@blamejs/exceptd-skills 0.12.24 → 0.12.26

package/data/atlas-ttps.json

@@ -1,11 +1,14 @@
 {
   "_meta": {
     "schema_version": "1.0.0",
-    "atlas_version": "5.1.0",
-    "atlas_release_date": "2025-11-01",
-    "last_updated": "2026-05-13",
+    "atlas_version": "5.4.0",
+    "atlas_release_date": "2026-02-06",
+    "secure_ai_v2_release_date": "2026-05-06",
+    "secure_ai_v2_source": "https://ctid.mitre.org/blog/2026/05/06/secure-ai-v2-release",
+    "last_updated": "2026-05-15",
+    "last_threat_review": "2026-05-15",
     "source": "https://atlas.mitre.org",
-    "note": "AI-relevant ATLAS v5.1.0 TTPs with framework_gap field. framework_gap: no framework has a control that addresses this TTP.",
+    "note": "AI-relevant ATLAS v5.4.0 TTPs with framework_gap field. framework_gap: no framework has a control that addresses this TTP. secure_ai_v2_layer flags entries included in the CTID Secure AI v2 layered set (May 2026); maturity reflects CTID's technique-maturity classification (low / moderate / high).",
     "tlp": "CLEAR",
     "source_confidence": {
       "scheme": "Admiralty (A-F + 1-6)",
@@ -19,6 +22,74 @@
       "note": "Per-entry last_verified governs decay. Skills depending on this catalog must check entry freshness before high-stakes use."
     }
   },
+  "AML.T0001": {
+    "id": "AML.T0001",
+    "name": "Victim Research",
+    "tactic": "Reconnaissance",
+    "description": "Adversary gathers information about the victim's ML systems before active engagement — public-facing model endpoints, published research papers describing the system's architecture, model cards on HuggingFace, leaked system prompts, vendor disclosure of which foundation models power user-facing AI products. For AI-augmented developer environments: enumeration of installed MCP servers, AI-coding-assistant configuration files, and IDE-side extension manifests visible through error messages or public Git history.",
+    "subtechniques": [
+      "AML.T0001.000 — Search Application Repositories (HuggingFace, model cards, GitHub model commits)",
+      "AML.T0001.001 — Search Research Papers (academic publications detailing model architecture)",
+      "AML.T0001.002 — Vendor / Provider Disclosures (which AI foundation models power named products)",
+      "AML.T0001.003 — Public AI System Probing (enumerating exposed AI APIs without active payload)"
+    ],
+    "real_world_instances": [
+      "PROMPTSTEAL preparatory phase — adversary mapped victim's RAG corpus structure via public research papers before launching extraction",
+      "CVE-2026-30615 reconnaissance — public Windsurf marketplace pages enabled identification of vulnerable MCP server versions across deployments"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "No framework requires AI-asset visibility hygiene as a control. NIST 800-53 PM-15 (information sharing) and AC-22 (publicly accessible content) do not contemplate AI-system-specific reconnaissance signal. No framework requires monitoring of model-card / HuggingFace / public-AI-API surface for adversary reconnaissance indicators (anomalous model-card view patterns, public-endpoint enumeration sweeps).",
+    "controls_that_partially_help": [
+      "NIST-800-53-AC-22",
+      "NIST-800-53-PM-15"
+    ],
+    "controls_that_dont_help": [
+      "ISO-27001-2022-A.8.28"
+    ],
+    "detection": "Public-facing AI endpoint scan-pattern monitoring; HuggingFace / model-repository view-pattern anomaly detection where attribution is possible; public-research-paper citation tracking for victim-named systems; honeytoken model cards seeded in public registries for victim attribution.",
+    "exceptd_skills": [
+      "ai-attack-surface",
+      "ai-c2-detection"
+    ],
+    "last_verified": "2026-05-15"
+  },
+  "AML.T0040": {
+    "id": "AML.T0040",
+    "name": "Tool / Plugin Compromise",
+    "tactic": "Execution",
