Skip to content
About ATR

An open standard.
Started by one maintainer.

ATR is the open detection standard for AI agent security threats. This page explains why it exists, how it works, and who maintains it.

Mission

ATR provides executable detection rules for AI agents. Other frameworks — MITRE ATLAS, OWASP Agentic, NIST AI RMF — categorize threats and define risk management processes. ATR provides the detection rules that operate on real agent artifacts: SKILL.md files, MCP tool descriptions, agent configs. ATR is to MITRE ATLAS what Sigma rules are to ATT&CK.

Rules are published under MIT license in YAML format on GitHub. Anyone may integrate, modify, or contribute upstream. There are no paid features. There is no vendor lock-in.

The standard is community-driven and grows through daily auto-crystallization flywheels — a red-team mega-scan pipeline and a CVE-ingestion pipeline each ran full sweeps, expanding the ruleset from 462 to 768 rules.

But growth was never the point — honesty about precision is. The v3.5.0 release introduced detection lanes: every rule declares a maturity, and the consumer decides how far to trust it. The enforce lane fires only the most mature rules (~0.24% false positives on a 65,000-sample benign corpus); the default hunt lane runs everything as advisory (~9%). ATR reports false-positive rates lane by lane, never as a single flattering number. A standard earns trust by publishing its worst figure, not hiding it.

History
  1. 2026-03-09
    ATR founded · v0.1.0 released

    29 rules across 9 threat categories, TypeScript engine, 325 passing tests.

  2. 2026-04-03
    Cisco AI Defense merges 34 rules (PR #79)

    First enterprise adoption. 1,272 additions, merged one day after submission.

  3. 2026-04-06
    v1.0.0 released

    Coverage milestone: OWASP Agentic 10/10, SAFE-MCP 91.8%, PINT F1 76.7.

  4. 2026-04-13
    Microsoft AGT merges 15 rules (PR #908)

    Second enterprise adoption. 554 additions, adapted as PolicyDocument.

  5. 2026-04-14
    Mass malware campaign research published

    Scanned 96,096 skills across five registries. Documented malicious skills from three coordinated threat actors (552 confirmed on the live blacklist). Notified NousResearch via issue #9809.

  6. 2026-04-15
    v2.0.0 released

    113 detection rules across 8 categories. Full coverage mapping to MITRE ATLAS, OWASP Agentic, OWASP LLM, and OWASP AST.

  7. 2026-04-21
    v2.0.11 · NVIDIA garak coverage

    193 new rules covering the full NVIDIA garak probe corpus (311 total). garak in-the-wild jailbreak subset recall: 97.1% (646/666) at the time.

  8. 2026-04-22
    Cisco AI Defense production rollout (PR #99)

    Follow-up production PR after the 34-rule PoC. Lands the full ATR rule pack inside Cisco AI Defense's skill-scanner. ATR now ships in two Cisco production paths: rule-packs CLI and skill-scanner.

  9. 2026-04-26
    Microsoft AGT 287-rule expansion + weekly auto-sync (PR #1277)

    Follow-up to PR #908's 15-rule PoC. Adds 272 more rules (287 total) and a workflow that auto-syncs ATR upstream releases every week. First standards-grade auto-sync pipeline.

  10. 2026-05-10
    MISP / CIRCL taxonomy + galaxy merged

    Alexandre Dulaunoy (CIRCL) merged ATR rule-ID taxonomy (misp-taxonomies #323) and threat-intel galaxy (misp-galaxy #1207) into MISP's core distribution. First neutral standards-body adoption.

  11. 2026-05-11
    OWASP Agent Security Regression Harness (#74) + Gen Digital Sage (#33) both merged

    OWASP Foundation's regression-harness project references ATR as its canonical agent-threat detection ruleset (PR #74, merged by Mert Satilmaz). On the same day, Gen Digital (Norton / Avast / LifeLock parent) merged the full ATR rule pack into the Sage agentic-AI risk-scoring layer (PR #33).

  12. 2026-05-22
    ATR website standards-form rewrite

    Hero, footer, and information architecture rewritten to match peer-format positioning (Sigma / YARA / ATT&CK / NIST AI RMF). Integration intake pipeline shipped: structured issue form, auto-triage workflow, ADOPTERS.md as machine-readable source of truth.

  13. 2026-06
    v3.5.0 · detection lanes ship

    v3.5.0 (652 rules at release) introduced detection lanes (enforce / alert / hunt) — maturity-driven precision, with false-positive rates reported per lane rather than as a single figure.

  14. 2026-07
    Adoption re-verified · auto-publish flywheel

    Every adopter PR state re-verified against GitHub — new shipped integrations recorded across FINOS, SigmaHQ, rulezet/CIRCL, AMD GAIA, and AG2. The crystallization flywheel now auto-publishes new rules to npm on merge; rule count, spec version, and the adopter wall on this site are all rebuilt from repo state at deploy time.

Governance

All rule changes are submitted and reviewed via public GitHub pull requests. Adoption criteria include: clear description, test cases covering true and false positives, schema compliance, and no conflict with existing rules.

Rules use CVE/CWE-style identifiers (ATR-YYYY-NNNNN). IDs never change after publication. Rules may be revised (rule_version++), but the ID remains stable — safe for external documentation, academic citations, and CI scripts to reference.

Maintainers

ATR was founded and is primarily maintained by Kuan-Hsin Lin. This is a project started by one person — the same way Linus Torvalds started Linux in 1991, or Florian Roth started Sigma. What matters is whether the community can contribute substantively, not how long the founders list is.

External adoption to date includes two in production (Cisco AI Defense's full rule pack in skill-scanner, Microsoft AGT's 287 rules plus weekly auto-sync) plus Gen Digital's merged Sage pack; two standards-body integrations actually merged (MISP / CIRCL taxonomies #323 + galaxy #1207, and OWASP A-S-R-H #74); and two standards-body submissions in review (a community-authored OSCAL catalog for NIST AI RMF self-published by the ATR maintainers, with usnistgov/oscal-content#338 collaboration branch in review — not a NIST endorsement; and the agent.threat.detection.* semantic-conventions PR #165 in OpenTelemetry GenAI SIG review). This pattern — enterprises integrating via pull request instead of private forks — is the governance texture ATR is built for.

Independence

ATR is not owned by any commercial entity. It is not a feature of any security product and is not controlled by any vendor. The rules are a public good — anyone, including competing vendors, may adopt, extend, or fork them.