
Agent threats, classified.

AAT-T* (AEGIS Agent Threat) is our ontology of attacks against LLM-driven agents: 10 tactics, each broken into 4 techniques. MITRE ATT&CK for AI tools, basically. Every AEGIS detector is mapped to one or more AAT-T* technique IDs, so customers can audit exactly which techniques a deployment detects and where the coverage gaps are.

T1 Indirect Prompt Injection

  • T1001 Embedded instruction in retrieved doc
  • T1002 Zero-width unicode steganography
  • T1003 Multilingual prompt-injection
  • T1004 Tool result poisoning (server-side)

T2 Override / Jailbreak

  • T2001 Ignore-previous-instructions
  • T2002 Persona hijack (DAN / GPT-99)
  • T2003 Roleplay escape
  • T2004 Filter-suspend request

T3 System-prompt Exfiltration

  • T3001 Verbatim system-prompt repeat
  • T3002 Translate-to-other-language leak
  • T3003 Bracket-marker leak (<system>...)
  • T3004 Function-spec leak

T4 Tool Abuse

  • T4001 Destructive SQL (DROP/TRUNCATE)
  • T4002 Shell with sensitive path access
  • T4003 Hijacked email recipient
  • T4004 Outbound to attacker URL

T5 Sensitive Context Exfiltration

  • T5001 PII relay (internal → external tool)
  • T5002 Secret in argument (api keys, tokens)
  • T5003 Encrypted-channel exfiltration
  • T5004 Slow-drip exfiltration (rate-limit evasion)

T6 Memory Poisoning

  • T6001 Vector-store inject (RAG corpus)
  • T6002 Long-term memory inject
  • T6003 Conversation history rewrite
  • T6004 Cache poisoning

T7 Discovery / Recon

  • T7001 Tool enumeration probe
  • T7002 Credential discovery (env / FS scan)
  • T7003 Workflow topology probe
  • T7004 Rate-limit / quota probe

T8 Resource Abuse

  • T8001 Token-quota exhaustion (cost attack)
  • T8002 Tool-call fan-out (DoS via agent)
  • T8003 Long-context inflation
  • T8004 Recursive agent invocation

T9 Output Tampering

  • T9001 Misformat as legitimate JSON
  • T9002 Hallucinated citation injection
  • T9003 Misleading user-facing response
  • T9004 Function-call argument spoofing

T10 Multi-agent Collusion

  • T10001 Cross-agent trust abuse
  • T10002 Session / token replay across agents
  • T10003 Sensitive-data relay (A→B→external)
  • T10004 Handoff burst (A→B floods cycle)

Coverage map

Each detector in AEGIS declares the AAT-T* technique IDs it claims to catch. The cockpit's /coverage page renders this as a per-deployment heat-map (one cell per technique, coloured by how many detectors cover it); the REST endpoint at GET /api/v1/ontology/coverage emits the same data in a form that drops straight into procurement spreadsheets.

Want to compare AEGIS with another guardrail vendor? Map their equivalent claims onto the same technique IDs, intersect each vendor's set with the 40 IDs, and the gaps fall out: whatever neither set covers is uncovered for both, and whatever only one covers is that vendor's differentiator.

Versioning

AAT-T* v1 freezes the 10 × 4 = 40 technique IDs. New techniques land in v2 with new IDs; existing IDs never shift meaning. Customers can pin detector → technique mappings to the major version for compliance reports.
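The coverage audit and the version pinning described above, as an added example that is not AEGIS code: it generates the 40 frozen v1 technique IDs from the tactic numbers (ID format T<tactic><3-digit technique>, as used in the list above), rejects any detector mapping that references an ID outside the pinned version, computes the per-tactic heat-map counts, lists the uncovered techniques, and diffs two vendors' claims by intersecting each with the v1 ID set. The detector names and the competitor's claims are constructed sample data, not real AEGIS or third-party mappings.

```python
"""Coverage-gap audit over the AAT-T* v1 technique IDs.

Added example, not AEGIS code. The detector -> technique mapping and the
competitor's claims below are constructed sample data; only the ID format
(T<tactic><001..004>) and the 10 tactic names come from the ontology page.
"""
from collections import Counter

TACTICS = {
    1: "Indirect Prompt Injection", 2: "Override / Jailbreak",
    3: "System-prompt Exfiltration", 4: "Tool Abuse",
    5: "Sensitive Context Exfiltration", 6: "Memory Poisoning",
    7: "Discovery / Recon", 8: "Resource Abuse",
    9: "Output Tampering", 10: "Multi-agent Collusion",
}


def v1_technique_ids():
    """All 40 frozen v1 IDs: T<tactic><001..004>, e.g. T1001 and T10004."""
    return {f"T{t}{n:03d}" for t in TACTICS for n in range(1, 5)}


def tactic_of(tid):
    """Tactic number of an ID: drop the leading 'T' and the 3-digit technique suffix."""
    return int(tid[1:-3])


def validate_mapping(mapping, known=None):
    """Detector -> IDs it claims that are not in the pinned version.

    Under v1 pinning such IDs are typos or v2 IDs; they must not count as coverage
    in a compliance report, so they are surfaced instead of silently dropped.
    """
    known = known or v1_technique_ids()
    return {det: sorted(set(ids) - known)
            for det, ids in mapping.items() if set(ids) - known}


def covered_techniques(mapping, known=None):
    """Union of every detector's claims, intersected with the pinned ID set."""
    known = known or v1_technique_ids()
    return {tid for ids in mapping.values() for tid in ids if tid in known}


def coverage_by_tactic(mapping):
    """Heat-map counts: tactic number -> how many of its 4 techniques have >= 1 detector."""
    counts = Counter(tactic_of(t) for t in covered_techniques(mapping))
    return {t: counts.get(t, 0) for t in TACTICS}


def gaps(mapping, known=None):
    """Pinned IDs no detector claims, ordered by tactic then ID."""
    known = known or v1_technique_ids()
    return sorted(known - covered_techniques(mapping), key=lambda t: (tactic_of(t), t))


def compare_vendors(ours, theirs):
    """Intersect both vendors' claims with the v1 IDs, then diff the two sets."""
    known = v1_technique_ids()
    a = covered_techniques(ours, known)
    b = covered_techniques(theirs, known)
    return {"only_ours": sorted(a - b),
            "only_theirs": sorted(b - a),
            "neither": sorted(known - a - b)}


# Constructed sample data: hypothetical detector names and claimed technique IDs.
AEGIS_DETECTORS = {
    "doc_injection_scanner": ["T1001", "T1002", "T1003"],
    "jailbreak_classifier": ["T2001", "T2002", "T2003", "T2004"],
    "sysprompt_leak_guard": ["T3001", "T3002", "T3003"],
    "sql_tool_policy": ["T4001"],
    "egress_policy": ["T4004", "T5001", "T5002", "T10003"],
    "memory_write_guard": ["T6001", "T6002"],
    "budget_enforcer": ["T8001", "T8002", "T8004"],
    "experimental_detector": ["T8005"],  # not a v1 ID: rejected under v1 pinning
}
OTHER_VENDOR = {  # constructed, not a real vendor's claims
    "prompt_shield": ["T1001", "T2001", "T2002", "T3001"],
    "pii_filter": ["T5001"],
}

if __name__ == "__main__":
    print("invalid claims:", validate_mapping(AEGIS_DETECTORS))
    print("per-tactic coverage:", coverage_by_tactic(AEGIS_DETECTORS))
    print("uncovered techniques:", gaps(AEGIS_DETECTORS))
    print("vs other vendor:", compare_vendors(AEGIS_DETECTORS, OTHER_VENDOR))
```

Because the ID set is generated from the frozen v1 layout rather than typed in, a mapping pinned to v1 cannot accidentally count a v2 technique as covered; when v2 lands, the same audit runs against a v2 generator with the new IDs added and the v1 IDs unchanged.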
