We used to protect people.
Now we protect agents.
The open detection standard for AI agent threats. YAML rules. MIT Licensed. No lock-in.
AI agents now browse the web, execute code, and call external tools. Attackers trick them into leaking credentials, running reverse shells, and ignoring safety boundaries. The attack surface grows faster than any team can write rules by hand.
Across 9 threat categories. Each mapped to real CVEs and OWASP standards.
Precision on 850 adversarial samples. External PINT benchmark.
99% of events resolve at Tier 0-2. Zero API cost.
Scanned across OpenClaw + Skills.sh. 3,255 CRITICAL. 2,656 HIGH.
OWASP Agentic Top 10 categories fully covered.
SAFE-MCP technique coverage. 78 of 85.
9 threat categories. 100 rules. Real CVEs.
Each rule links to OWASP, MITRE ATLAS, and documented exploits.
Hidden instructions that hijack agent behavior. Persona switching, encoded payloads, CJK attacks.
Malicious MCP responses, consent bypass, hidden instructions in tool schemas.
Typosquatting, description-behavior mismatch, supply chain attacks.
API key leakage, system prompt theft, disguised analytics.
Cross-agent attacks, goal hijacking, Sybil consensus, orchestrator bypass.
Scope creep, delayed execution bypass, unauthorized elevation.
Runaway loops, resource exhaustion, unauthorized financial actions.
RAG and knowledge base tampering.
Behavior extraction, malicious fine-tuning data injection.
Cisco AI Defense ships 34 ATR rules as upstream.
Their engineer submitted a PR. We reviewed it. It merged in 3 days. 1,272 additions. Then they built a --rule-packs CLI specifically to consume ATR.
4 merged. 7 pending. 11 total PRs.
ATR spreads through PRs, not sales calls. Each merge is irreversible adoption.
ATR listed as detection tool in OWASP resource collection.
PR #187 submitted. 78/85 technique coverage mapping.
PR #117 submitted to curated security tools list.
PR #87 submitted to MCP security resource list.
PR #58172 submitted. Fixed and waiting review.
PR #814 submitted for ATR integration reference.
PR #108 merged into LLM safety/security list.
PR #58 submitted. CI config issue on their end.
PR #3976 submitted. Needs Glama registration.
Skills.sh: 3,115
Why not write your own rules?
ATR vs alternatives. The honest comparison.
| ATR | Write Your Own | Sigma | MS Agent Governance | |
|---|---|---|---|---|
| Threat model | AI agent runtime + skill supply chain | You define | SIEM logs (network/endpoint) | Policy engine (allow/deny) |
| Detection | Regex + behavioral + LLM-as-judge | Your approach | Log correlation | Policy evaluation |
| New attack response | < 1 hour (crystallization) | Depends on team | Community PR | Write policy yourself |
| Maintenance | Community-maintained, zero cost | All on you | Community | Microsoft-maintained |
| OWASP | 10/10 Agentic + 7/10 AST10 | -- | -- | 10/10 Agentic |
| Relationship | -- | -- | Complementary (different threat surface) | Complementary (ATR detects, MS enforces) |
Sigma detects SIEM logs. ATR detects AI agent runtime threats. Microsoft enforces policies. These are complementary, not competing. ATR is the detection layer — other tools consume ATR rules as upstream.
ATR rules don't have to be written by hand.
Threat Cloud crystallization turns new attacks into detection rules automatically.
Other standards need committees and months of review. ATR crystallizes new rules in hours.
Found a bypass? File an issue. 15 minutes. Most valuable contribution.
Rule triggered on legit content? Help us tune precision. 20 minutes.
Write a detection rule with the ATR schema. Full walkthrough. 1-2 hours.
Use Claude Code or Cursor with ATR's MCP server. The AI writes the YAML. You review it.
Add ATR to your platform.
Four paths. TypeScript, Python, raw YAML, or SIEM queries. The same path Cisco walked.