This framework translates the first generation of documented AI security incidents into a six-domain operating model that security teams can act on in 90 days. Every control traces to a named public standard. Every threat traces to a primary source. No speculation.
In November 2025, Anthropic disclosed GTG-1002 — the first publicly reported AI-orchestrated cyber espionage campaign. A Chinese state-sponsored actor used Claude Code as an autonomous execution engine, completing 80–90% of tactical operations without human input across approximately 30 organizations.
Existing frameworks covered adversarial ML in theory. None provided a practitioner-ready operating model for what to actually do when an AI agent is the attacker. This framework fills that gap by mapping the incident to six defensive domains and anchoring each domain to standards teams already use.
The threat model covers both directions simultaneously. Most frameworks address only one.
Attackers using AI as a weapon against your organization. The threat progresses from AI-as-content-tool (deepfakes, phishing) through AI-as-coding-assistant and AI-as-runtime-malware-component to AI-as-autonomous-orchestrator.
Attacks on your own AI systems — models, agents, and the supply chain beneath them. Includes prompt injection, agentic-platform CVEs, MCP supply-chain RCE, and AI infrastructure exploitation.
The framework is an operating model, not a maturity model. The intent is a concrete 90-day execution plan, not a score. Each domain owns a set of controls that a named team can begin implementing with existing tools and authority.
Map AI risk to an established framework. AI risk is a governance event before it is a technical event.
Use named public catalogues — MITRE ATLAS, OWASP LLM, OWASP Agentic — so the SOC and audit speak one language.
The agent runtime is the new perimeter. Treat it like a privileged-access workstation.
The AI agent is a non-human privileged identity. Govern it like a service account.
Model-agnostic detection at the action layer, not the model layer. Effective regardless of which foundation model is in use.
Buy against named benchmarks. Reject vendor self-evaluation as the primary evidence.
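As an added illustration of the action-layer detection principle above (this is example code, not code from the framework or from any product or standard it cites), the following Python scores constructed agent tool-call records on what the agent did and how much of it ran without a human approval gate, then shows that the verdict does not change when the underlying model is swapped. The tool names, category mapping, thresholds and sample records are all assumptions made for this example.

```python
"""Model-agnostic detection at the action layer.

Each record is one tool call executed by an agent runtime. The detector
reasons only about the action (tool, target, approval gate), never about
which foundation model produced the instruction.
"""
from collections import Counter, defaultdict
from copy import deepcopy

# Assumed mapping from runtime tool names to coarse action categories.
# A real deployment would derive this from its own tool inventory.
TOOL_CATEGORY = {
    "shell_exec": "execution",
    "read_file": "file_read",
    "http_get": "network",
    "http_post": "network_egress",
    "db_query": "data_access",
}

# Assumed hints that a file read touches credential material.
CREDENTIAL_PATH_HINTS = (".aws/credentials", "id_rsa", "secrets")

# Assumed thresholds: egress size that counts as bulk, and the share of
# unapproved actions above which a session is treated as autonomous.
BULK_EGRESS_BYTES = 1_000_000
AUTONOMY_THRESHOLD = 0.8
HIGH_RISK = {"credential_access", "bulk_egress", "execution"}


def categorize(action):
    """Refine the coarse tool category using the action's target."""
    cat = TOOL_CATEGORY.get(action["tool"], "unknown")
    if cat == "file_read" and any(h in action["target"] for h in CREDENTIAL_PATH_HINTS):
        return "credential_access"
    if cat == "network_egress" and action.get("bytes_out", 0) >= BULK_EGRESS_BYTES:
        return "bulk_egress"
    return cat


def evaluate_session(actions):
    """Score one session: autonomy ratio plus high-risk categories touched."""
    total = len(actions)
    unapproved = sum(1 for a in actions if not a["human_approved"])
    ratio = unapproved / total if total else 0.0
    cats = Counter(categorize(a) for a in actions)
    risky = HIGH_RISK & set(cats)
    # Alert when the session is mostly unattended AND spans two or more
    # high-risk categories; either signal alone is common in benign use.
    alert = ratio >= AUTONOMY_THRESHOLD and len(risky) >= 2
    return {
        "alert": alert,
        "autonomy_ratio": round(ratio, 2),
        "risky_categories": sorted(risky),
        "total": total,
    }


def evaluate_log(records):
    """Group records by session and evaluate each one."""
    by_session = defaultdict(list)
    for r in records:
        by_session[r["session"]].append(r)
    return {sid: evaluate_session(acts) for sid, acts in by_session.items()}


def verdicts_independent_of_model(records):
    """True if replacing every 'model' field leaves all verdicts unchanged."""
    swapped = deepcopy(records)
    for r in swapped:
        r["model"] = "some-other-model"
    return evaluate_log(records) == evaluate_log(swapped)


# Constructed sample log: one routine session and one that runs almost
# entirely without approval while touching credentials, shell and bulk egress.
SAMPLE_ACTIONS = [
    {"session": "s-benign", "model": "vendor-a", "tool": "db_query", "target": "reports.monthly", "human_approved": True},
    {"session": "s-benign", "model": "vendor-a", "tool": "http_get", "target": "https://internal.example/status", "human_approved": False},
    {"session": "s-benign", "model": "vendor-a", "tool": "db_query", "target": "reports.quarterly", "human_approved": True},
    {"session": "s-benign", "model": "vendor-a", "tool": "read_file", "target": "/srv/app/README.md", "human_approved": False},
    {"session": "s-benign", "model": "vendor-a", "tool": "http_get", "target": "https://internal.example/health", "human_approved": True},
    {"session": "s-suspect", "model": "vendor-b", "tool": "read_file", "target": "/home/svc/.aws/credentials", "human_approved": False},
    {"session": "s-suspect", "model": "vendor-b", "tool": "shell_exec", "target": "uname -a", "human_approved": False},
    {"session": "s-suspect", "model": "vendor-b", "tool": "http_get", "target": "https://internal.example/api/users", "human_approved": False},
    {"session": "s-suspect", "model": "vendor-b", "tool": "read_file", "target": "/opt/app/config/secrets.yaml", "human_approved": False},
    {"session": "s-suspect", "model": "vendor-b", "tool": "db_query", "target": "customers.export", "human_approved": False},
    {"session": "s-suspect", "model": "vendor-b", "tool": "http_post", "target": "https://files.example.net/upload", "bytes_out": 5_000_000, "human_approved": False},
    {"session": "s-suspect", "model": "vendor-b", "tool": "shell_exec", "target": "hostname", "human_approved": False},
    {"session": "s-suspect", "model": "vendor-b", "tool": "http_get", "target": "https://internal.example/api/orders", "human_approved": True},
    {"session": "s-suspect", "model": "vendor-b", "tool": "db_query", "target": "customers.all", "human_approved": False},
    {"session": "s-suspect", "model": "vendor-b", "tool": "http_post", "target": "https://files.example.net/upload", "bytes_out": 8_000_000, "human_approved": False},
]

if __name__ == "__main__":
    for sid, verdict in evaluate_log(SAMPLE_ACTIONS).items():
        print(sid, verdict)
    print("model-agnostic:", verdicts_independent_of_model(SAMPLE_ACTIONS))
```

The design choice worth noting is that the alert condition combines two weak signals (share of unattended actions, breadth of high-risk categories) rather than matching any single tool call, which is what keeps it independent of the model and robust to prompt wording; in practice the category mapping and thresholds would be tuned against the organization's own agent runtime telemetry.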
Each standard is mapped to the defensive domains it supports. All citations are primary sources. Where a document is a draft (NIST IR 8596) or post-consultation pending finalization (MAS AIRG, CSA Singapore Agentic Addendum), the framework includes an explicit draft disclaimer.
Every named threat in the catalog is classified by evidence quality. The framework never presents a proof-of-concept alongside a confirmed incident without a clear visual distinction. No speculation is included regardless of how widely cited it is in vendor marketing materials.
Attributed by the disclosing vendor or government authority. Independently corroborated where possible. In-the-wild deployment confirmed.
Examples: GTG-1002 (Anthropic, Nov 2025) · LAMEHUG (CERT-UA + Cato CTRL, Jul 2025) · EchoLeak CVE-2025-32711 (NVD)
Disclosed by a single credible source or not yet independently corroborated. Attribution may be preliminary. Single-source items are explicitly flagged.
Examples: PROMPTFLUX (Google GTIG Nov 2025, flagged as in-development) · Mexican government Claude jailbreak (Gambit/Bloomberg, single-source)
Academic or security-research demonstration. Not deployed in the wild. Included for taxonomic completeness only — never presented alongside confirmed incidents without a clear PoC badge.
Examples: Agent Session Smuggling A2A (Palo Alto Unit 42) · NYU PromptLock research
Senior cybersecurity and technical sales leader with over 20 years of experience across the APAC and AMEA regions. Former Regional Technical Director at Trend Micro, covering Sales Engineering and Customer Success across 14+ markets.
Expertise spans Threat Intelligence, XDR, AI-integrated security operations, and CISO advisory. Has delivered executive briefings, EBC sessions, and keynotes for security leaders across Southeast Asia. Chaired the Cloud Security Alliance Malaysia Chapter. Has appeared on Bloomberg and BFM Radio.
This framework was built to close the gap between how the industry talks about AI security threats and what security teams can actually do about them in the next 90 days. It is updated as new named incidents are validated and sourced.
The threat diagram presents five lenses, three dimensional filters and 17 named threats, and can be focused on a single incident to show which defensive domains apply.