An open standard for the

AI agent era.

Detect prompt injection, tool poisoning, and agent privilege escalation before unauthorized action. The way Sigma is for SIEM. ATR is for AI agents. MIT forever.

421 rules·8 categories·97.1% garak recall

Integrate ATR Explore Rules

In production:Cisco AI Defense·Microsoft AGT|Integrating:NVIDIA garak·Gen Digital Sage·IBM mcp-context-forge|MIT License · Maintained by ATR Community

Why a new standard

Endpoint detection standards
cannot see AI agent behavior.

Old era

Sigma · YARA · CVE

Built for endpoint event logs, file binaries, and software vulnerability IDs. They watch code, not intent.

New surface

AI Agent behavior

Prompt injection, tool poisoning, skill compromise, context exfiltration — attacks live at the prompt / tool call / skill layer, not at process / file / network.

New standard

ATR

Protocol-agnostic behavioral detection rules. Watches what an agent does, not just what it runs. MIT forever. Community governed.

Before Sigma became the open standard for SIEM detection in 2017, every SOC wrote its own rules. Before CVE in 1999, every vendor numbered its own vulnerabilities. The detection layer for the AI agent era sits in the same position right now — not yet standardized. ATR fills the gap.

00,000

skills scanned — the largest AI agent security scan ever conducted

751

malicious AI agent skills.
Three coordinated threat actors.
The largest AI agent malware campaign ever documented.

hightower6eu

354

Solana / Google Workspace disguise

sakaen736jih

212

C2 server at 91.92.242.30

52yuanchangxing

137

Fake dev tools + npm typosquatting

ATR found these threat actors scanning 96,096 skills across six registries — ClawHub, OpenClaw, Skills.sh, and three others. All 751 blacklisted and reported to NousResearch.

Read the full research report →

Adopted by

Cisco AI Defense

PR #79 + #99 merged · full 330-rule pack in skill-scanner production

View PR #99 →

Microsoft AGT

PR #908 + #1277 merged · 287 rules + weekly auto-sync workflow

View PR #1277 →

Integrations in active review: NVIDIA garak #1676 · Gen Digital Sage #33 · IBM mcp-context-forge #4109 · OWASP LLM Top 10 #814

The Numbers

421

detection rules

8 threat categories

66.2%

HackAPrompt recall

4,780 adversarial samples

99.7%

PINT precision (0.25% FP)

850 samples

23K

npm

monthly downloads (30d)

In production

Microsoft Agent Governance Toolkit · Cisco AI Defense

Merged PRs, deployed in production

Integrating

NVIDIA garak · MISP taxonomies + galaxy · OWASP A-S-R-H · NIST OSCAL Path 1

Under review or accepted

Production loop — case study

Microsoft's own autonomous AI engineer treats ATR as built-in.

2026-05-07

CVE disclosed

MSRC publishes Semantic Kernel CVE-2026-26030 + CVE-2026-25592

2026-05-11 06:07 UTC

Microsoft Copilot opens PR

Microsoft Copilot SWE Agent opens AGT#1981 with regression-test fixtures presuming ATR detection coverage

2026-05-11 08:24 UTC

ATR v2.1.2 ships

ATR-2026-00440 + ATR-2026-00441 published on npm. CVE disclosure to rule publish: 2h 16m

This was not a manually arranged integration. Microsoft's autonomous AI engineer opened the PR assuming ATR coverage existed — and the assumption was correct. Rules were validated and published within 2h 16m.

View AGT#1981 →

An open invitation

Every democratic nation is building sovereign AI.
None are building sovereign AI defense.

India, Japan, UK, France, Korea, UAE, and Taiwan are all shipping sovereign AI models and compute. None of these deployments include a corresponding defense layer. If this gap is not filled by an open standard, it will be filled by closed solutions, geopolitically-tied private agreements, or by adversaries first.

We invite digital ministries, AI safety institutes, and standards bodies to evaluate ATR as the open foundation for your sovereign AI defense layer.

