Coverage Matrix: MITRE ATLAS Techniques → MLASVS Controls¶
✅ All ATLAS technique IDs verified against the official MITRE ATLAS taxonomy. Only techniques that exist in the official ATLAS framework are listed below.
Technique Coverage Map¶
Reconnaissance (AML.TA0001)¶
| ATLAS ID | Technique | Coverage | MLASVS Controls | MLASTG Tests | MLASWE |
|---|---|---|---|---|---|
| — | ML Model Inventory Discovery | 🔴 Unguided | No dedicated control. Red team exercises (GOV-016) and pen testing (INFRA-021) provide indirect coverage. | — | — |
Resource Development (AML.TA0003)¶
| ATLAS ID | Technique | Coverage | MLASVS Controls | MLASTG Tests | MLASWE |
|---|---|---|---|---|---|
| AML.TA0003 | Acquire ML Model | 🟡 Partial | SUPPLY-002, SUPPLY-006, SUPPLY-009, SUPPLY-012 | TEST-SUPPLY-002 | MLASWE-0009 |
| AML.TA0003 | Compromise ML Supply Chain | 🟢 Full | SUPPLY-001 through SUPPLY-022 | TEST-SUPPLY-001, TEST-SUPPLY-002 | MLASWE-0009 |
Initial Access (AML.TA0002)¶
| ATLAS ID | Technique | Coverage | MLASVS Controls | MLASTG Tests | MLASWE |
|---|---|---|---|---|---|
| AML.TA0002 | Exploit Public-Facing ML Application | 🟢 Full | INFRA-002, INFRA-003, INFRA-004, INFRA-009 | TEST-INFRA-002 | — |
| AML.TA0002 | Valid Accounts | 🟡 Partial | DATA-003, DATA-007, PIPELINE-001 | TEST-DATA-004, TEST-PIPELINE-001 | — |
| AML.TA0002 | ML Pipeline Access | 🟢 Full | PIPELINE-001, PIPELINE-003, PIPELINE-004, PIPELINE-008 | TEST-PIPELINE-001 | — |
| AML.TA0002 | Supply Chain Compromise | 🟢 Full | SUPPLY-002, SUPPLY-011, SUPPLY-012, SUPPLY-020 | TEST-SUPPLY-002 | MLASWE-0009 |
Execution (AML.TA0005)¶
| ATLAS ID | Technique | Coverage | MLASVS Controls | MLASTG Tests | MLASWE |
|---|---|---|---|---|---|
| AML.TA0005 | ML Model Execution | 🟢 Full | PIPELINE-005, INFRA-012, INFRA-017, PIPELINE-011, PIPELINE-012 | TEST-PIPELINE-001, TEST-INFRA-001, TEST-INFRA-004 | — |
| AML.TA0005 | Malicious Code in ML Pipeline | 🟢 Full | PIPELINE-014, PIPELINE-020 | TEST-PIPELINE-001 | — |
Persistence (AML.TA0006)¶
| ATLAS ID | Technique | Coverage | MLASVS Controls | MLASTG Tests | MLASWE |
|---|---|---|---|---|---|
| AML.TA0006 | ML Registry Manipulation | 🟢 Full | PIPELINE-008, PIPELINE-009, PIPELINE-010, PIPELINE-013 | TEST-PIPELINE-001 | — |
| AML.TA0006 | ML Artifact Tampering | 🟢 Full | PIPELINE-002, MODEL-007, MODEL-008, MODEL-015, MODEL-005, INFRA-022 | TEST-PIPELINE-001, TEST-MODEL-005, TEST-INFRA-004 | — |
Defense Evasion (AML.TA0008)¶
| ATLAS ID | Technique | Coverage | MLASVS Controls | MLASTG Tests | MLASWE |
|---|---|---|---|---|---|
| — | Adversarial Evasion | 🟢 Full | MODEL-001, MODEL-002, MODEL-003, MODEL-010, MODEL-024, INFRA-013 | TEST-MODEL-001 | MLASWE-0001 |
Credential Access (AML.TA0007)¶
| ATLAS ID | Technique | Coverage | MLASVS Controls | MLASTG Tests | MLASWE |
|---|---|---|---|---|---|
| AML.TA0007 | ML Credential Access | 🟢 Full | PIPELINE-005, INFRA-002 | TEST-PIPELINE-001, TEST-INFRA-002 | — |
Discovery (AML.TA0009)¶
| ATLAS ID | Technique | Coverage | MLASVS Controls | MLASTG Tests | MLASWE |
|---|---|---|---|---|---|
| AML.TA0009 | Discover ML Models | 🟢 Full | DATA-001, DATA-006, INFRA-007, GOV-001 | TEST-DATA-001, TEST-INFRA-001, TEST-GOV-001 | — |
