{"name":"ankya — The LLM ATT&CK Navigator","version":"2026.06","url":"https://ankya.ai/research/llm-attack-navigator","licence":"Technique identifiers from MITRE ATT&CK® and MITRE ATLAS™ — © The MITRE Corporation. Grades and analysis © ankya pty ltd; cite with attribution.","gradeScale":{"0":"No shift","1":"Emerging","2":"Moderate","3":"High","4":"Critical"},"changelog":[{"version":"2026.06","note":"Initial public release — 50 techniques graded across ATT&CK and ATLAS."}],"surfaces":{"aiAsWeapon":[{"tactic":"Reconnaissance","code":"TA0043","techniques":[{"id":"T1589","name":"Gather Victim Identity Info","grade":3,"gradeLabel":"High","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1589/","analysis":"LLMs collapse hours of manual OSINT into seconds — correlating leaked records, social graphs and public filings into a ranked target dossier, then drafting the angle of approach.","fieldSignal":"GTIG and model-provider reports attribute live victim-research use to multiple state-linked actors.","defence":"Reduce public attack surface; monitor for unusual enumeration of staff identity data and credential-stuffing precursors."},{"id":"T1598","name":"Phishing for Information","grade":3,"gradeLabel":"High","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1598/","analysis":"Pretext generation is near-free. Models produce fluent, context-aware, locally idiomatic elicitation messages tuned to a specific role or vendor relationship.","fieldSignal":"Provider disclosures show actors iterating lures and translations through commercial and jailbroken models.","defence":"Out-of-band verification for any information request; brief staff that fluency is no longer a tell."},{"id":"T1591","name":"Gather Victim Org Information","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1591/","analysis":"Summarisation of sprawling corporate footprints — supply chains, tooling, org charts — into an exploitable map.","fieldSignal":"Routinely observed as a productivity aid rather than a novel capability.","defence":"Govern what business detail is exposed in job ads, repos and vendor pages."}]},{"tactic":"Resource Development","code":"TA0042","techniques":[{"id":"T1585","name":"Establish Accounts (Synthetic Personas)","grade":4,"gradeLabel":"Critical","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1585/","analysis":"Generative media manufactures convincing personas at scale — coherent histories, voice, video and writing style — enabling long-con infiltration and fraudulent employment.","fieldSignal":"Nation-state insider-placement campaigns increasingly lean on AI-forged identities and deepfake-assisted interviews.","defence":"Liveness and provenance checks in hiring and KYC; treat remote-only identity assurance as a control, not a formality."},{"id":"T1587","name":"Develop Capabilities (Malware)","grade":3,"gradeLabel":"High","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1587/","analysis":"Models scaffold tooling, port exploits between languages and explain unfamiliar code — compressing the skill and time floor for capable-enough malware.","fieldSignal":"Jailbroken 'dark' LLM services are marketed specifically for malware and BEC support.","defence":"Assume faster variant turnover; weight behavioural detection over signature freshness."},{"id":"T1588","name":"Obtain Capabilities","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1588/","analysis":"Faster triage of which public exploits and tools fit a given target stack.","fieldSignal":"Incremental efficiency gain.","defence":"Patch velocity on internet-facing assets remains the dominant control."}]},{"tactic":"Initial Access","code":"TA0001","techniques":[{"id":"T1566","name":"Phishing","grade":4,"gradeLabel":"Critical","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1566/","analysis":"The best-evidenced uplift anywhere on this matrix. Flawless grammar, per-recipient tailoring and volume together push campaign success rates up while erasing the classic linguistic red flags.","fieldSignal":"Microsoft/OpenAI and ENISA reporting tie measurable improvements in large-scale phishing to generative tooling.","defence":"Phishing-resistant MFA (FIDO2); move detection from content heuristics to behaviour, sender reputation and protocol signals."