Summary
This proposal requests adding MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) as a named threat classification taxonomy in CycloneDX 2.0, alongside the existing STRIDE, LINDDUN, MAESTRO, and MITRE ATT&CK taxonomies.
This proposal follows the invitation in #956, where @stevespringett noted that ATLAS is the natural home for AI-specific attack techniques and invited input on the taxonomy addition.
Background
MITRE ATT&CK documents attack techniques against traditional software, networks, and infrastructure. MITRE ATLAS documents attack techniques against AI and machine learning systems specifically. The two are complementary, not substitutes.
As of ATLAS v5.4.0 (February 2026): 16 tactics, 84 techniques, 56 sub-techniques, 32 mitigations, 42 real-world case studies. ATLAS data is available in STIX 2.1 format.
Without ATLAS in the taxonomy enumeration, AI-specific threats such as prompt injection (AML.T0051), model poisoning (AML.T0020), and agentic pipeline compromise (AML.T0052) cannot be formally classified in a CycloneDX BOM.
Proposed Change
Add ATLAS to the permitted threat classification taxonomy enumeration:
Current: STRIDE, LINDDUN, MAESTRO, MITRE ATT&CK
Proposed addition: ATLAS
Example threat object:
{
"threats": [{
"classification": "ATLAS",
"technique": "AML.T0051",
"name": "LLM Prompt Injection",
"description": "Adversary crafts input to manipulate LLM behavior"
}]
}
ATLAS to CWE to OWASP LLM Top 10 Mapping
| ATLAS Technique |
ID |
CWE |
OWASP LLM Top 10 |
| LLM Prompt Injection |
AML.T0051 |
CWE-1427 |
LLM01 |
| Indirect Prompt Injection |
AML.T0051.001 |
CWE-1427 |
LLM01 |
| Jailbreak |
AML.T0054 |
CWE-1427 |
LLM01 |
| Poison Training Data |
AML.T0020 |
CWE-1039 |
LLM03 |
| Backdoor ML Model |
AML.T0018 |
CWE-506 |
LLM03 |
| Steal ML Model |
AML.T0030 |
CWE-200 |
LLM10 |
| Invert ML Model |
AML.T0024 |
CWE-200 |
LLM06 |
| Evade ML Model |
AML.T0015 |
CWE-1039 |
LLM09 |
| Compromise Agentic Pipeline |
AML.T0052 |
None yet |
LLM08 |
| Manipulate LLM Tool Call |
AML.T0056 |
None yet |
LLM08 |
| Autonomous Workflow Chaining |
AML.T0058 |
None yet |
LLM08 |
Three agentic techniques (AML.T0052, AML.T0056, AML.T0058) have no formal CWE yet - documented as named weakness candidates in #333.
References
ATLAS_CWE_OWASP_Mapping_v0.1.xlsx
Summary
This proposal requests adding MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) as a named threat classification taxonomy in CycloneDX 2.0, alongside the existing STRIDE, LINDDUN, MAESTRO, and MITRE ATT&CK taxonomies.
This proposal follows the invitation in #956, where @stevespringett noted that ATLAS is the natural home for AI-specific attack techniques and invited input on the taxonomy addition.
Background
MITRE ATT&CK documents attack techniques against traditional software, networks, and infrastructure. MITRE ATLAS documents attack techniques against AI and machine learning systems specifically. The two are complementary, not substitutes.
As of ATLAS v5.4.0 (February 2026): 16 tactics, 84 techniques, 56 sub-techniques, 32 mitigations, 42 real-world case studies. ATLAS data is available in STIX 2.1 format.
Without ATLAS in the taxonomy enumeration, AI-specific threats such as prompt injection (AML.T0051), model poisoning (AML.T0020), and agentic pipeline compromise (AML.T0052) cannot be formally classified in a CycloneDX BOM.
Proposed Change
Add
ATLASto the permitted threat classification taxonomy enumeration:Current:
STRIDE,LINDDUN,MAESTRO,MITRE ATT&CKProposed addition:
ATLASExample threat object:
{ "threats": [{ "classification": "ATLAS", "technique": "AML.T0051", "name": "LLM Prompt Injection", "description": "Adversary crafts input to manipulate LLM behavior" }] }ATLAS to CWE to OWASP LLM Top 10 Mapping
Three agentic techniques (AML.T0052, AML.T0056, AML.T0058) have no formal CWE yet - documented as named weakness candidates in #333.
References
ATLAS_CWE_OWASP_Mapping_v0.1.xlsx