+    "description": "Adversary compromises an LLM tool-call surface or agent plugin layer — for example an MCP server, a tool registered with an OpenAI Codex / Anthropic Claude Code session, or a Copilot / Cursor agent plugin — to gain code execution within the agent runtime. The compromised tool exposes operator-controlled inputs (filesystem paths, shell commands, API endpoints) that the LLM invokes on behalf of the operator, bypassing the operator-side trust boundary.",
+    "subtechniques": [
+      "AML.T0040.000 — MCP server typosquat / registry compromise",
+      "AML.T0040.001 — Agent plugin authorization bypass via prompt-injection-induced consent",
+      "AML.T0040.002 — Stdio-transport command injection (Anthropic MCP SDK class)"
+    ],
+    "real_world_instances": [
+      "CVE-2026-30623 (Anthropic MCP SDK stdio command-injection class — 30+ MCP servers affected)",
+      "Pwn2Own Berlin 2026 — Viettel Cyber Security Claude Code collision (MCP-class bug)",
+      "Pwn2Own Berlin 2026 — STARLabs SG five-bug LM Studio chain",
+      "Pwn2Own Berlin 2026 — Compass Security OpenAI Codex CWE-150 chain"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "No framework currently models the agent-runtime tool-call trust boundary. NIST 800-53 CM-7 (Least Functionality) was designed for OS-level execution allowlisting, not for AI-agent tool registries. ISO 27001:2022 A.5.20 (Information security in supplier relationships) does not reach plugin-level supplier identity in the agent runtime. The MCP-server-registry surface is closest analogue to a package registry; supply-chain controls (SLSA, sigstore) are not yet applied to MCP registries operationally.",
+    "controls_that_partially_help": [
+      "NIST-800-53-CM-7",
+      "NIST-800-53-AC-3",
+      "ISO-27001-2022-A.8.30"
+    ],
+    "controls_that_dont_help": [
+      "Traditional WAF / API gateway controls — agent-side calls bypass these by design",
+      "OS-level antimalware — the agent runtime invokes the tool inside its own process trust boundary"
+    ],
+    "detection": "MCP-server inventory + signature attestation; tool-call audit logs reviewed for typosquat patterns; agent-side outbound API call monitoring for credential exfiltration patterns; plugin-installation event correlation with prompt-injection IOCs.",
+    "exceptd_skills": [
+      "mcp-agent-trust",
+      "ai-attack-surface",
+      "mcp-supply-chain"
+    ],
+    "secure_ai_v2_layer": true,
+    "maturity": "high",
+    "last_verified": "2026-05-15"
+  },
   "AML.T0010": {
     "id": "AML.T0010",
     "name": "ML Supply Chain Compromise",
@@ -48,7 +119,9 @@
       "mcp-agent-trust",
       "ai-attack-surface"
     ],
-    "last_verified": "2026-05-13"
+    "secure_ai_v2_layer": true,
+    "maturity": "high",
+    "last_verified": "2026-05-15"
   },
   "AML.T0016": {
     "id": "AML.T0016",
@@ -75,7 +148,9 @@
       "ai-c2-detection",
       "mcp-agent-trust"
     ],
-    "last_verified": "2026-05-13"
+    "secure_ai_v2_layer": true,
+    "maturity": "moderate",
+    "last_verified": "2026-05-15"
   },
   "AML.T0017": {
     "id": "AML.T0017",
@@ -104,7 +179,9 @@
       "ai-c2-detection",
       "ai-attack-surface"
     ],
-    "last_verified": "2026-05-13"
+    "secure_ai_v2_layer": true,
+    "maturity": "high",
+    "last_verified": "2026-05-15"
   },
   "AML.T0018": {
     "id": "AML.T0018",
@@ -134,7 +211,9 @@
       "rag-pipeline-security",
       "skill-update-loop"
     ],
-    "last_verified": "2026-05-13"
+    "secure_ai_v2_layer": true,
+    "maturity": "moderate",
+    "last_verified": "2026-05-15"
   },
   "AML.T0020": {
     "id": "AML.T0020",
@@ -163,7 +242,9 @@
       "rag-pipeline-security",
       "ai-attack-surface"
     ],
-    "last_verified": "2026-05-13"
+    "secure_ai_v2_layer": true,
+    "maturity": "high",
+    "last_verified": "2026-05-15"
   },
   "AML.T0024": {
     "id": "AML.T0024",
@@ -196,7 +277,9 @@
       "rag-pipeline-security",
       "ai-attack-surface"
     ],
-    "last_verified": "2026-05-13"
+    "secure_ai_v2_layer": true,
+    "maturity": "high",
+    "last_verified": "2026-05-15"
   },
   "AML.T0043": {
     "id": "AML.T0043",
@@ -227,7 +310,9 @@
       "ai-attack-surface",
       "rag-pipeline-security"
     ],
-    "last_verified": "2026-05-13"