},{"id":"T1566.004","name":"Spearphishing Voice (Vishing)","grade":4,"gradeLabel":"Critical","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1566/004/","analysis":"Real-time voice cloning turns help-desk and approval workflows into a fast foothold that sidesteps endpoint controls entirely.","fieldSignal":"Deepfake-assisted help-desk fraud is now a recurring root cause in major intrusions.","defence":"Callback verification, code phrases and hard limits on what voice alone can authorise."},{"id":"T1199","name":"Trusted Relationship","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1199/","analysis":"AI sharpens the pretext for abusing a partner or supplier channel, though access still hinges on the underlying trust path.","fieldSignal":"Supporting role within social-engineering chains.","defence":"Scope and monitor third-party access; least privilege on federated trust."}]},{"tactic":"Execution","code":"TA0002","techniques":[{"id":"T1059","name":"Command & Scripting Interpreter","grade":3,"gradeLabel":"High","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1059/","analysis":"Malware can generate its commands on-demand from a model at runtime, fitting actions to the exact host it lands on rather than shipping fixed scripts.","fieldSignal":"LAMEHUG issues live LLM queries to synthesise system commands tailored to the local environment.","defence":"Constrain interpreter use; alert on processes reaching out to LLM provider endpoints unexpectedly."},{"id":"T1204","name":"User Execution","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1204/","analysis":"More persuasive decoys and instructions raise the odds a user runs the payload.","fieldSignal":"Amplifies the social half of the chain.","defence":"Application control and MOTW enforcement on delivered content."},{"id":"T1106","name":"Native API","grade":1,"gradeLabel":"Emerging","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1106/","analysis":"Marginal — AI helps author the code, but the technique itself is unchanged.","fieldSignal":"Low direct uplift.","defence":"Standard EDR behavioural coverage."}]},{"tactic":"Persistence","code":"TA0003","techniques":[{"id":"T1136","name":"Create Account","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1136/","analysis":"AI helps craft plausible account names and supporting artefacts that blend into directory noise.","fieldSignal":"Supporting, not transformative.","defence":"Alert on new privileged accounts; tie creation to change tickets."},{"id":"T1547","name":"Boot/Logon Autostart","grade":1,"gradeLabel":"Emerging","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1547/","analysis":"Code-authoring help only; mechanics are well-trodden and well-detected.","fieldSignal":"Low direct uplift.","defence":"Baseline autostart locations and monitor for drift."}]},{"tactic":"Privilege Escalation","code":"TA0004","techniques":[{"id":"T1068","name":"Exploitation for Priv-Esc","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1068/","analysis":"Models accelerate vulnerability research and PoC drafting, but reliable end-to-end exploitation under real conditions is still uneven — a research aid more than an autonomous capability.","fieldSignal":"Academic agents show progress on guided exploitation; field reliability lags the demos.","defence":"Privilege hygiene and rapid patching blunt most of the gain."},{"id":"T1548","name":"Abuse Elevation Control","grade":1,"gradeLabel":"Emerging","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1548/","analysis":"Minimal change to a heavily-instrumented technique.","fieldSignal":"Low direct uplift.","defence":"Enforce UAC/sudo policy; monitor elevation events."}]},{"tactic":"Defense Evasion","code":"TA0005","techniques":[{"id":"T1027","name":"Obfuscated / Polymorphic Code","grade":4,"gradeLabel":"Critical","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1027/","analysis":"A genuinely novel pattern: malware that calls an LLM to rewrite or regenerate its own code each run, defeating static signatures by never holding still.","fieldSignal":"PROMPTFLUX morphs itself via live model queries; PROMPTSTEAL/LAMEHUG query LLMs mid-execution.","defence":"Lean on runtime behaviour and egress analysis; flag binaries that contact model APIs."},{"id":"T1059.LOTL","name":"AI-Assisted Living-off-the-Land","grade":3,"gradeLabel":"High","syntheticId":true,"mitreRef":null,"analysis":"Models generate native commands shaped to mimic legitimate admin activity, raising the cost of separating malicious from routine.","fieldSignal":"Forecast and early-observed as a 2026 evasion staple.","defence":"Command-line telemetry with anomaly baselining; constrain admin tooling reach."