Skip to content
Integrate

Four paths. Same destination.

708 rules, written once, runnable anywhere. Wire the same ruleset into TypeScript, Python, CI, or a SIEM — the path Cisco, Microsoft, and MISP already walked.

One ruleset · Any conforming engine · Choose your integration level
L1Scan
Individual developers
One command or GitHub Action
Know if your AI tools are poisoned
Updates: npx pulls latest rules automatically
L2Embed
Platforms (IDEs, agent frameworks)
npm install + call ATR engine
Your users protected by 708 rules automatically
Updates: npm update or lockfile + CI
L3Bidirectional (optional)
Security platforms, enterprise SOC
Embed + optionally connect Threat Cloud reference service
Optional convenience: submit threats and sync rules; the standard works fully without it
Updates: npm update (TC adds real-time push if connected)

Try it in 30 seconds

No signup, no API key. One command scans your SKILL.md or MCP config — the same YAML you run locally is the same ruleset Cisco and Microsoft run in production.

Scan a SKILL.md file
$ npx agent-threat-rules scan your-skill.md
Scan a directory
$ npx agent-threat-rules scan ./my-mcp-skills/
Install as Claude Code real-time guard
$ npx agent-threat-rules init --global

708 rules · 10 threat categories · < 5ms latency · zero dependencies · MIT license

SDK Integration · Same rules, five ways to read them

TypeScript / Node.js

Docs
$ npm install agent-threat-rules
import { ATREngine } from 'agent-threat-rules';

const engine = new ATREngine();
const matches = engine.evaluate({
  type: 'tool_response',
  content: toolOutput,
  timestamp: new Date().toISOString(),
});

if (matches.length > 0) {
  // Threat detected — block or alert
}

Python (pyATR)

Docs
$ pip install pyatr
from pyatr import ATREngine

engine = ATREngine()
result = engine.evaluate(event={
    "type": "llm_input",
    "content": user_message,
})

if result.outcome == "deny":
    # Block the request

Raw YAML (any language)

Docs
$ git submodule add https://github.com/Agent-Threat-Rule/agent-threat-rules.git
# Point your scanner at rules/ directory
# Each .yaml file follows ATR-SPEC-v1 schema
# Parse with any YAML library
# Schema: spec/atr-schema.yaml

rules/
  prompt-injection/
  tool-poisoning/
  agent-manipulation/
  ... (10 categories)

GitHub Action (CI/CD)

Docs
$ # Add to .github/workflows/atr-scan.yml
name: ATR Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Agent-Threat-Rule/agent-threat-rules@main
        with:
          path: '.'            # Scan entire repo
          severity: 'medium'   # Minimum severity
          fail-on-finding: 'true'
          upload-sarif: 'true' # Results in GitHub Security tab

SIEM Integration

Docs
$ atr convert splunk --output splunk-queries.txt
# Convert ATR rules to SIEM query language
atr convert splunk    # Output SPL queries
atr convert elastic   # Output Elasticsearch Query DSL
atr convert sarif     # Output SARIF v2.1.0 for CI/CD

GitHub Action Adopters

Wire ATR into any GitHub repo's CI. Results write to SARIF and surface in the repo's GitHub Security tab — same place as CodeQL and dependabot.

Minimal Workflow
# .github/workflows/atr-scan.yml
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # for SARIF upload
    steps:
      - uses: actions/checkout@v4
      - uses: Agent-Threat-Rule/agent-threat-rules@main
        with:
          severity: medium
          fail-on-finding: true
Public Adopters

No public adopters tracked yet. If your repo uses the ATR Action, let us know via a GitHub issue and we'll list it here.

Adoption forms vary — Cisco AI Defense (PR #79 PoC + PR #99 production) integrates the full rule pack via a rule-packs CLI; Microsoft AGT (PR #908 PoC + PR #1277 production) integrates rules as PolicyDocument (287 rules at time of PR, auto-synced to ATR main since via a weekly workflow); Gen Digital Sage (PR #33) ships the rule pack inside the agentic-AI risk-scoring layer. These three count as upstream adoption, separate from Action usage.

Schema Stability Guarantee

If you depend on ATR as upstream, you need to know the format won't break. Here's our commitment:

ATR-SPEC-v1 (stable)

Published and stable. All new fields are optional additions. No existing field will be removed or renamed without a major version bump.

