MITRE ATLAS is the authoritative framework for adversarial threats to AI/ML systems. This page maps each technique to Crawdad's controls.
| ATLAS ID | Technique | Coverage | How | Notes |
|---|---|---|---|---|
| AML.T0051 | LLM Prompt Injection | Mitigated | Layer 1 pattern matching (25 regexes) + Layer 2 semantic heuristics (instruction density, boundary dissolution, authority impersonation) | 157 detection tests, 0 false positives. Novel patterns may require signature updates. |
| AML.T0054 | LLM Jailbreak | Mitigated | Layer 2 semantic detection: DAN/STAN/KEVIN mode, boundary dissolution, role hijacking, "do anything now" patterns | 43 known-bad jailbreak inputs in regression suite. |
| AML.T0056 | LLM Meta Prompt Extraction | Mitigated | Layer 2 sensitive data targeting: "show me your system prompt", "what are your instructions" patterns | Detects direct and indirect extraction attempts. |
| AML.T0057 | LLM Data Extraction | Mitigated | Layer 5 PII exfiltration detector: 15 PII categories, 10 credential types, internal URL detection, bulk data patterns | Runs on outbound responses. Redacts detected PII. |
| AML.T0043 | Craft Adversarial Data | Partial | Layer 3 indirect injection detector: catches instruction-like content in retrieved documents and tool outputs | Covers injection via external content. Does not cover adversarial examples targeting model perception. |
| AML.T0040 | ML Supply Chain Compromise | Partial | Skill attestation (SHA-256 hashing), SBOM generation, dependency auditing | Covers skill/plugin supply chain. Does not cover model weight tampering. |
| AML.T0049 | Exploit Public-Facing Application | Partial | Proxy scans all inbound traffic. Layer 1 detects malicious payloads (SQL injection, shell injection, path traversal). | Covers injection through agent interfaces. Does not cover web app vulnerabilities. |
| AML.T0051.001 | Direct Prompt Injection | Mitigated | Layers 1+2 scan user messages before they reach the model | Primary detection target. Highest confidence coverage. |
| AML.T0051.002 | Indirect Prompt Injection | Partial | Layer 3 detects injections in retrieved documents. Layer 2 detects injection markers in any content. | Effective against known patterns. Novel indirect injection vectors may evade detection. |
| AML.T0048 | Backdoor ML Model | Awareness | Threat intelligence feed tracks known backdoor research. No runtime detection. | Model integrity is the provider's responsibility. Crawdad operates at the application layer. |
| AML.T0020 | Poison Training Data | Awareness | Threat intelligence tracks poisoning research. No training-time controls. | Crawdad detects at inference time, not training time. |
| AML.T0047 | ML Model Inference API Access | Awareness | Audit log records all API access patterns. Anomalous access visible in dashboard. | Detection only, not prevention. API access controls are the provider's responsibility. |
| AML.T0016 | Obtain Capabilities | Not covered | — | Reconnaissance and capability enumeration are outside Crawdad's scope. |
| AML.T0044 | Full ML Model Access | Not covered | — | Model access is controlled by the API provider, not the application layer. |
Coverage levels are defined as:
Mitigated — Active detection and blocking with automated tests proving effectiveness.
Partial — Detection covers known attack patterns but not all variants.
Awareness — Threat tracked in intelligence feed but no active runtime mitigation.
Not covered — Outside Crawdad's architecture scope.