Agentic Threat Detection

Agentic Threat Detection (ATD) is an open, machine-readable, executable enumeration of agent-native threat techniques. Each technique is bound to detection logic and mapped to the established prose frameworks — OWASP Agentic Top 10, MITRE ATLAS, CWE, and AVID.

Those frameworks tell you what can go wrong with an agent. ATD is the layer underneath that tells you how to detect it at runtime — and ships with a measurable false-positive rate. It is to agentic security what Sigma is to SIEM detection.

Status: an Editor's Draft — a request for comments and an open invitation to co-author. It is not yet a ratified standard; it earns that title when it meets the §8 neutrality bar. We publish it openly to gather collaborators and mapping partners, not to claim authority.

ATD enumerates agent-runtime threat techniques detectable in agent I/O: prompt/content, tool calls, tool responses, inter-agent messages, memory operations, traces, screen state, and payment mandates.

• ATD MUST NOT mint vulnerability instance identifiers. A specific CVE in a specific MCP server lives in CVE / GHSA / OSV / AVID; ATD references it, it does not replace it.
• ATD MUST NOT present itself as a competing top-level risk taxonomy. The "top ten agentic risks" framing belongs to OWASP ASI; ATD sits beneath it and makes it runnable.
• ATD MUST map every technique to at least one upstream framework, or document the gap where none exists yet.

This boundary is deliberate. Vulnerability registries that mirrored CVE's territory (e.g. the now-archived GSD) fragmented and stalled. ATD fills the uncovered executable detection layer, it does not re-fight a settled lane.

ATD uses two axes, borrowed from proven standards:

• Tactic / Technique matrix (MITRE ATLAS model): a Tactic is the adversary's goal-phase; a Technique is a concrete, detectable attack pattern; a Sub-technique is a variant.
• Abstraction hierarchy (CWE model): each technique is tagged pillar / class / base / variant.

Identifiers. Tactics are ATD-TA1 … ATD-TA9. Techniques are ATD-T0001 (zero-padded, sequential, permanent, never reused); sub-techniques use dotted notation ATD-T0001.001. Each individual detection rule additionally carries a UUIDv4 so rules survive renaming — techniques are the catalog, rules are the executable instances bound to them.

Maturity. Every technique and every rule carries a status on the ladder experimental → test → stable (plus deprecated). Production consumers SHOULD auto-sync only stable.

A technique entry is a YAML/JSON document validated against a normative JSON Schema (Draft 2020-12), shipped in-repo. It is designed to be compatible with the OSV and Sigma ecosystems. Required fields:

atd_id            ATD-T####            permanent
schema_version    SemVer, no "v"       additive-minor guarantee (OSV)
title             short imperative phrase
tactic            ATD-TA#
abstraction       pillar | class | base | variant
status            experimental | test | stable | deprecated
description       the technique and its attack mechanism
detection_surface content | tool_input | tool_response |
                  inter_agent_msg | memory_op | trace | screen | payment_mandate
mappings          owasp_asi[] · mitre_atlas[] · cwe[] · avid[] · maestro_layer[]
references         advisory / CVE / research URLs (evidence it is real)
detection_rules   UUIDv4[] into the rule corpus

A detection rule reuses the ATR rule schema already in production: regex/conditions, true_positives and true_negatives (a precision test), false-positive notes, response actions, and a valid agent_source.type.

Legitimacy comes from interoperability, not from declaring authority. Every ATD technique maps to OWASP ASI, MITRE ATLAS and CWE where a slot exists; AVID and the MAESTRO layer are added where they apply. ATD borrows the authority of these frameworks and feeds its ★gaps back to them as proposed techniques and case studies.

ATD is designed to interoperate with — not compete against — AVID, which already operates a governed, submission-open AI vulnerability registry. ATD supplies the executable detection AVID's "Detection" report type expects.

• A conformant technique entry MUST validate against the JSON Schema, carry at least one framework mapping (or a documented gap), and cite at least one reference.
• A conformant detection rule MUST pass the precision gate: every declared true-positive matches, zero false positives on the published benign corpus, and no cross-rule conflict.
• A conformant consumer MUST honor the maturity field and SHOULD expose the ATD-T#### id on every detection it emits.

ATD is governed by a written charter and published as an open draft and an invitation to co-author. It earns the title standard when it meets a concrete, public neutrality bar adopted from the OpenSSF project lifecycle — at least three maintainers across at least two organizations — and we are actively seating them.

Governance follows a Minimal Viable Governance charter: lazy consensus of maintainers, a simple-majority Technical Steering Committee fallback, charter amendments by a two-thirds vote, and no single-person veto. The specification is CC-BY-4.0 and forkable by design — no party can hold it hostage — with a committed roadmap to a neutral foundation home (an OpenSSF working group, or the OWASP GenAI Security Project).

Call for collaborators — if your team works on agent security, map your tooling to ATD, submit a technique, or take a maintainer seat. See /contribute.