ATR vs Sigma — open detection rule standards compared
Sigma rules detect threats in log events. ATR rules detect threats in AI agent behavior. They solve different problems and are designed to coexist — Sigma in SIEM, ATR in agent runtime. PanGuard Migrator converts Sigma to ATR for organizations bridging both.
Sigma is the open detection standard for SIEM (Security Information and Event Management). Rules describe log patterns — Windows Event ID 4625 with logon type 3 and source IP outside the allowlist — and SIEM engines (Splunk, ELK, Microsoft Sentinel) load and evaluate them. Sigma is a decade old, has thousands of community rules, and is the de-facto language for detection engineering.
ATR is the open detection standard for AI agents. Rules describe agent-context patterns — `tool_call.arguments` containing a base64-encoded reverse shell, `model_output` containing markdown image references with credential parameters, `agent_event.event_type` of unauthorized_file_read — and ATR engines (PanGuard Guard, Microsoft AGT, Cisco AI Defense skill-scanner) load and evaluate them. ATR is two years old, has 344 rules, and is becoming the de-facto language for AI agent detection.
Feature comparison
Feature
ATR (Agent Threat Rules)
Sigma
Detection target
Agent behavior + tool calls + model output
Log events + system telemetry
Maturity
2 years, 344 rules
10+ years, thousands of community rules
Prompt injection detection
Native (115 rules)
Not designed for it
Tool call monitoring
Native (22 rules)
Not designed for it
SIEM integration
Via SARIF export
Native (all major SIEMs)
Vendor adoption
Microsoft AGT, Cisco AI Defense, MISP, OWASP A-S-R-H
Splunk, Elastic, Microsoft Sentinel, Sumo Logic, every SIEM
License
MIT
DRL (Detection Rule License)
YAML format
Yes
Yes
OWASP Agentic Top 10 mapping
10/10 native
No mapping
OWASP LLM Top 10 mapping
Native
No mapping
Migration path
PanGuard Migrator converts Sigma → ATR
—
Green highlights which side is stronger for that feature. "context" (amber) means "depends on use case, neither wins overall".
When to choose ATR (Agent Threat Rules)
You are protecting AI agent workloads — Claude Code, Cursor, OpenClaw, MCP servers, custom in-house agents. The threats are prompt injection, tool poisoning, indirect injection through retrieved content, agent supply-chain attacks. Sigma cannot see these because they happen in semantic space, not in syslog.
When to choose Sigma
You are protecting infrastructure — servers, endpoints, network. The threats are credential stuffing, lateral movement, malware, ransomware. Sigma is the right tool because the threats produce log events and SIEM is where you already have detection-engineering infrastructure.
Bottom line
Use both. Run Sigma in your SIEM for infrastructure. Run ATR in your agent runtime for AI agent workloads. If you have legacy Sigma detection engineering investment and you are starting on AI agent security, PanGuard Migrator converts your Sigma corpus to ATR with five-framework compliance metadata in one CLI invocation.