Sigma is for SIEM. YARA is for malware.

ATR is for AI agents.

An open, versioned, machine-readable detection rule format for AI agent security threats. Any conforming engine can evaluate it. Community-maintained, MIT licensed.

427 rules·8 categories·97.1% garak recall

Read the spec Browse rules Submit a rule

Standards bodies:MISP / CIRCL·OWASP A-S-R-H·NIST AI RMF (OSCAL)·OpenTelemetry

In production:Cisco AI Defense·Microsoft AGT·Gen Digital Sage

MIT License · Maintained by ATR Community · Spec v1.0 stable

Why a new standard

Endpoint detection standards
cannot see AI agent behavior.

Old era

Sigma · YARA · CVE

Built for endpoint event logs, file binaries, and software vulnerability IDs. They watch code, not intent.

New surface

AI Agent behavior

Prompt injection, tool poisoning, skill compromise, context exfiltration — attacks live at the prompt / tool call / skill layer, not at process / file / network.

New standard

ATR

Protocol-agnostic behavioral detection rules. Watches what an agent does, not just what it runs. MIT forever. Community governed.

Before Sigma became the open standard for SIEM detection in 2017, every SOC wrote its own rules. Before CVE in 1999, every vendor numbered its own vulnerabilities. The detection layer for the AI agent era sits in the same position right now — not yet standardized. ATR fills the gap.

00,000

skills scanned — the largest AI agent security scan ever conducted

751

malicious AI agent skills.
Three coordinated threat actors.
The largest AI agent malware campaign ever documented.

hightower6eu

354

Solana / Google Workspace disguise

sakaen736jih

212

C2 server at 91.92.242.30

52yuanchangxing

137

Fake dev tools + npm typosquatting

ATR found these threat actors scanning 96,096 skills across six registries — ClawHub, OpenClaw, Skills.sh, and three others. All 751 blacklisted and reported to NousResearch.

Read the full research report →

Adopted by

Cisco AI Defense

PR #79 + #99 merged · full 330-rule pack in skill-scanner production

View PR #99 →

Microsoft AGT

PR #908 + #1277 merged · 287 rules + weekly auto-sync workflow

View PR #1277 →

Integrations in active review: NVIDIA garak #1676 · Gen Digital Sage #33 · IBM mcp-context-forge #4109 · OWASP LLM Top 10 #814

The Numbers

427

detection rules

8 threat categories

66.2%

HackAPrompt recall

4,780 adversarial samples

99.7%

PINT precision (0.25% FP)

850 samples

23K

npm

monthly downloads (30d)

In production

Cisco AI Defense · Microsoft AGT · Gen Digital Sage

Merged PRs, deployed in production

Standards bodies / in review

MISP/CIRCL (merged) · OWASP A-S-R-H (merged) · NIST AI RMF (community OSCAL · oscal-content#333 in review) · OpenTelemetry GenAI SIG (#165 in review)

Two merged, two under maintainer review

Production loop — case study

Microsoft's own autonomous AI engineer treats ATR as built-in.

2026-05-07

CVE disclosed

MSRC publishes Semantic Kernel CVE-2026-26030 + CVE-2026-25592

2026-05-11 06:07 UTC

Microsoft Copilot opens PR

Microsoft Copilot SWE Agent opens AGT#1981 with regression-test fixtures presuming ATR detection coverage

2026-05-11 08:24 UTC

ATR v2.1.2 ships

ATR-2026-00440 + ATR-2026-00441 published on npm. CVE disclosure to rule publish: 2h 16m

This was not a manually arranged integration. Microsoft's autonomous AI engineer opened the PR assuming ATR coverage existed — and the assumption was correct. Rules were validated and published within 2h 16m.

View AGT#1981 →

An open invitation

Every democratic nation is building sovereign AI.
None are building sovereign AI defense.

India, Japan, UK, France, Korea, UAE, and Taiwan are all shipping sovereign AI models and compute. None of these deployments include a corresponding defense layer. If this gap is not filled by an open standard, it will be filled by closed solutions, geopolitically-tied private agreements, or by adversaries first.

We invite digital ministries, AI safety institutes, and standards bodies to evaluate ATR as the open foundation for your sovereign AI defense layer.

