About · the framework & the group

Why it exists.

AATMF is an attempt to give adversarial AI the thing every mature security discipline already has: a shared vocabulary. One taxonomy, one scoring model, one set of identifiers — so red teams, defenders, engineers and regulators can describe the same attack the same way.

01 · the framework

What AATMF is, and what it deliberately is not.

A taxonomy, not a tool.

AATMF catalogues the adversarial-AI attack surface across 15 tactics and 240 techniques, grouped into three domains — core, advanced, and infrastructure & human. Each technique carries a stable identifier, a risk score, concrete attack procedures, and mappings to the frameworks already in use.

It does for AI systems what ATT&CK did for enterprise intrusion: it does not tell you what tool to run. It gives everyone a common way to name, locate, and reason about an attack — which is the prerequisite for testing it, scoring it, and defending against it.

The framework is versioned. v3 (2026) reflects a landscape where jailbreaking is commodity, agents are weaponised, and retrieval and supply-chain poisoning are cheap and reliable.

The first technology where human manipulation is technical exploitation.

The core thesis

Traditional security assumes a machine that follows rules. AI systems are different: they were trained to respond like humans, which means they inherit human susceptibilities — to authority, to urgency, to framing, to misdirection.

That is why a social-engineering playbook translates so cleanly to a model. The substrate changed from a person to a network of weights; the attack did not. AATMF is built around that single observation. Same attack. Different substrate.

02 · risk model

AATMF-R v3 — how every technique gets one comparable score.

One score, six factors.

Every technique is scored on the AATMF-R model so that a prompt-injection bug and an agent-orchestration exploit can be compared on the same axis and triaged against the same bands.

Risk = (L · I · E) / 6 × (D / 6) × R × C

Likelihood (L), Impact (I), Exploitability (E), Detectability (D) and Recoverability (R) each score 1–5; the Cost factor (C) ranges 0.5–2.0 and weights how cheap the attack is to mount. Scores resolve to five bands: Critical (250+), High, Medium, Low and Info, each tied to a remediation expectation.
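A worked implementation of the scoring model exactly as printed above, added here as an example; it is not code from AATMF or snailsploit. It assumes nothing beyond the formula and factor ranges on this page: the `Factors` class and the `aatmf_r_score`, `max_score`, `band` and `triage` names are the example's own, the two technique entries are constructed placeholders for the prompt-injection and agent-orchestration comparison in the text and are not AATMF identifiers, and the High, Medium and Low floors passed to `band` are illustrative values because the page states only the Critical floor of 250.

```python
from __future__ import annotations

from dataclasses import dataclass

# Five 1-5 factors plus a 0.5-2.0 cost weight, as stated on the page.
ORDINAL_FACTORS = ("likelihood", "impact", "exploitability", "detectability", "recoverability")
COST_RANGE = (0.5, 2.0)

# The only band floor the page gives. High/Medium/Low floors must come from the spec.
CRITICAL_FLOOR = 250.0


@dataclass(frozen=True)
class Factors:
    """One technique's AATMF-R inputs; construction fails on out-of-range values."""
    likelihood: int       # L
    impact: int           # I
    exploitability: int   # E
    detectability: int    # D
    recoverability: int   # R
    cost: float           # C, weights how cheap the attack is to mount

    def __post_init__(self) -> None:
        for name in ORDINAL_FACTORS:
            v = getattr(self, name)
            if not isinstance(v, int) or not 1 <= v <= 5:
                raise ValueError(f"{name}={v!r}: must be an integer in 1..5")
        lo, hi = COST_RANGE
        if not lo <= self.cost <= hi:
            raise ValueError(f"cost={self.cost!r}: must be in {lo}..{hi}")


def aatmf_r_score(f: Factors) -> float:
    """Risk = (L * I * E) / 6 * (D / 6) * R * C, exactly as printed on the page."""
    return (f.likelihood * f.impact * f.exploitability) / 6 * (f.detectability / 6) * f.recoverability * f.cost


def max_score() -> float:
    """Ceiling of the formula with every factor at its stated maximum."""
    return aatmf_r_score(Factors(5, 5, 5, 5, 5, COST_RANGE[1]))


def band(score: float, floors: dict[str, float]) -> str:
    """Map a score to the highest band whose lower bound it meets; a score below
    every listed floor falls to Info, the page's lowest band."""
    for name, floor in sorted(floors.items(), key=lambda kv: kv[1], reverse=True):
        if score >= floor:
            return name
    return "Info"


def triage(techniques: dict[str, Factors], floors: dict[str, float]) -> list[tuple[str, float, str]]:
    """Score every technique and return (label, score, band) with highest risk first."""
    rows = []
    for label, f in techniques.items():
        score = aatmf_r_score(f)
        rows.append((label, score, band(score, floors)))
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Illustrative floors: only Critical comes from the page; the other three are placeholders.
EXAMPLE_FLOORS = {"Critical": CRITICAL_FLOOR, "High": 100.0, "Medium": 40.0, "Low": 10.0}

# Constructed inputs for the page's own comparison (a prompt-injection bug versus an
# agent-orchestration exploit); the labels are not AATMF technique identifiers.
EXAMPLE_TECHNIQUES = {
    "prompt-injection (example)": Factors(4, 4, 3, 3, 2, 1.0),
    "agent-orchestration (example)": Factors(3, 5, 4, 3, 4, 1.5),
}

if __name__ == "__main__":
    for label, score, b in triage(EXAMPLE_TECHNIQUES, EXAMPLE_FLOORS):
        print(f"{score:7.2f}  {b:<8}  {label}")
    print(f"ceiling under stated ranges: {max_score():.2f} (Critical floor is {CRITICAL_FLOOR:.0f})")
```

Running `max_score()` is the check worth doing before adopting the bands: with every factor at its stated maximum the formula yields about 173.6, which is below the 250 floor printed for Critical, so the band cut-offs or the factor ranges should be confirmed against the full AATMF-R v3 specification before the bands are used for triage.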

03 · interoperability

AATMF references the standards you already report against.

It slots in. It doesn't replace.

Every technique cross-references NIST AI RMF, MITRE ATLAS and the OWASP LLM Top 10, and risk tiers align to the EU AI Act. AATMF is meant to sit inside an existing governance program — adding the AI-specific resolution those frameworks lack, without asking anyone to abandon them.

04 · the group

snailsploit.

A small, independent adversarial-AI research group. No vendor, no platform — the people doing the work are the people on the byline.

Founder · research Kai Aizen

Leads the framework's taxonomy and risk model, and the adversarial research behind the v3 technique set.

Founder · research Avraham Shemesh

Drives procedure development, detection signatures, and the mappings into NIST, ATLAS and OWASP.

05 · ethical use

AATMF is published for defensive research, authorised testing, and education. It describes how AI systems are attacked so that they can be tested and defended — not so they can be exploited against systems or people without consent.

Use it only against systems you own or are explicitly authorised to assess. Responsible disclosure applies.

Citation
Aizen, K. & Shemesh, A. (2026).
AATMF — Adversarial AI Threat Modeling Framework, v3.
snailsploit. 15 tactics · 240 techniques.

Start with the surface.

Same attack. Different substrate.