Partner Live Sync

Live pull of ATR confirmed rules from Threat Cloud. Partner-tier API key required.

Who this is for

Security platforms, model vendors, and enterprise SOC teams that embed ATR rules into their own detection stack and want to minimise npm-publish lag. For casual users, npm install agent-threat-rules or pip install pyatr is the right path.

Getting a key

Email [email protected] with: organisation name, intended use, approximate poll interval. Keys are issued manually during the early-partner phase. No cost. MIT terms still apply to the rules themselves.

Endpoint

GET https://tc.panguard.ai/api/atr-rules/live?since=<ISO-8601>
Authorization: Bearer <partner-key>

The response carries ETag and Last-Modified headers. Send If-None-Match on subsequent polls to get a 304 Not Modified when nothing has changed: no body, and no rate-limit cost.

Response shape

{
  "ok": true,
  "data": [
    {
      "ruleId": "ATR-2026-00150",
      "ruleContent": "title: ...\nid: ATR-2026-00150\n...",
      "publishedAt": "2026-04-17T00:03:42.124Z",
      "source": "atr" | "atr-community",
      "category": "context-exfiltration",
      "severity": "critical",
      "mitreTechniques": "AML.T0057",
      "tags": "..."
    }
  ],
  "meta": { "total": 114, "etag": "W/\"114-2026-04-17T00:03:42Z\"" }
}

Minimum polling example

# 5-minute cadence, ETag-aware. Needs curl and jq; ATR_PARTNER_KEY set in the environment.
LAST_ETAG=""
HDRS=$(mktemp)
while true; do
  # -D captures the response headers, so the ETag comes from the same response
  # as the body (no second request); -w appends the HTTP status as a final line.
  RESP=$(curl -sS -D "$HDRS" -w '\n%{http_code}' \
    -H "Authorization: Bearer $ATR_PARTNER_KEY" \
    ${LAST_ETAG:+-H "If-None-Match: $LAST_ETAG"} \
    "https://tc.panguard.ai/api/atr-rules/live")
  STATUS=$(printf '%s\n' "$RESP" | tail -n 1)
  if [ "$STATUS" = "304" ]; then
    echo "no change"
  elif [ "$STATUS" = "200" ]; then
    # drop the trailing status line (sed '$d' is portable; head -n-1 is GNU-only)
    printf '%s\n' "$RESP" | sed '$d' | jq '.data | length' # process rules
    LAST_ETAG=$(grep -i '^etag:' "$HDRS" | cut -d' ' -f2- | tr -d '\r')
  elif [ "$STATUS" = "429" ]; then
    echo "rate limited; keeping the current rule set until the next poll" >&2
  fi
  sleep 300
done

Limits

  • Global rate limit applies. 1-minute polls are fine; sub-minute polling is rejected with 429.
  • Rules can change in both directions — a rule can be quarantined post-canary. Treat the full response as the current authoritative set, not an append-only log.
  • Partner keys are audit-logged. Key compromise? Email us, we revoke and re-issue.
  • Confirmed rules only: canary rules are not exposed here. If you want canary signal, email us.
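The conditional-GET protocol described under Endpoint and the "current authoritative set, not an append-only log" rule above, as an added Python example (not the project's own code and not pyatr): apply_response folds a 200, 304 or 429 into a local mirror and reports which ruleIds were added, changed or removed, and poll_once is the network call. The sample bodies, the ruleId ATR-2026-00151 and the backoff policy are constructed assumptions.

```python
import json
import urllib.error
import urllib.request

LIVE_URL = "https://tc.panguard.ai/api/atr-rules/live"  # documented endpoint

def new_state():  # local mirror (ruleId -> rule), last ETag seen, poll interval (s)
    return {"rules": {}, "etag": None, "interval": 300}

def apply_response(state, status, etag, body):
    """Fold one poll into state; return sorted (added, changed, removed) ruleIds.
    304: nothing changed. 429: back off (double interval, cap 10 min), keep old set.
    200: body is the authoritative set; a ruleId absent from it (quarantined) is dropped."""
    if status == 304:
        return [], [], []
    if status == 429:
        state["interval"] = min(state["interval"] * 2, 600)
        return [], [], []
    if status != 200:
        raise RuntimeError(f"unexpected HTTP status {status}")
    doc = json.loads(body)
    if not doc.get("ok"):
        raise RuntimeError("response body not ok")
    new, old = {r["ruleId"]: r for r in doc["data"]}, state["rules"]
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(k for k in new.keys() & old.keys()
                     if new[k]["ruleContent"] != old[k]["ruleContent"])
    # Prefer the ETag header; fall back to meta.etag from the body.
    state.update(rules=new, etag=etag or doc.get("meta", {}).get("etag"), interval=300)
    return added, changed, removed

def poll_once(state, partner_key):
    """One conditional GET; urllib raises HTTPError for 304/429, which is folded in."""
    headers = {"Authorization": f"Bearer {partner_key}"}
    if state["etag"]:
        headers["If-None-Match"] = state["etag"]
    req = urllib.request.Request(LIVE_URL, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return apply_response(state, resp.status, resp.headers.get("ETag"), resp.read())
    except urllib.error.HTTPError as err:
        return apply_response(state, err.code, err.headers.get("ETag"), b"")

# Constructed sample bodies (not real output): v2 edits rule 150 and omits 151 (quarantined).
def _body(rules):
    meta = {"total": len(rules), "etag": f'W/"{len(rules)}-sample"'}
    return json.dumps({"ok": True, "data": rules, "meta": meta})
SAMPLE_V1 = _body([{"ruleId": "ATR-2026-00150", "ruleContent": "title: a\n"},
                   {"ruleId": "ATR-2026-00151", "ruleContent": "title: b\n"}])
SAMPLE_V2 = _body([{"ruleId": "ATR-2026-00150", "ruleContent": "title: a2\n"}])
```

Call poll_once(state, key) on state["interval"] seconds cadence and act on the removed list to retire quarantined rules from your stack.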

Why this exists

npm publish cycles give ~10-minute latency from TC canary-pass to a released package. That is fine for most. Partners that want to tie rule updates to their own deploy cadence, or who cannot re-install npm packages on every flywheel cycle, use this endpoint instead.