},{"id":"T1620","name":"Reflective Code Loading","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1620/","analysis":"AI eases in-memory loader development but detection surface is unchanged.","fieldSignal":"Indirect uplift.","defence":"Memory-scanning EDR and AMSI coverage."}]},{"tactic":"Credential Access","code":"TA0006","techniques":[{"id":"T1110","name":"Brute Force","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1110/","analysis":"ML-guided guessing and smarter wordlist generation improve hit-rates against weak and reused secrets.","fieldSignal":"Identity remains the dominant intrusion vector; passwords still anchor most identity attacks.","defence":"Phishing-resistant MFA, passkeys and breached-password screening."},{"id":"T1056","name":"Input Capture","grade":1,"gradeLabel":"Emerging","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1056/","analysis":"Little change to the technique itself.","fieldSignal":"Low direct uplift.","defence":"EDR keylogger detection; isolate credential entry."}]},{"tactic":"Discovery","code":"TA0007","techniques":[{"id":"T1083","name":"File & Directory Discovery","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1083/","analysis":"Once inside, models triage vast collections quickly — surfacing the crown-jewel data among noise far faster than manual review.","fieldSignal":"Reported abuse of AI inside compromised environments to find what matters.","defence":"Data classification and access logging on sensitive stores."},{"id":"T1087","name":"Account Discovery","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1087/","analysis":"Summarisation of directory and group structure into an attack path.","fieldSignal":"Efficiency gain within hands-on-keyboard operations.","defence":"Tiered admin model; monitor directory enumeration."},{"id":"T1057","name":"Process Discovery","grade":1,"gradeLabel":"Emerging","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1057/","analysis":"Marginal.","fieldSignal":"Low direct uplift.","defence":"Standard host telemetry."}]},{"tactic":"Lateral Movement","code":"TA0008","techniques":[{"id":"T1021","name":"Remote Services","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1021/","analysis":"Research shows LLM agents can plan and partly execute multi-host movement; reliability and stealth in real networks remain the gating factors.","fieldSignal":"Feasibility demonstrated in controlled multi-host studies.","defence":"Segmentation, just-in-time access and east-west monitoring."},{"id":"T1210","name":"Exploitation of Remote Services","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1210/","analysis":"AI-accelerated exploit selection feeds movement, bounded by the same exploitation-reliability ceiling.","fieldSignal":"Emerging.","defence":"Internal patching and service hardening."}]},{"tactic":"Collection","code":"TA0009","techniques":[{"id":"T1119","name":"Automated Collection","grade":3,"gradeLabel":"High","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1119/","analysis":"Models prioritise and summarise as they gather — turning bulk theft into curated, intelligence-led collection of the highest-value material first.","fieldSignal":"Attackers reported using LLMs to mine stolen data for what is worth taking.","defence":"DLP on egress; honeytokens in sensitive repositories."},{"id":"T1114","name":"Email Collection","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1114/","analysis":"Rapid synthesis of mailbox contents into actionable leverage or onward pretexts.","fieldSignal":"Supporting capability.","defence":"Mailbox access auditing; anomalous bulk-read alerts."},{"id":"T1213","name":"Data from Information Repositories","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1213/","analysis":"Semantic search across wikis and ticketing turns sprawl into targeted extraction.","fieldSignal":"Efficiency gain.","defence":"Least privilege and logging on knowledge stores."}]},{"tactic":"Command & Control","code":"TA0011","techniques":[{"id":"T1102","name":"Web Service (LLM API as Channel)","grade":3,"gradeLabel":"High","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1102/","analysis":"Legitimate model-provider APIs double as a covert decision-and-command channel — traffic to a trusted AI endpoint looks unremarkable and rides existing allow-lists.","fieldSignal":"PROMPTFLUX / LAMEHUG-class malware reach back to public LLM APIs at runtime.","defence":"Treat model-API egress as sensitive; baseline which hosts should ever talk to it."