The Thing That Should Not Be

ATLAS copies ATT&CK for AI. Four attacks in two months, same identifiers, no shared mechanism. The framework names techniques without arming defenders. The industry adopts it because it looks like ATT&CK. The resemblance is the trap.
Metallica / Lovecraft, "The Thing That Should Not Be"

"Not dead which eternal lie, stranger aeons death may die." — You cannot kill what never lived. You cannot secure what is insecure by architecture.


By February 2026, MITRE ATLAS counted 16 tactics, 84 techniques, 56 sub-techniques, 32 mitigations and 42 case studies¹. More than 100 government, academic and industry organizations contribute to the project². The February update added agent-specific techniques, including "Publish Poisoned AI Agent Tool" and "Escape to Host"¹. The framework replicates ATT&CK's structure (matrix, AML.T-prefixed identifiers, STIX 2.1 data format) and extends it to threats targeting artificial intelligence systems: data poisoning, model extraction, evasion, prompt injection, persistent memory manipulation.

The ambition is logical. ATT&CK catalogs offensive techniques against conventional information systems. D3FEND catalogs defensive countermeasures. ATLAS extends the same method to AI systems. Three frameworks, one method, complete territory coverage. The symmetry is appealing.

I examined the method, the available data, the documented attack cases between January and April 2026, and the industry's response to the first major AI threat. ATLAS replicates ATT&CK's structure in a domain where that structure has zero operational value. The framework is not immature. It should not have been built.

Why ATT&CK stands up

ATT&CK works poorly. 21% SIEM coverage, five years of measurement with no progression, 13% of rules broken³. But ATT&CK still works, at a minimum, because the objects it catalogs possess three properties.

First, stability. T1003.001 (LSASS Memory) describes the same behavior in 2018 and 2026. The OS has not mutated. Active Directory has not mutated. The technique is reproducible. An analyst who wrote a detection rule in 2020 can maintain it in 2026 because the object it targets still exists.

Second, the space of possible actions on an operating system is finite and enumerable. The number of ways to dump credentials, move laterally or exfiltrate data is large but bounded. You can catalog a finite space. The catalog will be incomplete (it is, at 21%), but the approach makes logical sense.

Third, observability. ATT&CK techniques leave traces in logs, network flows and system registries. These traces are detectable by deterministic tools. Poorly detected, often ignored, but detectable in principle.

D3FEND fails to exploit these properties correctly (patent corpus, no effectiveness measurement, "may-counter" relationships never validated⁴). But the properties themselves exist in the conventional domain. The taxonomic method can work, poorly, with these properties. Without them, it cannot work at all.

The domain that defies classification

AI systems possess none of the three properties. Bruce Schneier named the problem in May 2024: LLMs mix data and commands in a single channel, and unlike the pre-SS7 phone network that suffered the same flaw, you cannot separate them⁵. Schneier draws the direct consequence: individual attacks are easy to prevent once published, but there are an infinite number of them and no way to block them as a class⁵.

In October 2025, Schneier and Raghavan formalized the problem in IEEE Security & Privacy by applying the OODA loop to AI agents⁶. Their conclusion: the adversary is not inside the loop by accident; it is there by architecture. Web-scale AI produces web-scale integrity failure. Every capability corrupts. Integrity is not a feature you add; it is an architecture you choose. Current AI systems were built for speed and intelligence, not security⁶. This diagnosis destroys ATLAS's premise before you even examine the framework's content.

A prompt injection (AML.T0051 in ATLAS) is not a stable object. What crosses Claude 3.5's guardrails does not cross Opus 4.6's. What works on GPT-4o does not work on GPT-4.5. The "technique" changes nature with every model weight update. T1003.001 in ATT&CK describes a reproducible behavior. AML.T0051 in ATLAS describes a category so broad it guides no concrete defensive action. A useful catalog distinguishes T1003.001 (LSASS Memory) from T1003.003 (NTDS) because the two are detected differently. AML.T0051 covers the entirety of the natural-language input space that can subvert a model. No one will write a detection rule for "everything you can say to an LLM to manipulate it."

The attack space of conventional systems is finite. The input space of an LLM is natural language, neither finite nor enumerable. Taxonomy assumes a bounded set of classifiable objects. ATLAS applies a finite-space method to an infinite space.

Memory Poisoning (AML.T0080) illustrates the problem from a different angle. The technique says: someone introduces malicious content into an agent's persistent memory. But the "persistent memory" of an MCP agent in March 2026 has nothing in common with that of a RAG chatbot in 2024. Architectures change every quarter. The technique does not document an observable behavior. It names a concept. You do not detect a concept.

Four attacks, one identifier

Between January and March 2026, four documented attacks target AI systems. All four are classified under the same ATLAS identifiers. All four exploit mechanisms that have nothing in common.

ZombieAgent (Radware, January 2026) injects instructions into ChatGPT's persistent memory via a shared file. The attack modifies the model's behavioral rules to exfiltrate user data with every future message. When OpenAI blocks dynamic URLs, researchers bypass the block by exfiltrating character by character through pre-constructed URLs⁷. ATLAS classification: AML.T0080 + AML.T0051.

Superhuman AI (PromptArmor, January 2026) exploits a prompt injection hidden in an email to exfiltrate dozens of sensitive emails (financial, legal, medical data) via a Google Form submission URL in Markdown image syntax. The vector relies on a specific CSP rule authorizing image loading from docs.google.com⁸. ATLAS classification: AML.T0051.
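The control this incident points at, as an added example (not PromptArmor's or Superhuman's code): filter Markdown images in model output against an exact origin-and-path allowlist rather than a host-level rule. The allowlist entry, the sample output and every URL in it are constructed for illustration.

```javascript
// Added example. Hosts, paths and sample text below are constructed.

// Exact origin + path prefix pairs this client will load images from.
const IMAGE_ALLOWLIST = [
  { origin: "https://static.mailclient.example", pathPrefix: "/avatars/" },
];

// Host-level rule, comparable to a CSP img-src entry naming a whole host.
const HOST_LEVEL_ALLOW = new Set(["docs.google.com", "static.mailclient.example"]);

// Inline Markdown image: ![alt](url "optional title")
const MD_IMAGE = /!\[([^\]]*)\]\(\s*<?([^\s)>]+)>?(?:\s+"[^"]*")?\s*\)/g;

function classifyImageUrl(raw) {
  let url;
  try {
    url = new URL(raw); // relative or malformed URLs throw and are rejected
  } catch {
    return { allowed: false, reason: "unparseable-or-relative" };
  }
  if (url.protocol !== "https:") return { allowed: false, reason: "non-https" };
  // pathname is already normalized, so "/avatars/../x" cannot pass the prefix.
  const entry = IMAGE_ALLOWLIST.find(
    (e) => url.origin === e.origin && url.pathname.startsWith(e.pathPrefix)
  );
  if (!entry) return { allowed: false, reason: "origin-or-path-not-allowlisted" };
  // A static image needs no parameters; a query string is a data channel.
  if (url.search || url.hash) {
    return { allowed: false, reason: "carries-query-or-fragment" };
  }
  return { allowed: true, reason: "ok" };
}

function hostLevelAllows(raw) {
  try {
    return HOST_LEVEL_ALLOW.has(new URL(raw).hostname);
  } catch {
    return false;
  }
}

// Removes every image that fails the strict check and records, for each one,
// whether the host-level rule alone would have let the request go out.
function sanitizeModelOutput(markdown) {
  const blocked = [];
  const text = markdown.replace(MD_IMAGE, (match, _alt, rawUrl) => {
    const verdict = classifyImageUrl(rawUrl);
    if (verdict.allowed) return match;
    blocked.push({
      url: rawUrl,
      reason: verdict.reason,
      hostRuleWouldAllow: hostLevelAllows(rawUrl),
    });
    return "[image removed]";
  });
  return { text, blocked };
}

// Constructed model output: one legitimate avatar, one image whose URL
// carries message content to a form endpoint on an allowed host.
const SAMPLE_OUTPUT = [
  "Here is your summary.",
  "![avatar](https://static.mailclient.example/avatars/u42.png)",
  "![status](https://docs.google.com/forms/EXAMPLE-FORM/submit?field=CONSTRUCTED-EMAIL-TEXT)",
].join("\n");

console.log(JSON.stringify(sanitizeModelOutput(SAMPLE_OUTPUT), null, 2));
```

The filter covers inline Markdown image syntax only; reference-style images and raw HTML `<img>` tags in model output need the same check before rendering.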

SANDWORM_MODE (Socket/Endor Labs, February 2026) installs a malicious MCP server and injects it into AI coding assistants (Claude Code, Cursor, Windsurf). The prompt injection is embedded in MCP tool descriptions, not in the processed data. The AI assistant silently collects environment variables, configuration files and SSH/AWS keys without the developer seeing the instruction⁹. The malware includes a dormant polymorphism capability via Ollama (automatic rewriting of malicious code by a local LLM)⁹. ATLAS classification: AML.T0051.

CVE-2025-15060/ZDI-26-124 (Trend Research, February 2026): a classic command injection in a claude-hovercraft package, CVSS 9.8, remotely exploitable, no authentication, no user interaction required¹⁰. A mundane software security flaw in an AI ecosystem tool. ATLAS does not cover it. Neither does ATT&CK, specifically.

Four incidents in two months. Four entirely distinct mechanisms. Three classified under the same AML.T0051 or AML.T0080 identifiers. One unclassifiable. No detection rule written for ZombieAgent detects SANDWORM_MODE. None. They share an ATLAS identifier. They share nothing else.

In February 2026, MITRE conducted a rapid investigation of OpenClaw, the most widely deployed open-source agentic tool, and identified seven new agent-specific techniques¹⁶. OpenClaw uses ATLAS as its official threat model¹⁷. Researchers developed 47 adversarial scenarios mapped to ATLAS and ATT&CK to test OpenClaw's resilience. Result: an average defense rate of 17%¹⁸. Worse than ATT&CK's 21% SIEM coverage. The most widely deployed agentic tool, tested against the framework designed to protect it, and attacks get through 83% of the time. Mapping techniques does not produce defense.

In March 2026, a systematic review of threat intelligence sources for AI confirms the void¹⁴. The authors survey ATLAS, AVID (40 documented vulnerabilities, 10 reports), AIID (1,366 incidents with "populated inconsistently" taxonomy annotations), OWASP, ENISA, SAIF. Their conclusion: existing resources "remain incomplete." The only concrete indicators of compromise the paper manages to document are SHA1 hashes of malicious PyTorch files on Hugging Face and infrastructure IP addresses. 1998 IoCs applied to 2026 artifacts. Five years after ATLAS launched, researchers are still proposing research directions to define what an operational indicator would look like. The framework named the techniques. It did not arm the defenders.

What OWASP says and ATLAS does not

OWASP Top 10 for LLM Applications operates differently. The document lists risks, not adversary techniques. It targets developers, not SOC analysts. And in its very first entry (LLM01:2025, Prompt Injection), it writes what ATLAS will never say: "Prompt injection vulnerabilities are possible due to the nature of generative AI. Given the stochastic influence at the heart of the way models work, it is unclear if there are fool-proof methods of prevention."¹⁵

OWASP acknowledges that insecurity is inherent to the technology. The proposed mitigations (semantic filtering, input validation, separation of trusted and untrusted content) are damage-reduction measures, not solutions. The framework does not pretend to catalog the infinite. It says: here are the ten most critical risk categories, do what you can.

ATLAS does the opposite. It transports the ATT&CK framework into a domain that OWASP itself admits resists classification, and presents the result as an exploitable threat intelligence base. OWASP is a survival guide. ATLAS is a map of territory that does not exist in stable form.

OWASP has its own limitations. It is a Top 10, not a comprehensive framework. Mitigations are recommendations, not guarantees. But at least the document does not misrepresent the nature of the problem it addresses.

The institution behind the empty framework

ATLAS is a MITRE product, developed with the Center for Threat-Informed Defense and funded through the same mechanism of federal contracts and industry collaboration as ATT&CK and D3FEND. Private collaborators include CrowdStrike, Booz Allen Hamilton, Fujitsu, Citigroup, FS-ISAC².

The American normative apparatus is under documented degradation on eight simultaneous fronts¹¹. Two directly affect ATLAS. MITRE has lost 440 employees and $28 million in federal contracts canceled by the administration. The CVE program ($57.8 million annually) narrowly avoided extinction in April 2025 before a last-minute contract option extended it¹¹. On April 15, 2026, NIST officially abandoned universal NVD enrichment. Only three categories now receive priority treatment: CISA's KEV catalog, federal software, and critical software as defined by Executive Order 14028. Everything else is published as "Lowest Priority, not scheduled for immediate enrichment." Harold Booth, NIST computer scientist, at VulnCon26: "Our ability to keep up is just not there."¹¹

The NIST AI Safety Institute has been renamed Center for AI Standards and Innovation (CAISI). Commerce Secretary Lutnick: "Innovators will no longer be limited by these standards." JD Vance at the Paris AI summit: "I'm not here this morning to talk about AI safety."¹¹ The parent institution has officially ceased to consider AI security a priority, while MITRE publishes an AI security framework.

ATLAS's private collaborators do not compensate for the institutional void. The ties between cybersecurity vendors who populate the Center for Threat-Informed Defense and the intelligence community are documented¹². Their presence in ATLAS reproduces the same producer biases documented for ATT&CK³.

The survivorship bias gets worse. For ATT&CK, at least organizations know they have been attacked (even if they only see a fifth of it). For AI threats, 62% of security practitioners have no way of knowing where LLMs are used in their organization¹³. You do not report incidents you do not know how to observe. MITRE's AI Incident Sharing initiative (launched October 2024²) will collect incidents that organizations detect. The 62% who see nothing will send nothing.

42 case studies for 84 techniques is still half a case per technique. The framework grows; the empirical coverage per technique does not move. ATT&CK documents its major techniques through dozens of incident reports. ATLAS, after five updates in six months, maintains the same skeletal ratio.

When the threat arrives, no one calls ATLAS

On April 7, 2026, Anthropic announced Claude Mythos Preview, a model capable of autonomously identifying and exploiting critical vulnerabilities across all major operating systems and browsers¹⁹. Mythos identified a 27-year-old bug in OpenBSD's TCP SACK implementation, a system known for its security, that decades of code review and automated fuzzing had not detected. Two packets are enough to crash any affected server. It found and exploited, without human intervention, a 17-year-old remote code execution vulnerability in FreeBSD (CVE-2026-4747), constructing a 20-gadget ROP chain split across six distinct RPC requests to obtain unauthenticated root access²⁰. It identified a 16-year-old flaw in FFmpeg's H.264 codec, software whose vulnerable code path had survived five million automated fuzzing passes²¹. On Firefox's JavaScript engine, Mythos produced 181 working exploits versus 2 for Opus 4.6²¹.

Anthropic briefed CISA and CAISI before the public announcement¹⁹. The institution renamed as an innovation accelerator was now expected to assess the most serious AI threat ever documented. Neither CISA nor NIST responded to requests for comment¹⁹.

In response, Anthropic launched Project Glasswing: AWS, Apple, Broadcom, Cisco, CrowdStrike, Google, JPMorgan Chase, Linux Foundation, Microsoft, NVIDIA, Palo Alto Networks, and over 40 additional organizations. $100 million in usage credits²⁰. The Cloud Security Alliance published an emergency briefing, "The AI Vulnerability Storm," co-authored with former CISA director Jen Easterly, Bruce Schneier, Chris Inglis, Phil Venables, and over 250 CISOs²¹. The UK AI Security Institute evaluated Mythos in a 32-step network attack simulation and concluded the model can autonomously achieve complete control of an enterprise network²¹.

ATLAS is mentioned in none of these documents. Not in the Glasswing announcement, not in the CSA briefing, not in the UK AISI evaluation, not in CISA or CAISI communications. No ATLAS technique is cited to characterize what Mythos does. When the first major AI threat materializes, the framework designed to catalog AI threats is absent from the conversation. The industry built its response by bypassing the MITRE architecture entirely. ATLAS is not insufficient. It is ignored.

What I do not know

Whether the similarity techniques proposed by research (deep hashing, semantic fuzzy hashing¹⁴) will produce operational IoCs for AI artifacts, or remain at the conceptual stage. Today, the only documented IoCs for malicious models are file hashes and IP addresses. 1998 tools applied to a 2026 problem.

Whether Project Glasswing will produce lasting defensive results or remain a commercial positioning exercise. Schneier called the announcement a successful "PR play"²². The balance between real capability and market positioning remains to be measured. The controlled distribution program lasted 14 hours before unauthorized access was gained, on the same day as the announcement²³. The security of the system meant to secure the world was breached in less than a day.

Whether OWASP Top 10 for LLM Applications will evolve into a more comprehensive framework without reproducing ATLAS's errors. The risk-based approach rather than adversary-technique approach is more honest. The question is whether it will be sufficient as agentic architectures multiply attack surfaces every quarter.

What I know

ATT&CK works, poorly, because the objects it catalogs are stable, finite and observable. ATLAS copies the method for a domain where the objects are unstable (techniques mutate with every model update), infinite (the input space is natural language) and often unobservable (62% of organizations cannot see their own AI usage). The taxonomic method requires all three properties. ATLAS possesses none.

Schneier has demonstrated that LLM insecurity is architectural, not accidental. Data and commands share the same channel. This flaw produces an infinite attack space that cannot be blocked as a class. Cataloging an infinite space remains a contradiction in terms, regardless of the number of contributors.

OpenClaw uses ATLAS as its official threat model. 47 adversarial scenarios tested. 17% defense rate. Mapping techniques onto a framework does not produce resistance to attacks. OWASP knows this and says so. ATLAS ignores it and catalogs. And when Mythos arrives, the first AI threat capable of autonomously finding and exploiting zero-days at a scale that exceeds human capabilities, neither Anthropic, nor CISA, nor the CSA, nor the UK AISI mentions ATLAS. 84 techniques, 42 case studies, five updates in six months. The threat materializes. The framework is absent.

The eldest stood but saw only a fifth of the field³. The middle child dressed up patents as countermeasures⁴. The youngest should never have been born. It applies the only method MITRE knows to a domain that method cannot address, from an institution that has abandoned the very mission the framework is supposed to serve, with half a documented case per technique. Innsmouth had its inhabitants, who collaborated with the entity believing they controlled it. The industry welcomes ATLAS because it looks like ATT&CK. The resemblance is the trap.


Sixteenth article in a series on the structural flaws of Western cybersecurity (articles 1-5 in French).


References

¹ MITRE ATLAS CHANGELOG. v5.1.0 (November 2025): 16 tactics, 84 techniques, 56 sub-techniques, 32 mitigations, 42 case studies. v5.4.0 (February 2026): agent-focused techniques including "Publish Poisoned AI Agent Tool" and "Escape to Host." Vectra AI, "MITRE ATLAS: 16 tactics and 84 techniques for AI security" https://www.vectra.ai/topics/mitre-atlas

² MITRE (October 2024). "MITRE Launches AI Incident Sharing Initiative." Center for Threat-Informed Defense, Secure AI project. 100+ contributing organizations including CrowdStrike, Booz Allen Hamilton, Fujitsu, Citigroup, FS-ISAC. https://www.mitre.org/news-insights/news-release/mitre-launches-ai-incident-sharing-initiative

³ See "Now You See Me" in this series: ATT&CK, 21% SIEM coverage, survivorship bias, five-year stagnation. https://www.klaerenn.com/now-you-see-me/

⁴ See "The Prestige" in this series: D3FEND, patent corpus, no effectiveness measurement, "may-counter" relationships. https://www.klaerenn.com/the-prestige/

⁵ Schneier, B. (May 2024). "LLMs' Data-Control Path Insecurity." Communications of the ACM. https://www.schneier.com/essays/archives/2024/05/llms-data-control-path-insecurity.html

⁶ Raghavan, B. & Schneier, B. (October 2025). "Agentic AI's OODA Loop Problem." IEEE Security & Privacy. https://www.schneier.com/blog/archives/2025/10/agentic-ais-ooda-loop-problem.html

⁷ Radware (January 2026). ZombieAgent: attack on ChatGPT persistent memory, character-by-character exfiltration. Via Ars Technica. https://arstechnica.com/security/2026/01/chatgpt-falls-to-new-data-pilfering-attack-as-a-vicious-cycle-in-ai-continues/

⁸ PromptArmor (January 2026). Superhuman AI: sensitive email exfiltration via prompt injection and pre-filled Google Form in Markdown image. https://www.promptarmor.com/resources/superhuman-ai-exfiltrates-emails

⁹ SecurityWeek / Endor Labs / Socket (February 2026). SANDWORM_MODE: MCP poisoning of AI coding assistants, Ollama-based polymorphism. https://www.securityweek.com/new-sandworm_mode-supply-chain-attack-hits-npm/

¹⁰ Zero Day Initiative, ZDI-26-124 / CVE-2025-15060 (February 2026). claude-hovercraft, command injection, CVSS 9.8. http://www.zerodayinitiative.com/advisories/ZDI-26-124/

¹¹ See "Pitch Black" in this series: eight NIST degradation vectors, AISI to CAISI pivot, MITRE: 440 employees laid off, $28M in contracts canceled, CVE program near-extinction, NVD universal enrichment abandoned April 2026. https://www.klaerenn.com/pitch-black/

¹² See "Soylent Green" in this series: ties between cybersecurity vendors and the intelligence community. https://www.klaerenn.com/soylent-green/

¹³ Harness (2025). Survey of 500 security practitioners (US, UK, France, Germany): 62% have no way of knowing where LLMs are used in their organization. Via VentureBeat, January 2026. https://venturebeat.com/security/seven-steps-to-ai-supply-chain-visibility

¹⁴ Krawczyk, N., Szczepkowski, M., Brodzik, A. & Bocianiak, K. (March 2026). "Cyber Threat Intelligence for Artificial Intelligence Systems." arXiv:2603.05068. https://arxiv.org/abs/2603.05068

¹⁵ OWASP (2025). "Top 10 for Large Language Model Applications 2025." LLM01:2025, Prompt Injection. https://genai.owasp.org/llm-top-10/

¹⁶ MITRE (February 2026). "MITRE ATLAS: OpenClaw Investigation." 7 new techniques identified. Center for Threat-Informed Defense. https://www.mitre.org/news-insights/publication/mitre-atlas-openclaw-investigation

¹⁷ OpenClaw (February 2026). Official Threat Model built on MITRE ATLAS. https://docs.openclaw.ai/security/THREAT-MODEL-ATLAS

¹⁸ "Don't Let the Claw Grip Your Hand: A Security Analysis and Defense Framework for OpenClaw" (March 2026). arXiv:2603.10387. 47 adversarial scenarios, 17% average defense rate. https://arxiv.org/html/2603.10387v1

¹⁹ NBC News (April 2026). Anthropic briefed CISA and CAISI on Mythos Preview offensive and defensive capabilities. CISA and NIST did not respond to requests for comment. https://www.nbcnews.com/tech/security/anthropic-project-glasswing-mythos-preview-claude-gets-limited-release-rcna267234

²⁰ Anthropic (April 7, 2026). Project Glasswing announcement. 11 founding partners + 40 organizations, $100M in credits, $4M in open-source donations. https://www.anthropic.com/glasswing

²¹ CSO Online (April 2026). CSA briefing "The AI Vulnerability Storm" with Jen Easterly, Bruce Schneier, Chris Inglis, Phil Venables, 250+ CISOs. UK AISI: 32-step network attack simulation, full autonomous takeover by Mythos. https://www.csoonline.com/article/4158117/anthropics-mythos-signals-a-structural-cybersecurity-shift.html

²² Schneier, B. (April 13, 2026). "On Anthropic's Mythos Preview and Project Glasswing." "This is very much a PR play by Anthropic, and it worked." https://www.schneier.com/blog/archives/2026/04/on-anthropics-mythos-preview-and-project-glasswing.html

²³ Arnav.au (April 2026). Project Glasswing compromised within 14 hours of the April 7 public announcement, via OpSec failure chain (unsecured CMS, contractor data leak, insufficiently scoped vendor credentials). https://arnav.au/2026/04/29/anthropic-mythos-ai-breach-2026/