How it works
Defenses
Attack Patterns MCP Attack Atlas What we catch Hardening manual OWASP LLM Top 10 MITRE ATLAS
Learn
Encyclopedia (new) Agent Security 101 Blog Reports CVP runs Thesis
Resources
Docs GitHub Action (live) vs Lakera vs Promptfoo Team
Theme
Compliance / MITRE ATLAS v5.5.0

MITRE ATLAS v5.5.0 — Sunglasses Technique Mapping

sunglasses://compliance/mitre-atlas
The mapping

Our 65 threat categories mapped to MITRE ATLAS v5.5.0 techniques — the standard knowledge base for adversarial threats against AI systems. 16 tactics, 101 techniques, 66 sub-techniques in ATLAS total; we map directly to the LLM and agent-focused subset.

22
ATLAS techniques mapped
9
Tactics covered
28
Our categories
1112
Detection patterns
sunglasses://compliance/mitre-atlas/legend
ATLAS vs other frameworks

ATLAS is behavior-and-adversary focused: each technique describes what an attacker does. Our mapping shows which ATLAS techniques a Sunglasses finding provides detection evidence for, at the content/input layer.

Priority technique mappings

AML.T0051 · LLM Prompt Injection (incl. sub-techniques .000 Direct, .001 Indirect, .002 Triggered)
Tactic: Execution

Core prompt-injection detection surface

prompt_injectionindirect_prompt_injectionparasitic_injectionhidden_instruction
AML.T0068 · LLM Prompt Obfuscation
Tactic: Defense Evasion

Encoding and obfuscation evasion

encoded_payloadencoding_evasioninvisible_unicodertl_obfuscationunicode_evasioncode_switching
AML.T0093 · Prompt Infiltration via Public-Facing Application
Tactic: Initial Access / Persistence

Parasitic and indirect injection via public surfaces

parasitic_injectionindirect_prompt_injection
AML.T0056 · Extract LLM System Prompt
Tactic: Exfiltration

System-prompt extraction probes

prompt_extractionprompt_leak
AML.T0057 · LLM Data Leakage · AML.T0025 · Exfiltration via Cyber Means · AML.T0086 · Exfiltration via AI Agent Tool Invocation · AML.T0077 · LLM Response Rendering
Tactic: Exfiltration

Data-exfiltration detection

exfiltrationprompt_leakdns_tunneling
AML.T0080 · AI Agent Context Poisoning (incl. .000 Memory, .001 Thread)
Tactic: Persistence

Context and memory poisoning

memory_poisoningparasitic_injection
AML.T0104 · Publish Poisoned AI Agent Tool · AML.T0110 · AI Agent Tool Poisoning · AML.T0099 · AI Agent Tool Data Poisoning
Tactic: Resource Development / Persistence

Tool-metadata poisoning (MCP + tool layer)

tool_poisoningmcp_threat
AML.T0010 · AI Supply Chain Compromise · AML.T0109 · AI Supply Chain Rug Pull · AML.T0111 · AI Supply Chain Reputation Inflation
Tactic: Initial Access / Defense Evasion

Supply-chain runtime signals

supply_chainmcp_threattool_poisoning
AML.T0053 · AI Agent Tool Invocation · AML.T0081 · Modify AI Agent Configuration · AML.T0103 · Deploy AI Agent
Tactic: Execution / Privilege Escalation

Agent workflow and configuration attacks

agent_securityagent_workflowagent_workflow_security
AML.T0054 · LLM Jailbreak · AML.T0105 · Escape to Host
Tactic: Privilege Escalation / Defense Evasion

Jailbreak and sandbox-escape attempts

privilege_escalationsandbox_escapeauth_bypassauthorization_bypass
AML.T0050 · Command and Scripting Interpreter
Tactic: Execution

Command injection and code execution payloads

command_injection
AML.T0098 · AI Agent Tool Credential Harvesting · AML.T0082 · RAG Credential Harvesting · AML.T0055 · Unsecured Credentials · AML.T0083 · Credentials from AI Agent Configuration
Tactic: Credential Access

Credential and secret detection

secret_detection
AML.T0100 · AI Agent Clickbait · AML.T0067 · LLM Trusted Output Components Manipulation · AML.T0073 · Impersonation · AML.T0074 · Masquerading
Tactic: Defense Evasion / Execution