No vendor lock-in. No geopolitical strings. Forkable, replaceable, accountable. First reference deployment in discussion. We are seeking conversation partners across democracies.

[email protected]·Read the full manifesto →

What ATR Detects

8 threat categories.
427 rules. Real CVEs.

Prompt Injection

169 rules

Hijacking agent behavior through crafted inputs

Agent Manipulation

105 rules

Social engineering and behavioral manipulation of agents

Context Exfiltration

41 rules

Stealing conversation context and sensitive data

Skill Compromise

38 rules

Malicious or vulnerable MCP skills and SKILL.md

Tool Poisoning

36 rules

Poisoned tool descriptions and malicious tool responses

Privilege Escalation

15 rules

Unauthorized elevation of agent capabilities

Model-Level Attacks

15 rules

Attacks on the LLM itself — behavior extraction, adversarial fine-tuning, poisoned training data

Excessive Autonomy

8 rules

Agents exceeding intended operational boundaries

Browse all rules + YAML details →

Already in Production

Cisco AI Defense
ships the full ATR rule pack
as skill-scanner upstream.

On 2026-04-03 their engineer submitted PR #79 with a 34-rule PoC and it merged in 3 days. On 2026-04-22 the production PR #99 landed the full ATR rule pack inside Cisco AI Defense's skill-scanner. They built a --rule-packs CLI specifically to consume ATR as a first-class rule source.

PR #79 (PoC, 34 rules) →PR #99 (production, full pack) →

Microsoft Agent Governance Toolkit expanded from 15 to 287 ATR rules with a weekly auto-sync workflow.

PR #908 (2026-04-13) merged the 15-rule PolicyDocument PoC. PR #1277 (2026-04-26) brought it to 287 rules and added a workflow that auto-syncs ATR upstream releases every week.

PR #908 (PoC, 15 rules) →PR #1277 (production, 287 rules + auto-sync) →

Gen Digital Sage ships the full ATR rule pack in the Sage agentic-AI risk-scoring layer (Norton/Avast/LifeLock parent).

Merged 2026-05-11. The Sage platform — under the Norton/Avast/LifeLock parent — uses ATR rules as the substrate for its agentic-AI security scoring.

PR #33 →

Standards bodies referencing ATR

MISP / CIRCL

Taxonomy + Galaxy merged 2026-05-10

OWASP A-S-R-H

Merged 2026-05-11

NIST AI RMF (OSCAL)

Community catalog published · oscal-content#333 in review

OpenTelemetry GenAI SIG

agent.threat.detection.* in review

Fortune-500 deployments

Cisco · Microsoft · Gen Digital

427

detection rules

across 8 categories

96,096

skills scanned

across registries

11/30

ecosystem PRs

merged

Standards Coverage

OWASP Agentic

10/10

Full coverage

SAFE-MCP

91.8%

78/85 techniques

OWASP AST10

7/10

3 are process-level

PINT F1

76.7

850 samples

Frameworks tell you threats exist. ATR tells you how to detect them. ATR is to MITRE ATLAS what Sigma rules are to ATT&CK.

View full coverage mapping →

THREAT CRYSTALLIZATION

Every attack makes everyone safer.

Threat Cloud works like an immune system. When the LLM semantic layer (adaptive immunity) catches a novel attack, it crystallizes the detection logic into a regex rule (innate immunity) — turning a $0.001 / 500ms inference into a $0 / 5ms pattern match. 926 threat reports produced 42 crystallized rules. The 4.5% crystallization rate means 95.5% of threats are already covered by existing rules.

The flywheel is already turning. The 96,096-skill scan discovered 751 malware, triggered crystallization, and new rules re-scanned the ecosystem — a self-reinforcing loop.

Detect1/5

Global Sensors

Endpoints report suspicious patterns via ATR Reporter

More endpoints = more data = stronger rules

926

threat reports

crystallized rules

4.5%

crystallization rate

<48h

detect to deploy

More endpoints = more data = stronger rules

Integrate ATR.

One command. Instant results.

$ npx agent-threat-rules scan .

# results

3 SKILL.md scanned

12 tool descriptions checked

1 CRITICAL: credential theft

rule ATR-2026-00121

Done in 47ms.

TypeScript, Python, Raw YAML, SIEM converters. Four integration paths.

Integration Guide View Threat Feed