Skip to main content
Agent Threat Rules (ATR) is an open standard for describing and detecting security threats targeting AI agents — purpose-built for the AI agent era.

What is ATR?

ATR rules detect threats that traditional security tools miss:
  • Prompt injection in MCP tool responses
  • Tool poisoning via hidden instructions
  • Data exfiltration through agent actions
  • Privilege escalation via skill manipulation
  • Supply chain attacks on skill registries
  • Credential theft via agent tool calls
  • Inter-agent manipulation in multi-agent systems

By the Numbers

101 rulesCovering 9 threat categories
OWASP 10/10Full coverage of OWASP Agentic Top 10
96.9% recallOn SKILL.md benchmark (100% precision, 0% FP)
62.7% recallOn PINT MCP benchmark (99.7% precision)
90,000+ skillsScanned across registries
520+ patternsUnique detection signatures
< 3ms scan timePer skill (regex layer)

OWASP Agentic Top 10 Coverage

ATR provides executable detection rules for every OWASP category:
OWASP CategoryATR RulesCoverage
ASI01: Agent Goal Hijack13STRONG
ASI02: Tool Misuse & Exploitation11STRONG
ASI03: Identity & Privilege Abuse9STRONG
ASI04: Agentic Supply Chain8STRONG
ASI05: Unexpected Code Execution8STRONG
ASI06: Memory & Context Poisoning8STRONG
ASI07: Inter-Agent Communication5MODERATE
ASI08: Cascading Failures4MODERATE
ASI09: Human-Agent Trust5MODERATE
ASI10: Rogue Agents7MODERATE
OWASP provides a checklist. ATR provides the executable rules. Use ATR to turn OWASP compliance from a PDF exercise into automated detection.

Three Detection Layers

LayerMethodSpeedCoverage
Layer 1Regex pattern matching3msKnown patterns
Layer 2Content fingerprinting~200msVariants
Layer 3LLM-as-judge~3sNovel threats

Threat Crystallization

When the LLM layer (Layer 3) discovers a new attack pattern, ATR crystallizes it into a deterministic regex rule:
  1. LLM detects novel threat pattern
  2. RuleScaffolder generates a new regex rule
  3. Shadow mode validates against 1,000 samples (FP < 0.1%)
  4. Rule promoted and distributed via Threat Cloud (< 1 hour)
  5. Next occurrence caught by Layer 1 at 3ms — no LLM needed
Every LLM call trains the regex engine. LLM cost is one-time. Crystallized rules run forever at zero cost.

Research Paper

Agent Threat Rules: A Community-Driven Detection Standard for AI Agent Security Zenodo DOI: 10.5281/zenodo.19178002
The paper documents: threat taxonomy, detection architecture, PINT benchmark evaluation, and 64 known evasion techniques (published transparently).

Getting Started

# Install Panguard (includes ATR engine)
curl -fsSL https://get.panguard.ai | bash

# Scan a skill with ATR rules
panguard audit skill /path/to/skill

# Start real-time protection with ATR
panguard guard start

ATR on GitHub

Browse rules, contribute, and star the project.

OWASP Mapping

Full rule-by-rule mapping to OWASP Agentic Top 10.