ATR in MISP: Taxonomy + Galaxy Merged on the Same Day
Two MISP merges on 2026-05-10: PR #323 added the ATR taxonomy (standardised tags for AI agent threats); PR #1207 added the ATR galaxy with 533 cross-references mapping individual ATR rules to MITRE ATLAS and ATT&CK techniques. CERTs and ISACs now have both the vocabulary and the cross-walk to existing TI frameworks. Pivot, share IOCs, and correlate across borders without a bespoke ontology.
Merged
On 2026-05-10 at 17:40 UTC, MISP/misp-taxonomies#323 merged into main. ATR is now an upstream MISP taxonomy.
If you have not run a CERT or worked an ISAC desk, MISP probably does not mean much. Let us explain.
What MISP Is
MISP (Malware Information Sharing Platform) is the standard threat-intel sharing layer used by national CSIRTs and Information Sharing and Analysis Centers globally. CERT-EU, CERT-FR, the US H-ISAC, FS-ISAC, ENISA, and dozens of national CERTs run it. When one agency observes an attack and tags it, peer agencies can pivot on shared tags and pull related telemetry from their own sensors.
Tags need a vocabulary. MISP's misp-taxonomies repo is that vocabulary — a curated set of namespaces, predicates, and values that everyone agrees mean the same thing.
For AI agent threats, there was no namespace. CERTs that wanted to track prompt injection or tool poisoning were either using free-text tags (uncorrelatable) or bending unrelated taxonomies (lossy). PR #323 fixes that.
What the Taxonomy Covers
The ATR namespace adds standardised tags across the agent threat surface:
- prompt-injection — direct, indirect, multi-turn, jailbreak family
- tool-poisoning — hidden instructions in tool descriptions, parameter injection
- skill-compromise — supply-chain compromise of agent skills
- mcp-supply-chain — Model Context Protocol server compromise, malicious MCP packages
- agent-manipulation — goal hijacking, scope creep, persistence
- memory-context-poisoning — adversarial memory injection
- inter-agent-communication — multi-agent message tampering
- rogue-agents — unsanctioned agent deployment, shadow IT agents
Every taxonomy value links back to the corresponding ATR rule IDs in the agent-threat-rules repo. A CERT analyst who tags an incident with atr:prompt-injection="indirect-via-document" can pivot directly to the ATR rules that detect that pattern.
The Galaxy Merge
The companion PR — MISP/misp-galaxy#1207 — landed on the same day. The galaxy adds 533 cross-references mapping individual ATR rules to MITRE ATLAS and ATT&CK techniques.
Taxonomy gives CERTs the tags. Galaxy gives them the cross-walk. An analyst tagging an incident atr:prompt-injection="indirect-via-document" can now pivot directly to the ATR galaxy entry, see which ATLAS techniques (AML.T0051 Prompt Injection, AML.T0043 Craft Adversarial Data) the rule maps to, and correlate against ATT&CK adversary playbooks the agency already tracks.
For threat-intel teams, this is the difference between knowing what to call something and knowing what to do with it.
Why This Matters For CERTs
Three concrete workflow gains:
1. Cross-agency correlation. When CERT-A in country X tags an incident and CERT-B in country Y queries their MISP instance, the tag match works. Before, both agencies would tag the same attack class with different free-text strings.
2. IOC sharing. Indicators of compromise (URLs, model fingerprints, malicious skill hashes) can be shared with proper context. A tool-poisoning IOC tagged in the ATR namespace tells the receiver what attack class to look for, not just "here is a hash."
3. Existing tooling works. Every CERT already has MISP integrations into their SIEM, ticketing, and case-management systems. AI agent threats slot into the same pipelines. No new dashboards, no new training, no procurement cycle.
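The cross-agency correlation in point 1, as an added example that is not code from MISP or the ATR project: it parses MISP machine tags of the form namespace:predicate="value", accepts only the atr predicates listed above, and groups events that more than one organisation tagged identically. The event dictionaries are a simplified, constructed shape (not the MISP event JSON), and the org names and event ids are made up.

```python
import re
from collections import defaultdict

# Predicates of the atr namespace as listed on this page.
ATR_PREDICATES = {
    "prompt-injection", "tool-poisoning", "skill-compromise",
    "mcp-supply-chain", "agent-manipulation", "memory-context-poisoning",
    "inter-agent-communication", "rogue-agents",
}

# MISP machine tag: namespace:predicate or namespace:predicate="value"
MACHINE_TAG = re.compile(r'^([a-z0-9_-]+):([a-z0-9_-]+)(?:="([^"]*)")?$', re.I)

def parse_atr_tag(tag):
    """Return (predicate, value) for a valid atr machine tag, else None."""
    m = MACHINE_TAG.match(tag.strip())
    if not m or m.group(1).lower() != "atr":
        return None  # free text or another namespace (e.g. tlp)
    predicate = m.group(2).lower()
    if predicate not in ATR_PREDICATES:
        return None  # typo or local extension: do not silently correlate
    return predicate, m.group(3)

def correlate(events):
    """Map each (predicate, value) to {org: [event ids]}, keeping only
    pairs that more than one organisation has tagged."""
    seen = defaultdict(lambda: defaultdict(list))
    for ev in events:
        for tag in ev["tags"]:
            parsed = parse_atr_tag(tag)
            if parsed:
                seen[parsed][ev["org"]].append(ev["id"])
    return {k: dict(v) for k, v in seen.items() if len(v) > 1}

# Constructed sample events (hypothetical orgs and ids, not real MISP data).
EVENTS = [
    {"id": 101, "org": "CERT-A", "tags": ['atr:prompt-injection="indirect-via-document"', "tlp:amber"]},
    {"id": 202, "org": "CERT-B", "tags": ['atr:prompt-injection="indirect-via-document"']},
    {"id": 203, "org": "CERT-B", "tags": ["prompt injection via pdf"]},  # free text
    {"id": 304, "org": "CERT-C", "tags": ['atr:prompt-injecton="indirect-via-document"']},  # typo
    {"id": 105, "org": "CERT-A", "tags": ["atr:tool-poisoning"]},  # no value, one org only
]

if __name__ == "__main__":
    for (pred, val), orgs in correlate(EVENTS).items():
        print(f'atr:{pred}="{val}" -> {orgs}')
```

Only events 101 and 202 correlate; the free-text tag and the misspelled predicate drop out, which is the failure mode a shared namespace is meant to remove.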
The Standard-Setter Point
ATR did not invent MISP. We submitted a PR to fit AI agent threats into the workflow CERTs already use. That is what open standards work looks like: meet practitioners where they are, do the integration work, ship.
If you operate a CERT or ISAC and want help wiring the ATR taxonomy into your MISP instance, the repo has integration notes and the maintainer is reachable.
Taxonomy PR #323 · Galaxy PR #1207 · ATR repo · MISP project