How does MITRE ATLAS map to AI-agent detection rules?
ATR aligns to 34 of 101 top-level MITRE ATLAS techniques and 13 of 16 tactics against the ATLAS v5.6.0 draft. This is the honest state of that crosswalk, gaps included.
ATR currently aligns to 34 of the 101 top-level techniques in MITRE ATLAS, spanning 13 of the 16 ATLAS tactics, measured against the ATLAS v5.6.0 draft. That leaves 66 techniques with no ATR rule behind them yet. This is a working crosswalk, not a published mapping, and I am writing it up with the gaps in plain sight because a security standard that hides its coverage holes is worse than useless.
I am Adam Lin, and I maintain ATR (Agent Threat Rules), an open, MIT-licensed detection standard for AI agents. PanGuard is built on ATR and operates it. This post explains what ATLAS is, why an agent-specific ruleset has to crosswalk to it, and exactly where the 34-of-101 coverage stops.
What is MITRE ATLAS and why crosswalk to it?
MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is the ATT&CK-style knowledge base for attacks against machine learning and AI systems. It organizes real adversary behavior into tactics (the attacker's goal at each stage, like reconnaissance or exfiltration) and techniques (the specific method used to achieve that goal). The v5.6.0 draft lists 16 tactics and 101 top-level techniques.
A detection ruleset that only ships raw rules is a pile of pattern-matchers with no shared language. Crosswalking to ATLAS gives every rule a coordinate: this rule detects this technique under this tactic. That matters for three concrete reasons. A security team can ask "where am I blind against ATLAS?" and get an answer. A rule author can see which techniques are over-covered and which have zero rules. And a compliance reviewer can trace a control back to an industry-standard taxonomy instead of a vendor's private categories.
ATR does the same crosswalk against OWASP: 866 rule-to-category mappings covering all 10 of the OWASP Agentic Top 10 (2026) categories, nine at STRONG strength and one, ASI10 Rogue Agents, at MODERATE. ATLAS is the second axis. OWASP tells you which agent risk class a rule addresses. ATLAS tells you which adversary technique it detects. The two taxonomies overlap but do not substitute for each other.
What does 34 of 101 techniques actually cover?
The 34 covered techniques cluster where ATR's corpus is strongest: prompt injection and jailbreak variants, tool misuse, credential and token theft, and supply-chain tampering in agent skills and MCP servers. ATR is a corpus of nearly 690 rules across 10 categories (688 as of July 2026, shipped as npm agent-threat-rules v3.5.6), and most of those rules describe attacks that map cleanly onto ATLAS execution, exfiltration, and initial-access techniques.
The coverage is deterministic Layer 1 detection. On the SKILL.md corpus of 498 real-world samples, ATR's Layer 1 rules hit 100% recall at 97% precision and a 0.2% false-positive rate. On the NVIDIA garak in-the-wild jailbreak corpus of 650 samples, recall is 97.2%. These are per-corpus, per-layer numbers, not a single engine-wide figure, and the false-positive behavior is lane-based: roughly 0.24% FP in the enforce lane against a 65,000-sample benign gate, roughly 9% in the default hunt lane. There is no blended precision number that honestly describes the whole engine, so I do not report one.
The techniques ATR covers are the ones I could back with real attack payloads. The wild scan behind much of this corpus swept 96,096 AI agent skills across six public registries and confirmed 751 malicious. Real MCP incidents anchor the supply-chain techniques: the postmark-mcp server that silently BCC'd thousands of emails per day for 15 versions, MCPJam Inspector (CVE-2026-23744) turning one HTTP request into RCE, and Azure MCP Server (CVE-2026-26118) leaking managed-identity tokens via SSRF.
Where are the 66 gaps?
The uncovered 66 techniques fall into a few honest categories. First, model-level attacks that ATR's action-focused rules do not touch: data-poisoning of training sets, model-extraction, and adversarial-example crafting against a model's weights live mostly outside the runtime behavior ATR observes. Second, techniques that require infrastructure telemetry ATR does not ingest, like ML-supply-chain compromise at the model-artifact level. Third, the three ATLAS tactics with no ATR coverage at all, where I have not yet found generalizable attack payloads that survive the benign gate.
I will not paper over these. A technique counts as covered only when there is a rule with real true-positive and true-negative test cases that clears the 65,000-sample benign gate. A rule that fires on a description of an attack instead of the attack itself does not count, and an earlier batch of predicted rules was retired for exactly that failure. Coverage that cannot survive a false-positive audit is not coverage.
How does a new technique become a covered rule?
Through threat crystallization. An AI understands an attack once, that understanding is written as a deterministic rule, and the rule then executes in milliseconds for everyone who runs the engine. A new attack becomes a shipped rule in about an hour, not the weeks a committee process takes. When a payload for one of the 66 uncovered techniques shows up and generalizes past the benign gate, the ATLAS crosswalk moves. That is why this is a draft alignment against a draft ATLAS version, and why the count will change.
This mapping is not published or endorsed by MITRE. It is my working crosswalk, offered so that anyone using ATR can see coverage and gaps at the same resolution I do.
FAQ
Is ATR's ATLAS mapping official or endorsed by MITRE?
No. It is an independent working crosswalk against the ATLAS v5.6.0 draft, maintained by me as part of ATR. It is a draft alignment, not a published or MITRE-endorsed mapping.
Why only 34 of 101 techniques?
Because a technique only counts when ATR has a rule backed by real attack payloads that clears the 65,000-sample benign gate. The 66 uncovered techniques are mostly model-level attacks and cases where no generalizable payload has survived that gate yet.
How does ATLAS coverage relate to ATR's OWASP mapping?
They are two independent axes. OWASP (866 mappings, all 10 Agentic Top 10 categories) classifies the agent risk; ATLAS classifies the adversary technique. A single rule usually carries both coordinates.
How fast does new technique coverage ship?
About an hour per rule via threat crystallization, once a real payload for that technique generalizes past the benign gate. That is what moves the 34-of-101 count over time.
You can read the standard and check the crosswalk yourself, or scan a skill or MCP server before you install it: npm install -g @panguard-ai/panguard && pga up, then pga scan <target>.