About ATR

An open standard.
Started by one maintainer.

ATR is the open detection standard for AI agent security threats. This page explains why it exists, how it works, and who maintains it.

Mission

ATR provides executable detection rules for AI agents. Other frameworks — MITRE ATLAS, OWASP Agentic, NIST AI RMF — categorize threats and define risk management processes. ATR provides the detection rules that operate on real agent artifacts: SKILL.md files, MCP tool descriptions, agent configs. ATR is to MITRE ATLAS what Sigma rules are to ATT&CK.

Rules are published under MIT license in YAML format on GitHub. Anyone may integrate, modify, or contribute upstream. There are no paid features. There is no vendor lock-in.

History
  1. 2026-03-09
    ATR founded · v0.1.0 released

    29 rules across 9 threat categories, TypeScript engine, 325 passing tests.

  2. 2026-04-03
    Cisco AI Defense merges 34 rules (PR #79)

    First enterprise adoption. 1,272 additions, merged one day after submission.

  3. 2026-04-06
    v1.0.0 released

    Coverage milestone: OWASP Agentic 10/10, SAFE-MCP 91.8%, PINT F1 76.7.

  4. 2026-04-13
    Microsoft AGT merges 15 rules (PR #908)

    Second enterprise adoption. 554 additions, adapted as PolicyDocument.

  5. 2026-04-14
    Mass malware campaign research published

    Scanned 96,096 skills across five registries. Documented 751 malicious skills from three coordinated threat actors. Notified NousResearch via issue #9809.

  6. 2026-04-15
    v2.0.0 released

    113 detection rules across 8 categories. Full coverage mapping to MITRE ATLAS, OWASP Agentic, OWASP LLM, and OWASP AST.

  7. 2026-04-21
    v2.0.11 · NVIDIA garak coverage

    193 new rules covering the full NVIDIA garak probe corpus (311 total). garak in-the-wild jailbreak benchmark recall: 97.1% (646/666).

  8. 2026-04-22
    Cisco AI Defense production rollout (PR #99)

    Follow-up production PR after the 34-rule PoC. Lands the full ATR rule pack inside Cisco AI Defense's skill-scanner. ATR now ships in two Cisco production paths: rule-packs CLI and skill-scanner.

  9. 2026-04-26
    Microsoft AGT 287-rule expansion + weekly auto-sync (PR #1277)

    Follow-up to PR #908's 15-rule PoC. Adds 272 more rules (287 total) and a workflow that auto-syncs ATR upstream releases every week. First standards-grade auto-sync pipeline.

  10. 2026-05-10
    MISP / CIRCL taxonomy + galaxy merged

    Alexandre Dulaunoy (CIRCL) merged ATR rule-ID taxonomy (misp-taxonomies #323) and threat-intel galaxy (misp-galaxy #1207) into MISP's core distribution. First neutral standards-body adoption.

  11. 2026-05-11
    OWASP Agent Security Regression Harness (#74) + Gen Digital Sage (#33) both merged

    OWASP Foundation's regression-harness project references ATR as its canonical agent-threat detection ruleset (PR #74, merged by Mert Satilmaz). On the same day, Gen Digital (Norton / Avast / LifeLock parent) merged the full ATR rule pack into the Sage agentic-AI risk-scoring layer (PR #33).

  12. 2026-05-22
    ATR website standards-form rewrite

    Hero, footer, and information architecture rewritten to match peer-format positioning (Sigma / YARA / ATT&CK / NIST AI RMF). Integration intake pipeline shipped: structured issue form, auto-triage workflow, ADOPTERS.md as machine-readable source of truth.

Governance

All rule changes are submitted and reviewed via public GitHub pull requests. Adoption criteria include: clear description, test cases covering true and false positives, schema compliance, and no conflict with existing rules.

Rules use CVE/CWE-style identifiers (ATR-YYYY-NNNNN). IDs never change after publication. Rules may be revised (rule_version++), but the ID remains stable — safe for external documentation, academic citations, and CI scripts to reference.
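The ID policy above is the kind of invariant a CI script can enforce on a pull request: every rule ID must have the ATR-YYYY-NNNNN shape, a revision keeps its ID and increments rule_version, and a new rule must not reuse a published ID. The following is an added example written for this page, not the project's own tooling; the field names `id` and `rule_version`, the in-memory dictionaries standing in for parsed YAML, and the sample rule values are all constructed assumptions.

```python
import re
from typing import Dict, List

# CVE/CWE-style identifier shape described on the page: ATR-YYYY-NNNNN
# (four-digit year, five-digit sequence number, no other characters).
ATR_ID_PATTERN = re.compile(r"^ATR-(\d{4})-(\d{5})$")

# Constructed sample of already-published rules, as dictionaries standing in
# for parsed YAML. The field names `id` and `rule_version` are assumptions
# for this example, not the project's published schema.
PUBLISHED_RULES: List[Dict] = [
    {"id": "ATR-2026-00001", "rule_version": 1, "title": "sample rule A"},
    {"id": "ATR-2026-00002", "rule_version": 3, "title": "sample rule B"},
]


def is_valid_atr_id(rule_id: str) -> bool:
    """True when rule_id matches the ATR-YYYY-NNNNN shape exactly."""
    return ATR_ID_PATTERN.match(rule_id) is not None


def check_revision(published: Dict, proposed: Dict) -> List[str]:
    """Policy violations when `proposed` revises the already-published rule.

    An empty list means the revision is acceptable: same ID, version bumped.
    """
    problems: List[str] = []
    proposed_id = proposed.get("id", "")
    if not is_valid_atr_id(proposed_id):
        problems.append(f"malformed id {proposed_id!r}")
    if proposed_id != published["id"]:
        # IDs never change after publication; a renamed rule breaks every
        # external document, citation and CI script that references it.
        problems.append(f"id changed from {published['id']} to {proposed_id!r}")
    version = proposed.get("rule_version")
    if not isinstance(version, int) or version <= published["rule_version"]:
        problems.append(
            f"rule_version must be an integer greater than {published['rule_version']}"
        )
    return problems


def check_new_rule(published_rules: List[Dict], proposed: Dict) -> List[str]:
    """Policy violations when `proposed` is submitted as a brand-new rule."""
    problems: List[str] = []
    proposed_id = proposed.get("id", "")
    if not is_valid_atr_id(proposed_id):
        problems.append(f"malformed id {proposed_id!r}")
    if any(rule["id"] == proposed_id for rule in published_rules):
        # Reusing a published ID silently collides with an existing rule.
        problems.append(f"id {proposed_id} conflicts with an existing rule")
    version = proposed.get("rule_version")
    if not isinstance(version, int) or version < 1:
        problems.append("rule_version must be a positive integer")
    return problems


def check_pull_request(published_rules: List[Dict],
                       proposed_rules: List[Dict]) -> Dict[str, List[str]]:
    """Map each proposed rule ID to its violations (empty list = clean).

    A proposed rule whose ID is already published is treated as a revision;
    any other ID is treated as a new rule submission.
    """
    by_id = {rule["id"]: rule for rule in published_rules}
    report: Dict[str, List[str]] = {}
    for proposed in proposed_rules:
        proposed_id = proposed.get("id", "")
        if proposed_id in by_id:
            report[proposed_id] = check_revision(by_id[proposed_id], proposed)
        else:
            report[proposed_id] = check_new_rule(published_rules, proposed)
    return report


if __name__ == "__main__":
    # Constructed pull request: one valid revision, one valid new rule,
    # one revision that forgot to bump rule_version.
    pr = [
        {"id": "ATR-2026-00001", "rule_version": 2, "title": "sample rule A (revised)"},
        {"id": "ATR-2026-00003", "rule_version": 1, "title": "sample rule C"},
        {"id": "ATR-2026-00002", "rule_version": 3, "title": "sample rule B (no bump)"},
    ]
    for rule_id, problems in check_pull_request(PUBLISHED_RULES, pr).items():
        print(rule_id, "OK" if not problems else "; ".join(problems))
```

Running the module prints one line per proposed rule; a CI job would fail the pull request when any reported list is non-empty. The revision branch deliberately reports a changed ID as a violation rather than treating it as a new rule, since a rename is exactly the case the stable-ID policy rules out.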

Maintainers

ATR was founded and is primarily maintained by Kuan-Hsin Lin. This is a project started by one person — the same way Linus Torvalds started Linux in 1991, or Florian Roth started Sigma. What matters is whether the community can contribute substantively, not how long the founders list is.

External adoption to date comes from three Fortune-500 production deployments (Cisco AI Defense's full rule pack in skill-scanner, Microsoft AGT's 287 rules plus weekly auto-sync, Gen Digital Sage's integrated pack); two standards-body integrations actually merged (MISP / CIRCL taxonomies #323 + galaxy #1207, and OWASP A-S-R-H #74); and two standards-body submissions in review (a community-authored OSCAL catalog for NIST AI RMF self-published by the ATR maintainers, with usnistgov/oscal-content#333 in NIST review; and the agent.threat.detection.* semantic-conventions PR #165 in OpenTelemetry GenAI SIG review). This pattern — enterprises integrating via pull request instead of private forks — is the governance texture ATR is built for.

Independence

ATR is not owned by any commercial entity. It is not a feature of any security product and is not controlled by any vendor. The rules are a public good — anyone, including competing vendors, may adopt, extend, or fork them.