The frameworks name the threat. ATR runs it.
MITRE ATLAS, OWASP, NIST AI RMF, ISO 42001 — six frameworks classify what can go wrong. ATR is the executable layer underneath: detection that fires on a real agent artifact. Every rule carries mappings into all six frameworks, enforced in CI.
ATR reaches 63.2% recall, 99.7% precision, and 0.25% FP on 850 PINT-format adversarial samples (self-built from deepset + Lakera Gandalf; not Lakera's official private benchmark) — rules rarely fire on legitimate MCP traffic.
ATR catches 66.0% of the 4,780 HackAPrompt competition samples at 100% precision, with no false alarms.
ATR reaches 89.4% recall, 100% precision, and 0% FP on 341 internal self-test samples — a separate corpus from the SKILL.md benchmark.
ATR reaches 98.0% recall on garak's in-the-wild jailbreak set (650 prompts), and 38.5% on the full 23-probe garak suite (3,475 prompts).
OWASP Agentic Top 10
10/10 categories, each backed by rules that fire — not a checklist, detections.
OWASP Agentic Skills Top 10 (AST10)
8/10 categories with rule coverage. 3 categories are process/meta-level (not pattern-detectable).
SAFE-MCP
78 of 85 MCP attack techniques are backed by a detection rule (91.8%) — the remaining 7 are known gaps, stated plainly rather than papered over. Mapping is revised continuously as categories are reconciled.
View full SAFE-MCP mapping on GitHub→MITRE ATLAS
Every rule's YAML carries a MITRE ATLAS reference — part of ATR's per-rule mapping into six frameworks (ATLAS, OWASP Agentic, OWASP LLM, EU AI Act, NIST AI RMF, ISO 42001). A rule with no mapping does not reach main; CI enforces it. Grouped by tactic in the rule explorer.
Browse rules with MITRE mappings→