In May 2026 the NSA’s Artificial Intelligence Security center published Model Context Protocol (MCP): Security Design Considerations for AI-Driven Automation. It breaks MCP risk into 8 named security concerns and gives 9 recommendations — and, like every piece of government guidance, ships zero executable detection rules.
Its thesis is one line: “MCP’s rapid proliferation has outpaced the development of its security model.” Secure-by-default behavior, the NSA says, “must be enforced through implementation rigor, proper coding practices, clearer protocol specifications, and robust validation tools.” ATR is one such validation-tool layer — and, deliberately, only one layer.
Two of the nine recommendations are rule-shaped:
“Track and patch MCP related vulnerabilities” — the CSI asks for a formal process monitoring CVEs, vendor advisories, and open-source issue trackers, subscribing to security feeds. That is ATR’s CVE flywheel: 2,262 CVEs tracked across 15 feeds, 594 detection-ready signatures. ATR-2026-00451 covers the LiteLLM admin SQLi that landed in CISA’s KEV; ATR-2026-00534 covers the Alibaba RDS MCP unauthenticated metadata exfil Akamai disclosed in June. One Microsoft Semantic Kernel MSRC advisory went from disclosure to a published, regression-tested rule in about two hours.
“Filter and monitor output pipelines and chained execution” — treat every tool output as untrusted; detect indirect injection and toolchain pivots. That is ATR’s densest cluster: ATR-2026-00002 (indirect prompt injection) and ATR-2026-00010 (malicious tool response).
About the other seven — honestly
A standard earns trust by being explicit about what it does not do. The CSI also says “scan your local network for open or vulnerable MCP servers,” and names the scanners — MCP Scanner, Ramparts, CyberMCP, Proximity. ATR is not one of them.ATR is the rule content a scanner runs, not the scanner, and it does no network discovery. “Instrument for logging and detection” is a SIEM’s job; ATR emits no logs of its own — it is the detection content a SIEM consumes. Identity binding, message signing, sandboxing: those are infrastructure, not pattern detection. Run ATR as one layer, not the only one.
We mapped all 8 concerns and all 9 recommendations to specific rules, each with an honest strength rating — including the ones where ATR is only complementary, and the ones it does not touch at all. The full mapping is here.
Run it
npm install -g agent-threat-rules
npx agent-threat-rules scan .Point it at your skill directory or MCP config. The rules are open and MIT-licensed — read them, test them, send us a variant we miss.