An open standard.
Started by one maintainer.
ATR is the open detection standard for AI agent security threats. This page explains why it exists, how it works, and who maintains it.
ATR provides executable detection rules for AI agents. Other frameworks — MITRE ATLAS, OWASP Agentic, NIST AI RMF — categorize threats and define risk management processes. ATR provides the detection rules that operate on real agent artifacts: SKILL.md files, MCP tool descriptions, agent configs. ATR is to MITRE ATLAS what Sigma rules are to ATT&CK.
Rules are published under MIT license in YAML format on GitHub. Anyone may integrate, modify, or contribute upstream. There are no paid features. There is no vendor lock-in.
- 2026-03-09: ATR founded · v0.1.0 released
  29 rules across 9 threat categories, TypeScript engine, 325 passing tests.
- 2026-04-03: Cisco AI Defense merges 34 rules (PR #79)
  First enterprise adoption. 1,272 additions, merged one day after submission.
- 2026-04-06: v1.0.0 released
  Coverage milestone: OWASP Agentic 10/10, SAFE-MCP 91.8%, PINT F1 76.7.
- 2026-04-13: Microsoft AGT merges 15 rules (PR #908)
  Second enterprise adoption. 554 additions, adapted as PolicyDocument.
- 2026-04-14: Mass malware campaign research published
  Scanned 96,096 skills across five registries. Documented 751 malicious skills from three coordinated threat actors. Notified NousResearch via issue #9809.
- 2026-04-15: v2.0.0 released
  113 detection rules across 8 categories. Full coverage mapping to MITRE ATLAS, OWASP Agentic, OWASP LLM, and OWASP AST.
All rule changes are submitted and reviewed via public GitHub pull requests. Adoption criteria include: clear description, test cases covering true and false positives, schema compliance, and no conflict with existing rules.
Rules use CVE/CWE-style identifiers (ATR-YYYY-NNNNN). IDs never change after publication. Rules may be revised (rule_version++), but the ID remains stable — safe for external documentation, academic citations, and CI scripts to reference.
ATR was founded and is primarily maintained by Kuan-Hsin Lin. This is a project started by one person — the same way Linus Torvalds started Linux in 1991, or Florian Roth started Sigma. What matters is whether the community can contribute substantively, not how long the founders list is.
External contributions to date come from engineers at Cisco AI Defense (PR #79, 34 rules) and Microsoft AGT (PR #908, 15 rules). This pattern — enterprises integrating via pull request instead of private forks — is the governance texture ATR is built for.
ATR is not owned by any commercial entity. It is not a feature of any security product and is not controlled by any vendor. The rules are a public good — anyone, including competing vendors, may adopt, extend, or fork them.