+    "secure_ai_v2_layer": true,
+    "maturity": "moderate",
+    "last_verified": "2026-05-15"
   },
   "AML.T0044": {
     "id": "AML.T0044",
@@ -259,7 +344,9 @@
       "ai-attack-surface",
       "ai-risk-management"
     ],
-    "last_verified": "2026-05-13"
+    "secure_ai_v2_layer": true,
+    "maturity": "moderate",
+    "last_verified": "2026-05-15"
   },
   "AML.T0048": {
     "id": "AML.T0048",
@@ -291,7 +378,9 @@
       "rag-pipeline-security",
       "ai-risk-management"
     ],
-    "last_verified": "2026-05-13"
+    "secure_ai_v2_layer": true,
+    "maturity": "moderate",
+    "last_verified": "2026-05-15"
   },
   "AML.T0051": {
     "id": "AML.T0051",
@@ -323,7 +412,9 @@
       "mcp-agent-trust",
       "rag-pipeline-security"
     ],
-    "last_verified": "2026-05-13"
+    "secure_ai_v2_layer": true,
+    "maturity": "high",
+    "last_verified": "2026-05-15"
   },
   "AML.T0053": {
     "id": "AML.T0053",
@@ -354,7 +445,9 @@
       "mcp-agent-trust",
       "ai-attack-surface"
     ],
-    "last_verified": "2026-05-13"
+    "secure_ai_v2_layer": true,
+    "maturity": "high",
+    "last_verified": "2026-05-15"
   },
   "AML.T0054": {
     "id": "AML.T0054",
@@ -383,7 +476,9 @@
       "ai-attack-surface",
       "mcp-agent-trust"
     ],
-    "last_verified": "2026-05-13"
+    "secure_ai_v2_layer": true,
+    "maturity": "high",
+    "last_verified": "2026-05-15"
   },
   "AML.T0055": {
     "id": "AML.T0055",
@@ -415,7 +510,9 @@
       "mcp-agent-trust",
       "rag-pipeline-security"
     ],
-    "last_verified": "2026-05-13"
+    "secure_ai_v2_layer": true,
+    "maturity": "moderate",
+    "last_verified": "2026-05-15"
   },
   "AML.T0057": {
     "id": "AML.T0057",
@@ -449,7 +546,9 @@
       "ai-attack-surface",
       "dlp-gap-analysis"
     ],
-    "last_verified": "2026-05-13"
+    "secure_ai_v2_layer": true,
+    "maturity": "high",
+    "last_verified": "2026-05-15"
   },
   "AML.T0096": {
     "id": "AML.T0096",
@@ -480,6 +579,416 @@
       "ai-c2-detection",
       "ai-attack-surface"
     ],
-    "last_verified": "2026-05-13"
+    "secure_ai_v2_layer": true,
+    "maturity": "high",
+    "last_verified": "2026-05-15"
+  },
+  "AML.T0097": {
+    "id": "AML.T0097",
+    "name": "Virtualization/Sandbox Evasion",
+    "tactic": "Defense Evasion",
+    "description": "Adversary uses LLM-driven reasoning to detect that a generated payload is being executed inside an analysis sandbox or virtualization layer and alters behavior to evade dynamic analysis. The LLM is queried for environment-fingerprint signals (process tree, hypervisor markers, timing artifacts) at runtime; if a sandbox is suspected, the payload diverges from the path observed during sandbox detonation.",
+    "subtechniques": [
+      "AML.T0097.000 — Sandbox fingerprinting via LLM reasoning",
+      "AML.T0097.001 — Conditional payload bifurcation based on LLM verdict"
+    ],
+    "real_world_instances": [
+      "Adversary research samples 2026 — malware queries hosted LLM to classify the runtime environment before deciding which branch to execute"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "No framework requires sandbox-detection-resistance testing on payloads that consult an external LLM at runtime. SI-3 antimalware detonation pipelines assume payload behavior is deterministic across the sandbox / production split.",
+    "controls_that_partially_help": [
+      "NIST-800-53-SI-3",
+      "NIST-800-53-SI-4"
+    ],
+    "controls_that_dont_help": [
+      "NIST-800-53-SC-7"
+    ],
+    "detection": "Egress monitoring for AI API calls from analysis-sandbox networks; behavioral divergence comparison between sandbox detonation and production execution traces",
+    "exceptd_skills": [
+      "ai-c2-detection",
+      "ai-attack-surface"
+    ],
+    "secure_ai_v2_layer": true,
+    "maturity": "moderate",
+    "last_verified": "2026-05-15"
+  },
+  "AML.T0098": {
+    "id": "AML.T0098",
+    "name": "AI Agent Tool Credential Harvesting",
+    "tactic": "Credential Access",
