Four paths. Same destination.
708 rules, written once, runnable anywhere. Wire the same ruleset into TypeScript, Python, CI, or a SIEM — the path Cisco, Microsoft, and MISP already walked.
Try it in 30 seconds
No signup, no API key. One command scans your SKILL.md or MCP config — the same YAML you run locally is the same ruleset Cisco and Microsoft run in production.
708 rules · 10 threat categories · < 5ms latency · zero dependencies · MIT license
TypeScript / Node.js
Docs→import { ATREngine } from 'agent-threat-rules';
const engine = new ATREngine();
const matches = engine.evaluate({
type: 'tool_response',
content: toolOutput,
timestamp: new Date().toISOString(),
});
if (matches.length > 0) {
// Threat detected — block or alert
}Python (pyATR)
Docs→from pyatr import ATREngine
engine = ATREngine()
result = engine.evaluate(event={
"type": "llm_input",
"content": user_message,
})
if result.outcome == "deny":
# Block the requestRaw YAML (any language)
Docs→# Point your scanner at rules/ directory # Each .yaml file follows ATR-SPEC-v1 schema # Parse with any YAML library # Schema: spec/atr-schema.yaml rules/ prompt-injection/ tool-poisoning/ agent-manipulation/ ... (10 categories)
GitHub Action (CI/CD)
Docs→name: ATR Scan
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: Agent-Threat-Rule/agent-threat-rules@main
with:
path: '.' # Scan entire repo
severity: 'medium' # Minimum severity
fail-on-finding: 'true'
upload-sarif: 'true' # Results in GitHub Security tabSIEM Integration
Docs→# Convert ATR rules to SIEM query language atr convert splunk # Output SPL queries atr convert elastic # Output Elasticsearch Query DSL atr convert sarif # Output SARIF v2.1.0 for CI/CD
GitHub Action Adopters
Wire ATR into any GitHub repo's CI. Results write to SARIF and surface in the repo's GitHub Security tab — same place as CodeQL and dependabot.
# .github/workflows/atr-scan.yml
on: [push, pull_request]
jobs:
scan:
runs-on: ubuntu-latest
permissions:
security-events: write # for SARIF upload
steps:
- uses: actions/checkout@v4
- uses: Agent-Threat-Rule/agent-threat-rules@main
with:
severity: medium
fail-on-finding: trueNo public adopters tracked yet. If your repo uses the ATR Action, let us know via a GitHub issue and we'll list it here.
Adoption forms vary — Cisco AI Defense (PR #79 PoC + PR #99 production) integrates the full rule pack via a rule-packs CLI; Microsoft AGT (PR #908 PoC + PR #1277 production) integrates rules as PolicyDocument (287 rules at time of PR, auto-synced to ATR main since via a weekly workflow); Gen Digital Sage (PR #33) ships the rule pack inside the agentic-AI risk-scoring layer. These three count as upstream adoption, separate from Action usage.
Schema Stability Guarantee
If you depend on ATR as upstream, you need to know the format won't break. Here's our commitment:
Published and stable. All new fields are optional additions. No existing field will be removed or renamed without a major version bump.
Breaking changes only happen on major version transitions (v1 → v2). We provide migration guides and a minimum 6-month overlap period where both versions are supported.
New rules are added continuously (avg 2-5 per week during active periods). Every rule passes CI validation + precision test before merge. Subscribe to GitHub Releases for changelogs.
npm install — semver, lockfile controls version
GitHub Action — CI scans with latest rules automatically
Why ATR Instead of Writing Your Own?
License & Legal
Use commercially, modify, distribute, sublicense. No restrictions.
No Contributor License Agreement. Contributions are MIT-licensed and belong to the community.
ATR is not owned by any company. It is a community-governed open standard.
Full ATR rule pack · skill-scanner production (PR #99)
10 threat categories
6 registries · 552 confirmed malware
20 merged · 14 under review
Threat Cloud — Optional Reference Service
Threat Cloud is an optional reference service operated by the ATR maintainers — not part of the standard. The standard is the spec plus the MIT-licensed rules, fully usable offline via npm / PyPI / raw YAML. Threat Cloud only adds hosted convenience (rule sync, threat submission); the same outcomes are reachable without it.
If you choose to connect it: when your scanner finds a new threat, you can submit it to Threat Cloud, where maintainers crystallize it into a detection rule, review it, and merge it into the MIT rule set for distribution. The technical docs below cover connecting it — entirely optional.
Case Study: How Cisco Did It
Cisco's AI Defense team integrated ATR rules as an upstream dependency. The first PR #79 (2026-04-03) merged a 34-rule PoC in three days. Follow-up PR #80 built the --rule-packs CLI to consume ATR as a first-class rule source. Production PR #99 (2026-04-22) landed the full ATR rule pack inside Cisco AI Defense's skill-scanner.
- 1
Stuck? Open an Integration Request
Spec walkthrough, design review, sample code for your language. Maintainers respond within seven days.
Open issue → - 2
Shipped? List yourself in ADOPTERS.md
Adopters self-declare via PR — no pre-approval. A schema-conforming entry with a verifiable evidence link gets merged. Your PR is the record.
Adopter PR template → - 3
You join the wall — evidence re-verified weekly
The ecosystem page renders straight from ADOPTERS.md, and CI re-verifies every evidence link against GitHub weekly, stamping the date.
See the wall →