MLASTG Testing Methodology 1. Overview This document defines the methodology for conducting a structured security assessment of machine learning systems using the MLASVS (ML Application Security Verification Standard) and MLASWE (ML Application Security Weakness Enumeration).
The methodology follows a phased approach adapted from the Penetration Testing Execution Standard (PTES) and OWASP Testing Guide, and extended to address the unique attack surface of ML systems.
2. The ML Security Assessment Lifecycle Phase 1: Planning & Scoping
│
▼
Phase 2: Intelligence Gathering & Threat Modeling
│
▼
Phase 3: Control Verification (MLASTG Test Cases)
├── Data Security Tests
├── Model Security Tests
├── LLM Security Tests
├── Supply Chain Tests
├── Pipeline Tests
├── Infrastructure Tests
└── Governance Tests
│
▼
Phase 4: Exploitation & Validation
│
▼
Phase 5: Reporting & Remediation
3. Phase 1: Planning & Scoping 3.1 Define Scope Identify ML components: Models, training pipelines, inference endpoints, feature stores, model registries Determine ML system type: Classification, regression, NLP, computer vision, LLM/GenAI, recommendation Map data flows: Training data sources → preprocessing → training → evaluation → deployment → inference Identify dependencies: Pre-trained models, third-party APIs, external datasets, ML libraries 3.2 Select Security Level Level Criteria L1 (Standard) Internal ML systems, non-critical customer-facing applications L2 (Defense-in-Depth) Regulated industries, defense, healthcare, financial, critical infrastructure
3.3 Establish Rules of Engagement Define testing window and notification requirements Determine if adversarial testing (evasion, extraction) is in scope Establish model availability requirements (avoid DoS to production models) Define data handling for any training data or model artifacts accessed during testing 4. Phase 2: Intelligence Gathering & Threat Modeling 4.1 Architecture Discovery Document ML system architecture (diagrams, data flows, component interactions) Identify all ML artifacts (datasets, models, pipelines, serving infrastructure) Map trust boundaries between components 4.2 Threat Modeling Using MITRE ATLAS Map the system architecture to MITRE ATLAS tactics:
ATLAS Tactic ML System Focus Reconnaissance ML-SBOM, public model info, API documentation Initial Access Inference endpoint exposure, pipeline credentials Execution Training code execution, model loading Persistence Backdoor models, compromised feature stores Privilege Escalation ML platform admin access Defense Evasion Adversarial perturbations, model obfuscation Credential Access API keys, training data access tokens Discovery Model architecture fingerprinting, dataset enumeration Collection Inference data harvesting, training data exfiltration Exfiltration Model extraction, training data leakage Impact Model poisoning, denial of service, misclassification
Tool Purpose Installation IBM ART Adversarial robustness testing pip install adversarial-robustness-toolbox SecML ML security evaluation pip install secml Giskard LLM security testing pip install giskard Guardrails AI LLM output validation pip install guardrails-ai PromptInject Prompt injection testing pip install promptinject TextAttack NLP adversarial testing pip install textattack
5. Phase 3: Control Verification 5.1 Test Execution Flow For each applicable MLASVS control:
Identify the control from the applicable category Reference the corresponding MLASTG-TEST-XXXX test case Execute the test procedure Document results with evidence Classify any findings using MLASWE identifiers 5.2 Test Categories Category Test Cases Focus DATA MLASTG-TEST-DATA-001 Data provenance, cryptographic integrity, lineage, trust scoring MODEL MLASTG-TEST-MODEL-001 to 004 Adversarial robustness, extraction, membership inference, backdoor detection LLM MLASTG-TEST-LLM-001 to 003 Prompt injection, output handling, jailbreak and DoS testing SUPPLY MLASTG-TEST-SUPPLY-001 to 002 ML-SBOM audit, model provenance verification PIPELINE MLASTG-TEST-PIPELINE-001 CI/CD and MLOps security audit INFRA MLASTG-TEST-INFRA-001 to 002 Model serving infrastructure, API security GOV MLASTG-TEST-GOV-001 Governance and compliance audit
5.3 Test Procedure Template Each test case follows this structure:
## MLASTG-TEST-XXXX: [Test Title]
### Control Reference
MLASVS-{CATEGORY}-{NUMBER}: {Control Description}
### Severity
Critical / High / Medium / Low / Informational
### Prerequisites
- Access requirements
- Tools required
- Model/data access needed
### Step-by-Step Procedure
1. [Step 1]
2. [Step 2]
3. [Step 3]
...
### Expected Result
[What should happen if the control is properly implemented]
### Evidence Requirements
- [What to capture as proof of testing]
### Remediation Guidance
[How to fix if the test fails]
### References
- MITRE ATLAS: AML.TXXXX
- MLASWE: MLASWE-XXXX
6. Phase 4: Exploitation & Validation 6.1 Adversarial Testing For L2 assessments, adversarial exploitation is in scope:
Attack Type Tool Technique Evasion (white-box) ART, CleverHans FGSM, PGD, DeepFool Evasion (black-box) ART HopSkipJump, Boundary Attack Data poisoning ART, SecML Gradient matching, backdoor injection Model extraction ART KnockoffNets, CopycatCNN Membership inference ART Shadow model, confident-based Prompt injection Giskard, PromptInject Direct, indirect, multi-turn Jailbreak Custom frameworks DAN, role-playing, encoding bypass
6.2 Validation Criteria Attack Success Rate Risk Level < 5% success Low risk 5–15% success Medium risk 15–30% success High risk > 30% success Critical risk
7. Phase 5: Reporting 7.1 Report Structure Executive Summary
├── Assessment scope and methodology
├── Risk overview by category
├── Key findings and critical risks
└── Overall security posture
Technical Findings
├── By MLASVS Category
│ ├── Control Reference
│ ├── MLASWE Reference
│ ├── Test Procedure Executed
│ ├── Evidence
│ ├── Risk Rating
│ └── Remediation Recommendation
└── Adversarial Testing Results
├── Attack type
├── Success rate
├── Affected controls
└── Mitigation effectiveness
Compliance Mapping
├── MLASVS Coverage (%)
├── Controls by level (L1/L2)
├── Industry framework alignment
└── Gap analysis
Appendices
├── Test execution logs
├── Tool outputs and screenshots
├── Model architecture diagrams
└── ML-SBOM analysis
7.2 Risk Ratings Rating Definition ML Impact Critical Immediate exploitation with severe impact Model can be reliably poisoned, extracted with >50% fidelity, or made unavailable High Exploitation possible with moderate effort Model evasion >30% success rate, training data leakage confirmed Medium Exploitation requires significant resources Model extraction requires > 100K queries; membership inference accuracy only marginally above the 50% random baseline Low Limited exploitation potential Control deficiency with compensating controls in place
Risk Level Remediation Timeline Critical 24-48 hours High 1-2 weeks Medium 1-3 months Low 3-6 months
June 28, 2026 June 28, 2026