What Is ATR? The First Open Standard for AI Agent Security
ATR (Agent Threat Rules) is an open detection standard for AI agent security threats. 71 YAML rules. OWASP Agentic Top 10 full coverage. Think Snort for network, Sigma for endpoints, ATR for AI agents.
The Problem
AI agents are deploying tools at scale. MCP (Model Context Protocol) standardized how agents use external tools, and the ecosystem exploded -- thousands of skills published across npm, ClawHub, and GitHub. But there is no standardized way to detect threats in these tools. Each security vendor builds proprietary detection logic. Researchers publish one-off scripts. Nobody can compare results because everyone is measuring different things.
Network security solved this problem with Snort rules in the 1990s. Endpoint security solved it with Sigma rules in the 2010s. AI agent security needs the same thing: an open, community-maintained, machine-readable detection standard.
What ATR Is
ATR (Agent Threat Rules) is a set of YAML-formatted detection rules specifically designed for AI agent security threats. Each rule targets a specific attack pattern -- prompt injection, credential theft, supply chain manipulation, privilege escalation -- and defines the detection logic in a format that any scanning engine can implement. As of v0.4.0, ATR contains 71 rules organized into threat categories: - PI (Prompt Injection): 13 rules covering identity override, instruction hijacking, jailbreaks, stealth blocks, eval injection, and social engineering - SC (Supply Chain): 8 rules for dependency attacks, typosquatting, postinstall scripts, and behavioral changes between versions - CT (Credential Theft): 7 rules for SSH key harvesting, environment variable exfiltration, and cloud credential theft - PE (Privilege Escalation): 6 rules for shell escape, sudo abuse, and capability expansion - DE (Data Exfiltration): 5 rules for covert channels, encoded data transfer, and DNS tunneling - Plus 32 more rules across identity spoofing, OAuth abuse, A2A validation, approval fatigue, and dynamic import attacks
Rule Format
Every ATR rule is a YAML file with a standard structure: ```yaml id: ATR-PI-001 name: Prompt Injection - Identity Override severity: HIGH category: prompt-injection description: Detects attempts to override the AI agent identity patterns: - "you are now" - "ignore previous instructions" - "your new role is" context_signals: - in_tool_description: amplify - in_code_block: suppress - in_documentation: suppress ``` The `context_signals` section is what makes ATR different from simple grep. The same pattern can be benign in documentation ("here is an example of prompt injection: ignore previous instructions") and malicious in a tool description. ATR rules encode this context awareness directly in the rule definition.
OWASP Agentic Top 10 Coverage
OWASP published the Agentic Security Top 10 (ASI01-ASI10) in early 2026 -- the first official threat taxonomy for AI agent systems. ATR maps to all 10 categories with 77 total rule mappings: | OWASP Category | ATR Rules | Coverage | |---------------|-----------|----------| | ASI01: Prompt Injection | 13 | STRONG | | ASI02: Unsafe Tool/Function Execution | 10 | STRONG | | ASI03: Tool Argument Manipulation | 8 | STRONG | | ASI04: Information Disclosure | 9 | STRONG | | ASI05: Agent Memory Poisoning | 8 | STRONG | | ASI06: Insufficient Sandboxing | 12 | STRONG | | ASI07: Multi-Agent Trust | 7 | MODERATE | | ASI08: Supply Chain Vulnerabilities | 6 | MODERATE | | ASI09: Excessive Permissions | 4 | MODERATE | | ASI10: Insufficient Logging | 5 | MODERATE |
How to Use ATR
ATR rules are engine-agnostic. You can use them with: - PanGuard: `npm install -g @panguard-ai/panguard && pga scan` -- the reference implementation - Direct integration: Import rules from `@panguard-ai/atr` and build them into your CI/CD pipeline - Manual review: Read the YAML files and manually audit your skills against the patterns The ATR repository is MIT-licensed and accepts community contributions. If you discover a new attack pattern, you can submit it as an ATR rule and it will be reviewed and distributed within hours.
Why Open Matters
Proprietary detection is a black box. You cannot audit it, you cannot verify it, and you cannot contribute to it. When a new attack emerges, you wait for the vendor to update. With ATR, the rule is public. You can read exactly what it detects and exactly what it misses. You can submit improvements. You can fork it and customize it for your environment.
This transparency is not a weakness. Snort rules are public, and Snort became the most deployed intrusion detection system in history. Sigma rules are public, and they are the standard for endpoint detection. Openness creates trust, trust creates adoption, and adoption creates the network effect that makes everyone safer.
Get Started
Install ATR and scan your skills: ```bash npm install -g [email protected] atr scan . ``` Or install PanGuard for the full security suite: ```bash curl -fsSL https://get.panguard.ai | bash pga setup ``` ATR source: [github.com/Agent-Threat-Rule/agent-threat-rules](https://github.com/Agent-Threat-Rule/agent-threat-rules)