UI-layer deception and trust-component manipulation

ui_injectionsocial_engineering_ui
AML.T0052 · Phishing (incl. .000 Spearphishing via Social Engineering LLM)
Tactic: Initial Access / Lateral Movement

Social engineering patterns

social_engineering
AML.T0108 · AI Agent · AML.T0096 · AI Service API · AML.T0072 · Reverse Shell
Tactic: Command and Control

C2 and back-channel indicators

c2_indicator

Full quick-reference table

ATLAS Technique
Tactic
Sunglasses Categories
AML.T0051 LLM Prompt Injection
Execution
prompt_injection, indirect_prompt_injection, parasitic_injection, hidden_instruction
AML.T0068 LLM Prompt Obfuscation
Defense Evasion
encoded_payload, encoding_evasion, invisible_unicode, rtl_obfuscation, unicode_evasion, code_switching
AML.T0093 Prompt Infiltration via Public-Facing App
Initial Access
parasitic_injection, indirect_prompt_injection
AML.T0056 Extract LLM System Prompt
Exfiltration
prompt_extraction, prompt_leak
AML.T0057 LLM Data Leakage
Exfiltration
prompt_leak, exfiltration
AML.T0025 Exfiltration via Cyber Means
Exfiltration
exfiltration, dns_tunneling
AML.T0086 Exfiltration via AI Agent Tool Invocation
Exfiltration
exfiltration
AML.T0077 LLM Response Rendering
Exfiltration
exfiltration, ui_injection
AML.T0080 AI Agent Context Poisoning
Persistence
memory_poisoning, parasitic_injection
AML.T0104 Publish Poisoned AI Agent Tool
Resource Development
tool_poisoning, mcp_threat
AML.T0110 AI Agent Tool Poisoning
Persistence
tool_poisoning, mcp_threat
AML.T0099 AI Agent Tool Data Poisoning
Persistence
tool_poisoning
AML.T0010 AI Supply Chain Compromise
Initial Access
supply_chain, mcp_threat
AML.T0109 AI Supply Chain Rug Pull
Defense Evasion
supply_chain, tool_poisoning
AML.T0111 AI Supply Chain Reputation Inflation
Defense Evasion
supply_chain
AML.T0053 AI Agent Tool Invocation
Execution, Privilege Escalation
agent_workflow, agent_security
AML.T0081 Modify AI Agent Configuration
Persistence, Defense Evasion
agent_workflow_security
AML.T0054 LLM Jailbreak
Privilege Escalation
privilege_escalation, auth_bypass, authorization_bypass
AML.T0105 Escape to Host
Privilege Escalation
sandbox_escape, privilege_escalation
AML.T0050 Command and Scripting Interpreter
Execution
command_injection
AML.T0098 AI Agent Tool Credential Harvesting
Credential Access
secret_detection
AML.T0082 RAG Credential Harvesting
Credential Access
secret_detection
AML.T0055 Unsecured Credentials
Credential Access
secret_detection
AML.T0100 AI Agent Clickbait
Execution
ui_injection, social_engineering_ui
AML.T0067 LLM Trusted Output Components Manipulation
Defense Evasion
ui_injection
AML.T0073 Impersonation · AML.T0074 Masquerading
Defense Evasion
social_engineering_ui
AML.T0052 Phishing
Initial Access
social_engineering
AML.T0108 AI Agent (C2)
Command and Control
c2_indicator
AML.T0096 AI Service API (C2)
Command and Control
c2_indicator
AML.T0072 Reverse Shell
Command and Control
c2_indicator, command_injection

Non-ATLAS categories (traditional AppSec)

These Sunglasses categories catch attacks that aren’t AI-specific and therefore don’t have ATLAS techniques — they’re traditional AppSec payloads that agents may be manipulated into executing:

sunglasses://compliance/mitre-atlas/non-atlas
path_traversal

maps to CWE-22, not ATLAS

deserialization

maps to CWE-502, not ATLAS

ssrf

maps to CWE-918, not ATLAS

dns_tunneling

maps to MITRE ATT&CK T1572, not ATLAS

These are still first-class detection categories — they just live on the ATT&CK / CWE side of the taxonomy.

Official source: atlas.mitre.org · Data: github.com/mitre-atlas/atlas-data (v5.5.0 as of Apr 2026).

← Back to compliance mappings