
Volume I: Framework Foundations

AATMF v3 methodology, quantitative risk assessment, threat actor taxonomy, and framework architecture.

Introduction & Methodology

AI systems are probabilistic, context-dependent, and trained on human language — making them susceptible to the same manipulation techniques used against humans for millennia. Traditional cybersecurity frameworks miss the attack surfaces unique to AI: prompt injection, training data poisoning, model extraction, agentic exploitation, RAG manipulation, and the human feedback loops that shape model behavior.

AATMF fills that gap. Each technique is documented with a unique namespaced identifier, a risk score (AATMF-R v3), attack procedures with example prompts, detection patterns, mitigation controls, and cross-framework references to MITRE ATLAS, OWASP, NIST, and the EU AI Act.

Scope

+ Large Language Models (LLMs) and Large Reasoning Models (LRMs)
+ Multimodal models (vision, audio, video)
+ Retrieval-Augmented Generation (RAG) systems
+ Autonomous AI agents and multi-agent orchestrators
+ AI development and deployment infrastructure
+ Human-in-the-loop workflows
+ AI supply chains (models, datasets, tools, libraries)

Threat Actor Taxonomy

| Actor | Motivation | Tactics | Sophistication |
| --- | --- | --- | --- |
| Script kiddies | Curiosity, clout | T1, T2 | Low |
| Bug bounty hunters | Financial reward | T1–T5, T10 | Medium–High |
| Cybercriminals | Financial gain | T1–T3, T7–T8, T13 | Medium |
| Corporate espionage | Competitive advantage | T5, T10, T13–T14 | High |
| Nation-state actors | Strategic advantage | T6, T11, T13–T15 | Very High |
| AI red teams | Security improvement | All | Very High |
| Insiders | Various | T6, T15 | Variable |

Evolution

+ v1.0 (2024): Initial framework, 8 tactics
+ v2.0 (Late 2024): Expanded to 12 tactics, added risk scoring
+ v3 (February 2026): 20 tactics, 240 techniques, 2,152+ procedures, namespaced IDs, Volumes V–VII

AATMF-R v3 Risk Assessment

AATMF-R v3 uses a six-factor formula to quantify risk. Each factor is scored independently and combined to produce a final risk rating.

Risk = (L × I × E) / 6 × (D / 6) × R × C

Scoring Guidelines

Likelihood (L) — 1 to 5

| Score | Level | Description |
| --- | --- | --- |
| 1 | Rare | Requires novel research, no known PoC |
| 2 | Unlikely | Requires specialized knowledge |
| 3 | Possible | Known technique, moderate skill required |
| 4 | Likely | Well-documented, readily available tools |
| 5 | Almost Certain | Automated, commodity attack |

Impact (I) — 1 to 5

| Score | Level | Description |
| --- | --- | --- |
| 1 | Negligible | Minor policy violation, no data exposure |
| 2 | Minor | Limited harmful content, no sensitive data |
| 3 | Moderate | Sensitive data exposure, service degradation |
| 4 | Major | Critical data breach, safety bypass, service outage |
| 5 | Catastrophic | Physical harm potential, mass data breach, systemic compromise |

Exploitability (E) — 1 to 5

| Score | Level | Description |
| --- | --- | --- |
| 1 | Theoretical | Requires custom research and novel techniques |
| 2 | Difficult | Needs deep expertise and specific conditions |
| 3 | Moderate | Documented approach, some skill required |
| 4 | Easy | Copy-paste attacks, minimal customization |
| 5 | Trivial | Automated tools, zero skill required |

Detectability (D) — 1 to 5

| Score | Level | Description |
| --- | --- | --- |
| 1 | Obvious | Trivially detected by basic filters |
| 2 | Easy | Standard monitoring catches it |
| 3 | Moderate | Requires specialized detection |
| 4 | Difficult | Advanced analysis needed |
| 5 | Nearly Invisible | No reliable detection method exists |

Recoverability (R) — 1 to 5

| Score | Level | Description |
| --- | --- | --- |
| 1 | Immediate | Auto-recoverable, no intervention needed |
| 2 | Quick | Simple rollback or reset |
| 3 | Moderate | Requires investigation and manual remediation |
| 4 | Difficult | Extended downtime, data loss possible |
| 5 | Irrecoverable | Permanent damage, no full recovery path |

Cost Factor (C) — 0.5 to 2.0

| Value | Description |
| --- | --- |
| 0.5 | Minimal economic impact, internal only |
| 1.0 | Standard business impact |
| 1.5 | Significant financial or reputational damage |
| 2.0 | Catastrophic economic consequences |

Interactive Calculator

Adjust the six factors below to calculate a risk score for your threat scenario. Scores vary based on deployment context — a chatbot and an autonomous financial agent score very differently on Impact and Cost Factor.

AATMF-R v3 Risk Calculator

Formula: (L × I × E) / 6 × (D / 6) × R × C

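| Factor | Value | Description |
| --- | --- | --- |
| Likelihood (L) | 3 (Possible) | Probability of successful exploitation |
| Impact (I) | 3 (Moderate) | Severity of successful attack |
| Exploitability (E) | 3 (Moderate) | Ease of execution |
| Detectability (D) | 3 (Moderate) | Difficulty of detection (5 = nearly invisible) |
| Recoverability (R) | 3 (Moderate) | Effort to recover (5 = irrecoverable) |
| Cost Factor (C) | 1 (Standard) | Economic impact multiplier |

Result: 6.8 (Info)

| Rating | Score |
| --- | --- |
| Critical | 250+ |
| High | 200–249 |
| Medium | 150–199 |
| Low | 100–149 |
| Info | 0–99 |

Calculation

(3 × 3 × 3) / 6 × (3 / 6) × 3 × 1 = 6.8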
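The formula and rating bands above as a scoring function, added here as an illustration and not the framework's own calculator code; the two scenarios and their factor values are constructed. It also enumerates every factor combination to show the range of scores the formula can produce.

```python
from itertools import product

# Rating bands as listed on the page: (lower bound, label), highest first.
BANDS = [(250, "Critical"), (200, "High"), (150, "Medium"), (100, "Low"), (0, "Info")]
COST_FACTORS = (0.5, 1.0, 1.5, 2.0)


def aatmf_r_score(L, I, E, D, R, C=1.0):
    """Evaluate (L × I × E) / 6 × (D / 6) × R × C after range-checking inputs."""
    for name, value in (("L", L), ("I", I), ("E", E), ("D", D), ("R", R)):
        if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    if not 0.5 <= C <= 2.0:
        raise ValueError(f"C must be between 0.5 and 2.0, got {C!r}")
    return (L * I * E) / 6 * (D / 6) * R * C


def rating(score):
    """Map a score to the page's rating bands."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    raise ValueError("score must be non-negative")


def score_range():
    """Minimum and maximum score reachable with the documented factor values."""
    scores = [aatmf_r_score(*factors, C=c)
              for factors in product(range(1, 6), repeat=5)
              for c in COST_FACTORS]
    return min(scores), max(scores)


# Constructed scenarios (hypothetical): one technique scored for two deployments.
SCENARIOS = {
    "internal chatbot": dict(L=4, I=2, E=4, D=2, R=2, C=0.5),
    "autonomous financial agent": dict(L=4, I=5, E=4, D=4, R=4, C=2.0),
}

if __name__ == "__main__":
    for name, factors in SCENARIOS.items():
        score = aatmf_r_score(**factors)
        print(f"{name}: {score:.1f} ({rating(score)})")
    low, high = score_range()
    print(f"reachable range: {low:.3f} to {high:.1f} ({rating(high)})")
```

With the documented factor ranges the formula peaks at about 173.6 (every factor at 5, C = 2.0), which lands in the Medium band, so compare the band thresholds against the scores your scenarios can actually reach before using the labels for triage.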

Framework Architecture

AATMF organizes adversarial threats in a four-level hierarchy. Each level adds specificity, from strategic objectives (tactics) down to executable attack strings (prompts).

15 Tactics          → High-level adversarial objectives
└── 240 Techniques   → Specific attack methods
    ├── 2,152+ Procedures → Implementation variants
    │   └── 4,980+ Prompts  → Actual attack examples
    ├── Detection Patterns
    └── Mitigation Controls

v3 uses namespaced identifiers (T1-AT-001) that eliminate the 43 ID collisions present in earlier versions. Every identifier is globally unique with tactic membership visible at a glance.