Skip to main content
Agent Threat Rules (ATR) is an open standard for describing and detecting security threats targeting AI agents — purpose-built for the AI agent era.

What is ATR?

ATR rules detect threats that traditional security tools miss:
  • Prompt injection in MCP tool responses
  • Tool poisoning via hidden instructions
  • Data exfiltration through agent actions
  • Privilege escalation via skill manipulation
  • Supply chain attacks on skill registries
  • Credential theft via agent tool calls
  • Inter-agent manipulation in multi-agent systems

By the Numbers

OWASP Agentic Top 10 Coverage

ATR provides executable detection rules for every OWASP category:
OWASP provides a checklist. ATR provides the executable rules. Use ATR to turn OWASP compliance from a PDF exercise into automated detection.

Three Detection Layers

Threat Crystallization

When the LLM layer (Layer 3) discovers a new attack pattern, ATR crystallizes it into a deterministic regex rule:
  1. LLM detects novel threat pattern
  2. RuleScaffolder generates a new regex rule
  3. Shadow mode validates against 1,000 samples (FP < 0.1%)
  4. Rule promoted and distributed via Threat Cloud (< 1 hour)
  5. Next occurrence caught by Layer 1 at 3ms — no LLM needed
Every LLM call trains the regex engine. LLM cost is one-time. Crystallized rules run forever at zero cost.

Research Paper

Agent Threat Rules: A Community-Driven Detection Standard for AI Agent Security Zenodo DOI: 10.5281/zenodo.19178002
The paper documents: threat taxonomy, detection architecture, PINT benchmark evaluation, and 64 known evasion techniques (published transparently).

Standardization Status (2026-05-25)

ATR is publishing proposal-stage standardization scaffolding ahead of OASIS Open Project submission. The scaffolding includes a 9-seat Technical Steering Committee charter (CNCF-derived, 2-cap per company group, 2 sovereign liaison seats), a standard threat model, an OpenTelemetry-compatible event format spec, a conformance corpus structure with threshold Ed25519 signing, the DCO contribution model, and reference implementation interface contracts in TypeScript, Python, and Go. All scaffolding is tagged PROPOSED and is NOT ratified. The 9-seat TSC has not been formed. Trademarks are not registered. Existing v1.1 governance continues to operate. The rule format, npm package, TypeScript engine API, and all rules are unchanged — Panguard’s integration of ATR works without modification. The first sovereign sub-range (ATR-TW-YYYY-NNNNN) has been issued under bootstrap maintainer attestation, pending formal Taiwan sovereign authority adoption. See the full status matrix at STANDARDIZATION-STATUS.md on the ATR repo.

Getting Started

ATR on GitHub

Browse rules, contribute, and star the project.

OWASP Mapping

Full rule-by-rule mapping to OWASP Agentic Top 10.