What is the difference between AATMF and MAESTRO?

AATMF is a procedure-level adversarial-AI taxonomy (20 tactics, 240+ techniques, 2,152+ procedures, 4,980+ prompts). MAESTRO is a 7-layer architectural threat-modeling framework for multi-agent systems. They are complementary: MAESTRO for design-time threat enumeration, AATMF for testing-time technique catalog.

Which framework should I use for agentic AI red teaming?

Use both. MAESTRO gives you the architectural threat picture per layer of your agent stack. AATMF gives you the specific procedures and prompts to test against. AATMF's Tactic 11 (Agentic & Orchestrator Exploitation) maps directly into MAESTRO's L3 Agent Frameworks layer.

Are AATMF and MAESTRO open source?

Yes, both. AATMF is published under a permissive open-source license on GitHub. MAESTRO is open methodology published by Cloud Security Alliance. Both are free to use commercially.

AATMF vs MAESTRO — AI Threat Frameworks Compared

TL;DR

AATMF is a procedure-level taxonomy: 20 tactics × 240+ techniques × 2,152+ procedures × 4,980+ adversarial prompts. MAESTRO is a 7-layer architectural threat-modeling lens for multi-agent systems. They are complementary, not competitive. Use MAESTRO to identify where in your agent architecture threats live; use AATMF to identify which specific techniques realize those threats.

Side-by-side

Dimension	AATMF v3.1	MAESTRO
Author	Kai Aizen (independent)	Ken Huang (Cloud Security Alliance, Distinguished Fellow)
Published	v1 2023, v3.1 2026	February 2025
Type	Procedure-level attack taxonomy	Architectural threat-modeling framework
Granularity	20 tactics · 240+ techniques · 2,152+ procedures · 4,980+ prompts	7 layers (Foundation Models, Data Operations, Agent Frameworks, Deployment, Observability, Compliance, Agent Ecosystem)
Risk scoring	AATMF-R: Likelihood × Impact × Detectability × Recoverability — quantitative	Layer-based qualitative risk assessment
Detection	YARA + Sigma signatures included	Recommends detection per layer, no signatures
Mapping to existing frameworks	NIST AI RMF · MITRE ATLAS · OWASP LLM Top-10 · EU AI Act	Aligned with NIST AI RMF, MITRE ATLAS, OWASP
Agentic AI coverage	Tactic 11 (Agentic & Orchestrator Exploitation) — 16 techniques	Native focus — entire framework built for multi-agent systems
RAG / supply-chain	Tactic 12 (RAG manipulation) + Tactic 13 (Supply chain)	Data Operations layer + Agent Ecosystem layer
Human-layer attacks	Tactic 15 (Human Workflow) + companion SEF + P.R.O.M.P.T frameworks	Implicit in Compliance + Agent Ecosystem
Operationalization	AATMF Toolkit (Python CLI), Claude-Red skills library, Playbook	Reference architectures + threat-modeling templates
License / availability	Open source, permissive license	Open methodology; documentation across CSA + arXiv
Suitable for	Red teamers, AI safety engineers, CTI analysts who need executable test cases	Security architects, governance teams threat-modeling multi-agent deployments

When to use which

Use MAESTRO when…

You're designing a multi-agent architecture and need to systematically enumerate threats per layer before implementation
Your audience is governance / security architecture / risk management — people who think in layered models
You need a threat-modeling discussion starter for cross-functional design reviews

Use AATMF when…

You're red-teaming an existing AI system and need executable test cases mapped to specific techniques
You want quantitative risk scoring (AATMF-R) per finding for prioritization
You need detection signatures (YARA / Sigma) to deploy alongside the test cases
You're building an internal AI red-team program and need a taxonomy with procedure-level depth

Use both when…

You're standing up an enterprise AI security program. MAESTRO gives you the architectural lens for system design + governance; AATMF gives you the testing depth for ongoing red-team operations.

The substantive differences

Depth vs breadth

MAESTRO is a framework — a way of thinking. AATMF is a catalog — a body of named, indexed, scored procedures. A MAESTRO threat-modeling session lasts a meeting; an AATMF assessment is a multi-week engagement. They operate at different levels of abstraction; neither replaces the other.

Coverage of agentic threats

MAESTRO is purpose-built for multi-agent systems — the entire framework is structured around that surface. AATMF treats agentic exploitation as one of 20 tactics (T11). If your scope is exclusively agent-based, MAESTRO is more economical. If your scope is broader (model API, training, fine-tuning, RAG, supply chain, human workflow, plus agents), AATMF's wider net catches more.

Operational artifacts

This is AATMF's strongest differentiation: AATMF ships with operational tooling — the AATMF Toolkit (Python CLI for systematic LLM safety testing), Claude-Red (38 SKILL.md files for the Claude skills system), and the LLM Red Teamer's Playbook. MAESTRO is a methodology; AATMF is a methodology + a stack of tools you can run today.

Human layer

AATMF treats the human layer as a first-class concern (T15 + the companion SEF and P.R.O.M.P.T frameworks). MAESTRO addresses humans inside the Compliance and Agent Ecosystem layers but doesn't have a dedicated tactic for human-workflow exploitation.

Crosswalk: MAESTRO layer → AATMF tactic

MAESTRO Layer	Primary AATMF Tactics
L1 Foundation Models	T5 (Model & API Exploitation) · T6 (Training Poisoning) · T10 (Integrity Breach)
L2 Data Operations	T6 (Training Poisoning) · T12 (RAG Manipulation) · T13 (Supply Chain)
L3 Agent Frameworks	T11 (Agentic Exploitation) · T4 (Multi-Turn) · T7 (Output Manipulation)
L4 Deployment	T14 (Infrastructure) · T13 (Supply Chain) · T5 (Model API)
L5 Observability	T7 (Output Manipulation) · T10 (Integrity & Confidentiality Breach)
L6 Compliance	T15 (Human Workflow) · T8 (Deception)
L7 Agent Ecosystem	T11 (Agentic) · T13 (Supply Chain) · T15 (Human Workflow)

Recommendation

If you are a security architect doing system design, start with MAESTRO. If you are a red teamer doing testing, start with AATMF. If you are running a mature AI security program, use both — MAESTRO at design time, AATMF during testing and continuous validation.

References

AATMF v3.1 — full spec (Aizen 2026, snailsploit.com)
MAESTRO — Cloud Security Alliance announcement (Huang 2025)
MITRE ATLAS — sister taxonomy both frameworks crosswalk to
AATMF vs MITRE ATLAS — full comparison
AI Security Wiki — definitions of the terms used here

Cite this comparison

Aizen, K. (2026). AATMF vs MAESTRO: Adversarial AI Threat Modeling Compared.
snailsploit.com. https://snailsploit.com/aatmf-vs-maestro

AATMF vs MAESTRO — adversarial AI threat modeling, compared.