Backward Compatibility

Breaking changes only happen on major version transitions (v1 → v2). We provide migration guides and a minimum 6-month overlap period where both versions are supported.

Update Frequency

New rules are added continuously (avg 2-5 per week during active periods). Every rule passes CI validation + precision test before merge. Subscribe to GitHub Releases for changelogs.

Sync Methods
git submodulepin to tag, update on your schedule
npm installsemver, lockfile controls version
GitHub ActionCI scans with latest rules automatically

Why ATR Instead of Writing Your Own?

Coverage
ATR708 rules, 106 CVEs mapped, 10 threat categories
DIYYou build your own rule set
New attack response
ATRCommunity + CI pipeline add rules continuously, targeting hours (optional Threat Cloud can speed up reporting)
DIYDepends on your team's bandwidth
Evasion testing
ATR64 documented evasion techniques, with per-rule evasion_tests
DIYRequires dedicated effort to build
OWASP / MITRE mapping
ATRPre-built. 10/10 Agentic + MITRE ATLAS per rule
DIYHours of manual mapping work
Maintenance
ATRCommunity-maintained. MIT. Zero cost.
DIYRequires ongoing engineering effort
Ecosystem
ATRCisco, Microsoft, MISP integrated; OWASP PRs under review
DIYMaintained independently, no shared rules
 ATRInternal Rules

License & Legal

MIT License

Use commercially, modify, distribute, sublicense. No restrictions.

No CLA

No Contributor License Agreement. Contributions are MIT-licensed and belong to the community.

Vendor Neutral

ATR is not owned by any company. It is a community-governed open standard.

Integrated by
Cisco AI Defense

Full ATR rule pack · skill-scanner production (PR #99)

708 detection rules

10 threat categories

96,096 skills scanned

6 registries · 552 confirmed malware

34 ecosystem integrations

20 merged · 14 under review

Threat Cloud — Optional Reference Service

Threat Cloud is an optional reference service operated by the ATR maintainers — not part of the standard. The standard is the spec plus the MIT-licensed rules, fully usable offline via npm / PyPI / raw YAML. Threat Cloud only adds hosted convenience (rule sync, threat submission); the same outcomes are reachable without it.

If you choose to connect it: when your scanner finds a new threat, you can submit it to Threat Cloud, where maintainers crystallize it into a detection rule, review it, and merge it into the MIT rule set for distribution. The technical docs below cover connecting it — entirely optional.

Method 1: CLI (simplest)
$ npx agent-threat-rules scan . --report-to-cloud
Method 2: Library (platform integration)
// Auto-report when your platform detects threats
import { ATREngine, createTCReporter } from 'agent-threat-rules';
const engine = new ATREngine({
reporter: createTCReporter(), // anonymous, no API key
});
// detections auto-batched to TC
Method 3: API (fully custom)
# Direct TC API call
curl -X POST https://tc.agentthreatrule.org/api/threats \
-H 'Content-Type: application/json' \
-d '{"ruleId":"ATR-2026-00121","severity":"critical",
"contentHash":"abc123","scanTarget":"my-skill"}
What happens after reporting
1. Aggregate
TC collects signals from endpoints
2. Crystallize
AI analyzes patterns, drafts rules
3. Review
Human reviews FP + attack classification
4. Distribute
Merged to ATR → npm publish → global update

Case Study: How Cisco Did It

full pack
in skill-scanner production
2 PRs
PoC (#79) → production (#99)
3 days
first PR to merge

Cisco's AI Defense team integrated ATR rules as an upstream dependency. The first PR #79 (2026-04-03) merged a 34-rule PoC in three days. Follow-up PR #80 built the --rule-packs CLI to consume ATR as a first-class rule source. Production PR #99 (2026-04-22) landed the full ATR rule pack inside Cisco AI Defense's skill-scanner.

After you ship
  1. 1

    Stuck? Open an Integration Request

    Spec walkthrough, design review, sample code for your language. Maintainers respond within seven days.

    Open issue →
  2. 2

    Shipped? List yourself in ADOPTERS.md

    Adopters self-declare via PR — no pre-approval. A schema-conforming entry with a verifiable evidence link gets merged. Your PR is the record.

    Adopter PR template →
  3. 3

    You join the wall — evidence re-verified weekly

    The ecosystem page renders straight from ADOPTERS.md, and CI re-verifies every evidence link against GitHub weekly, stamping the date.

    See the wall →