+    "description": "Adversary instructs a compromised or attacker-controlled AI agent to enumerate and exfiltrate credentials held by the agent runtime — environment variables, mounted secret files, credential stores accessible via registered tools, and API keys passed via tool arguments. The agent has legitimate read access; the abuse is in the redirection of what the agent reads for.",
+    "subtechniques": [
+      "AML.T0098.000 — Env-var harvesting via agent shell tool",
+      "AML.T0098.001 — Cloud-metadata harvesting via agent HTTP tool",
+      "AML.T0098.002 — Vault / secret-manager harvesting via authorized agent identity"
+    ],
+    "real_world_instances": [
+      "Indirect-prompt-injection campaigns 2026 — attacker-controlled web content instructs the agent to dump $env and POST to attacker endpoint"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "IA-5 authenticator management does not contemplate agent runtime credential scope. No framework requires per-tool credential masking on agent prompts or response captures. AC-6 least privilege has no AI-agent-specific guidance for what an agent identity should be permitted to read.",
+    "controls_that_partially_help": [
+      "NIST-800-53-IA-5",
+      "NIST-800-53-AC-6"
+    ],
+    "controls_that_dont_help": [
+      "NIST-800-53-SI-3"
+    ],
+    "detection": "Agent prompt + tool-call audit trail with secret-pattern scan; per-tool credential allowlist; egress block on agent identities making outbound requests to non-allowlisted destinations",
+    "exceptd_skills": [
+      "mcp-agent-trust",
+      "dlp-gap-analysis",
+      "ai-attack-surface"
+    ],
+    "secure_ai_v2_layer": true,
+    "maturity": "high",
+    "last_verified": "2026-05-15"
+  },
+  "AML.T0099": {
+    "id": "AML.T0099",
+    "name": "AI Agent Tool Data Poisoning",
+    "tactic": "Impact",
+    "description": "Adversary uses an AI agent's authorized tool access to corrupt downstream data the agent is responsible for maintaining — knowledge base entries, vector embeddings, CRM records, ticketing fields, configuration objects — by inducing the agent (via prompt injection or task manipulation) to issue write operations that degrade data integrity at scale.",
+    "subtechniques": [
+      "AML.T0099.000 — RAG corpus poisoning via agent write-tool",
+      "AML.T0099.001 — Structured datastore poisoning via agent CRUD tool"
+    ],
+    "real_world_instances": [
+      "Production RAG-agent incidents 2026 — agent instructed via injected document to overwrite knowledge base entries"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "SI-7 software/firmware integrity does not contemplate agent-issued writes to data stores. CM-3 change management does not address AI-agent-mediated data writes. No framework requires write-scope review on agent tool registrations.",
+    "controls_that_partially_help": [
+      "NIST-800-53-SI-7",
+      "NIST-800-53-CM-3"
+    ],
+    "controls_that_dont_help": [
+      "ISO-27001-2022-A.8.28"
+    ],
+    "detection": "Agent write-operation audit with content diff; rate-of-change anomaly on datastores accessed by agent identities; canary records in agent-writable corpora",
+    "exceptd_skills": [
+      "rag-pipeline-security",
+      "mcp-agent-trust",
+      "ai-attack-surface"
+    ],
+    "secure_ai_v2_layer": true,
+    "maturity": "moderate",
+    "last_verified": "2026-05-15"
+  },
+  "AML.T0100": {
+    "id": "AML.T0100",
+    "name": "AI Agent Clickbait",
+    "tactic": "Initial Access",
+    "description": "Adversary publishes content (web pages, marketplace listings, GitHub repos, package descriptions) crafted to be highly attractive to AI agents performing web search or supply-chain discovery — engineered to rank well in agent retrieval and to embed indirect prompt-injection payloads that fire when the agent ingests the content.",
+    "subtechniques": [
+      "AML.T0100.000 — Search-ranked indirect prompt injection page",
+      "AML.T0100.001 — Marketplace / registry typosquat with injected description"
+    ],
+    "real_world_instances": [
