Mapping LLM app threats from ATT&CK to MITRE ATLAS
Author Uzy maps 100 detection signatures in open-source firewall InferenceWall to MITRE ATLAS technique IDs, arguing that any AI security tool that can't show ATLAS coverage is "hiding something."
Security teams defending LLM apps face a taxonomy gap: MITRE ATT&CK, the industry standard for threat classification, doesn't cover AI-specific attacks like prompt injection or jailbreaks. MITRE ATLAS fills that gap with the same matrix structure as ATT&CK — `AML.T0051` for prompt injection, `AML.T0054` for jailbreaks, `AML.T0068` for prompt obfuscation, and more. Author Uzy documents mapping all 100 detection signatures in their open-source LLM firewall `InferenceWall` to ATLAS technique IDs, a process that took three days and made the project legible to security teams. The post includes a concrete before-and-after YAML signature example and a `grep`-able catalog structure for auditable coverage analysis.
Security practitioners shipping LLM features in 2026 face a classification problem: their existing tooling — WAFs, SOC dashboards, Jira tickets — all speak MITRE ATT&CK, but ATT&CK has no entries for prompt injection, jailbreaks, or LLM data leakage. MITRE ATLAS was built to close exactly this gap, using the same tactics-techniques-procedures matrix structure as ATT&CK but scoped to AI/ML systems. Author Uzy argues that for teams already fluent in ATT&CK, ATLAS is immediately readable — the tactic columns map to familiar phases like Reconnaissance, Initial Access, Execution, and Exfiltration, while the technique rows cover AI-specific attacks with stable IDs.
The nine ATLAS techniques Uzy identifies as most critical for production LLM apps are: `AML.T0051` (LLM Prompt Injection, with `.000` for direct and `.001` for indirect/RAG-based), `AML.T0054` (LLM Jailbreak), `AML.T0065` (LLM Prompt Crafting), `AML.T0068` (LLM Prompt Obfuscation — base64, ROT13, homoglyphs, emoji encoding), `AML.T0057` (LLM Data Leakage), `AML.T0053` (LLM Plugin Compromise), `AML.T0055` (Unsecured Credentials), `AML.T0077` (LLM Response Rendering), and `AML.T0080` (Public Prompt Tuning).
Uzy walked through the practical exercise of annotating all 100 detection signatures in `InferenceWall` — their open-source LLM firewall — with ATLAS IDs, a task that took three days rather than the expected afternoon. The post shows a concrete YAML signature (`INJ-D-001`, a role-play persona jailbreak rule) before and after the mapping, where adding `atlas: ["AML.T0054", "AML.T0051.000"]` makes the rule's coverage machine-auditable. With the full catalog annotated, teams can run a simple `grep` against the signature directory to generate a real coverage heatmap — turning vague "we cover prompt injection" claims into verifiable, gap-analyzable data that holds up to scrutiny from ATT&CK-trained security engineers.
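The coverage check the post describes, as an added example rather than InferenceWall's own tooling: it pulls ATLAS IDs off each signature's `atlas:` line (assuming the inline list form shown in the `INJ-D-001` example), folds sub-techniques into their parent, and reports which of the nine critical techniques have no rule at all plus which rules are still unmapped. The signature files and their contents are constructed for the example.

```python
"""Coverage check over an ATLAS-annotated signature catalog (added example)."""
import re
from collections import defaultdict

# Constructed sample signatures in the shape the post shows: id, name, `atlas:` flow list.
# A real run would read the catalog directory; the regexes below are the grep the post describes.
SAMPLE_SIGNATURES = {
    "INJ-D-001.yaml": 'id: INJ-D-001\nname: role-play persona jailbreak\natlas: ["AML.T0054", "AML.T0051.000"]\n',
    "INJ-I-003.yaml": 'id: INJ-I-003\nname: instruction hidden in retrieved document\natlas: ["AML.T0051.001"]\n',
    "OBF-002.yaml": 'id: OBF-002\nname: base64-wrapped instruction\natlas: [AML.T0068, "AML.T0051.000"]\n',
    "LEGACY-007.yaml": 'id: LEGACY-007\nname: unmapped legacy rule\n',  # no atlas line at all
}

# The nine techniques the post singles out for production LLM apps (names as given there).
CRITICAL_TECHNIQUES = {
    "AML.T0051": "LLM Prompt Injection", "AML.T0054": "LLM Jailbreak",
    "AML.T0065": "LLM Prompt Crafting", "AML.T0068": "LLM Prompt Obfuscation",
    "AML.T0057": "LLM Data Leakage", "AML.T0053": "LLM Plugin Compromise",
    "AML.T0055": "Unsecured Credentials", "AML.T0077": "LLM Response Rendering",
    "AML.T0080": "Public Prompt Tuning",
}

ATLAS_LINE = re.compile(r"^\s*atlas:\s*\[(.*)\]\s*$", re.MULTILINE)  # inline list form from the post
ATLAS_ID = re.compile(r"AML\.T\d{4}(?:\.\d{3})?")  # technique or sub-technique id


def extract_atlas_ids(text):
    """Return the ATLAS ids on a signature's `atlas:` line (empty list if the rule is unmapped)."""
    match = ATLAS_LINE.search(text)
    return ATLAS_ID.findall(match.group(1)) if match else []


def parent_technique(atlas_id):
    """Collapse a sub-technique such as AML.T0051.000 to its parent AML.T0051."""
    return ".".join(atlas_id.split(".")[:2])


def coverage_report(signatures):
    """Map each critical technique to the rules claiming it; list uncovered techniques and unmapped rules."""
    rules_by_technique = defaultdict(set)
    unmapped = []
    for filename, text in signatures.items():
        ids = extract_atlas_ids(text)
        if not ids:
            unmapped.append(filename)  # invisible to the heatmap until it gets an atlas line
            continue
        for atlas_id in ids:
            rules_by_technique[parent_technique(atlas_id)].add(filename)
    covered = {t: sorted(rules_by_technique[t]) for t in CRITICAL_TECHNIQUES}
    gaps = sorted(t for t, rules in covered.items() if not rules)
    return {"covered": covered, "gaps": gaps, "unmapped": sorted(unmapped)}
```

Running `coverage_report` over a real catalog turns "we cover prompt injection" into a per-technique rule count, and the `unmapped` list is the backlog of rules that still need an `atlas:` line.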