Skip to content

Glossary

Glossary

Definitions for key terms used throughout the specification. Where a term has a precise technical meaning that differs from common usage, the technical meaning takes precedence within the spec.

Working Draft·version 3.5.6·updated 16 June 2026·canonical /spec·editor Adam Lin

Term Definitions

agent runtime
An execution environment that hosts one or more AI agents and mediates their access to tools, model APIs, and external resources.
ATR engine
An implementation that consumes ATR rules and emits matches. A conforming engine MUST satisfy the requirements in /conformance §1.
ATR rule
A single YAML document declaring an attack pattern, the field it inspects, its test cases, and its cross-framework mappings.
canary
A 24-hour observation window during which a newly generated rule runs in shadow mode before being eligible for production status.
confirm
An optional rule field requesting a second-stage check before the rule may fire in the enforce or alert lane. The only defined method is confirm: embedding, which re-evaluates a pattern hit against attack-content similarity and keeps the match only when similarity meets the configured threshold. The confirm gate is narrowing only: it may remove a match but never create one. A rule declaring confirm MUST have maturity stable or test, and a detection method of pattern, signature, or semantic — trace and behavioral signals are structural, not content, so content-similarity confirmation does not apply.
conformance level
One of L1 (Engine), L2 (Publisher), or L3 (Sub-range Authority). Defined normatively in /conformance.
crystallization
The Threat Cloud pipeline that converts an observed attack into a candidate ATR rule and routes it through review. (Reference implementation, not part of the normative standard.)
detection lane
A consumer-selected gate that decides which rule maturities are allowed to fire, traded against false-positive tolerance. Three lanes are defined. enforce fires stable rules only — the auto-block lane, lowest false-positive rate. alert fires stable and test rules — the analyst / correlation lane. hunt fires every non-deprecated rule as advisory signal — the default, and the eval lane. Deprecated rules fire in no lane. The lane is chosen by the engine consumer, not declared on the rule: the same rule corpus yields a different firing set per lane, which is why ATR reports false-positive rates lane by lane rather than as a single figure.
detection.conditions
The array of field/operator/value triples in a rule body that determine whether the rule matches.
fixture
A YAML file under spec/conformance/ pairing a rule with its expected evaluation outcome on a fixed event.
Implementer Report
A self-declared public record of an organization's ATR integration, listed on /implementers.
informative
Content that provides context but does not define conformance requirements.
maturity
The promotion stage of a rule, drawn from a fixed ladder: draft → experimental → test → stable → deprecated. A rule advances on evidence (false-positive rate, sample volume, confidence), not on age. Maturity is what each detection lane gates on: enforce admits stable only, alert admits stable and test, hunt admits everything non-deprecated. An unrecognized maturity value normalizes to experimental — a typo never silently reaches the enforce lane. Promotion and demotion rules are defined in RFC-001.
MCP exchange
A single request/response pair between an MCP client and an MCP server. ATR rules with scan_target: mcp_exchange evaluate against this shape.
normative
Content that defines requirements for conformance. Engines and rules MUST follow normative sections.
provenance
Metadata on a rule describing who authored it, from what source (e.g., garak probe, CVE), and when.
RFC-001
The internal numbering of ATR's quality standard for rule promotion. See /quality-standard.
scan_target
A required field on every rule declaring what shape of event the rule expects: skill, mcp_exchange, agent_config, etc.
severity
One of {informational, low, medium, high, critical} declared on every rule.
SKILL.md
A Markdown manifest format used by some MCP skill ecosystems (OpenClaw, Skills.sh, ClawHub) to declare an agent skill's tools, prompts, and metadata.
status
A required field gating whether a rule loads into production matching at all. Rules with status: draft or status: deprecated MUST NOT participate in production matching without explicit opt-in. Status is the coarse load-time gate; maturity is the finer per-lane gate applied to the rules that do load. The two are distinct fields and may differ — a rule may be status: stable yet maturity: experimental, in which case it loads but only fires in the hunt lane.
sub-range
A contiguous segment of the ATR-YYYY-NNNNN identifier space reserved for a specific publisher (e.g., ATR-TW-2026-NNNNN for Taiwan).
Technical Steering Committee (TSC)
The body that governs ATR's evolution. Currently in BDFL transition; see /charter.
Threat Cloud
An optional reference service operated by the ATR maintainers — not part of the standard. The standard is the spec plus the MIT-licensed rules, fully usable offline via npm / PyPI / raw YAML. Threat Cloud only adds hosted convenience (rule sync, threat submission); the same outcomes are reachable without it. Technically, it is an auto-review backend for community-submitted rules, running the crystallization pipeline and safety gates.

Editor: Adam Lin <[email protected]> — DOI 10.5281/zenodo.19178002 — MIT License — ISO 8601 2026-06-16