+      "MCP and npm registry typosquat campaigns 2026 — package descriptions tuned for agent-driven discovery"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "No framework has a control for adversarial content optimization against AI retrieval. SA-12 supply chain does not contemplate agent-driven content discovery. No framework requires retrieval-side content provenance evaluation.",
+    "controls_that_partially_help": [
+      "NIST-800-53-SA-12"
+    ],
+    "controls_that_dont_help": [
+      "NIST-800-53-SI-3"
+    ],
+    "detection": "Retrieval-side content reputation scoring; injection-classifier on retrieved web pages prior to model ingestion; allowlist enforcement on agent retrieval domains for high-trust workflows",
+    "exceptd_skills": [
+      "mcp-agent-trust",
+      "ai-attack-surface",
+      "rag-pipeline-security"
+    ],
+    "secure_ai_v2_layer": true,
+    "maturity": "moderate",
+    "last_verified": "2026-05-15"
+  },
+  "AML.T0101": {
+    "id": "AML.T0101",
+    "name": "Data Destruction via AI Agent Tool Invocation",
+    "tactic": "Impact",
+    "description": "Adversary causes an AI agent to invoke destructive tools — file deletion, repository purge, database drop, cloud-resource teardown — within its authorized scope. Distinguished from T0099 (poisoning) by goal: irreversible loss rather than corruption.",
+    "subtechniques": [
+      "AML.T0101.000 — Repository purge via agent git-tool",
+      "AML.T0101.001 — Cloud-resource teardown via agent IaC tool"
+    ],
+    "real_world_instances": [
+      "Production agent incidents 2026 — injected instructions caused agent to drop staging tables believing it was a sanctioned cleanup task"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "No framework requires destructive-action confirmation gates on AI agent tool invocations. AC-3 access enforcement treats the agent identity as a single principal and does not contemplate per-tool destructive-scope review.",
+    "controls_that_partially_help": [
+      "NIST-800-53-AC-3",
+      "NIST-800-53-CP-9"
+    ],
+    "controls_that_dont_help": [
+      "NIST-800-53-SI-3"
+    ],
+    "detection": "Two-step confirmation on destructive agent tools; immutable backups outside agent write scope; alert on agent-issued DELETE/DROP/PURGE patterns",
+    "exceptd_skills": [
+      "mcp-agent-trust",
+      "ai-attack-surface",
+      "incident-response-playbook"
+    ],
+    "secure_ai_v2_layer": true,
+    "maturity": "high",
+    "last_verified": "2026-05-15"
+  },
+  "AML.T0102": {
+    "id": "AML.T0102",
+    "name": "Generate Malicious Commands",
+    "tactic": "Execution",
+    "description": "Adversary uses an LLM (hosted or self-hosted) to generate malicious commands, shell snippets, or program code that the adversary then executes against a target — distinguished from T0050-style LLM-as-interpreter by the adversary, not the model, doing the execution. Covers AI-accelerated exploit development and on-demand evasion code synthesis.",
+    "subtechniques": [
+      "AML.T0102.000 — On-demand evasion code generation (PROMPTFLUX pattern)",
+      "AML.T0102.001 — AI-assisted exploit primitive synthesis"
+    ],
+    "real_world_instances": [
+      "PROMPTFLUX — malware queries public LLM API for novel AV evasion code at each execution",
+      "Adversary-tooling marketplaces 2026 — LLM-as-a-service tuned for offensive code generation"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "No framework has a control for monitoring LLM API usage by attacker identity / process. Vendor abuse-detection on hosted LLM APIs is provider-side and not visible to defenders. SI-3 antimalware does not contemplate code that is freshly generated per execution.",
+    "controls_that_partially_help": [
+      "NIST-800-53-SI-3",
+      "NIST-800-53-SI-4"
+    ],
+    "controls_that_dont_help": [
+      "NIST-800-53-SC-7"
+    ],
+    "detection": "Behavioral execution analytics (uniqueness-per-instance suggests freshly-generated code); endpoint AI-API egress monitoring from non-developer processes",
+    "exceptd_skills": [
+      "ai-c2-detection",
+      "ai-attack-surface",
