@blamejs/exceptd-skills 0.12.34 → 0.12.36
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +55 -0
- package/bin/exceptd.js +25 -7
- package/data/_indexes/_meta.json +34 -34
- package/data/_indexes/activity-feed.json +1 -1
- package/data/_indexes/catalog-summaries.json +1 -1
- package/data/_indexes/recipes.json +1 -1
- package/data/_indexes/section-offsets.json +64 -64
- package/data/_indexes/summary-cards.json +1 -1
- package/data/_indexes/token-budget.json +14 -14
- package/lib/playbook-runner.js +16 -1
- package/lib/schemas/skill-frontmatter.schema.json +1 -1
- package/manifest-snapshot.json +1 -1
- package/manifest-snapshot.sha256 +1 -1
- package/manifest.json +79 -79
- package/package.json +1 -1
- package/sbom.cdx.json +48 -48
- package/scripts/builders/catalog-summaries.js +1 -1
- package/scripts/builders/recipes.js +1 -1
- package/skills/age-gates-child-safety/skill.md +4 -4
- package/skills/ai-attack-surface/skill.md +3 -3
- package/skills/ai-c2-detection/skill.md +4 -4
- package/skills/api-security/skill.md +1 -1
- package/skills/attack-surface-pentest/skill.md +3 -3
- package/skills/cloud-security/skill.md +2 -2
- package/skills/compliance-theater/skill.md +2 -2
- package/skills/container-runtime-security/skill.md +2 -2
- package/skills/coordinated-vuln-disclosure/skill.md +1 -1
- package/skills/dlp-gap-analysis/skill.md +4 -4
- package/skills/exploit-scoring/skill.md +1 -1
- package/skills/framework-gap-analysis/skill.md +3 -3
- package/skills/fuzz-testing-strategy/skill.md +1 -1
- package/skills/incident-response-playbook/skill.md +1 -1
- package/skills/mcp-agent-trust/skill.md +1 -1
- package/skills/mlops-security/skill.md +2 -2
- package/skills/ot-ics-security/skill.md +2 -2
- package/skills/policy-exception-gen/skill.md +2 -2
- package/skills/rag-pipeline-security/skill.md +3 -3
- package/skills/ransomware-response/skill.md +1 -1
- package/skills/sector-energy/skill.md +2 -2
- package/skills/sector-federal-government/skill.md +1 -1
- package/skills/sector-financial/skill.md +3 -3
- package/skills/sector-healthcare/skill.md +2 -2
- package/skills/security-maturity-tiers/skill.md +1 -1
- package/skills/skill-update-loop/skill.md +4 -4
- package/skills/supply-chain-integrity/skill.md +1 -1
- package/skills/threat-model-currency/skill.md +7 -7
- package/skills/threat-modeling-methodology/skill.md +1 -1
- package/skills/webapp-security/skill.md +1 -1
- package/skills/zeroday-gap-learn/skill.md +2 -2
@@ -125,13 +125,13 @@ A DLP gap analysis that maps only to NIST 800-53 SC-7, ISO 27001:2022 A.8.16, HI
---
-
## TTP Mapping (MITRE ATLAS v5.
+
## TTP Mapping (MITRE ATLAS v5.4.0 + MITRE ATT&CK)
| ID | Source | Technique | DLP Relevance | Gap Flag — Which DLP Control Fails |
|---|---|---|---|---|
-
| AML.T0096 | ATLAS v5.
-
| AML.T0017 | ATLAS v5.
-
| AML.T0051 | ATLAS v5.
+
| AML.T0096 | ATLAS v5.4.0 | AI API as Covert C2 Channel | Direct: prompt and completion bodies as covert exfil. The same SesameOp pattern that is a C2 channel is also a DLP exfil channel — prompts encode payloads against allowlisted AI provider domains. Cross-references `DLP-CHAN-LLM-PROMPT` and `DLP-CHAN-LLM-CONTEXT` in `data/dlp-controls.json`. | Legacy email/web/USB DLP (`DLP-CHAN-EMAIL-OUT`, `DLP-CHAN-WEB-UPLOAD`, `DLP-CHAN-USB-REMOVABLE`) sees nothing. AI-aware DLP (`DLP-CHAN-LLM-PROMPT`) is the only effective control category. SC-7 boundary controls allowlist the AI provider domain — no protocol or destination anomaly fires. |
+
| AML.T0017 | ATLAS v5.4.0 | Discover ML Model Ontology | Indirect but DLP-relevant: model inversion and membership-inference attacks against embedding stores and fine-tuned models extract training-corpus content (which is itself a protected surface — see `DLP-SURFACE-TRAINING-DATA`, `DLP-SURFACE-EMBEDDING-STORE`). | No legacy DLP control category exists. Modern controls: embedding-similarity classification at retrieval boundary (`DLP-CLASS-EMBEDDING-MATCH`), differential-privacy fine-tuning, query-rate limits on inference APIs. None of these are named in any compliance framework. |
+
| AML.T0051 | ATLAS v5.4.0 | LLM Prompt Injection | Direct: prompt-injection-induced data extraction. A malicious document in a RAG corpus or a poisoned tool output (MCP) coerces the model into emitting protected content in a subsequent response. Cross-references `DLP-CHAN-LLM-CONTEXT` and `DLP-CHAN-MCP-TOOL-ARG`. | Egress-side classification on model output catches some cases but is fundamentally retroactive. Retrieval-time classification (`DLP-SURFACE-RAG-CORPUS`) and MCP tool-call argument inspection (`DLP-CHAN-MCP-TOOL-ARG`) are the primary controls. No compliance framework names either. |
| T1567 | ATT&CK | Exfiltration Over Web Service | LLM and AI API endpoints are exactly the "legitimate web service used for exfil" pattern, pre-allowlisted in nearly every enterprise. | SC-7 sees only the destination domain (allowlisted). SDK-level prompt logging with identity binding is the only practical control. |
| T1530 | ATT&CK | Data from Cloud Storage Object | Includes vector stores and model registries — embedding stores (Pinecone, Weaviate, Qdrant, pgvector, Vertex AI Matching Engine) and model artifacts in cloud object stores are 2026's high-value crown-jewel surface. See `DLP-SURFACE-EMBEDDING-STORE` and `DLP-SURFACE-TRAINING-DATA`. | Cloud DLP scanning of object stores is mature for files but not for vector indexes — index payloads are not classifiable as files. Vector-store-native ACL audit is the practical control. |
| T1213 | ATT&CK | Data from Information Repositories | RAG corpora are exactly information repositories (SharePoint, Confluence, GitHub, Drive) ingested into vector indexes. Cross-cleared retrieval is a confused-deputy exfil channel. See `DLP-SURFACE-RAG-CORPUS`. | Repository-side ACL enforcement does not propagate to RAG context. Retrieval-time classification with user-clearance check is required (`DLP-CHAN-LLM-CONTEXT`). |
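Review bot: the technique name given for AML.T0096 in the added row ("AI API as Covert C2 Channel") does not match the name the same release uses for that ID elsewhere in this diff: mcp-agent-trust calls it "LLM Integration Abuse" and sector-financial calls it "Use AI for C2 Communications". One ID should carry one name; take the name from `data/atlas-ttps.json` and use it in all three tables, since ATLAS v5.4.0 is now the pinned source for each of them.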
@@ -71,7 +71,7 @@ This skill is meta — it does not pin to a single TTP class. RWEP is the cross-
| Catalog | Role for RWEP |
|---|---|
| `data/cve-catalog.json` | Source of factor values: CISA KEV flag, PoC availability, AI-discovery flag, active-exploitation status, patch and live-patch availability per CVE |
-
| `data/atlas-ttps.json` (MITRE ATLAS v5.
+
| `data/atlas-ttps.json` (MITRE ATLAS v5.4.0) | Provides the AI/ML TTP context where AI-discovery and AI-acceleration factors apply (e.g., AML.T0016 Obtain Capabilities: Develop Capabilities, AML.T0017 Discover ML Model Ontology) |
| `data/exploit-availability.json` | Authoritative PoC + KEV + last-verified date snapshot — drives factor freshness |
| `data/zeroday-lessons.json` | Closes the loop: zero-day's lesson entry feeds back the framework gap that RWEP's score implied |
@@ -62,14 +62,14 @@ AGENTS.md hard rule #5 (global-first) now binds against the full expanded catalo
- **China (CN):** PIPL, DSL, CSL, Cybersecurity Review Measures (2022).
- **Brazil (BR):** LGPD + ANPD guidance.
- **Saudi Arabia (KSA):** PDPL + SDAIA Implementing Regulation 2023.
-
- **Global standards:** ISO 27001:2022 / 27002:2022, ISO/IEC 42001:2023, CSA CCM v4, CIS Controls v8, MITRE ATLAS v5.
+
- **Global standards:** ISO 27001:2022 / 27002:2022, ISO/IEC 42001:2023, CSA CCM v4, CIS Controls v8, MITRE ATLAS v5.4.0.
- **US sub-national:** NYDFS 23 NYCRR 500 (amended Nov 2023, phased through Nov 2025); state privacy laws (CA CCPA/CPRA, CO CPA, CT CTDPA, IL BIPA, NY SHIELD, TX DPSA, VA CDPA).
A gap declaration that closes section 6 (Global coverage check) without referencing at least the EU, UK, AU, ISO, and a representative selection from {IL, CH, HK, TW, ID, VN, JP-expanded, KR, CN, BR, NYDFS} for any org operating in those jurisdictions fails hard rule #5. The exact set required depends on the org's footprint — but the analyst must consult `data/global-frameworks.json` to enumerate it rather than defaulting to the legacy four-jurisdiction shorthand.
-
## TTP Mapping (MITRE ATLAS v5.
+
## TTP Mapping (MITRE ATLAS v5.4.0 and ATT&CK)
-
This skill maps framework controls to attacker TTPs on demand rather than statically. The authoritative TTP catalog is `data/atlas-ttps.json` (pinned to MITRE ATLAS v5.
+
This skill maps framework controls to attacker TTPs on demand rather than statically. The authoritative TTP catalog is `data/atlas-ttps.json` (pinned to MITRE ATLAS v5.4.0, February 2026) supplemented by MITRE ATT&CK Enterprise IDs for non-AI threats. The mapping convention used in every gap declaration this skill produces:
| Built-in gap | Primary TTP(s) | Gap flag |
|---|---|---|
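Review bot: the rewritten sentence pins `data/atlas-ttps.json` to ATLAS v5.4.0 (February 2026), but `package/data/atlas-ttps.json` is not in this release's changed-file list, so the pin is being bumped in prose without the catalog changing in the same version. Confirm the catalog already carries the v5.4.0 version marker (or bump it in this release); otherwise the skill text and the file it declares as its source of truth disagree.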
@@ -87,7 +87,7 @@ By mid-2026 the asymmetry between offensive and defensive fuzzing has flipped. T
---
-
## TTP Mapping (MITRE ATLAS v5.
+
## TTP Mapping (MITRE ATLAS v5.4.0 + MITRE ATT&CK Enterprise)
Fuzz is a pre-exploit control: it surfaces weaknesses before they leave the build pipeline. Mapping is via the weakness root cause (CWE) rather than the post-exploit technique.
@@ -132,7 +132,7 @@ This skill is response-shaped — the TTPs below name the incident classes the p
| **AML.T0017** | Discover ML Model Ontology | Adversary mapping of deployed model family, system-prompt structure, guardrails, and training-data signal — precursor to extraction and adversarial-input crafting | Identification: anomalous inference-API usage patterns (high-volume queries, structured probing, membership-inference signatures, repeated training-data extraction prompts). Containment: rate-limit + API-key revocation + IP block. Eradication: identify attacker access surface; assess what model-ontology data was exposed. Recovery: re-key, consider model-rotation if proprietary weights are at risk; for training-data exfiltration consider differential-privacy retraining. | No standardized detection signatures; org must build custom telemetry over AI inference APIs. |
| **AML.T0051** | LLM Prompt Injection | Prompt-injection breach as incident trigger | Identification: AI-assistant or agentic-system anomalous action (unauthorized data access, anomalous tool invocation, identity-context confusion). Containment: revoke AI-system tool scopes, disable agent autonomy, isolate affected RAG corpus. Eradication: identify injection vector (web content, email signature, document metadata, RAG corpus poisoning) and remove. Recovery: re-deploy with hardened system prompt + tool-scoping per `mcp-agent-trust`. | Detection lags; most orgs discover the incident from downstream effect (unauthorized action) rather than detection at the prompt boundary. |
-
ATLAS pinned to v5.
+
ATLAS pinned to v5.4.0 (February 2026) per AGENTS.md rule #8. ATT&CK pinned to v17 (2025-06-25) per the same rule; the v15-to-v17 ID migration does not introduce breaking changes for the T-IDs cited above.
---
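Review bot: the added claim that "the v15-to-v17 ID migration does not introduce breaking changes for the T-IDs cited above" is not backed by anything in this hunk. Either drop it or record what was checked (which T-IDs, against which ATT&CK release notes); the equivalent pin line in ransomware-response further down this diff states the v17 pin without making the claim, which is the safer form.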
@@ -155,7 +155,7 @@ Every MCP server listed in popular registries (MCP Hub, npm `@modelcontextprotoc
|---|---|---|---|
| AML.T0010 | ML Supply Chain Compromise | Direct: malicious MCP server in public registry compromises AI assistant's tool execution | ATLAS covers this conceptually; no framework has a technical control |
| AML.T0054 | LLM Jailbreak | Indirect: adversarial prompt in tool response bypasses guardrails and triggers AI to call next malicious action | No framework control |
-
| AML.T0096 | LLM Integration Abuse | AI assistant is the integration point being abused — MCP tool calls are the mechanism | Not in ATT&CK; only in ATLAS v5.
+
| AML.T0096 | LLM Integration Abuse | AI assistant is the integration point being abused — MCP tool calls are the mechanism | Not in ATT&CK; only in ATLAS v5.4.0 |
| T1195.001 | Supply Chain Compromise: Compromise Software Dependencies | MCP server package as supply chain attack target | ATT&CK covers but enterprise controls don't reach developer MCP configs |
| T1059 | Command and Script Interpreter | MCP server causes shell command execution via model-mediated tool call | Standard SI-3/EDR doesn't attribute this to the MCP server as origin |
| T1190 | Exploit Public-Facing Application | CVE-2026-30615: MCP client vulnerability driven by a locally-installed malicious server (AV:L) | Standard vuln management covers client; MCP server trust is unaddressed |
@@ -61,7 +61,7 @@ forward_watch:
- OpenSSF model-signing emergence to v1.0 — Sigstore-based model-weight signing; track for production adoption and admission-control integration
- SLSA v1.1 ML profile (draft) — model-provenance extension for training-run attestation chains; track ID and section changes
- EU AI Act high-risk technical-file implementing acts (2026-2027) — operational requirements for Article 10 / 13 / 15 documentation may pin ML-BOM or model-signing
-
- MITRE ATLAS v5.
+
- MITRE ATLAS v5.4.0 (released February 2026) shipped the AML.T0010 sub-technique expansion this forecast tracked plus new techniques ("Publish Poisoned AI Agent Tool", "Escape to Host"); inventory now 16 tactics, 84 techniques, 56 sub-techniques. Forward watch: ATLAS v5.5 / v6.0 — track next-cadence updates to agentic-AI TTPs and MLOps-pipeline-specific techniques
last_threat_review: "2026-05-15"
---
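Review bot: the rewritten forward_watch entry states an inventory of 16 tactics, 84 techniques and 56 sub-techniques and names two new techniques, none of which can be verified from this diff (the ATLAS catalog file is not among the changed files). Cite the ATLAS release note or the catalog metadata the numbers come from. Two smaller points: "Escape to Host" is cited in policy-exception-gen in this same diff as ATT&CK T1611, so give the ATLAS ID of the new technique to keep the two from being conflated; and `last_threat_review: "2026-05-15"` is left unchanged while the entry it dates was rewritten, so bump it if that date is meant to track content edits.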
@@ -111,7 +111,7 @@ This skill is distinct from `rag-pipeline-security` (which is retrieval-side of
## TTP Mapping
-
Descriptions sourced from `data/atlas-ttps.json` (ATLAS v5.
+
Descriptions sourced from `data/atlas-ttps.json` (ATLAS v5.4.0, released 2026-02-06).
| ATLAS / ATT&CK ID | Technique | MLOps Lifecycle Stage | Gap |
|---|---|---|---|
@@ -102,11 +102,11 @@ ATT&CK for ICS is a separate matrix from Enterprise. Many IT-rooted SOCs do not
| HMI host LPE | T1068 — Exploitation for Privilege Escalation | ATT&CK Enterprise | Windows 7/10 HMI host; un-rebootable; Copy Fail (CVE-2026-31431) on any Linux HMI; Print Spooler / win32k LPE family on Windows HMIs | IT patch SLAs (30 day) inapplicable to HMI hosts; no compensating-control baseline in NIST 800-82r3 |
| Hard-coded / shared credentials | CWE-798 | CWE | Vendor default creds on PLC web UI; shared "operator" account across HMI fleet | IEC 62443-3-3 SR 1.5 (authenticator management) cannot land on devices that lack per-user accounts; NERC CIP-007-6 R5 password-management partially addresses but exempts cyber-asset classes lacking user-account features |
| Firmware-image integrity | CWE-1037 (Processor Optimization Removal or Modification of Security-Critical Code) and CWE-345 family (insufficient verification of data authenticity, captured via cve-catalog supply-chain entries) | CWE | Unsigned firmware accepted by L1 device; vendor-side build pipeline compromise | NERC CIP-010 baseline-change management does not require firmware-image signature verification at install time |
-
| AI-assistant prompt injection in HMI/engineering workflow | AML.T0010 — ML Supply Chain Compromise (closest existing ATLAS entry) | ATLAS v5.
+
| AI-assistant prompt injection in HMI/engineering workflow | AML.T0010 — ML Supply Chain Compromise (closest existing ATLAS entry) | ATLAS v5.4.0 | Crafted historian tag value or vendor PDF poisons context; LLM proposes unsafe setpoint or misleads operator | No ATT&CK for ICS technique for AI-mediated operator deception; no IEC 62443 control on AI conduit; NIST 800-82r3 silent |
**Note on ATT&CK for ICS ID format.** ATT&CK for ICS uses `T0xxx` IDs (e.g., T0855, T0883, T0867). The linter regex `^T\d{4}(\.\d{3})?$` accepts this shape. For IT/OT convergence techniques (the IT side of the pivot), ATT&CK Enterprise IDs (T1190, T1068, T1078) are cited alongside.
-
**Note on ATLAS coverage.** AML.T0010 (ML Supply Chain Compromise) is the closest current ATLAS v5.
+
**Note on ATLAS coverage.** AML.T0010 (ML Supply Chain Compromise) is the closest current ATLAS v5.4.0 mapping for AI-augmented-HMI threats; it does not specifically cover prompt-injection-as-operator-deception in a control room. This is a tracked ATLAS gap — see `forward_watch`.
---
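Review bot: the prompt-injection row still maps to AML.T0010 as the "closest existing ATLAS entry", and the note below the table repeats that this is the closest v5.4.0 mapping, even though the same release maps the same behaviour directly to AML.T0051 (LLM Prompt Injection) in incident-response-playbook, sector-healthcare and sector-financial. With v5.4.0 now the pin everywhere, either use AML.T0051 here as well or state in the row why the supply-chain technique is the better fit for operator deception via poisoned context.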
@@ -80,7 +80,7 @@ This skill's exceptions exist precisely because the framework language has not c
---
-
## TTP Mapping (MITRE ATLAS v5.
+
## TTP Mapping (MITRE ATLAS v5.4.0 and ATT&CK)
A granted exception does not remove the threat — it shifts the burden onto compensating controls. For each exception in this skill, the residual TTPs the compensating controls MUST still disrupt:
@@ -91,7 +91,7 @@ A granted exception does not remove the threat — it shifts the burden onto com
| Exception 3 — Zero Trust Architecture Network Segmentation | T1021 (Remote Services), T1570 (Lateral Tool Transfer), T1078 (Valid Accounts), T1199 (Trusted Relationship) | Workload identity (SPIFFE/SPIRE), per-request mTLS, device-posture verification, east-west behavioral analytics |
| Exception 4 — Critical Systems No-Reboot Kernel Patching | T1068 (Exploitation for Privilege Escalation — Copy Fail class), T1548.001 (Setuid and Setgid), T1611 (Escape to Host) | Live kernel patch deployed and verified (`kpatch list` / `canonical-livepatch status`), eBPF/auditd exploitation-pattern rules, network-layer isolation if no live patch available, scheduled reboot window |
-
The TTP source-of-truth is `data/atlas-ttps.json` (MITRE ATLAS v5.
+
The TTP source-of-truth is `data/atlas-ttps.json` (MITRE ATLAS v5.4.0, February 2026) supplemented by ATT&CK Enterprise. Per Hard Rule #4, no exception in this skill is granted without an enumerated residual-TTP set; an exception with no listed residual is theater.
---
@@ -180,9 +180,9 @@ This attack requires:
---
-
## TTP Mapping (MITRE ATLAS v5.
+
## TTP Mapping (MITRE ATLAS v5.4.0)
-
Descriptions sourced verbatim from `data/atlas-ttps.json` (ATLAS v5.
+
Descriptions sourced verbatim from `data/atlas-ttps.json` (ATLAS v5.4.0, released 2026-02-06). Partial-coverage controls from `data/framework-control-gaps.json`.
| ATLAS ID | ATLAS Name | RAG Attack Class | Control Gap That Lets It Land | Controls That Partially Cover It |
|---|---|---|---|---|
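Review bot: the sourcing line says the table's descriptions are taken "verbatim" from `data/atlas-ttps.json` and now pins v5.4.0 (the header of the next hunk shows the previous pin was v5.1.0), yet no table row in this file is changed. If any description text moved between 5.1.0 and 5.4.0 the "verbatim" claim is no longer true; re-diff the rows against the catalog before merging, or soften the wording to "sourced from".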
@@ -196,7 +196,7 @@ Descriptions sourced verbatim from `data/atlas-ttps.json` (ATLAS v5.1.0, release
## Exploit Availability Matrix
-
**No CVE catalog entry as of 2026-05 maps directly to RAG embedding manipulation, vector store poisoning, or RAG indirect prompt injection.** These attack classes are tracked via MITRE ATLAS TTPs (v5.
+
**No CVE catalog entry as of 2026-05 maps directly to RAG embedding manipulation, vector store poisoning, or RAG indirect prompt injection.** These attack classes are tracked via MITRE ATLAS TTPs (v5.4.0) and public incident reporting rather than vendor CVEs, because they exploit architectural properties of the RAG pattern rather than a single vendor's implementation flaw. `data/exploit-availability.json` therefore has no RAG-specific rows; the rows below source ATLAS `real_world_instances` and the framework-gap entries.
| ATLAS Technique | PoC / Public Demo Available? | CISA KEV? | AI-Accelerated? | Patch Available? | Reboot / Version Bump Required? |
|---|---|---|---|---|---|
@@ -133,7 +133,7 @@ Cross-cutting gap: **no security framework treats the four ransomware-specific d
Shadow Copy deletion and exfil-staging via Web Service align to the parent IR playbook's `T1486` and `T1567` entries; the parent's `AML.T0096 / T0017 / T0051` entries do not apply to ransomware-as-a-class but may apply if AI-system data is exfiltrated within the ransomware operation.
-
ATLAS pinned to v5.
+
ATLAS pinned to v5.4.0 (February 2026) per AGENTS.md rule #8. ATT&CK pinned to v17 (2025-06-25) per the same rule.
---
@@ -54,7 +54,7 @@ d3fend_refs:
forward_watch:
- NERC CIP v7 final FERC order (anticipated 2026–2027) — additions for low-impact BES Cyber Systems, supply chain, and INSM (internal network security monitoring)
- CISA + EPA joint guidance evolution for water/wastewater following the 2023 Unitronics campaign and the 2024 EPA enforcement memorandum
-
- TSA Pipeline Security Directive renewal cadence
+
- TSA Pipeline Security Directive renewal cadence — SD Pipeline-2021-02F effective 3 May 2025, expires 2 May 2026; next reissue (anticipated 02G) overdue as of mid-May 2026, expected H2 2026; track for renewed performance-based requirements and any inclusion of agentic-AI / supply-chain extensions
- EU NCCS-G (Network Code on Cybersecurity for Cross-Border Electricity Flows, Reg. (EU) 2024/1366) phased compliance milestones through 2027 for ENTSO-E, EU DSO Entity, and impact-tier classified operators
- AESCSF 2025 refresh by AEMO with renewable/DER specific maturity indicators
- UL 2941 (DER cybersecurity) and IEEE 1547.3-2023 (DER cyber) adoption into US state PUC interconnection rules
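Review bot: the rewritten TSA line dates itself ("overdue as of mid-May 2026") inside a forward_watch entry that is meant to outlive the review that wrote it. Anchor the staleness statement to the skill's `last_threat_review` date rather than embedding a calendar reference in the entry text, so the entry stays accurate once the next reissue lands.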
@@ -136,7 +136,7 @@ Energy-sector TTPs span ATT&CK for ICS, ATT&CK Enterprise (for the IT side of th
| Hard-coded / shared / default credentials in energy assets | CWE-798 | CWE | Vendor default credentials on PLC, RTU, smart inverter, smart meter, EVSE, OCPP back-end; shared substation operator accounts | NERC CIP-007 R5 partially addresses but exempts asset classes lacking user-account features; AWWA guidance non-binding for water |
| Firmware-image integrity at L1 | CWE-1037 + CWE-345 family (insufficient verification of data authenticity) | CWE | Unsigned firmware accepted by relay, RTU, smart inverter; vendor build-pipeline compromise propagating to substation fleet | NERC CIP-010 baseline-change management does not require firmware-image signature verification at install time; signed-firmware support varies by vendor and product line |
| Authentication weakness in energy protocols | CWE-287 + CWE-306 | CWE | IEC 60870-5-104 and IEC 61850 MMS deployed without IEC 62351 authentication retrofit; DNP3 deployed without DNP3-SA; Modbus/TCP without any authentication layer | IEC 62443-3-3 SR 1.1/1.2 unenforceable at protocol layer for installed brownfield; retrofit cost and operational risk routinely defer indefinitely |
-
| AI-pipeline poisoning in dispatch / forecasting | (closest ATLAS mapping addressed in `ai-attack-surface`) | ATLAS v5.
+
| AI-pipeline poisoning in dispatch / forecasting | (closest ATLAS mapping addressed in `ai-attack-surface`) | ATLAS v5.4.0 | ML-poisoning of load forecast inputs, renewables forecast inputs, congestion model training data, or unit-commitment optimization features | No ATT&CK for ICS technique for AI-mediated market or dispatch manipulation; NERC CIP-007 R4 silent on AI event sources; NIST 800-82r3 silent. Cross-reference `ai-attack-surface`, `rag-pipeline-security`. |
**Note on ATT&CK for ICS ID format.** ATT&CK for ICS uses `T0xxx` IDs (T0855, T0883, T0867). The linter regex `^T\d{4}(\.\d{3})?$` accepts this shape. ATT&CK Enterprise IDs (T1190, T1078, T1068) are cited alongside for IT/OT pivot.
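Review bot: the AI-pipeline-poisoning row carries no technique ID in its TTP column ("closest ATLAS mapping addressed in `ai-attack-surface`") while its source column now reads ATLAS v5.4.0. Every other row in the table gives a concrete ID, and the note below the table describes the ID regex the linter applies; put the catalog's ATLAS poisoning technique ID in the row itself instead of deferring to another skill.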
@@ -297,7 +297,7 @@ Forward-watch: CMMC Level 3 (NIST 800-172 enhanced practices) addresses APT-rele
- **`supply-chain-integrity`** — SSDF practice evidence, SLSA L3 attestation, in-toto chain, Sigstore / cosign keyless signing, SBOM (CycloneDX 1.6 / SPDX 3.0), VEX via CSAF 2.0 for federal procurement.
- **`attack-surface-pentest`** — Federal red-team and High-Value Asset assessment scoping; CISA penetration testing program alignment; allied-government red-team baselines.
- **`identity-assurance`** — NIST 800-63 IAL / AAL / FAL; PIV / CAC issuance; FIDO2 / WebAuthn for federal external users; M-22-09 identity pillar evidence.
-
- **`ai-attack-surface`** — Federal AI use cases under OMB M-24-04; NIST AI RMF Generative AI Profile (NIST AI 600-1); MITRE ATLAS v5.
+
- **`ai-attack-surface`** — Federal AI use cases under OMB M-24-04; NIST AI RMF Generative AI Profile (NIST AI 600-1); MITRE ATLAS v5.4.0 TTP coverage for federal AI threat modeling.
- **`ai-c2-detection`** — Detection of agentic-AI command-and-control inside federal networks.
- **`compliance-theater`** — Distinguishing FedRAMP / CMMC paper compliance from operational federal security; ConMon substance audit; SPRS-score-vs-evidence reconciliation.
- **`framework-gap-analysis`** — Per-control gap analysis when an explicit framework-vs-threat reconciliation is requested by an auditor or AO.
@@ -155,14 +155,14 @@ In all three, the SCA evidence chain (the customer's authenticated session, the
| Internet-banking / treasury portal exploit | T1190 — Exploit Public-Facing Application | ATT&CK Enterprise | Ivanti VPN, MOVEit-class file-transfer, web-portal SSRF, JWT validation flaws (RFC 8725 best-current-practice violations) | DORA Art. 6-15 ICT risk-management requirements general; CWE-862 (Missing Authorization) and CWE-352 (CSRF) common findings; SWIFT CSCF v2026 covers SWIFT zone, not customer-facing portals |
| Ransomware against banking infrastructure | T1486 — Data Encrypted for Impact | ATT&CK Enterprise | LockBit-class, BlackBasta, ALPHV/BlackCat residuals 2024-2026; double-extortion + regulatory-threat-of-disclosure | NYDFS 500.17 ransom-payment notification (72h) + DORA major-incident reporting (Art. 19, 24h initial) + APRA CPS 234 para 26 (72h) — notification cadences harmonising slowly; ransom-payment legality fragmented (NYDFS reporting only, OFAC sanctions-screening, EU sanctions overlay) |
| Data exfiltration including LLM-channel | T1567 — Exfiltration Over Web Service | ATT&CK Enterprise | LLM API egress (OpenAI, Anthropic, Google) as covert channel; AI-coding-assistant context leaks; KYC-document upload to consumer-grade AI | DLP controls in `data/dlp-controls.json` apply; SWIFT CSCF v2026 1.1 segregation assumption violated when AI-API egress crosses administrative jump zone |
-
| AI-as-covert-C2 in trading / treasury systems | AML.T0096 — Use AI for C2 Communications | ATLAS v5.
-
| Fraud-detection model extraction | AML.T0017 — Discover ML Model Ontology | ATLAS v5.
+
| AI-as-covert-C2 in trading / treasury systems | AML.T0096 — Use AI for C2 Communications | ATLAS v5.4.0 | Steganographic encoding in trading-assistant prompts; LLM response decodes operator instructions; multi-agent covert relay in market-making bots | No ATT&CK Enterprise mapping; ATLAS v5.4.0 names the technique but no financial-sector-specific detection. SOC tooling rarely monitors trading-system AI tool-use. |
+
| Fraud-detection model extraction | AML.T0017 — Discover ML Model Ontology | ATLAS v5.4.0 | Adversarial probing of card-not-present fraud models; chargeback-pattern fingerprinting; transaction-monitoring threshold discovery via test transactions | Fraud-model lifecycle governance under MAS TRM / OSFI B-13 / NYDFS 500.13 (asset management) — model-extraction probes are not classified as a cyber event in most institutions |
| Hard-coded credentials in financial mobile / API clients | CWE-798 | CWE | Mobile-banking apps shipping API keys; partner-integration API tokens checked into Git; treasury-management-system local config | PSD2 RTS-SCA covers customer SCA, silent on partner-API credential hygiene; SWIFT CSCF 5.1/5.2 covers credential management for SWIFT users only |
| Agent-initiated payment via prompt injection | (No native TTP — closest: T1078 + AML.T0051) | ATT&CK + ATLAS | LLM agent with payment-initiation tool-use receives injected instruction via email / document / web content; transaction executes under customer's authenticated session | RTS-SCA evidence chain is fully compliant; injected intent invisible. Captured in `data/framework-control-gaps.json#PSD2-RTS-SCA`. |
| AI-generated SWIFT MT/MX message draft poisoning | (No native TTP — closest: T1565 + AML.T0051) | ATT&CK + ATLAS | LLM-assisted operator drafting tool produces subtly-wrong beneficiary BIC or amount; reviewer fatigue lets it pass 4-eyes principle | Captured in `data/framework-control-gaps.json#SWIFT-CSCF-v2026-1.1`. |
| Deepfake-mediated SCA bypass / KYC bypass | T1556 — Modify Authentication Process (closest) | ATT&CK Enterprise | Voice-clone defeating remote-KYC liveness; deepfake-video defeating high-value-transaction step-up | RTS-SCA "inherence" factor (biometric) implementation-dependent; liveness-detection vendor-fragmented. CWE-287 underlying weakness. |
-
**Note on TTP coverage.** ATT&CK Enterprise does not yet have a financial-sector matrix (unlike ATT&CK for ICS). ATLAS v5.
+
**Note on TTP coverage.** ATT&CK Enterprise does not yet have a financial-sector matrix (unlike ATT&CK for ICS). ATLAS v5.4.0 covers AI-specific techniques. The gap between (a) the customer's authenticated session and (b) the AI agent's injected intent within that session is not currently named in either matrix — this is a tracked gap in `forward_watch`.
---
@@ -116,8 +116,8 @@ Healthcare has been the most targeted sector for ransomware for three consecutiv
| Clinician credential phishing for EHR / VPN / Citrix access | T1078 — Valid Accounts | ATT&CK Enterprise | Targeted phishing of physicians and nurses using lookalike Epic / Cerner / Workday portals; MFA-fatigue against Duo/Microsoft Authenticator; SIM-swap on on-call physician phones | HIPAA §164.312(d) person/entity authentication does not specify AAL; many CEs accept SMS-OTP MFA — fails NIST 800-63B AAL2 phishing-resistance bar. Hand off to identity-assurance. |
| Bulk EHR / FHIR / data-warehouse exfiltration | T1530 — Data from Cloud Storage Object | ATT&CK Enterprise | FHIR `$export` Bulk Data over-broad scopes; cloud data warehouse (Snowflake / BigQuery / Redshift) credential theft from clinician laptop; AWS S3 misconfiguration on de-identification staging buckets | HIPAA §164.312(c) integrity controls do not address bulk-API exfil semantics; HITRUST CSF 09.l information-transfer-policies treats bulk data flow at a policy layer. CWE-200 (Information Exposure), CWE-862 (Missing Authorization). |
|
|
118
118
|
| PHI exfiltration via clinician prompt to consumer LLM | T1567 — Exfiltration Over Web Service | ATT&CK Enterprise | Clinician pastes patient note into ChatGPT / Claude / Gemini for differential diagnosis or letter drafting; ambient-doc tool retains and forwards transcript to vendor cloud outside BAA | No HIPAA control specifically names this channel; HHS-OCR Bulletin reasoning applies. Hand off to dlp-gap-analysis. CWE-200 (Information Exposure). |
|
|
119
|
-
| Prompt injection of clinical decision-support copilot | AML.T0051 — LLM Prompt Injection (with .000/.001/.002 sub-techniques) | ATLAS v5.
|
|
120
|
-
| Model extraction / membership inference against clinical AI | AML.T0017 — Discover ML Model Ontology (inference-API probing for system-prompt, guardrail, training-data signal); AML.T0016 — Obtain Capabilities: Develop Capabilities (adversarial-ML weaponization) | ATLAS v5.
|
|
119
|
+
| Prompt injection of clinical decision-support copilot | AML.T0051 — LLM Prompt Injection (with .000/.001/.002 sub-techniques) | ATLAS v5.4.0 | Indirect prompt injection via referenced lab report PDF, OCR'd intake form, or patient-portal message that exploits an EHR-integrated copilot; instruction to suppress allergy alert, reorder medications, or fabricate trend in vital signs | EU AI Act Art 15 cybersecurity obligation applies but lacks concrete healthcare-AI threshold; HIPAA silent on prompt-injection-as-disclosure-vector. CWE-1426 (Improper Validation of Generative AI Output). |
|
|
120
|
+
| Model extraction / membership inference against clinical AI | AML.T0017 — Discover ML Model Ontology (inference-API probing for system-prompt, guardrail, training-data signal); AML.T0016 — Obtain Capabilities: Develop Capabilities (adversarial-ML weaponization) | ATLAS v5.4.0 | Adversarial probing of a clinical-decision-support API to determine whether specific patient records were in training set; reconstruction of de-identified training examples from inference behaviour | EU AI Act Art 10 data-governance applies to training-data quality; does not codify membership-inference defence. CWE-1426 covers output-validation gap. |
|
|
121
121
|
| Medical-device firmware tamper / exploit | T1190 (IT-side initial access to device-network) chained with vendor-specific device CVEs | ATT&CK Enterprise + ICS where applicable | Insulin pumps, cardiac monitors, infusion pumps (BD Alaris), sequencers (Illumina firmware), patient-monitoring (BD, Philips, GE Healthcare), bedside imaging | FDA 524B PMA/510(k) cyber obligations only apply to devices submitted after March 2023; brownfield fleet pre-dates it. EU MDR Annex I 17.2 silent on AI-augmented devices. Hand off to ot-ics-security for device-network treatment, and coordinated-vuln-disclosure for vendor reporting. |
|
|
122
122
|
| FHIR / SMART on FHIR session token theft | T1078 chained with T1530 | ATT&CK Enterprise | Stolen JWT / OAuth2 bearer for SMART-on-FHIR launch; over-broad scopes (`*/*.read`, `patient/*.read`); refresh-token theft persists access; CWE-287 (improper authentication) and CWE-862 (missing authorization) | RFC-7519 JWT validation must enforce `iss`, `aud`, `exp`, signature algorithm, key rotation; RFC-9421 HTTP message signatures for FHIR API integrity in flight; HL7 FHIR R5 does not mandate either. |
|
|
123
123
|
| EHR over-privileged break-glass / shared-account access | T1078.002 — Valid Accounts: Domain Accounts | ATT&CK Enterprise | Shared "Nurse" account on med-cart Windows; break-glass clinician account auditing gap; service account for EHR-integrated copilot with patient/* scope rather than encounter-bound | HIPAA §164.312(a)(2)(i) unique user identification is met technically by user-account-per-clinician but break-glass and AI-service-principals are commonly outside that boundary. NIST 800-53 AC-2 account management does not codify AI-service-principal scoping. |
|
|
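Review bot: the two `-` rows (prompt injection, model extraction) were cut after `ATLAS v5.`, leaving three of five cells, so the table did not render correctly in the shipped skill; the `+` rows restore the manifestation and gap cells. Suggest the skill linter count cells per table row against the header so a truncated row fails the build instead of shipping. Minor, in unchanged context: the SMART-on-FHIR row writes `RFC-7519` and `RFC-9421` while the page elsewhere uses the `RFC 9116` form; normalise to `RFC 7519` / `RFC 9421`.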
@@ -451,7 +451,7 @@ Per AGENTS.md hard rule #5, the divergences above are surfaced against US, EU, U
|
|
|
451
451
|
|
|
452
452
|
## TTP Mapping
|
|
453
453
|
|
|
454
|
-
Per-tier TTP coverage is cumulative: Practical includes MVP's coverage plus additions; Overkill includes both plus additions. Source-of-truth: `data/atlas-ttps.json` (MITRE ATLAS v5.
|
|
454
|
+
Per-tier TTP coverage is cumulative: Practical includes MVP's coverage plus additions; Overkill includes both plus additions. Source-of-truth: `data/atlas-ttps.json` (MITRE ATLAS v5.4.0) and ATT&CK references in `data/cve-catalog.json`.
|
|
455
455
|
|
|
456
456
|
| Tier | Must cover | TTP | Source | Tier-specific control element |
|
|
457
457
|
|---|---|---|---|---|
|
|
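Review bot: the `+` line hard-codes `v5.4.0` in prose immediately after naming `data/atlas-ttps.json` as the source of truth; a second copy of the version in the body is exactly the copy that drifted (the `-` line shows it truncated). Suggest wording it as "the version pinned in `data/atlas-ttps.json`", or rendering the literal from that file at build time, so the sentence cannot disagree with the data again.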
@@ -53,7 +53,7 @@ The threat context this skill defends against is not a specific adversary techni
|
|
|
53
53
|
|
|
54
54
|
Real-world manifestations in mid-2026:
|
|
55
55
|
|
|
56
|
-
- ATLAS v5.
|
|
56
|
+
- ATLAS v5.4.0 (February 2026) added TTPs that bind to operational reality (AML.T0096 AI-API C2, AML.T0048 erode-integrity-via-drift). A skill pinned to ATLAS v4 cannot route these. **AML.T0010** family was expanded to cover MCP supply-chain compromise mid-cycle.
|
|
57
57
|
- CVE-2026-31431 (Copy Fail) joined CISA KEV on 2026-05-01 with a 2026-05-15 federal due date. Any skill whose `last_threat_review` predates that listing and whose body recommends "patch on 30-day SLA" is recommending against a threat model that KEV escalated to days, not weeks.
|
|
58
58
|
- NIST SP 800-63B updated PBKDF2 iteration guidance to ≥ 600,000 in 2022; many compliance attestations still cite the 2017 numbers. A skill that does not track that lag perpetuates the theater.
|
|
59
59
|
- IETF RFC 9116 (security.txt) and the CSAF 2.0 transition both have hard cutover signals that change how `coordinated-vuln-disclosure` should advise.
|
|
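Review bot: the `+` bullet attributes AML.T0096 (AI-API C2), AML.T0048 (erode-integrity-via-drift) and the AML.T0010 family expansion to ATLAS v5.4.0; since the `-` line shows this bullet previously shipped truncated, verify those IDs and their labels against `data/atlas-ttps.json` in this release, as they cannot be checked from the hunk. The KEV bullet below states its staleness test as a `last_threat_review` comparison; the same test applies here (a skill reviewed before February 2026 cannot route these IDs) and stating it would make the two bullets read as one rule.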
@@ -281,7 +281,7 @@ When drift is detected:
|
|
|
281
281
|
|
|
282
282
|
**Monitor:** Microsoft STRIDE updates (microsoft.com/en-us/securityengineering/sdl/threatmodeling), Linddun-go updates (linddun.org), Pol's Unified Kill Chain repository (https://www.unifiedkillchain.com/), MITRE D3FEND ontology releases (d3fend.mitre.org).
|
|
283
283
|
|
|
284
|
-
Threat modeling methodologies evolve. STRIDE has periodic Microsoft revisions; LINDDUN's privacy-extension catalog grows as new privacy-violating AI patterns are documented; the Unified Kill Chain is versioned by Pol et al. and absorbs new phase definitions as adversary behavior shifts; MITRE D3FEND adds defensive-technique IDs and reorganizes its ontology on a published release cadence. A skill that names a methodology without tracking its version is the same drift class as a skill that names ATLAS without pinning v5.
|
|
284
|
+
Threat modeling methodologies evolve. STRIDE has periodic Microsoft revisions; LINDDUN's privacy-extension catalog grows as new privacy-violating AI patterns are documented; the Unified Kill Chain is versioned by Pol et al. and absorbs new phase definitions as adversary behavior shifts; MITRE D3FEND adds defensive-technique IDs and reorganizes its ontology on a published release cadence. A skill that names a methodology without tracking its version is the same drift class as a skill that names ATLAS without pinning v5.4.0.
|
|
285
285
|
|
|
286
286
|
When a new methodology version drops:
|
|
287
287
|
1. Update `threat-modeling-methodology` skill body — refresh the methodology-version table, the DFD templates, and the attack-tree templates in its Output Format section to match the new release.
|
|
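Review bot: the `+` paragraph is one long sentence chaining four methodologies with semicolons, and the only change from the `-` line is the restored `v5.4.0`; consider splitting it at the semicolons. The "Monitor" line above says "Pol's Unified Kill Chain" while this paragraph says "Pol et al."; make the attribution consistent. Step 1 below refers to a methodology-version table in the skill body; that table is the natural place to also record the ATLAS pin this paragraph ends on, rather than leaving it only in prose.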
@@ -478,7 +478,7 @@ This skill does not have a single exploited target — its "exploit surface" is
|
|
|
478
478
|
| Source | What It Provides | Cadence | Pinned Version / Anchor | Tracked In |
|
|
479
479
|
|---|---|---|---|---|
|
|
480
480
|
| CISA KEV catalog | Confirmed in-the-wild exploitation flag per CVE | Real-time (RSS / JSON API) | cisa.gov/known-exploited-vulnerabilities-catalog | `data/exploit-availability.json` (`cisa_kev`, `cisa_kev_date`) |
|
|
481
|
-
| MITRE ATLAS changelog | TTP additions, renames, removals for AI/ML threat domain | Quarterly check; immediate on minor-version release | ATLAS v5.
|
|
481
|
+
| MITRE ATLAS changelog | TTP additions, renames, removals for AI/ML threat domain | Quarterly check; immediate on minor-version release | ATLAS v5.4.0 (February 2026) — pinned in AGENTS.md and `data/atlas-ttps.json._meta.atlas_version` | `_meta.atlas_version` |
|
|
482
482
|
| NVD CVE 2.0 API | Authoritative CVE metadata, CVSS vectors, references | Real-time on new CVE in covered domain | services.nvd.nist.gov/rest/json/cves/2.0 | `data/cve-catalog.json` |
|
|
483
483
|
| NIST FIPS publication tracker | PQC and crypto-standard finalizations | Per-publication (event-driven) | csrc.nist.gov/publications | pqc-first `forward_watch` + manifest `last_threat_review` |
|
|
484
484
|
| MITRE ATT&CK Enterprise | Non-AI TTP additions/renames | Per ATT&CK version release | attack.mitre.org (current pinned: v17, 2025-06-25) | Skill `attack_refs` fields |
|
|
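Review bot: the `+` row pins ATLAS v5.4.0 in two places, AGENTS.md and `data/atlas-ttps.json._meta.atlas_version`, while the "Tracked In" cell names only `_meta.atlas_version`; two pins can disagree, which is the drift class this table exists to detect. Suggest declaring `_meta.atlas_version` authoritative and having lint compare the AGENTS.md value against it, so the AGENTS.md copy is a checked mirror rather than a second source. The ATT&CK row below carries "current pinned: v17, 2025-06-25" in prose only; same treatment.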
@@ -514,4 +514,4 @@ The drift attack against skill currency is structural, not technical — there i
|
|
|
514
514
|
| **D3-IOPR** (Input/Output Profiling Resource) | Lint-skills body / frontmatter parsing is the profiling step: every skill body is parsed against the canonical section template (Threat Context, TTP Mapping, Framework Lag Declaration, Exploit Availability Matrix, Analysis Procedure, Output Format, Compliance Theater Check, DCM). A drifted skill that drops a required section is caught at lint time. | Layer 2 (Harden — schema). | Per-skill — schema is per-skill body. | Default-deny missing sections; the v0.13.0 lint upgrade makes DCM a hard-fail. |
|
|
515
515
|
| **D3-PA** (Process Analysis) | The watchlist / dispatch / scan log every load and signature-check event so a forensic reader can reconstruct which skill version produced which finding. Without a per-invocation evidence stream, a stale skill body whose timestamp says "current" cannot be detected after the fact. | Layer 5 (Detect — runtime). | Per-invocation — every CLI invocation emits a structured log entry. | Treat every invocation as untrusted until the signature chain is verified at load time; persist the verification result alongside the finding. |
|
|
516
516
|
|
|
517
|
-
**Defense-in-depth posture:** signature integrity (D3-CA) and snapshot-pinning (D3-EHB) are the hard gates that prevent a tampered skill body from shipping; lint-schema (D3-IOPR) and currency timestamps (D3-FAPA) are the audit gates that catch silent drift inside an intentional release; D3-PA is the per-invocation evidence stream that lets the operator answer "which version of the skill produced this finding" post-hoc. Per AGENTS.md hard rule #8 (pinned ATLAS / ATT&CK version), every layer's evidence is keyed off the pinned version — a manifest snapshot taken against ATLAS v5.
|
|
517
|
+
**Defense-in-depth posture:** signature integrity (D3-CA) and snapshot-pinning (D3-EHB) are the hard gates that prevent a tampered skill body from shipping; lint-schema (D3-IOPR) and currency timestamps (D3-FAPA) are the audit gates that catch silent drift inside an intentional release; D3-PA is the per-invocation evidence stream that lets the operator answer "which version of the skill produced this finding" post-hoc. Per AGENTS.md hard rule #8 (pinned ATLAS / ATT&CK version), every layer's evidence is keyed off the pinned version — a manifest snapshot taken against ATLAS v5.4.0 is not interchangeable with one taken against a later release.
|
|
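Review bot: the `+` line says a manifest snapshot taken against ATLAS v5.4.0 is not interchangeable with one taken against a later release, but as written that is a documented caveat, not an enforced property. If the snapshot records the pinned `atlas_version` alongside the skill hashes, the signature check at load (D3-CA, as described in this paragraph) fails on a version mismatch by construction, which is what hard rule #8 is asking for; consider stating that the version is part of the signed snapshot rather than only "keyed off" it.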
@@ -139,7 +139,7 @@ The catalog's expansion means a supply-chain assessment that names only NIST 800
|
|
|
139
139
|
|
|
140
140
|
| ATLAS / ATT&CK ID | Technique | Supply-Chain Relevance | Gap |
|
|
141
141
|
|---|---|---|---|
|
|
142
|
-
| AML.T0010 | ML Supply Chain Compromise | Direct: malicious model, malicious MCP server, malicious ML library — the umbrella attack class for AI artifact compromise | ATLAS v5.
|
|
142
|
+
| AML.T0010 | ML Supply Chain Compromise | Direct: malicious model, malicious MCP server, malicious ML library — the umbrella attack class for AI artifact compromise | ATLAS v5.4.0 classifies the attack; no framework mandates the cryptographic control that would detect it at load |
|
|
143
143
|
| AML.T0018 | Backdoor ML Model | Specific: a model weight file with an embedded backdoor (trojaned weights, data poisoning persisted into weights, or executable payload in a code-executing serialization format) is loaded at inference | No framework requires model-weight signature verification; CWE-502 deserialization risk is not mapped to a compliance control |
|
|
144
144
|
| T1195.001 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools | The XZ Utils class, the typosquat class, the dependency-confusion class — directly addressable by SLSA L3 provenance + in-toto attestation chain | Standard SCA tooling detects known-vulnerable dependencies but does not detect novel compromise of an authentic-looking dependency. SLSA L3 + reproducible builds closes this; not required by any framework |
|
|
145
145
|
| T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Build pipeline compromise (CI runner, build-time toolchain, signing-key compromise). Defense: hardened builder per SLSA L3, key custody in HSM or cloud KMS, ephemeral CI tokens | NIST 800-218 PS practices are process-level. No framework prescribes hardened-builder requirements. |
|
|
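Review bot: the `+` row's gap cell says "no framework mandates the cryptographic control that would detect it at load" without naming the control, while the following rows name theirs (model-weight signature verification; SLSA L3 provenance with an in-toto attestation chain). Name it here too so the row is actionable: signature verification of model, MCP-server and library artifacts before load, with the AML.T0018 row's CWE-502 caveat applying where the artifact is a code-executing serialization format.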
@@ -198,14 +198,14 @@ This skill produces a currency score and a specific update roadmap. Currency is
|
|
|
198
198
|
|
|
199
199
|
---
|
|
200
200
|
|
|
201
|
-
### Class 13: MITRE ATLAS v5.
|
|
201
|
+
### Class 13: MITRE ATLAS v5.4.0 Coverage
|
|
202
202
|
|
|
203
|
-
**2026 reality:** MITRE ATLAS (
|
|
203
|
+
**2026 reality:** MITRE ATLAS (February 2026, v5.4.0) is the primary AI threat framework. Most SOC detection engineering programs are built on ATT&CK, not ATLAS. AI-specific TTPs have zero detection coverage in ATT&CK-only programs.
|
|
204
204
|
|
|
205
205
|
**Currency check questions:**
|
|
206
|
-
- Is MITRE ATLAS v5.
|
|
206
|
+
- Is MITRE ATLAS v5.4.0 incorporated into the threat model?
|
|
207
207
|
- Are ATLAS TTPs mapped to detection controls?
|
|
208
|
-
- What is the current ATLAS version in use? (Current: 5.
|
|
208
|
+
- What is the current ATLAS version in use? (Current: 5.4.0, February 2026)
|
|
209
209
|
|
|
210
210
|
**If unchecked:** AI-specific threat techniques are not covered by the detection architecture. The SOC has no alerts for ATLAS TTPs.
|
|
211
211
|
|
|
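Review bot: the `+` line "AI-specific TTPs have zero detection coverage in ATT&CK-only programs" overstates; ATLAS is modelled on ATT&CK and several of its techniques are adaptations of ATT&CK techniques, so an ATT&CK-only program covers part of the catalogue. Suggest "ATLAS-unique techniques have no detection coverage". The hunk also repeats the literal `v5.4.0` three times (heading, reality paragraph, currency question); the question "What is the current ATLAS version in use?" should take its answer from `data/atlas-ttps.json` rather than a hard-coded parenthetical, since the prose copies are what the `-` lines show truncated.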
@@ -262,7 +262,7 @@ The recurring failure across all of the above: every framework treats threat mod
|
|
|
262
262
|
|
|
263
263
|
## TTP Mapping
|
|
264
264
|
|
|
265
|
-
The 14-class checklist above *is* the TTP map. Each class is a coverage requirement against the canonical sources of truth: `data/atlas-ttps.json` (MITRE ATLAS v5.
|
|
265
|
+
The 14-class checklist above *is* the TTP map. Each class is a coverage requirement against the canonical sources of truth: `data/atlas-ttps.json` (MITRE ATLAS v5.4.0) and the ATT&CK techniques referenced in `data/cve-catalog.json`. A current threat model must address — explicitly or by reasoned exclusion — every TTP below.
|
|
266
266
|
|
|
267
267
|
| Class | Primary TTP | Catalog source | Gap if absent |
|
|
268
268
|
|---|---|---|---|
|
|
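Review bot: the `+` line requires every TTP to be addressed "explicitly or by reasoned exclusion", but the table header that follows (Class, Primary TTP, Catalog source, Gap if absent) has no column in which a reasoned exclusion is recorded, so on re-check an exclusion cannot be told apart from an omission. Add an exclusion-rationale column or state which output section carries it.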
@@ -397,14 +397,14 @@ For each gap, produce a specific, actionable update:
|
|
|
397
397
|
| 10 | Model Poisoning | 0/1/2 | |
|
|
398
398
|
| 11 | AI-Speed Reconnaissance | 0/1/2 | |
|
|
399
399
|
| 12 | AI-Generated Credential Phishing | 0/1/2 | |
|
|
400
|
-
| 13 | MITRE ATLAS v5.
|
|
400
|
+
| 13 | MITRE ATLAS v5.4.0 Coverage | 0/1/2 | |
|
|
401
401
|
| 14 | Post-Quantum Adversary Timeline | 0/1/2 | |
|
|
402
402
|
|
|
403
403
|
### Priority Update Roadmap
|
|
404
404
|
[Ordered by current exposure risk: specific additions for each gap]
|
|
405
405
|
|
|
406
406
|
### ATLAS Version Check
|
|
407
|
-
Current reference: MITRE ATLAS v5.
|
|
407
|
+
Current reference: MITRE ATLAS v5.4.0 (February 2026)
|
|
408
408
|
Threat model references: [version cited in document]
|
|
409
409
|
Gap: [if different]
|
|
410
410
|
```
|
|
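Review bot: the `+` row `| 13 | MITRE ATLAS v5.4.0 Coverage | 0/1/2 | |` embeds the version in the class label of the scoring table, so the label itself goes stale on every ATLAS release, while the "ATLAS Version Check" block below already carries "Current reference: MITRE ATLAS v5.4.0 (February 2026)". Suggest "MITRE ATLAS Coverage (pinned version)" for the row label and keep the literal only in the version-check block, which is where the `Gap: [if different]` comparison is actually made.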
@@ -126,7 +126,7 @@ Threat-modelling methodologies are *consumers* of the TTP catalog, not contribut
|
|
|
126
126
|
| Cyber Kill Chain | Linear 7-stage intrusion timeline | Per stage: ATT&CK TTPs | Cloud-native / serverless / AI-pipeline scenarios fit the timeline poorly; lateral movement assumptions break in ephemeral compute. |
|
|
127
127
|
| Diamond Model | Adversary–capability–infrastructure–victim diamond | Per intrusion event: TTPs become adversary capabilities; pivot to other diamonds | Built for IR / SOC, not for design-phase threat modelling — pair with STRIDE/PASTA during design and Diamond during operate phase. |
|
|
128
128
|
| MITRE Unified Kill Chain (v3.0, 2024) | 18 phases spanning initial access through objectives | Per phase: ATLAS and ATT&CK TTPs assigned to phases that cover both classical and AI-augmented attacks | Most comprehensive single methodology, but weak on privacy threats — pair with LINDDUN. |
|
|
129
|
-
| AI-system threat modeling (composite) | Augmented DFD with AI actors and AI trust boundaries | Full ATLAS v5.
|
|
129
|
+
| AI-system threat modeling (composite) | Augmented DFD with AI actors and AI trust boundaries | Full ATLAS v5.4.0 catalogue (every `AML.T*` key in `data/atlas-ttps.json`) | Methodology not yet standardised — this skill operationalises it. |
|
|
130
130
|
| Agent-based threat modeling | Actor graph with autonomous agents, MCP plugins, tool-call boundaries | CVE-2026-30615 (MCP RCE), CVE-2025-53773 (prompt-injection RCE), AML.T0051, AML.T0096 | Methodology not yet standardised — this skill operationalises it. |
|
|
131
131
|
|
|
132
132
|
The truth set for any composite model is: every `AML.T*` key in `data/atlas-ttps.json`, plus every `attack_refs` entry across every CVE in `data/cve-catalog.json`, plus the CWE root-cause classes in `data/cwe-catalog.json`. A model that does not address each, or document a reasoned exclusion for each, is non-current by construction (and should be re-run through `threat-model-currency`).
|
|
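Review bot: the unchanged context row labels the methodology "MITRE Unified Kill Chain (v3.0, 2024)", which conflicts with this page's own attribution of the Unified Kill Chain to Pol (unifiedkillchain.com); the UKC is Paul Pols' work, not a MITRE publication, so the label should read "Unified Kill Chain". In the `+` row, the cell "Full ATLAS v5.4.0 catalogue (every `AML.T*` key in `data/atlas-ttps.json`)" is already a derived statement; dropping the literal version and keeping the key reference makes it drift-proof and matches the truth-set paragraph below.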
@@ -109,7 +109,7 @@ Webapps still ship CWE-79 (Cross-Site Scripting), CWE-89 (SQL Injection), and CW
|
|
|
109
109
|
|
|
110
110
|
---
|
|
111
111
|
|
|
112
|
-
## TTP Mapping (MITRE ATT&CK Enterprise + ATLAS v5.
|
|
112
|
+
## TTP Mapping (MITRE ATT&CK Enterprise + ATLAS v5.4.0)
|
|
113
113
|
|
|
114
114
|
| TTP ID | Technique | Webapp Manifestation | CWE Root-Causes | Framework Coverage |
|
|
115
115
|
|---|---|---|---|---|
|
|
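Review bot: the `+` heading pins the ATLAS version but not the ATT&CK Enterprise version, although hard rule #8 as quoted in this release reads "pinned ATLAS / ATT&CK version" and the source table pins ATT&CK at v17. Suggest "MITRE ATT&CK Enterprise v17 + ATLAS v5.4.0" so both halves of the mapping carry a checkable pin, or move both pins out of the heading into the table's Framework Coverage column.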
@@ -78,7 +78,7 @@ This skill is meta — it does not pin to a single TTP class. The learning loop
|
|
|
78
78
|
| Input Catalog | Role in the Learning Loop |
|
|
79
79
|
|---|---|
|
|
80
80
|
| `data/cve-catalog.json` | The CVE-level corpus: each entry is a candidate lesson input. New entries trigger a new loop run per AGENTS.md DR-8. |
|
|
81
|
-
| `data/atlas-ttps.json` (MITRE ATLAS v5.
|
|
81
|
+
| `data/atlas-ttps.json` (MITRE ATLAS v5.4.0) | The AI/ML TTP taxonomy. Attack-vector extraction maps the CVE's mechanism to an ATLAS ID (e.g., AML.T0096 for SesameOp AI-as-C2). |
|
|
82
82
|
| `data/framework-control-gaps.json` | The control-gap corpus. Framework-coverage assessment writes into this file via new entries or `status` updates. |
|
|
83
83
|
| `data/zeroday-lessons.json` | The output corpus. Each completed loop produces one entry here — the durable artifact of the lesson. |
|
|
84
84
|
|
|
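Review bot: the `+` row says attack-vector extraction maps a CVE's mechanism to an ATLAS ID, but most entries in a CVE-level corpus have no AI-specific mechanism; state the fallback (map to ATT&CK via the CVE's `attack_refs`) so the loop does not force a spurious `AML.T*` assignment. The example pairs AML.T0096 with "SesameOp AI-as-C2"; since that descriptive label is not an ATLAS technique name, quote the ATLAS name next to the ID so the mapping can be checked against `data/atlas-ttps.json`.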
@@ -368,7 +368,7 @@ Run through each applicable framework:
|
|
|
368
368
|
- CIS Controls v8 (which control?)
|
|
369
369
|
- ASD Essential 8 (which mitigation?)
|
|
370
370
|
- ISO 27001:2022 (which control?)
|
|
371
|
-
- MITRE ATLAS v5.
|
|
371
|
+
- MITRE ATLAS v5.4.0 (which TTP? Is it covered?)
|
|
372
372
|
|
|
373
373
|
For each: Covered (adequate) / Covered (insufficient) / Missing entirely
|
|
374
374
|
|
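Review bot: the `+` item asks of ATLAS "which TTP? Is it covered?" while every other item in the list asks "which control?" or "which mitigation?"; ATLAS is a threat taxonomy, so "covered" needs a definition here. State that covered means the TTP has a mapped ATLAS mitigation (`AML.M*`) or a detection in the threat model; otherwise the Covered / Insufficient / Missing verdict below is applied to ATLAS on a different basis than to the control frameworks.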