How Cisco Ships ATR Rules in AI Defense
Cisco AI Defense merged 34 ATR rules as upstream. Then they built a CLI to consume ATR rule packs. Here is how the integration works.
From PR to Production in 3 Days
On March 2026, an engineer from Cisco AI Defense submitted a pull request to the ATR repository. PR #79: 1,272 additions. 34 ATR detection rules ported into their skill-scanner codebase.
We reviewed it. Merged in 3 days.
Then something interesting happened: Cisco built a dedicated `--rule-packs` CLI flag specifically to consume ATR rules. They did not just copy the rules -- they built infrastructure to stay in sync with ATR as a dependency.
This is what it looks like when an enterprise adopts a detection standard.
What They Integrated
34 rules covering:
- •Prompt injection patterns (system prompt override, instruction hijacking)
- •Tool poisoning (hidden instructions in tool descriptions)
- •Context exfiltration (data leakage via agent responses)
- •Credential harvesting (environment variable access, key file reads)
These rules run in Cisco AI Defense's production skill scanner. When a skill is submitted to their platform, it is scanned against ATR rules before being approved.
The Integration Pattern
Cisco's integration demonstrates a replicable pattern for any platform:
# 1. Install ATR rules
npm install agent-threat-rules
# 2. Rules are YAML files in node_modules/agent-threat-rules/rules/
# 3. Parse YAML in your language of choice
# 4. Run regex patterns against your inputATR rules are deliberately simple. YAML format. Regex patterns. No runtime dependencies. Any language can consume them.
Cisco chose to build a TypeScript wrapper. A Python shop could use PyYAML. A Go shop could use gopkg.in/yaml. The rules are the standard -- the engine is whatever you build.
Why This Matters
When a Fortune 500 security vendor builds tooling specifically to consume your rule format, it validates the standard in a way that benchmarks cannot.
It means:
1. **The format is production-ready.** Cisco's security engineers reviewed 34 rules and found them reliable enough for their production scanner.
2. **The rules catch real threats.** These are not academic exercises. They detect attacks that Cisco's customers face.
3. **The pattern is replicable.** Any platform can follow the same integration path. Install, parse, run.
The Upstream Model
ATR operates like a Linux distribution's package repository. ATR publishes detection content. Consumers (Cisco, and soon others) pull rules as an upstream dependency.
When ATR adds new rules, consumers can update by bumping their dependency version. When consumers find false positives or evasions, they report back and improve the shared ruleset.
This is the network effect: every consumer makes the rules better for every other consumer.
Your Platform Can Do This
If you build any product that processes AI agent tool calls, you can integrate ATR rules today:
1. Install: `npm install agent-threat-rules`
2. Load rules from `rules/` directory
3. Scan inputs against regex patterns
4. Block or flag based on severity
Integration guide: [agentthreatrule.org/en/integrate](https://agentthreatrule.org/en/integrate)
PR #79 on GitHub: [cisco-ai-defense/skill-scanner#79](https://github.com/cisco-ai-defense/skill-scanner/pull/79)
---
*ATR is the open detection standard for AI agent security. 108 rules. MIT licensed.*