},{"id":"T1071","name":"Application Layer Protocol","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1071/","analysis":"AI assists in shaping protocol-blending traffic, though the channel concept is established.","fieldSignal":"Indirect uplift.","defence":"Egress filtering and JA3/protocol anomaly detection."},{"id":"T1573","name":"Encrypted Channel","grade":1,"gradeLabel":"Emerging","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1573/","analysis":"Unchanged at the crypto layer.","fieldSignal":"Low direct uplift.","defence":"TLS inspection where lawful; certificate hygiene."}]},{"tactic":"Exfiltration","code":"TA0010","techniques":[{"id":"T1567","name":"Exfil Over Web Service","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1567/","analysis":"AI helps choose and blend with high-trust services; the staging benefits more than the transfer.","fieldSignal":"Modest direct uplift.","defence":"CASB and egress DLP on sanctioned SaaS."},{"id":"T1041","name":"Exfil Over C2 Channel","grade":1,"gradeLabel":"Emerging","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1041/","analysis":"Mechanically unchanged.","fieldSignal":"Low direct uplift.","defence":"Volume and beaconing analytics."}]},{"tactic":"Impact","code":"TA0040","techniques":[{"id":"T1491","name":"Defacement / Influence Operations","grade":3,"gradeLabel":"High","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1491/","analysis":"Generative text, image and video industrialise disinformation and brand-impersonation at a scale and believability that manual production never reached.","fieldSignal":"A leading driver of the rise in reported generative-AI harm incidents.","defence":"Content provenance, rapid takedown channels and executive-impersonation monitoring."},{"id":"T1486","name":"Data Encrypted for Impact (Ransomware)","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1486/","analysis":"AI streamlines target triage, negotiation drafting and operational tempo rather than the encryption itself.","fieldSignal":"Productivity layer across the ransomware lifecycle.","defence":"Immutable backups, segmentation and tested recovery."},{"id":"T1565","name":"Data Manipulation","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://attack.mitre.org/techniques/T1565/","analysis":"Convincing fabricated records and tampering at scale become cheaper to author.","fieldSignal":"Emerging integrity-attack concern.","defence":"Integrity monitoring and strong audit trails on systems of record."}]}],"aiAsTarget":[{"tactic":"Recon & Discovery","code":"AML.TA","techniques":[{"id":"AML.T0014","name":"Discover Model Family / Ontology","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://atlas.mitre.org/techniques/AML.T0014","analysis":"Adversaries probe a deployed system to infer the underlying model, guardrail style and capability envelope before committing to an attack path.","fieldSignal":"Standard precursor in modern LLM red-team workflows.","defence":"Limit verbose error and version disclosure; rate-limit probing patterns."},{"id":"AML.T0015","name":"Evade ML Model","grade":3,"gradeLabel":"High","syntheticId":false,"mitreRef":"https://atlas.mitre.org/techniques/AML.T0015","analysis":"Crafted inputs push a classifier or detector to the wrong side of its decision boundary — bypassing content filters, malware scanners or biometric checks.","fieldSignal":"A core, well-studied adversarial-ML class spanning evasion attacks.","defence":"Adversarial training, ensembling and out-of-distribution detection."}]},{"tactic":"Initial Access","code":"AML.TA","techniques":[{"id":"AML.T0051","name":"Prompt Injection (Direct)","grade":4,"gradeLabel":"Critical","syntheticId":false,"mitreRef":"https://atlas.mitre.org/techniques/AML.T0051","analysis":"User-supplied instructions override the system's intent, coaxing the model past its guardrails or into unintended actions — the defining vulnerability class of the LLM era.","fieldSignal":"Microsoft/OpenAI explicitly track prompt-injection attempts against deployed systems.","defence":"Privilege separation between instructions and data; deny-by-default tool gating; output mediation."},{"id":"AML.T0051.i","name":"Indirect Prompt Injection","grade":4,"gradeLabel":"Critical","syntheticId":false,"mitreRef":"https://atlas.mitre.org/techniques/AML.T0051.001","analysis":"Malicious instructions hide inside content the model later ingests — a web page, document, email or RAG record — and execute when the agent reads them.","fieldSignal":"Self-propagating prompt worms (Morris II) demonstrate cross-agent spread via injected content.","defence":"Treat all retrieved content as untrusted; sandbox tool use; strip and quarantine active instructions."