Lab 1: ATLAS Threat Mapping and Production Scope Declaration

Module: 1 — The Production AI Attack Surface
Points: 15
Time estimate: 2 hr lab + 1 hr independent
Deliverable: lab-1-report.md + scope-declaration.json


Objectives

  1. Navigate the MITRE ATLAS Navigator and locate techniques relevant to a given deployment scenario.
  2. Map OWASP LLM Top 10 entries to their ATLAS equivalents.
  3. Produce a scoped engagement declaration for a fictional production AI system.

Setup

No special dependencies for this lab. You need:

  • A browser (ATLAS Navigator: atlas.mitre.org)
  • The course SETUP.md ATLAS Navigator entry confirmed working

Part A: ATLAS Navigator Exploration (45 min)

Open the ATLAS Navigator at atlas.mitre.org. You are scoping an engagement against the following fictional system:

Target: AgentAssist v2.3 — a customer-service chatbot deployed by a mid-size e-commerce company. The chatbot uses GPT-4o with vision enabled, has access to a send_email tool, a lookup_order tool (SQL backend), and a RAG corpus built from the company's knowledge base. Users upload screenshots of orders to dispute charges. Customer service agents can query conversation history. The system is deployed on AWS; the chatbot application runs on an EC2 instance with an IAM role attached.

Using the ATLAS Navigator:

  1. Identify the Initial Access techniques applicable to AgentAssist. List each technique by ID and name. For each, write one sentence explaining why it applies to this deployment.

  2. Identify at least two Execution techniques applicable. Same format.

  3. Identify at least one applicable technique from each of: Persistence, Collection, Exfiltration.

  4. Record your findings in the Technique Map table below.

| ATLAS ID     | Technique Name                    | Tactic            | Applies because... |
|---|---|---|---|
| AML.T0043    | Craft Adversarial Data            | ML Attack Staging | vision input enabled; users upload screenshots, so attacker-crafted images reach the model |
| ...          | ...                               | ...               | ...                |

Use the tactic column exactly as the Navigator shows it (the example row above is listed under ML Attack Staging in ATLAS, not Initial Access); a technique that appears under several tactics gets one row per tactic you are claiming.

Minimum 8 techniques total across the tactics.


Part B: OWASP-to-ATLAS Crosswalk (30 min)

Complete the following crosswalk table. The IDs and names below follow the 2023 (v1.1) edition of the OWASP Top 10 for LLM Applications; the 2025 edition renumbers and renames several entries, so state which edition you used if you consult a newer copy. For each OWASP entry, identify the ATLAS technique(s) that operationalize the threat. Use the ATLAS Navigator and the Module 1 content.

| OWASP LLM ID | OWASP Name                       | ATLAS Technique(s) |
|---|---|---|
| LLM01        | Prompt Injection                 |                    |
| LLM02        | Insecure Output Handling         |                    |
| LLM03        | Training Data Poisoning          |                    |
| LLM04        | Model Denial of Service          |                    |
| LLM05        | Supply Chain Vulnerabilities     |                    |
| LLM06        | Sensitive Information Disclosure |                    |
| LLM07        | Insecure Plugin Design           |                    |
| LLM08        | Excessive Agency                 |                    |
| LLM09        | Overreliance                     |                    |
| LLM10        | Model Theft                      |                    |

At least one ATLAS technique ID for each row. Multiple techniques where applicable.


Part C: Scope Declaration (45 min)

Produce a scope-declaration.json for the AgentAssist engagement. The JSON must conform to this schema:

{
  "target_name": "AgentAssist v2.3",
  "deployment_summary": "...",
  "in_scope_components": [
    { "component": "...", "access_type": "black-box | gray-box | white-box" }
  ],
  "out_of_scope": ["..."],
  "threat_model_axes": [
    {
      "axis": "...",
      "rationale": "...",
      "atlas_techniques": ["AML.T0043", "..."]
    }
  ],
  "constraints": {
    "production_traffic_allowed": false,
    "rate_limit_per_minute": 10,
    "data_handling": "no PII exfiltration"
  },
  "escalation_procedure": "..."
}

Requirements:

  • At least 4 in_scope_components (the system description above gives you at least this many)
  • At least 1 out_of_scope item with a rationale sentence. JSON has no comment syntax, so put the rationale in a separate field: either an out_of_scope_rationale array parallel to out_of_scope, or make each out_of_scope entry an object with component and rationale keys
  • At least 3 threat_model_axes; each axis maps to at least 2 ATLAS techniques
  • constraints block filled in with realistic values for a production engagement

This document type is what you submit at the start of a real AI security engagement. Get comfortable with the format.
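A pre-submission checker for the two structured deliverables, added here as an example and not part of the course materials. It validates a scope-declaration.json against the Part C requirements (field presence, the access_type enumeration, the 4/1/3/2 minimums, the constraints block, and the AML.Txxxx form of every ATLAS ID) and counts the usable rows of a Part A Technique Map pasted in the table format above. The sample declaration and two-row table at the bottom are constructed for illustration, the technique choices in them are this example's and not the lab's answer key, and the out_of_scope_rationale field and the script name are this example's own conventions.

```python
# check_lab1.py: pre-submission checker for the Lab 1 deliverables (added example,
# not course material). Sample data at the bottom is constructed for illustration.
import json
import re
import sys

ATLAS_ID = re.compile(r"^AML\.T\d{4}(\.\d{3})?$")   # AML.T0043, sub-technique AML.T0051.001
ACCESS_TYPES = {"black-box", "gray-box", "white-box"}
TOP_LEVEL_FIELDS = ("target_name", "deployment_summary", "in_scope_components", "out_of_scope",
                    "threat_model_axes", "constraints", "escalation_procedure")
CONSTRAINT_FIELDS = {"production_traffic_allowed", "rate_limit_per_minute", "data_handling"}


def validate_scope(doc: dict) -> list[str]:
    """Return the Part C requirement violations; an empty list means the declaration passes."""
    errors = []
    for key in TOP_LEVEL_FIELDS:
        if key not in doc:
            errors.append(f"missing top-level field: {key}")
    comps = doc.get("in_scope_components", [])
    if len(comps) < 4:
        errors.append(f"in_scope_components: need at least 4, got {len(comps)}")
    for c in comps:
        if c.get("access_type") not in ACCESS_TYPES:
            errors.append(f"component {c.get('component')!r}: bad access_type {c.get('access_type')!r}")
    if not doc.get("out_of_scope"):
        errors.append("out_of_scope: need at least 1 item")
    axes = doc.get("threat_model_axes", [])
    if len(axes) < 3:
        errors.append(f"threat_model_axes: need at least 3, got {len(axes)}")
    for a in axes:
        ids = a.get("atlas_techniques", [])
        if len(ids) < 2:
            errors.append(f"axis {a.get('axis')!r}: needs at least 2 ATLAS techniques")
        errors += [f"axis {a.get('axis')!r}: {t!r} is not an ATLAS technique ID"
                   for t in ids if not ATLAS_ID.match(t)]
    constraints = doc.get("constraints", {})
    missing = CONSTRAINT_FIELDS - set(constraints)
    if missing:
        errors.append(f"constraints: missing {sorted(missing)}")
    if constraints.get("production_traffic_allowed") is not False:   # fixed by the lab brief
        errors.append("constraints: production_traffic_allowed must be false")
    rate = constraints.get("rate_limit_per_minute")
    if type(rate) is not int or rate <= 0:
        errors.append("constraints: rate_limit_per_minute must be a positive integer")
    return errors


def count_technique_rows(markdown_table: str) -> int:
    """Count Technique Map rows with a well-formed ATLAS ID and a non-empty rationale cell."""
    n = 0
    for line in markdown_table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and ATLAS_ID.match(cells[0]) and cells[3]:
            n += 1
    return n


# Constructed sample declaration for AgentAssist (hypothetical values, not an answer key).
SAMPLE_DECLARATION = {
    "target_name": "AgentAssist v2.3",
    "deployment_summary": "GPT-4o chatbot with vision, send_email/lookup_order tools, RAG corpus, EC2 + IAM role",
    "in_scope_components": [
        {"component": "chat endpoint incl. screenshot upload", "access_type": "black-box"},
        {"component": "lookup_order tool and SQL backend", "access_type": "gray-box"},
        {"component": "send_email tool", "access_type": "gray-box"},
        {"component": "RAG knowledge-base corpus", "access_type": "white-box"},
    ],
    "out_of_scope": ["Hosted GPT-4o model and the provider's inference infrastructure"],
    "out_of_scope_rationale": ["Third-party infrastructure outside the client's authorization."],
    "threat_model_axes": [
        {"axis": "untrusted content reaching the model", "rationale": "chat text and screenshots",
         "atlas_techniques": ["AML.T0051.000", "AML.T0051.001", "AML.T0043"]},
        {"axis": "tool abuse", "rationale": "send_email and lookup_order are model-callable",
         "atlas_techniques": ["AML.T0053", "AML.T0050"]},
        {"axis": "data exfiltration", "rationale": "order data and conversation history reachable",
         "atlas_techniques": ["AML.T0057", "AML.T0024"]},
    ],
    "constraints": {"production_traffic_allowed": False, "rate_limit_per_minute": 10,
                    "data_handling": "no PII exfiltration"},
    "escalation_procedure": "Stop and contact the client security lead if real customer data appears.",
}

# Constructed two-row Technique Map in the Part A table format.
SAMPLE_TABLE = """\
| ATLAS ID | Technique Name | Tactic | Applies because... |
|---|---|---|---|
| AML.T0043 | Craft Adversarial Data | ML Attack Staging | vision input enabled; users upload screenshots |
| AML.T0051 | LLM Prompt Injection | Initial Access | untrusted chat text and screenshots reach the model |
| ... | ... | ... | ... |
"""

if __name__ == "__main__":
    # Usage: python check_lab1.py scope-declaration.json  (no argument: check the sample)
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_DECLARATION
    problems = validate_scope(doc)
    print("\n".join(problems) if problems else "scope declaration passes all Part C checks")
    print(f"technique map rows counted in sample: {count_technique_rows(SAMPLE_TABLE)}")
```

The checker only verifies form: an ID that matches the AML.Txxxx pattern still has to exist in the Navigator, and the grader reads the rationale sentences, so run it as a last gate before submission rather than as proof the mapping is right.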


Lab Report

Create lab-1-report.md with the following sections:

  1. Technique Map (from Part A — the completed table)
  2. OWASP-ATLAS Crosswalk (from Part B — the completed table)
  3. Scope Observations — 2-3 paragraphs: What surprised you about the ATLAS technique coverage? Which techniques were hardest to map? What would change if AgentAssist had no vision input?
  4. Production Constraint Rationale — one paragraph explaining your rate_limit_per_minute choice and production_traffic_allowed: false constraint.

Grading

| Component | Points |
|---|---|
| Technique Map: ≥8 techniques, each with one-sentence rationale | 4 |
| OWASP-ATLAS Crosswalk: all 10 rows filled with at least one technique ID | 4 |
| scope-declaration.json: valid JSON, all required fields, ≥3 threat axes | 5 |
| Scope Observations: identifies at least one non-obvious mapping | 2 |
| Total | 15 |