponge examples, resource exhaustion, inference flooding |
| 8 | output_manipulation | Impact | Hallucination forcing, decision corruption, confidence manipulation |
| 9 | privilege_escalation | Execution | Agent tool abuse, sandbox escape, unauthorized capability access |
| 10 | comprehensive | All Tactics | Full-scope campaign covering multiple categories |
A complete ATLAS-aligned red team campaign should produce anchors with factor_c values spanning 0 through 9. Use code 10 ("comprehensive") for full-scope campaigns that cover all categories in a single engagement.
The defense-govcon profile pre-configures all ATLAS-relevant procedures as mandatory. When loaded, the SDK will not flush anchors unless these procedures are covered:
# defense-govcon.yaml (excerpt)
clearing_level: 3 # Classified (CUI / FOUO / Secret)
policy:
require_agent_id: true
require_signing: true
min_clearing_level: 3
required_procedures:
# Security (adversarial threat landscape)
- AI-SEC.1 # Adversarial threat detection
- AI-SEC.2 # Input validation and sanitization
# Supply chain (EO 14028)
- AI-SBOM.1 # AI bill of materials
- AI-SUPPLY.1 # Supply chain risk assessment
# Testing and validation
- AI-REDTEAM.1 # Adversarial test campaigns
- AI-DRIFT.1 # Model drift detection
# Safety and audit
- AI-AUDIT.1 # Audit log integrity
trust_mesh:
mode: strict
min_trust_level: 4
require_signature: trueLoad the profile with: swt3 init --profile defense-govcon or set SWT3_PROFILE=defense-govcon in your environment.
from swt3_ai import Witness
witness = Witness.from_dsn()
# Witness a prompt injection test campaign
result = witness.witness_red_team(
tests_executed=200,
tests_passed=190,
coverage_category="prompt_injection", # factor_c = 0
attack_taxonomy="MITRE-ATLAS-v4",
campaign_id="rt-2026-Q2-injection",
model_under_test="llama-3.1-70b",
pass_rate=0.95,
duration_seconds=7200,
)
print(f"Anchor: {result.anchor_fingerprint}")
# Anchor: 7a3f1b9c2e04# Run all 10 categories for comprehensive ATLAS coverage
categories = [
("prompt_injection", 200, 190),
("jailbreak", 150, 142),
("data_poisoning", 50, 48),
("model_extraction", 30, 30),
("membership_inference", 40, 38),
("adversarial_examples", 500, 465),
("supply_chain", 20, 20),
("denial_of_service", 25, 24),
("output_manipulation", 100, 94),
("privilege_escalation", 75, 72),
]
for category, executed, passed in categories:
witness.witness_red_team(
executed, passed, category,
attack_taxonomy="MITRE-ATLAS-v4",
campaign_id="rt-2026-Q2-full",
)import { Witness } from '@tenova/swt3-ai';
const witness = Witness.fromDSN();
// Witness adversarial example robustness test
const result = await witness.witnessRedTeam(
500, // tests_executed
465, // tests_passed
'adversarial_examples', // coverage_category (factor_c = 5)
{
attackTaxonomy: 'MITRE-ATLAS-v4',
campaignId: 'rt-2026-Q2-evasion',
modelUnderTest: 'claude-opus-4-6',
passRate: 0.93,
}
);ATLAS-aligned adversarial testing satisfies requirements across multiple regulatory frameworks simultaneously:
| Regulation | Requirement | ATLAS Relevance | SWT3 Evidence |
|---|---|---|---|
| EU AI Act Art. 9(7) | Testing for adversarial robustness | All ATLAS Evasion techniques | AI-REDTEAM.1 + AI-ROBUST.1 anchors |
| EU AI Act Art. 15(3) | Resilience against errors, faults, inconsistencies | ATLAS Impact + Evasion tactics | AI-ROBUST.1 perturbation coverage |
| EU AI Act Art. 15(4) | Cybersecurity measures against manipulation | All 12 ATLAS tactics | AI-CYBER.1 + AI-SEC.1 anchors |
| EO 14110 Sec. 4.2 | Red-teaming dual-use foundation models | Comprehensive (code 10) | AI-REDTEAM.1 with full category sweep |
| NIST AI 100-2 | Adversarial ML attack taxonomy | Direct ATLAS alignment | AI-REDTEAM.1 with attack_taxonomy field |
| NIST AI RMF MANAGE 2.3 | Adversarial testing and evaluation | ATLAS-structured campaigns | AI-SEC.1 + AI-REDTEAM.1 |
| CMMC SC.L2-3.13.2 | Employ architectural designs to restrict communications | ATLAS Initial Access, Execution | AI-SEC.2 input validation |
| CMMC SI.L2-3.14.6 | Monitor for unauthorized access | ATLAS Discovery, ML Model Access | AI-AUDIT.1 + AI-ACC.1 anchors |
# Install SDK
pip install swt3-ai
# Configure with defense-govcon profile
export SWT3_DSN=https://axm_live_xxx@sovereign.tenova.io/MY_ENCLAVE
swt3 init --profile defense-govconfrom swt3_ai import Witness
witness = Witness.from_dsn()
# After your red team tool completes a prompt injection test:
witness.witness_red_team(
100, 95, "prompt_injection",
attack_taxonomy="MITRE-ATLAS-v4",
)
# Produces: AI-REDTEAM.1 anchor with factor_c=0After a full ATLAS-aligned campaign, check your coverage on the dashboard or via the API:
# Check which ATLAS categories have evidence
curl -H "Authorization: Bearer axm_live_xxx" \
"https://sovereign.tenova.io/api/v1/ai-witness?procedure=AI-REDTEAM.1"