}]},{"tactic":"ML Supply Chain","code":"AML.TA","techniques":[{"id":"AML.T0010","name":"ML Supply Chain Compromise","grade":3,"gradeLabel":"High","syntheticId":false,"mitreRef":"https://atlas.mitre.org/techniques/AML.T0010","analysis":"Poisoned weights, tampered datasets, trojaned model hubs or malicious dependencies introduce backdoors before the system is ever deployed.","fieldSignal":"Repeated discovery of malicious models and packages on public hubs.","defence":"Provenance, signing and SBOM for models and data; scan artefacts on ingest."},{"id":"AML.T0020","name":"Poison Training Data","grade":3,"gradeLabel":"High","syntheticId":false,"mitreRef":"https://atlas.mitre.org/techniques/AML.T0020","analysis":"Manipulated training or fine-tuning data implants targeted misbehaviour or backdoor triggers that survive into production.","fieldSignal":"One of NIST's four canonical adversarial-ML categories.","defence":"Data curation, influence analysis and anomaly screening on training pipelines."}]},{"tactic":"Persistence (Agentic)","code":"AML.TA","techniques":[{"id":"AML.RAG","name":"RAG Poisoning","grade":3,"gradeLabel":"High","syntheticId":true,"mitreRef":null,"analysis":"Adversaries seed the retrieval corpus so the model confidently serves attacker-chosen content or instructions — persistent, because it lives in the knowledge base, not the prompt.","fieldSignal":"Added to ATLAS in 2025 alongside false-entry and retrieval-crafting techniques.","defence":"Authenticate and review corpus sources; integrity-check vector stores; constrain what retrieval can authorise."},{"id":"AML.MEM","name":"Memory Manipulation","grade":2,"gradeLabel":"Moderate","syntheticId":true,"mitreRef":null,"analysis":"Tampered long-term agent memory carries malicious state across sessions, quietly steering future behaviour.","fieldSignal":"Agent-focused techniques expanded in recent ATLAS releases.","defence":"Scope, validate and expire agent memory; isolate per-tenant state."}]},{"tactic":"Exfiltration","code":"AML.TA","techniques":[{"id":"AML.T0024","name":"Exfil via ML Inference API","grade":3,"gradeLabel":"High","syntheticId":false,"mitreRef":"https://atlas.mitre.org/techniques/AML.T0024","analysis":"Carefully shaped queries pull training data, system prompts or secrets back out through the model's own outputs.","fieldSignal":"Membership-inference and prompt-leak demonstrations are well established.","defence":"Output filtering, query monitoring and minimisation of sensitive context exposure."},{"id":"AML.T0044","name":"Extract / Replicate Model","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://atlas.mitre.org/techniques/AML.T0044","analysis":"Systematic querying clones a model's behaviour — a distillation attack that steals the IP and logic of a high-value model.","fieldSignal":"Distillation-style theft flagged across recent frontline reporting.","defence":"Rate-limit, watermark outputs and detect extraction-shaped query volume."}]},{"tactic":"Impact","code":"AML.TA","techniques":[{"id":"AML.T0029","name":"Denial of ML Service","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://atlas.mitre.org/techniques/AML.T0029","analysis":"Inputs engineered to maximise compute (sponge examples) or flood inference exhaust capacity and run up cost.","fieldSignal":"Documented availability and cost-attack class.","defence":"Input cost budgeting, throttling and autoscaling guardrails."},{"id":"AML.T0034","name":"Cost Harvesting","grade":2,"gradeLabel":"Moderate","syntheticId":false,"mitreRef":"https://atlas.mitre.org/techniques/AML.T0034","analysis":"Abuse of a victim's hosted model or agent to run the attacker's workloads on the victim's bill.","fieldSignal":"Recognised abuse-attack category.","defence":"Per-tenant quotas, anomaly billing alerts and strong auth on inference endpoints."},{"id":"AML.INT","name":"Erode Model Integrity","grade":2,"gradeLabel":"Moderate","syntheticId":true,"mitreRef":null,"analysis":"Sustained manipulation degrades trust in a model's outputs, corrupting downstream decisions that rely on it.","fieldSignal":"Forward-looking integrity concern in agentic deployments.","defence":"Continuous evaluation, drift detection and human review on consequential outputs."}]}]}}