+      "exploit-scoring"
+    ],
+    "secure_ai_v2_layer": true,
+    "maturity": "high",
+    "last_verified": "2026-05-15"
+  },
+  "AML.T0103": {
+    "id": "AML.T0103",
+    "name": "Deploy AI Agent",
+    "tactic": "Persistence",
+    "description": "Adversary deploys an attacker-controlled AI agent into a target environment for sustained, autonomous attack operations — long-horizon credential harvesting, lateral discovery, data staging, opportunistic exploitation. The agent persists across operator sessions and reacts to its own observations without continuous adversary direction.",
+    "subtechniques": [
+      "AML.T0103.000 — Adversary-deployed autonomous agent in compromised cloud tenant",
+      "AML.T0103.001 — Agent persistence via scheduled-task or service-account registration"
+    ],
+    "real_world_instances": [
+      "Threat-research demonstrations 2025-2026 of long-running agentic C2 inside compromised cloud accounts"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "No framework treats a long-running AI agent identity as a separately-controlled asset. SI-4 information system monitoring has no AI-agent-baseline guidance. PM-16 threat intelligence does not contemplate agentic-persistence indicators.",
+    "controls_that_partially_help": [
+      "NIST-800-53-SI-4",
+      "NIST-800-53-AC-2"
+    ],
+    "controls_that_dont_help": [
+      "NIST-800-53-SI-3"
+    ],
+    "detection": "Inventory of AI-agent identities + their tool scopes; alert on new agent registrations; behavioral baseline on agent activity hours and operation classes",
+    "exceptd_skills": [
+      "ai-c2-detection",
+      "mcp-agent-trust",
+      "ai-attack-surface"
+    ],
+    "secure_ai_v2_layer": true,
+    "maturity": "moderate",
+    "last_verified": "2026-05-15"
+  },
+  "AML.T0104": {
+    "id": "AML.T0104",
+    "name": "Publish Poisoned AI Agent Tool",
+    "tactic": "Resource Development",
+    "description": "Adversary publishes a poisoned AI agent tool — MCP server, plugin, function-calling package — to a registry where it will be discovered and installed by victim agents. Distinguished from T0010 (general supply-chain compromise) by being scoped to AI-agent tool registries and from T0053 (plugin compromise) by being the publishing step rather than the runtime trust failure.",
+    "subtechniques": [
+      "AML.T0104.000 — Typosquat publish to MCP registry",
+      "AML.T0104.001 — Compromised-account publish to agent-tool registry",
+      "AML.T0104.002 — Slow-poison via legitimate-tool update with later backdoor"
+    ],
+    "real_world_instances": [
+      "CVE-2026-30615 — Windsurf MCP zero-interaction RCE via published tool",
+      "MCP registry typosquat campaigns 2025-2026"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "No framework has a publish-time control for AI-agent tool registries. SA-12 supply chain assumes traditional package registries. No framework requires Ed25519-style signing or registry-side review on agent-tool publishes.",
+    "controls_that_partially_help": [
+      "NIST-800-53-SA-12",
+      "ISO-27001-2022-A.8.30"
+    ],
+    "controls_that_dont_help": [
+      "NIST-800-53-SI-3"
+    ],
+    "detection": "Registry-side reputation scoring on newly published tools; signature requirement enforcement at registry boundary; victim-side allowlist of audited tools",
+    "exceptd_skills": [
+      "mcp-agent-trust",
+      "supply-chain-integrity",
+      "ai-attack-surface"
+    ],
+    "secure_ai_v2_layer": true,
+    "maturity": "high",
+    "last_verified": "2026-05-15"
+  },
+  "AML.T0105": {
+    "id": "AML.T0105",
+    "name": "Escape to Host",
+    "tactic": "Privilege Escalation",
+    "description": "Adversary escapes from an AI workload's confinement boundary — model-serving container, agent sandbox, training-job pod — onto the underlying host. Combines container-escape primitives (T1611) with AI-pipeline-specific privileged-mount patterns (GPU device, model-cache volume, hostPath for training datasets) that commonly weaken sandbox boundaries on AI infrastructure.",
