SECURITY GLOSSARY

What is Agent Threat Rule (ATR)?

An Agent Threat Rule (ATR) is a YAML-formatted detection rule for AI agent security threats. ATR is to AI agents what Sigma is to SIEM logs and YARA is to malware files: an open, machine-readable detection standard with multi-vendor adoption.

ATR rules describe attacks that traditional security tools cannot see. Network packet filters miss prompt injection because the attack is semantic, not syntactic. File scanners miss tool poisoning because the payload lives in a JSON tool description, not a binary. ATR closes that gap with rules that match against agent-context fields like tool_call.arguments, agent_action.command_line, model_output, and agent_event.event_type.

Each ATR rule is a YAML document with five required sections: a unique ID, severity classification, detection conditions (regex, keyword, or semantic operators), OWASP / MITRE / NIST compliance mapping, and test cases (both true positives and true negatives). The format is designed so any scanning engine — PanGuard, Microsoft AGT, Cisco AI Defense, MISP, OWASP Agentic Top 10 reference implementations — can load and evaluate the same rule and produce the same verdict.

As of v2.1.3, the ATR corpus contains 344 rules across 10 threat categories: prompt-injection (115), agent-manipulation (105), skill-compromise (40), context-exfiltration (33), tool-poisoning (22), privilege-escalation (11), model-abuse (8), excessive-autonomy (6), model-security (3), data-poisoning (1). OWASP Agentic Top 10 coverage is 10 of 10 categories. The rule set is MIT licensed and lives in a public repository at github.com/Agent-Threat-Rule/agent-threat-rules.

Production deployments include Microsoft Agent Governance Toolkit (287 rules merged via PR #1277 with a weekly auto-sync workflow), Cisco AI Defense skill-scanner (344 rules merged via PR #99), and MISP (PR #1207 on misp-galaxy, PR #323 on misp-taxonomies). Adam Lin, founder of PanGuard AI, has documented: "The standard exists to be cited. We measure success by how many ecosystems ship our rule IDs, not by how many users install our CLI."

OWASP

All 10 OWASP Agentic Top 10 categories

MITRE

MITRE ATLAS

Related ATR rules

ATR-2026-00001, ATR-2026-00012, ATR-2026-00099

References

Related terms

Prompt Injection

Prompt injection is an attack where untrusted input embedded in a prompt causes a large language model to follow instructions from the input instead of the system prompt. OWASP classifies it as the top risk in both the LLM Top 10 (LLM01:2025) and the Agentic Top 10 (ASI01:2026).

Learn more

Tool Poisoning

Tool poisoning is an attack where a malicious tool description or tool response injects instructions into the agent. The agent reads the tool definition or output as plain text and treats embedded instructions as authoritative — a special case of indirect prompt injection focused on the MCP and skill ecosystem.

Learn more

Skill Auditor

A Skill Auditor is a pre-install security gate for AI agent skills. It scans skill manifests, tool definitions, and packaged code for prompt injection, tool poisoning, hidden capabilities, supply-chain signals, and behavior-description mismatches before the skill is installed. PanGuard ships an open-source Skill Auditor with 8 checks.

Learn more

AI Agent Skill

An AI agent skill is a packaged capability — code, prompt template, and tool definitions — that an AI agent can install and invoke. Formats include Claude Skills (SKILL.md), MCP servers (npm packages), OpenClaw skills, and custom proprietary formats. Skills are the "apps" of the agent era — and have the same supply-chain risk as npm packages.

Learn more

Reviewed byAdam Lin·Last reviewed2026-05-12