No vendor lock-in. No geopolitical strings. Forkable, replaceable, accountable. First reference deployment in discussion. We are seeking conversation partners across democracies.

[email protected]·Read the full manifesto →

What ATR Detects

8 threat categories.
421 rules. Real CVEs.

Prompt Injection

169 rules

Hijacking agent behavior through crafted inputs

Agent Manipulation

105 rules

Social engineering and behavioral manipulation of agents

Context Exfiltration

41 rules

Stealing conversation context and sensitive data

Skill Compromise

36 rules

Malicious or vulnerable MCP skills and SKILL.md

Tool Poisoning

33 rules

Poisoned tool descriptions and malicious tool responses

Model-Level Attacks

15 rules

Attacks on the LLM itself — behavior extraction, adversarial fine-tuning, poisoned training data

Privilege Escalation

14 rules

Unauthorized elevation of agent capabilities

Excessive Autonomy

8 rules

Agents exceeding intended operational boundaries

Browse all rules + YAML details →

Already in Production

Cisco AI Defense
ships 34 ATR rules
as upstream.

Their engineer submitted a PR. We reviewed it. Merged in 3 days. 1,272 additions. Then they built a CLI specifically to consume ATR rules.

View PR #79 on GitHub →

Microsoft AGT merged 15 ATR rules.

Adapted as PolicyDocument, AGT's native policy format. 554 additions.

View PR #908 on GitHub →

rules merged

Cisco AI Defense

421

detection rules

across 8 categories

96,096

skills scanned

across registries

11/30

ecosystem PRs

merged

Standards Coverage

OWASP Agentic

10/10

Full coverage

SAFE-MCP

91.8%

78/85 techniques

OWASP AST10

7/10

3 are process-level

PINT F1

76.7

850 samples

Frameworks tell you threats exist. ATR tells you how to detect them. ATR is to MITRE ATLAS what Sigma rules are to ATT&CK.

View full coverage mapping →

THREAT CRYSTALLIZATION

Every attack makes everyone safer.

Threat Cloud works like an immune system. When the LLM semantic layer (adaptive immunity) catches a novel attack, it crystallizes the detection logic into a regex rule (innate immunity) — turning a $0.001 / 500ms inference into a $0 / 5ms pattern match. 926 threat reports produced 42 crystallized rules. The 4.5% crystallization rate means 95.5% of threats are already covered by existing rules.

The flywheel is already turning. The 96,096-skill scan discovered 751 malware, triggered crystallization, and new rules re-scanned the ecosystem — a self-reinforcing loop.

Detect1/5

Global Sensors

Endpoints report suspicious patterns via ATR Reporter

More endpoints = more data = stronger rules

926

threat reports

crystallized rules

4.5%

crystallization rate

<48h

detect to deploy

More endpoints = more data = stronger rules

Integrate ATR.

One command. Instant results.

$ npx agent-threat-rules scan .

# results

3 SKILL.md scanned

12 tool descriptions checked

1 CRITICAL: credential theft

rule ATR-2026-00121

Done in 47ms.

TypeScript, Python, Raw YAML, SIEM converters. Four integration paths.

Integration Guide View Threat Feed

AI agent era.

Endpoint detection standardscannot see AI agent behavior.

malicious AI agent skills.Three coordinated threat actors.The largest AI agent malware campaign ever documented.

Cisco AI Defense

Microsoft AGT

Microsoft's own autonomous AI engineer treats ATR as built-in.

Every democratic nation is building sovereign AI.None are building sovereign AI defense.

8 threat categories. 421 rules. Real CVEs.

Cisco AI Defense ships 34 ATR rules as upstream.

Microsoft AGT merged 15 ATR rules.

Every attack makes everyone safer.

Integrate ATR.

Endpoint detection standards
cannot see AI agent behavior.

malicious AI agent skills.
Three coordinated threat actors.
The largest AI agent malware campaign ever documented.

Every democratic nation is building sovereign AI.
None are building sovereign AI defense.

8 threat categories.
421 rules. Real CVEs.

Cisco AI Defense
ships 34 ATR rules
as upstream.