Mapping LLM app threats from ATT&CK to MITRE ATLAS
Author Uzy maps 100 detection signatures in open-source firewall InferenceWall to MITRE ATLAS technique IDs, arguing that any AI security tool that can't show ATLAS coverage is "hiding something."
Score breakdown
Security teams defending LLM apps face a taxonomy gap: MITRE ATT&CK, the industry standard for threat classification, doesn't cover AI-specific attacks like prompt injection or jailbreaks. MITRE ATLAS fills that gap with the same matrix structure as ATT&CK — `AML.T0051` for prompt injection, `AML.T0054` for jailbreaks, `AML.T0068` for prompt obfuscation, and more. Author Uzy documents mapping all 100 detection signatures in their open-source LLM firewall `InferenceWall` to ATLAS technique IDs, a process that took three days and transformed the project's legibility with security teams. The post includes a concrete before-and-after YAML signature example and a `grep`-able catalog structure for auditable coverage analysis.
Security practitioners shipping LLM features in 2026 face a classification problem: their existing tooling — WAFs, SOC dashboards, Jira tickets — all speak MITRE ATT&CK, but ATT&CK has no entries for prompt injection, jailbreaks, or LLM data leakage. MITRE ATLAS was built to close exactly this gap, using the same tactics-techniques-procedures matrix structure as ATT&CK but scoped to AI/ML systems. Author Uzy argues that for teams already fluent in ATT&CK, ATLAS is immediately readable — the tactic columns map to familiar phases like Reconnaissance, Initial Access, Execution, and Exfiltration, while the technique rows cover AI-specific attacks with stable IDs.
The post shows a concrete YAML signature (`INJ-D-001`, a role-play persona jailbreak rule) before and after the mapping, where adding `atlas: ["AML.T0054", "AML.T0051.000"]` makes the rule's coverage machine-auditable.
The nine ATLAS techniques Uzy identifies as most critical for production LLM apps are: `AML.T0051` (LLM Prompt Injection, with `.000` for direct and `.001` for indirect/RAG-based), `AML.T0054` (LLM Jailbreak), `AML.T0065` (LLM Prompt Crafting), `AML.T0068` (LLM Prompt Obfuscation — base64, ROT13, homoglyphs, emoji encoding), `AML.T0057` (LLM Data Leakage), `AML.T0053` (LLM Plugin Compromise), `AML.T0055` (Unsecured Credentials), `AML.T0077` (LLM Response Rendering), and `AML.T0080` (Public Prompt Tuning).
Uzy walked through the practical exercise of annotating all 100 detection signatures in `InferenceWall` — their open-source LLM firewall — with ATLAS IDs, a task that took three days rather than the expected afternoon. The post shows a concrete YAML signature (`INJ-D-001`, a role-play persona jailbreak rule) before and after the mapping, where adding `atlas: ["AML.T0054", "AML.T0051.000"]` makes the rule's coverage machine-auditable. With the full catalog annotated, teams can run a simple `grep` against the signature directory to generate a real coverage heatmap — turning vague "we cover prompt injection" claims into verifiable, gap-analyzable data that holds up to scrutiny from ATT&CK-trained security engineers.
Topics
Summary and scoring are generated automatically from the original article. We always link back to the publisher and never republish images or paywalled content. Last processed Apr 19, 2026 · 11:33 UTC. How this works →