AATMF v3.1 vs MITRE ATLAS: Which AI Security Framework Wins?

Two frameworks now define how the security community thinks about adversarial AI threats. MITRE ATLAS — the Adversarial Threat Landscape for AI Systems — carries the institutional weight of MITRE Corporation and the ATT&CK ecosystem. The Adversarial AI Threat Modeling Framework (AATMF) v3.1 carries 240 techniques, 2,152+ attack procedures, and 4,980+ unique prompts built from hands-on GenAI red team research.

I created AATMF. So let me be direct about what that means for this comparison.

ATLAS is not a competitor to AATMF. It's a taxonomy. AATMF is an operational framework. The difference matters more than which has higher technique counts — and this article explains exactly where each belongs in a serious AI security program.

Framework origins: reference vs. operational

MITRE ATLAS was designed as an extension of ATT&CK, adapted for machine learning systems. It follows the ATT&CK philosophy: catalog observed adversarial tactics and techniques based on real-world incidents and published research. ATLAS v4.6.0, released October 2025, introduced 14 new agentic AI techniques and a Technique Maturity classification system — Feasible, Demonstrated, Realized — organizing threats across 15 tactics and 66 techniques with 46 sub-techniques.

AATMF v3.1 was released in February 2026, built from a different starting point entirely. Not from institutional cataloging of observed incidents, but from active red team testing of production AI systems — foundation models, autonomous agents, RAG pipelines, MCP infrastructure, multimodal systems. The design question wasn't "what have we observed?" but "what does a practitioner need to actually test and defend these systems?"

That difference in origin produces a fundamental difference in what each framework is useful for.

Scope: what 66 techniques vs. 240 techniques actually means

The raw numbers matter less than what they represent.

ATLAS's 66 techniques provide a high-level taxonomy covering broad categories: Reconnaissance, Resource Development, Initial Access, ML Model Access, Execution, Persistence, Exfiltration. For any organization coming from traditional ATT&CK-based security, this vocabulary is immediately accessible. The framework integrates cleanly with existing security programs.

AATMF's 240 techniques are organized in a four-tier hierarchy: Tactics (T1–T15), Techniques (240 total), Attack Procedures (2,152+), Unique Prompts (4,980+). Where ATLAS lists "LLM Prompt Injection" as a technique, AATMF breaks prompt injection across multiple tactics with specific attack procedures. T1 alone — Prompt and Context Subversion — contains 20 techniques: Dialogue Hijacking, System Prompt Extraction, Language Model Confusion, Instruction Prefix/Suffix, Permission Escalation Claims, Prompt Template Injection, Cognitive Overload, Boundary Testing, Simulation Requests, Session State Manipulation. Each with 10+ concrete attack procedures and associated prompts.

The choice between them is a choice between vocabulary and execution. ATLAS gives you the words. AATMF gives you the playbook.

Risk scoring: qualitative vs. quantitative

This is where the operational difference is sharpest.

ATLAS v4.6.0's Technique Maturity classification — Feasible / Demonstrated / Realized — is useful for understanding which threats have crossed from theory into production. It's a qualitative signal for prioritization.

AATMF-R v3 implements quantitative risk scoring across every technique using a six-factor formula:

Risk = (L × I × E) / 6 × (D / 6) × R × C

Where:

L — Likelihood (1–5)
I — Impact (1–5)
E — Exploitability (1–6)
D — Detectability (1–6, inverted — harder to detect scores higher)
R — Reversibility (0.8–1.2)
C — Cascading Potential (0.8–1.5)

This produces composite scores mapped to a seven-tier rating scale from INFO (0–49) through CRITICAL (250+). Browser Automation Hijacking (T11-AT-001) scores 265 (CRITICAL). Cognitive Overload (T1-AT-007) scores 215 (HIGH). Every technique carries a specific score enabling precise prioritization — not a judgment call, a calculation.

For security teams that need to communicate risk to non-technical leadership, defend resource allocation decisions, or demonstrate quantitative risk management for compliance purposes, this matters enormously. "This technique is Demonstrated" is not the same conversation as "this technique scores 265 CRITICAL because it is highly exploitable, nearly impossible to detect, and produces cascading compromise."

Emerging attack surfaces: acknowledgment vs. dedication

Both frameworks have recognized agentic AI as a priority. ATLAS v4.6.0 added 14 agentic techniques in October 2025. AATMF devotes entire dedicated tactics.

T11 — Agentic and Orchestrator Exploitation: 16 techniques, 160 attack procedures. Browser automation hijacking, tool chain exploitation, goal hijacking, planning corruption, multi-agent collision, reflection loop exploitation, environment manipulation, credential harvesting, persistence installation, lateral movement through agent networks.

T12 — RAG and Knowledge Base Manipulation: Dedicated tactic for retrieval-augmented generation attacks. The PoisonedRAG vulnerability — five documents compromising a corpus of millions — maps directly here.