+    "subtechniques": [
+      "AML.T0105.000 — GPU-device passthrough abuse",
+      "AML.T0105.001 — Model-cache hostPath escape",
+      "AML.T0105.002 — Privileged training-job pod escape"
+    ],
+    "real_world_instances": [
+      "GPU-passthrough container research 2026 — escape from ML serving container via nvidia device node",
+      "Kubeflow / Vertex training pod escape demonstrations"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "Container isolation controls (SI-7, AC-3) do not contemplate GPU device passthrough as a privilege boundary weakening pattern. No framework requires AI-workload-specific pod security policy. CIS Kubernetes Benchmark addresses pod security generically; AI-specific privileged-mount patterns are not enumerated.",
+    "controls_that_partially_help": [
+      "NIST-800-53-SC-39",
+      "NIST-800-53-AC-3"
+    ],
+    "controls_that_dont_help": [
+      "NIST-800-53-SI-3"
+    ],
+    "detection": "Pod-spec audit for hostPath / privileged / device-passthrough on AI workloads; runtime detection on container-to-host process transitions; eBPF tracing for namespace escape primitives",
+    "exceptd_skills": [
+      "container-runtime-security",
+      "mlops-security",
+      "ai-attack-surface"
+    ],
+    "secure_ai_v2_layer": true,
+    "maturity": "moderate",
+    "last_verified": "2026-05-15"
+  },
+  "AML.T0106": {
+    "id": "AML.T0106",
+    "name": "Exploitation for Credential Access (AI Pipeline)",
+    "tactic": "Credential Access",
+    "description": "Adversary exploits a vulnerability in AI-pipeline software (model server, inference framework, agent runtime, MCP server, training scheduler) to obtain credentials held by the workload — service-account tokens, cloud-provider keys, vault credentials, model-registry tokens. ATLAS-scoped analogue of ATT&CK T1212 with AI-pipeline-specific exploit primitives.",
+    "subtechniques": [
+      "AML.T0106.000 — Model-server SSRF to cloud metadata API",
+      "AML.T0106.001 — MCP-server memory-disclosure leaking host secrets"
+    ],
+    "real_world_instances": [
+      "CVE-2026-30615 — Windsurf MCP zero-interaction RCE chained to credential read",
+      "Triton / vLLM / Ray exploit chains 2025-2026 reaching service-account scope"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "RA-5 vulnerability scanning does not cover AI-pipeline software in most asset inventories. SI-2 flaw remediation prioritizes traditional CVE classes; AI-pipeline CVEs are under-tracked in patch SLAs. No framework requires inference-stack vuln management with AI-pipeline-specific cadence.",
+    "controls_that_partially_help": [
+      "NIST-800-53-RA-5",
+      "NIST-800-53-SI-2"
+    ],
+    "controls_that_dont_help": [
+      "NIST-800-53-IA-5"
+    ],
+    "detection": "AI-pipeline CVE scanning with pipeline-specific KEV-equivalent prioritization; IMDSv2 enforcement on AI workloads; per-workload credential rotation cadence",
+    "exceptd_skills": [
+      "mlops-security",
+      "ai-attack-surface",
+      "mcp-agent-trust"
+    ],
+    "secure_ai_v2_layer": true,
+    "maturity": "moderate",
+    "last_verified": "2026-05-15"
+  },
+  "AML.T0107": {
+    "id": "AML.T0107",
+    "name": "Exploitation for Defense Evasion (AI Pipeline)",
+    "tactic": "Defense Evasion",
+    "description": "Adversary exploits AI-pipeline vulnerabilities specifically to bypass detection or instrumentation — disabling telemetry on the inference path, suppressing agent audit trails, evading content-policy filters via inference-server bug. Distinguished from T0054 (jailbreak) by exploiting a software bug rather than guardrail-prompt evasion.",
+    "subtechniques": [
+      "AML.T0107.000 — Inference-server telemetry suppression via crafted request",
+      "AML.T0107.001 — Agent audit-log bypass via prompt-execution race"
+    ],
+    "real_world_instances": [
+      "AI gateway bypass research 2026 — crafted requests cause content filter to fail-open while logging records 'allowed'",
