ATR is community-driven. Every contribution protects the entire ecosystem.
MIT licensed. No proprietary tooling. No CLA. Start by reporting an evasion, 15 minutes.
Open an Integration Request issue
Structured intake form, 5 minutes. Use this path if you need a spec walkthrough, design review, sample code for your language, or framework-compliance mapping. Maintainers respond within seven days.
Open the issue →
Open a PR against ADOPTERS.md
Take this path when your integration is publicly verifiable. Schema-conforming entries with a verifiable evidence link get merged — maintainers do not pre-approve adopters. Same model as Sigma.
ADOPTERS.md →
Submit a New Rule (5 min, no fork)
~5 min
Found a new attack pattern? File one issue, the bot converts it to a draft proposal PR automatically. No clone, no YAML required.
Open an Issue →
Submit a Red Team Probe (joins the benchmark)
~10 min
Have an attack payload plus benign look-alikes? The bot converts it into a proposal; once merged, your probe joins the next benchmark run. Your contribution shows up in the recall numbers.
Submit a Probe →
Report an Evasion
~15 min
Found a way to bypass a rule? Every confirmed evasion triggers a rule improvement. Most impactful contribution.
Open an Issue →
Report a False Positive
~20 min
Rule triggered on legitimate content? Help us keep 99.6% precision real.
Open an Issue →
Full Rule Authoring (advanced)
1-2 hr
Want to author YAML directly? Fork the repo, follow the spec, run atr validate + atr test, open a PR. Full walkthrough provided.
See the Guide →
AI-Native Contribution
Variable
Use Claude Code or Cursor with ATR's MCP server. The AI writes YAML, you review.
See MCP Setup →
- Bot converts your issue to a YAML draft under proposals/ and opens a draft PR with your name in the author field.
- A maintainer or community member writes the detection regex and runs the safety gate (0 FP on the benign corpus is a hard requirement).
- Rule merges to main, auto-publishes to npm + GitHub release.
- On the next measurement run, your payload joins the benchmark corpus. data/measurements/<source>/ stores the historical recall / precision / fp-rate per run, version-pinned and drift-proof.
- Every public recall claim cites a measurement file path, so your contribution is traceable in the public audit chain.
The spec (ATR-SPEC-v1) is the contract between all conforming engines. Spec changes are not as direct as rule additions — the process is: open an RFC issue with title prefixed [RFC] describing what you want to change and why; leave a 7-day public comment window so every implementer sees it and can respond; then submit the PR. Breaking changes (SemVer major bump) require an additional 30-day advance notice.
Full process documented under Decision-making on the governance page.
If you want to contribute but don't know where to start, two low-friction entry points:
- Open issues labelled 'good first issue' — maintainer-tagged starter tasks with clear scope.
- False-positive reports — if you hit a misfire in your workflow, a 15-minute report directly helps every downstream adopter. Maintainers prioritise this class of feedback.
ATR is currently single-maintainer and is actively recruiting a second and third. Candidate criteria, the decision-making structure, and how to apply are all on the governance page.
See 'Become a maintainer' on the governance page →
How Threat Cloud Crystallization Works
Traditional rules take weeks to write, review, and ship. Threat Cloud targets hours.