Skip to content
Standards Coverage

The frameworks name the threat. ATR runs it.

MITRE ATLAS, OWASP, NIST AI RMF, ISO 42001 — six frameworks classify what can go wrong. ATR is the executable layer underneath: detection that fires on a real agent artifact. Every rule carries mappings into all six frameworks, enforced in CI.

How to read this
PINT (850 samples)

ATR reaches 63.2% recall, 99.7% precision, and 0.25% FP on 850 PINT-format adversarial samples (self-built from deepset + Lakera Gandalf; not Lakera's official private benchmark) — rules rarely fire on legitimate MCP traffic.

HackAPrompt (4,780 samples)

ATR catches 66.0% of the 4,780 HackAPrompt competition samples at 100% precision, with no false alarms.

Self-test (341 samples)

ATR reaches 89.4% recall, 100% precision, and 0% FP on 341 internal self-test samples — a separate corpus from the SKILL.md benchmark.

garak (650 in-the-wild / 3,475 full)

ATR reaches 98.0% recall on garak's in-the-wild jailbreak set (650 prompts), and 38.5% on the full 23-probe garak suite (3,475 prompts).

OWASP Agentic
10/10
SAFE-MCP
78/85 (91.8%)
OWASP AST10
7/10
PINT F1
77.7

OWASP Agentic Top 10

10/10 categories, each backed by rules that fire — not a checklist, detections.

ASI01
Agent Goal Hijack
13
STRONG
ASI02
Tool Misuse & Exploitation
11
STRONG
ASI03
Identity & Privilege Abuse
9
STRONG
ASI04
Agentic Supply Chain Vulnerabilities
8
STRONG
ASI05
Unexpected Code Execution / RCE
8
STRONG
ASI06
Memory & Context Poisoning
8
STRONG
ASI07
Insecure Inter-Agent Communication
5
MODERATE
ASI08
Cascading Failures
4
MODERATE
ASI09
Human-Agent Trust Exploitation
5
MODERATE
ASI10
Rogue Agents
7
MODERATE

OWASP Agentic Skills Top 10 (AST10)

8/10 categories with rule coverage. 3 categories are process/meta-level (not pattern-detectable).

AST01
Malicious Skills
7
STRONG
AST02
Supply Chain Compromise
8
STRONG
AST03
Over-Privileged Skills
4
MODERATE
AST04
Insecure Metadata
3
MODERATE
AST05
Unsafe Deserialization
3
MODERATE
AST06
Weak Isolation
3
PARTIAL
AST07
Update Drift
2
PARTIAL
AST08
Poor Scanning
0
GAP (meta-concern)
AST09
No Governance
0
GAP (process-level)
AST10
Cross-Platform Reuse
1
PARTIAL

SAFE-MCP

78 of 85 MCP attack techniques are backed by a detection rule (91.8%) — the remaining 7 are known gaps, stated plainly rather than papered over. Mapping is revised continuously as categories are reconciled.

View full SAFE-MCP mapping on GitHub

MITRE ATLAS

Every rule's YAML carries a MITRE ATLAS reference — part of ATR's per-rule mapping into six frameworks (ATLAS, OWASP Agentic, OWASP LLM, EU AI Act, NIST AI RMF, ISO 42001). A rule with no mapping does not reach main; CI enforces it. Grouped by tactic in the rule explorer.

Browse rules with MITRE mappings