ATR Implements the Detection Layer the NSA Identified as Missing in MCP
The NSA published 17 pages on MCP security risks in May 2026. It named zero detection frameworks. ATR fills that layer -- 433 rules covering all five NSA risk categories, in production at Microsoft, Cisco, MISP, and OWASP.
On May 20, 2026, the NSA Artificial Intelligence Security Center published a 17-page Cybersecurity Information Sheet: "Model Context Protocol (MCP): Security Design Considerations for AI-Driven Automation." It is the first major US government technical document to address MCP security directly.
The document is thorough on risk identification. It maps five categories of structural MCP vulnerabilities. It calls for "community coordination" to strengthen AI security foundations. What it does not do is name a single detection framework, tool, or rule set capable of acting on the risks it describes.
That gap is the same one CISA and the Five Eyes partners flagged on April 30, 2026. Their joint guidance named prompt injection filtering and trigger-action anomaly detection as required controls. Neither document named anything that implements those controls.
ATR (Agent Threat Rules) fills that layer.
NSA's Five Risk Categories Mapped to ATR
The NSA CSI identifies five categories of MCP-specific risk. Each maps to an existing ATR rule group.
Serialization risks. MCP servers deserialize structured inputs from untrusted sources. ATR encoding bypass rules detect base64, hex, and Unicode obfuscation patterns used to smuggle payloads through serialization layers.
Trust boundary violations. MCP crosses trust boundaries between user context, tool context, and external services. ATR privilege escalation rules detect when a skill or tool attempts to claim elevated permissions, impersonate system roles, or access scopes not granted in the original invocation context.
Agent misuse. The CSI notes that MCP enables agents to take actions users did not intend. ATR jailbreak and instruction injection rules -- the largest single category, representing 38% of confirmed wild findings across 96,096 scanned skills -- detect patterns where a skill overrides system instructions, suppresses prior context, or introduces conflicting directives mid-session.
Dynamic tool invocation. The CSI flags risks from tools that invoke other tools at runtime without user visibility. ATR code injection and reverse shell rules detect runtime command execution, subprocess spawning, and callback patterns consistent with live exploitation. Two rules (ATR-2026-00440 and ATR-2026-00441) were published within 2 hours 16 minutes of MSRC disclosing CVEs 2026-26030 and 2026-25592 for Microsoft Semantic Kernel.
Context sharing vulnerabilities. MCP shares context across tools and sessions in ways that leak sensitive information. ATR context exfiltration rules detect skills that read conversation history, extract environment variables, or encode and transmit retrieved data to external endpoints.
The mapping is not coincidental. ATR was built from empirical data -- 96,096 production skills scanned, 751 confirmed malicious -- before the NSA published its guidance. The attack patterns the CSI names were present in real deployments before any government body named them.
CISA Recommendation 10
CISA's joint advisory Recommendation 10 calls specifically for trigger-action protocol monitoring: systems must detect when an agent takes an action that was not directly triggered by a verified user instruction.
Detection rules are the mechanism that makes this recommendation implementable. A policy statement that trigger-action anomalies require detection does not specify what signatures to watch. ATR's 433 rules operationalize those signatures in a format that regex-capable security tools can consume without modification.
This matters because the recommendation does not come with an implementation. CISA writes the policy. The security community writes the detection. That is the normal division of responsibility. ATR exists specifically for the half the government guidance does not cover.
Where ATR Runs Today
ATR is in production in five external systems: - Microsoft AGT (GitHub Actions environment, integrated in response to MSRC CVE disclosures) - Cisco AI Defense (MCP-focused skill scanning, integrated March 2026) - MISP (merged into threat taxonomy and galaxy, distributed to EU national CERTs) - OWASP Agent Security Reference Hub (contributor-status merge, April 2026) - Gen Digital Sage (Norton/Avast parent, active integration)
Integrations with LiteLLM proxy, NVIDIA Garak, meta-llama PurpleLlama, and promptfoo are in active review. The pattern is consistent: security tools without a native MCP detection layer are adopting ATR as their rules substrate.
The wild scan corpus -- 96,096 skills across OpenClaw, ClawHub, Skills.sh, and Hermes -- found 751 confirmed malicious skills. That dataset predates the NSA CSI. The attack patterns the CSI names were already present in production skill registries before the government published guidance on them.
What Comes Next
ATR v3.0.0-alpha is in active development. An OASIS Open Project formal proposal was filed May 26, 2026, to move ATR toward an international standard under a neutral governance body. The goal is a detection layer that any security tool, SIEM, or runtime agent framework can adopt without vendor lock-in.
New CVE-linked rules ship within hours of disclosure, not weeks. ATR-2026-00440 and ATR-2026-00441 landed inside a business day of the Semantic Kernel CVE announcement. The pipeline from public CVE to production detection signature is now automated.
The NSA CSI ends by calling for community coordination. The standard exists. It is MIT-licensed. Contributions, integrations, and rule proposals are open at github.com/Agent-Threat-Rule/agent-threat-rules.