T13 — AI Supply Chain and Artifact Trust: Covers the threat class behind the 100+ malicious models found on Hugging Face, LockBit delivery via AI repositories, namespace squatting against Google Vertex AI and Azure.

T11 also explicitly covers MCP (Model Context Protocol) infrastructure: tool servers, tool registries, inter-agent communication as distinct attack surfaces. This specificity doesn't exist in ATLAS, which treats these vectors within broader technique categories.

T9 addresses multimodal attacks. T6 covers training and feedback poisoning. T15 — Human Workflow Exploitation — addresses the attack surface that emerges when AI outputs influence human decisions without adequate verification. This last category reflects the core thesis running through all of my research: social engineering and prompt injection are the same attack class, executed against different substrates. Humans and LLMs share inherited trust vulnerabilities.

Operational utility: where each framework lives in practice

For red teams: AATMF's 4,980+ unique prompts and 2,152+ attack procedures function as a live playbook. Every technique contains concrete examples adapted for foundation models (GPT-4, Claude, Gemini, LLaMA, DeepSeek, Qwen, Mistral), autonomous agents, RAG systems, MCP infrastructure, and training infrastructure. ATLAS provides the category. AATMF provides the execution.

For blue teams: AATMF Volume V includes a five-layer detection architecture — input analysis, behavioral monitoring, output validation, system telemetry, feedback loop analysis — with detection patterns organized by tactic group, YARA-style rules, Sigma rules for audit logs, and MCP server audit detection signatures. ATLAS does not include defensive tooling at this depth. It describes what attacks exist. AATMF describes how to detect them.

For compliance: AATMF Volume VI provides complete crosswalks to the EU AI Act, OWASP LLM Top 10 2025, OWASP Agentic Top 10, NIST AI RMF, and NIST CSF 2.0. This multi-framework alignment matters as the AI breach detection gap becomes regulatory exposure — Article 73 EU AI Act reporting obligations take effect August 2026, and organizations will need to demonstrate they assessed the actual attack surface, not just passed a SOC 2 audit.

For threat actor modeling: AATMF recognizes five adversary categories: nation-state actors, organized cybercriminals, hacktivists, AI-automated attackers (LRMs autonomously attacking other models, rated CRITICAL), and opportunistic attackers using jailbreak-as-a-service infrastructure. The fifth category — AI attacking AI — is the threat class that most organizational risk models haven't priced in yet.

Comparing strengths directly

MITRE ATLAS strengths:

Institutional backing and industry recognition
Seamless ATT&CK integration for teams already on that ecosystem
Community-driven contribution model
Accessible web-based navigator
Lightweight entry point for AI threat awareness
Shared vocabulary for stakeholder communication

AATMF v3.1 strengths:

240 techniques vs. 66 — 3.6× more granular coverage
Quantitative risk scoring enabling precise prioritization
Operational tooling for both red and blue teams
Dedicated tactics for agentic, RAG, MCP, and multimodal surfaces
Built-in compliance mapping across regulatory frameworks
4,980+ unique prompts as executable test cases
Practitioner-driven design from active GenAI red team research
Seven-volume structure spanning framework foundations through governance

How to use both

The recommended approach isn't a choice. It's a stack.

Use ATLAS as the strategic reference framework for threat awareness and stakeholder communication. Its ATT&CK lineage means existing security programs can extend naturally. Its vocabulary is industry-recognized and useful for reporting to boards, regulators, and partners who already speak ATT&CK.

Use AATMF as the operational layer for everything that requires execution: red team engagements, detection engineering, blue team defense builds, compliance demonstration, and risk quantification. Where ATLAS identifies that a threat class exists, AATMF provides the procedures to test for it, the signatures to detect it, the controls to mitigate it, and the scoring to prioritize it.

Together they represent the most complete picture available of the adversarial AI threat landscape. ATLAS tells you what the map looks like. AATMF tells you how to navigate it.

The bigger picture

Neither framework is the last word. As AI systems grow in capability and deployment scope — as agentic architectures become the default, as MCP infrastructure scales, as AI-to-AI attacks mature — frameworks must evolve with them.

AATMF v3.1's February 2026 release reflects the current state: autonomous agents, multi-model systems, RAG pipelines, and MCP infrastructure are no longer edge cases. They're the attack surface. Frameworks built primarily on historical incident cataloging will always lag behind adversaries who are actively probing what's new.

The question for any security organization deploying AI isn't which framework to pick. It's whether their security program has moved past threat awareness into active defense — detection signatures, quantitative risk scoring, red team playbooks, incident response procedures for AI-specific compromise.

If the answer is no, that's where to start.

Kai Aizen is a GenAI Security Researcher and creator of the Adversarial AI Threat Modeling Framework (AATMF). He publishes offensive AI security research as The Jailbreak Chef and writes for Hakin9 Magazine.