Glossary
Glossary
Definitions for key terms used throughout the specification. Where a term has a precise technical meaning that differs from common usage, the technical meaning takes precedence within the spec.
Term Definitions
- agent runtime
- An execution environment that hosts one or more AI agents and mediates their access to tools, model APIs, and external resources.
- ATR engine
- An implementation that consumes ATR rules and emits matches. A conforming engine MUST satisfy the requirements in /conformance §1.
- ATR rule
- A single YAML document declaring an attack pattern, the field it inspects, its test cases, and its cross-framework mappings.
- canary
- A 24-hour observation window during which a newly generated rule runs in shadow mode before being eligible for production status.
- confirm
- An optional rule field requesting a second-stage check before the rule may fire in the enforce or alert lane. The only defined method is confirm: embedding, which re-evaluates a pattern hit against attack-content similarity and keeps the match only when similarity meets the configured threshold. The confirm gate is narrowing only: it may remove a match but never create one. A rule declaring confirm MUST have maturity stable or test, and a detection method of pattern, signature, or semantic — trace and behavioral signals are structural, not content, so content-similarity confirmation does not apply.
- conformance level
- One of L1 (Engine), L2 (Publisher), or L3 (Sub-range Authority). Defined normatively in /conformance.
- crystallization
- The Threat Cloud pipeline that converts an observed attack into a candidate ATR rule and routes it through review. (Reference implementation, not part of the normative standard.)
- detection lane
- A consumer-selected gate that decides which rule maturities are allowed to fire, traded against false-positive tolerance. Three lanes are defined. enforce fires stable rules only — the auto-block lane, lowest false-positive rate. alert fires stable and test rules — the analyst / correlation lane. hunt fires every non-deprecated rule as advisory signal — the default, and the eval lane. Deprecated rules fire in no lane. The lane is chosen by the engine consumer, not declared on the rule: the same rule corpus yields a different firing set per lane, which is why ATR reports false-positive rates lane by lane rather than as a single figure.
- detection.conditions
- The array of field/operator/value triples in a rule body that determine whether the rule matches.
- fixture
- A YAML file under spec/conformance/ pairing a rule with its expected evaluation outcome on a fixed event.
- Implementer Report
- A self-declared public record of an organization's ATR integration, listed on /implementers.
- informative
- Content that provides context but does not define conformance requirements.
- maturity
- The promotion stage of a rule, drawn from a fixed ladder: draft → experimental → test → stable → deprecated. A rule advances on evidence (false-positive rate, sample volume, confidence), not on age. Maturity is what each detection lane gates on: enforce admits stable only, alert admits stable and test, hunt admits everything non-deprecated. An unrecognized maturity value normalizes to experimental — a typo never silently reaches the enforce lane. Promotion and demotion rules are defined in RFC-001.
- MCP exchange
- A single request/response pair between an MCP client and an MCP server. ATR rules with scan_target: mcp_exchange evaluate against this shape.
- normative
- Content that defines requirements for conformance. Engines and rules MUST follow normative sections.
- provenance
- Metadata on a rule describing who authored it, from what source (e.g., garak probe, CVE), and when.
- RFC-001
- The internal numbering of ATR's quality standard for rule promotion. See /quality-standard.
- scan_target
- A required field on every rule declaring what shape of event the rule expects: skill, mcp_exchange, agent_config, etc.
- severity
- One of {informational, low, medium, high, critical} declared on every rule.
- SKILL.md
- A Markdown manifest format used by some MCP skill ecosystems (OpenClaw, Skills.sh, ClawHub) to declare an agent skill's tools, prompts, and metadata.
- status
- A required field gating whether a rule loads into production matching at all. Rules with status: draft or status: deprecated MUST NOT participate in production matching without explicit opt-in. Status is the coarse load-time gate; maturity is the finer per-lane gate applied to the rules that do load. The two are distinct fields and may differ — a rule may be status: stable yet maturity: experimental, in which case it loads but only fires in the hunt lane.
- sub-range
- A contiguous segment of the ATR-YYYY-NNNNN identifier space reserved for a specific publisher (e.g., ATR-TW-2026-NNNNN for Taiwan).
- Technical Steering Committee (TSC)
- The body that governs ATR's evolution. Currently in BDFL transition; see /charter.
- Threat Cloud
- An optional reference service operated by the ATR maintainers — not part of the standard. The standard is the spec plus the MIT-licensed rules, fully usable offline via npm / PyPI / raw YAML. Threat Cloud only adds hosted convenience (rule sync, threat submission); the same outcomes are reachable without it. Technically, it is an auto-review backend for community-submitted rules, running the crystallization pipeline and safety gates.