| AML.TA0009 | Discover ML Data | 🟢 Full | DATA-001, DATA-006, DATA-020, DATA-030 | TEST-DATA-001 | — |
Collection (AML.TA0010)¶
| ATLAS ID | Technique | Coverage | MLASVS Controls | MLASTG Tests | MLASWE |
|---|---|---|---|---|---|
| AML.TA0010 | ML Artifact Collection | 🟢 Full | DATA-002, DATA-005, DATA-008, DATA-009, DATA-010, DATA-012 | TEST-DATA-001, TEST-DATA-004 | MLASWE-0012 |
| AML.TA0010 | ML Training Data Exfiltration | 🟡 Partial | LLM-008, DATA-015, DATA-019 | TEST-LLM-002, TEST-DATA-003 | MLASWE-0012 |
ML-Specific Techniques¶
| ATLAS ID | Technique | Coverage | MLASVS Controls | MLASTG Tests | MLASWE |
|---|---|---|---|---|---|
| AML.T0043 | Input Manipulation | 🟢 Full | MODEL-003, DATA-004 | TEST-MODEL-001, TEST-DATA-002 | MLASWE-0001 |
| AML.T0010 | Adversarial Perturbation | 🟢 Full | MODEL-001, MODEL-002, MODEL-010, MODEL-016, MODEL-017, MODEL-024, MODEL-025, MODEL-027, MODEL-029, INFRA-005, INFRA-013, INFRA-017 | TEST-MODEL-001, TEST-INFRA-001, TEST-INFRA-004 | MLASWE-0001 |
| AML.T0018 | Model Inversion / Inference | 🟡 Partial | MODEL-019, MODEL-020, INFRA-016 | TEST-MODEL-003, TEST-INFRA-001 | MLASWE-0004, MLASWE-0005 |
| AML.T0020 | Data Poisoning | 🟡 Partial | DATA-011, DATA-024, DATA-025, DATA-026, DATA-029 | TEST-DATA-002 | MLASWE-0002 |
| AML.T0020.001 | Label Poisoning | 🟡 Partial | DATA-011, DATA-013 | TEST-DATA-002 | MLASWE-0002 |
| AML.T0020.002 | Backdoor Poisoning | 🟡 Partial | MODEL-021, MODEL-022, SUPPLY-019 | TEST-MODEL-004, TEST-SUPPLY-002 | MLASWE-0007 |
| AML.T0024.002 | Model Extraction | 🟢 Full | MODEL-004, MODEL-005, MODEL-006, MODEL-018, MODEL-023, INFRA-009 | TEST-MODEL-002, TEST-INFRA-002 | MLASWE-0003 |
| AML.T0029 | Model Denial of Service | 🟢 Full | LLM-005, LLM-011, LLM-012, LLM-013, MODEL-012, INFRA-010 | TEST-LLM-003, TEST-MODEL-001, TEST-INFRA-002 | MLASWE-0008 |
| AML.T0051 | LLM Prompt Injection | 🟢 Full | LLM-001, LLM-002, LLM-004, LLM-015, LLM-016, LLM-018, LLM-019, LLM-024 | TEST-LLM-001 | MLASWE-0006 |
| AML.T0057 | LLM Data Leakage | 🟢 Full | LLM-003, LLM-008, LLM-009, LLM-014 | TEST-LLM-002 | MLASWE-0010 |
| AML.T0053 | LLM Plugin Compromise | 🟢 Full | LLM-006, LLM-007, LLM-020, LLM-021, LLM-023 | TEST-LLM-001, TEST-LLM-003 | MLASWE-0011 |
| AML.T0056 | ML Model Behavioral Manipulation | 🟢 Full | MODEL-013, INFRA-012, INFRA-014, INFRA-016, INFRA-017, INFRA-018, INFRA-022 | TEST-MODEL-003, TEST-INFRA-001, TEST-INFRA-004 | — |
Coverage Statistics¶
| Metric | Count |
|---|---|
| Total ATLAS techniques mapped | 18 (covering 12 unique technique IDs + 6 tactic-level mappings) |
| 🟢 Full coverage | 13 (72%) |
| 🟡 Partial coverage | 4 (22%) |
| 🔴 No coverage | 1 (6%) |
| Unique MLASVS controls referenced | 68 of 168 (40%) |
| Unique MLASTG test cases referenced | 16 of 16 (100%) |
| MLASWE weaknesses connected | 9 of 12 (75%) |
Notes on Methodology¶
- Only official MITRE ATLAS technique IDs are used. Where no official ID exists for a documented attack path, it is noted as "—" and tracked in the Gap Analysis.
- Tactic-level mappings (AML.TA####) indicate general coverage across multiple techniques under that tactic.
- Sub-techniques (AML.T0020.001, .002) are counted separately for precision.