+      "Audit-trail race-condition disclosures in agent frameworks 2026"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "AU-9 protection of audit information does not address AI-agent audit trails as a control surface. SI-4 information system monitoring has no AI-pipeline-specific tamper-detection requirement.",
+    "controls_that_partially_help": [
+      "NIST-800-53-AU-9",
+      "NIST-800-53-SI-4"
+    ],
+    "controls_that_dont_help": [
+      "NIST-800-53-SI-3"
+    ],
+    "detection": "Inference-server log integrity verification; out-of-band telemetry from agent runtime; redundant logging at gateway + model + agent layers with cross-correlation",
+    "exceptd_skills": [
+      "ai-c2-detection",
+      "mcp-agent-trust",
+      "incident-response-playbook"
+    ],
+    "secure_ai_v2_layer": true,
+    "maturity": "moderate",
+    "last_verified": "2026-05-15"
+  },
+  "AML.T0108": {
+    "id": "AML.T0108",
+    "name": "AI Agent (as Attacker Asset)",
+    "tactic": "Resource Development",
+    "description": "Adversary stands up an AI agent as part of the offensive toolchain — autonomous reconnaissance, exploit chaining, lateral movement planning, deepfake / vishing scripting. The agent is the attacker asset; targets see the agent's actions, not the human operator's keystrokes. Underpins agentic C2 (T0096) and AI-accelerated exploit development (T0102).",
+    "subtechniques": [
+      "AML.T0108.000 — Offensive recon agent",
+      "AML.T0108.001 — Offensive exploit-chaining agent",
+      "AML.T0108.002 — Offensive social-engineering agent"
+    ],
+    "real_world_instances": [
+      "PROMPTFLUX, PROMPTSTEAL — first-generation offensive agent samples in the wild",
+      "41% of 2025 zero-days were AI-discovered; AI-assisted exploit development is operational reality"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "No framework has a control for defending against an adversary-controlled AI agent as an attack capability. PM-16 threat intelligence does not require tracking offensive-agent capability evolution. AI RMF GOVERN-1.7 mentions adversarial use but does not mandate detection capability.",
+    "controls_that_partially_help": [
+      "NIST-800-53-PM-16",
+      "NIST-AI-RMF-GOVERN-1.7"
+    ],
+    "controls_that_dont_help": [
+      "NIST-800-53-SI-3"
+    ],
+    "detection": "Behavioral indicators of agentic attacker tempo (consistent inter-request timing, parallelized recon, prompt-style fingerprints in residual artifacts); threat-intel feed on offensive-agent capability releases",
+    "exceptd_skills": [
+      "ai-c2-detection",
+      "ai-attack-surface",
+      "exploit-scoring",
+      "threat-model-currency"
+    ],
+    "secure_ai_v2_layer": true,
+    "maturity": "high",
+    "last_verified": "2026-05-15"
+  },
+  "AML.T0011.002": {
+    "id": "AML.T0011.002",
+    "name": "User Execution: Poisoned AI Agent Tool",
+    "tactic": "Execution",
+    "description": "User installs and invokes a poisoned AI agent tool (MCP server, plugin) that they were socially engineered into trusting — distinct from T0104 (the publish step) and T0053 (the runtime trust failure on an already-trusted plugin). Captures the user-decision moment where the tool moves from untrusted to trusted scope.",
+    "subtechniques": [],
+    "real_world_instances": [
+      "MCP-registry social-engineering 2026 — tool descriptions tuned to appear authoritative to operators evaluating new agent capabilities"
+    ],
+    "framework_gap": true,
+    "framework_gap_detail": "AT-2 security awareness does not include AI-agent tool vetting curriculum. No framework requires tool-provenance review as a user-decision step.",
+    "controls_that_partially_help": [
+      "NIST-800-53-AT-2",
+      "NIST-800-53-SA-12"
+    ],
+    "controls_that_dont_help": [
+      "NIST-800-53-SI-3"
+    ],
+    "detection": "Tool-vetting policy + human-review gate on new agent tool installation; allowlist enforcement at the agent-runtime layer",
+    "exceptd_skills": [
+      "mcp-agent-trust",
+      "supply-chain-integrity"
+    ],
+    "secure_ai_v2_layer": true,
+    "maturity": "moderate",
+    "last_verified": "2026-05-15"
   }
 }