Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.panguard.ai/llms.txt

Use this file to discover all available pages before exploring further.

Agent Threat Rules (ATR) is an open standard for describing and detecting security threats targeting AI agents — purpose-built for the AI agent era.

What is ATR?

ATR rules detect threats that traditional security tools miss:
  • Prompt injection in MCP tool responses
  • Tool poisoning via hidden instructions
  • Data exfiltration through agent actions
  • Privilege escalation via skill manipulation
  • Supply chain attacks on skill registries
  • Credential theft via agent tool calls
  • Inter-agent manipulation in multi-agent systems

By the Numbers

419 rulesCovering 10 threat categories
OWASP 10/10Full coverage of OWASP Agentic Top 10
97.1% recallOn Garak jailbreak corpus (666 samples)
100% recallOn SKILL.md benchmark (97% precision, 0.2% FP)
90,000+ skillsScanned across registries (67,799 scanned, 1,096 confirmed malicious)
770+ patternsUnique detection signatures
< 3ms scan timePer skill (regex layer)

OWASP Agentic Top 10 Coverage

ATR provides executable detection rules for every OWASP category:
OWASP CategoryATR RulesCoverage
ASI01: Agent Goal Hijack13STRONG
ASI02: Tool Misuse & Exploitation11STRONG
ASI03: Identity & Privilege Abuse9STRONG
ASI04: Agentic Supply Chain8STRONG
ASI05: Unexpected Code Execution8STRONG
ASI06: Memory & Context Poisoning8STRONG
ASI07: Inter-Agent Communication5MODERATE
ASI08: Cascading Failures4MODERATE
ASI09: Human-Agent Trust5MODERATE
ASI10: Rogue Agents7MODERATE
OWASP provides a checklist. ATR provides the executable rules. Use ATR to turn OWASP compliance from a PDF exercise into automated detection.

Three Detection Layers

LayerMethodSpeedCoverage
Layer 1Regex pattern matching3msKnown patterns
Layer 2Content fingerprinting~200msVariants
Layer 3LLM-as-judge~3sNovel threats

Threat Crystallization

When the LLM layer (Layer 3) discovers a new attack pattern, ATR crystallizes it into a deterministic regex rule:
  1. LLM detects novel threat pattern
  2. RuleScaffolder generates a new regex rule
  3. Shadow mode validates against 1,000 samples (FP < 0.1%)
  4. Rule promoted and distributed via Threat Cloud (< 1 hour)
  5. Next occurrence caught by Layer 1 at 3ms — no LLM needed
Every LLM call trains the regex engine. LLM cost is one-time. Crystallized rules run forever at zero cost.

Research Paper

Agent Threat Rules: A Community-Driven Detection Standard for AI Agent Security Zenodo DOI: 10.5281/zenodo.19178002
The paper documents: threat taxonomy, detection architecture, PINT benchmark evaluation, and 64 known evasion techniques (published transparently).

Standardization Status (2026-05-25)

ATR is publishing proposal-stage standardization scaffolding ahead of OASIS Open Project submission. The scaffolding includes a 9-seat Technical Steering Committee charter (CNCF-derived, 2-cap per company group, 2 sovereign liaison seats), a standard threat model, an OpenTelemetry-compatible event format spec, a conformance corpus structure with threshold Ed25519 signing, the DCO contribution model, and reference implementation interface contracts in TypeScript, Python, and Go. All scaffolding is tagged PROPOSED and is NOT ratified. The 9-seat TSC has not been formed. Trademarks are not registered. Existing v1.1 governance continues to operate. The rule format, npm package, TypeScript engine API, and all rules are unchanged — Panguard’s integration of ATR works without modification. The first sovereign sub-range (ATR-TW-YYYY-NNNNN) has been issued under bootstrap maintainer attestation, pending formal Taiwan sovereign authority adoption. See the full status matrix at STANDARDIZATION-STATUS.md on the ATR repo.

Getting Started

# Install Panguard (includes ATR engine)
curl -fsSL https://get.panguard.ai | bash

# Scan a skill with ATR rules
panguard audit skill /path/to/skill

# Start real-time protection with ATR
panguard guard start

ATR on GitHub

Browse rules, contribute, and star the project.

OWASP Mapping

Full rule-by-rule mapping to OWASP Agentic Top 10.