OPEN STANDARD
Agent Threat Rules (ATR)
The first open detection standard for AI agent threats. Machine-readable, community-driven, and designed for the threats that Sigma and YARA were never built to catch.
THE PROBLEM
Traditional rules can't see agent threats
Sigma detects log-based IOCs. YARA matches file-level byte patterns. Neither understands prompt flows, tool calls, or multi-turn agent conversations.
AI agents introduce a new attack surface: prompt injection, tool poisoning, context exfiltration, skill compromise. These threats live in the semantic layer -- invisible to pattern matchers designed for network packets and file hashes.
ATR is the missing detection standard. Purpose-built for the AI agent era.
Sigma Rules
Log-based IOCs. No awareness of prompt context or tool interactions.
YARA Rules
File-level byte patterns. Cannot inspect agent conversation flows.
ATR Rules
Semantic-layer detection. Built for prompts, tools, and agent behavior.
WHY ATR
Three standards. Three eras.
Sigma defined network detection. YARA defined file detection. ATR defines agent detection.
RULE CATEGORIES
9 categories. 52 rules. Growing daily.
Covering the full spectrum of AI agent attack vectors, mapped to OWASP LLM Top 10.
Prompt Injection
Direct and indirect prompt injection, jailbreaks, system prompt override, multi-turn attacks
Tool Poisoning
Malicious MCP responses, tool output injection, unauthorized tool calls, SSRF via tools
Context Exfiltration
System prompt leaks, API key exposure, internal instruction theft
Agent Manipulation
Cross-agent attacks, goal hijacking, inter-agent message spoofing, human trust exploitation
Privilege Escalation
Tool permission escalation, scope creep, admin function access
Excessive Autonomy
Runaway agent loops, resource exhaustion, cascading pipeline failures
Skill Compromise
Skill impersonation, hidden capabilities, chain attacks, parameter injection, update attacks
Data Poisoning
RAG retrieval poisoning, knowledge base contamination
Model Security
Model behavior extraction, malicious fine-tuning data detection
INTEGRATION
Where ATR fits in the stack
ATR rules are evaluated at the semantic layer -- between the LLM and the tools it invokes.
User Input
Prompt text, uploaded files, conversation context
ATR Engine
32 rules evaluated in <1ms per event. Block, alert, or escalate.
LLM / Agent
Claude, GPT, Gemini, local models -- any provider
Tools & Skills
MCP servers, OpenClaw skills, file system, shell, APIs
ATR intercepts at the semantic layer -- before malicious instructions reach the agent, and before compromised outputs reach the tools.
HOW IT WORKS
YAML rules. Real-time engine.
Write human-readable rules. The ATR engine matches them against live agent telemetry in milliseconds.
Define detection logic
Each rule specifies conditions on agent fields: user_input, tool_calls, model_output, context. Supports regex, keyword, and semantic operators.
Map to frameworks
Rules link to OWASP LLM Top 10 and MITRE ATLAS references, providing compliance coverage and threat context.
Engine evaluates in real-time
The ATR engine loads rules and matches them against agent events as they occur. Sub-millisecond evaluation per rule.
Automated response
When a rule triggers, configurable actions fire: block_input, alert, snapshot, escalate. Threshold-based auto-response prevents false positive fatigue.
title: "Direct Prompt Injection via User Input"
id: ATR-2026-001
status: experimental
severity: high
references:
owasp_llm:
- "LLM01:2025 - Prompt Injection"
detection:
conditions:
- field: user_input
operator: regex
value: "(?i)(ignore|disregard)\\s+previous\\s+instructions"
condition: any
response:
actions:
- block_input
- alert
- snapshotRULE EXAMPLES
Rules for real threats
Each rule targets a specific attack pattern observed in production AI agent deployments.
Tool Poisoning via MCP
Tool Poisoningtitle: "Direct Prompt Injection via User Input"
id: ATR-2026-001
status: experimental
severity: high
references:
owasp_llm:
- "LLM01:2025 - Prompt Injection"
detection:
conditions:
- field: user_input
operator: regex
value: "(?i)(ignore|disregard)\\s+previous\\s+instructions"
condition: any
response:
actions:
- block_input
- alert
- snapshotContext Exfiltration via Markdown
Context Exfiltrationtitle: "Tool Poisoning via MCP Response"
id: ATR-2026-008
status: experimental
severity: critical
references:
owasp_llm:
- "LLM02:2025 - Tool Misuse"
detection:
conditions:
- field: tool_output
operator: regex
value: "(eval|exec|child_process|__import__|subprocess\\.run)\\("
- field: tool_output
operator: contains
value: "import os"
condition: any
response:
actions:
- block_output
- alert
- block_toolExcessive Agent Autonomy Loop
Excessive Autonomytitle: "Context Exfiltration via Markdown"
id: ATR-2026-012
status: experimental
severity: high
detection:
conditions:
- field: model_output
operator: regex
value: "!\\[.*\\]\\(https?://[^)]+\\?.*="
- field: model_output
operator: regex
value: "(api_key|secret|token|password|credential)"
condition: all
response:
actions:
- block_output
- alert
- snapshotCOMPLIANCE MAPPING
OWASP Agentic Top 10 coverage
Every ATR rule maps to the OWASP Top 10 for Agentic Applications, providing structured coverage of the most critical AI agent security risks.
ECOSYSTEM
Open standard. Community-driven growth.
ATR follows the same playbook that made Sigma and YARA industry standards -- open governance, community contributions, and vendor-neutral design.
52
Detection rules
9
Threat categories
10/10
OWASP Agentic coverage
MIT
License
CONTRIBUTION FLOW
Identify a threat pattern
Observe a new attack vector in production, research, or CTF. Document the behavior.
Write an ATR rule
Define detection conditions in YAML. Map to OWASP and MITRE references. Add test cases.
Submit a pull request
The community reviews, tests, and merges. Rules ship to all ATR users automatically.
Collective defense
Every new rule strengthens the entire ecosystem. One contributor protects thousands of deployments.
ROADMAP
The standard evolves
Foundation
- 32 rules across 9 categories
- YAML format specification
- OWASP Agentic Top 10 mapping
- Real-time evaluation engine
- CLI tooling
Expansion
- 50+ rules with community contributions
- Semantic operator support
- Multi-agent correlation rules
- IDE integration (VS Code, Cursor)
- Threat Cloud auto-generated rules
Industry Standard
- 100+ production-grade rules
- Formal specification document
- Vendor integration program
- Certification and compliance toolkit
- Governing body formation
Join the ATR community
ATR is open source and community-driven. Contribute rules, report new threat patterns, or integrate ATR into your own agent security stack.