Sigma to ATR YAML converter — open source, free
Paste a Sigma or YARA rule and get schema-valid ATR YAML back. No signup. Runs in your browser.
COMMUNITY vs PILOT
Which tier matches your scope?
Community is free forever. Pilot adds 13 more input formats, LLM enrichment, an EU AI Act evidence pack, and the Threat Cloud contribute pipeline.
Community
$0 · Forever · MIT
- Sigma parser
- YARA parser
- IR transformer
- ATR schema validation
- CLI + web demo
- Self-host forever
Pilot · 90 days
$25K · One team · one rule corpus
- Everything in Community
- 13 more input formats (promptfoo, pyrit, ghsa, osv, splunk-spl, snort, elastic-eql, falco, semgrep, codeql, cve-nvd, kev, garak) (Pilot only)
- LLM enrichment (5-framework mapping) (Pilot only)
- EU AI Act evidence pack (Pilot only)
- Threat Cloud contribute pipeline (Pilot only)
- Credits 100% toward Year 1 contract (Pilot only)
The Enterprise pipeline behind the converter
Convert legacy detection rules into AI-agent-context ATR YAML in one command. Auto-mapped to EU AI Act articles, OWASP Agentic Top 10, NIST AI RMF, ISO/IEC 42001.
One command, full pipeline
Replace months of consulting with a single CLI invocation.
pga migrate-pro \
  --input ./customer-rules \
  --output ./atr-out \
  --evidence ./atr-out/eu-pack \
  --demo --enrich --telemetry --contribute \
  --customer-id ACME-BANK-EU \
  --audit-period 2026-Q2
Or launch the web dashboard: pga migrate-pro --web
How it works
Sigma/YARA in. ATR YAML + audit pack + activation report out.
Drop your Sigma/YARA rules
Upload a directory or zip of legacy detection rules. The migrator parses Sigma YAML and YARA text without external dependencies.
IR + LLM enrichment
Each rule passes through a source-agnostic intermediate representation, then an LLM enrichment layer that reauthors detections from endpoint fields to agent-context fields (tool_call.arguments, agent_action.command_line, agent_event.event_type).
Compliance + tests + demo
Each output rule carries a 5-framework compliance map (EU AI Act, OWASP Agentic Top 10:2026, OWASP LLM Top 10:2025, NIST AI RMF, ISO/IEC 42001), test cases (TP + TN), false-positive scenarios, and a message template.
Validated against ATR
Every output rule passes the public agent-threat-rules validateRule() — deployable to the ATR engine, Elastic Security, Splunk, GitHub code-scanning (SARIF), or any SIEM via the public ATR converters.
Before / after
Same intent, agent-context-aware detection.
title: Malicious PowerShell Commandlets
id: 49f9da17-8169-4413-bc59-2da014bd6b46
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - 'Invoke-Mimikatz'
      - 'Get-NetGroupMember'
      - 'Invoke-NinjaCopy'
  condition: selection
level: high
tags:
  - attack.execution
  - attack.t1059.001

schema_version: '0.1'
title: Malicious PowerShell Commandlets - ProcessCreation
id: ATR-2026-85501
status: draft
severity: high
detection:
  condition: any
  conditions:
    - field: tool_call.arguments
      operator: regex
      value: '(?i)(Invoke-Mimikatz|Get-NetGroupMember|Invoke-NinjaCopy)'
    - field: agent_action.command_line
      operator: regex
      value: '(?i)PowerShell.*-(Enc|EncodedCommand)'
agent_source:
  type: agent_action
  framework: [claude-code, openai-codex]
compliance:
  eu_ai_act:
    - article: '15'
      strength: primary
    - article: '12'
      strength: secondary
  owasp_agentic:
    - id: 'ASI06:2026'
      strength: primary
test_cases:
  true_positives:
    - input: 'powershell -nop -w hidden -enc IEX(Invoke-Mimikatz)'
      expected: triggered
  true_negatives:
    - input: 'docs about Invoke-Mimikatz educational content'
      expected: not_triggered

What you get
Per migration run, in one CLI invocation.
EU AI Act detection evidence
JSON + Markdown + HTML evidence pack with SHA-256 + Merkle root signature. Articles 9, 12, 14, 15, 50 covered — the technical-control evidence dossier auditors expect to see alongside risk management and technical documentation.
Activation demo
Five attack events + five benign events replay against your migrated rules. The report tells you exactly which rule fired on which event — proof the rules work, not just that they validate.
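A small replay of the rule from "Before / after" against its own test cases, as an added example (not PanGuard's or ATR's code). It assumes events are flat dicts keyed by the dotted field names and that each test input is bound to a single field; the page specifies neither, and only the `any` condition appears on it.

```python
import re

# Conditions of the ATR rule shown under "Before / after" (detection.condition: any).
RULE = {
    "id": "ATR-2026-85501",
    "condition": "any",
    "conditions": [
        {"field": "tool_call.arguments", "operator": "regex",
         "value": r"(?i)(Invoke-Mimikatz|Get-NetGroupMember|Invoke-NinjaCopy)"},
        {"field": "agent_action.command_line", "operator": "regex",
         "value": r"(?i)PowerShell.*-(Enc|EncodedCommand)"},
    ],
}

# The rule's own test_cases: (input, expected to trigger).
TEST_CASES = [
    ("powershell -nop -w hidden -enc IEX(Invoke-Mimikatz)", True),
    ("docs about Invoke-Mimikatz educational content", False),
]

def fired_conditions(rule, event):
    """Indexes of the regex conditions whose field is present and matches."""
    return [i for i, c in enumerate(rule["conditions"])
            if c["operator"] == "regex"
            and isinstance(event.get(c["field"]), str)
            and re.search(c["value"], event[c["field"]])]

def rule_fires(rule, event):
    hits = fired_conditions(rule, event)
    if rule["condition"] == "any":
        return bool(hits)
    return len(hits) == len(rule["conditions"])  # assumption: anything else means "all"

def failing_cases(rule, cases, bind_field):
    """Bind each test input to one field (assumption) and list unexpected outcomes."""
    failures = []
    for text, expected in cases:
        event = {bind_field: text}
        if rule_fires(rule, event) != expected:
            failures.append((text, fired_conditions(rule, event)))
    return failures

if __name__ == "__main__":
    for field in ("agent_action.command_line", "tool_call.arguments"):
        print(field, failing_cases(RULE, TEST_CASES, field))
```

Bound to agent_action.command_line, both test cases behave as declared; bound to tool_call.arguments, the true negative fires on condition 0 because the first regex matches any mention of the cmdlet name. Which field a test input is evaluated against therefore decides whether the rule's stated true negative holds.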
OWASP Agentic + LLM mapping
Every rule cites OWASP Agentic Top 10:2026 IDs (ASI01–ASI10) and OWASP LLM Top 10:2025 IDs (LLM01–LLM10). The mapping is part of the rule body, not a separate spreadsheet.
Threat Cloud telemetry (opt-in)
Anonymized fingerprints (SHA-256 of conditions) flow to PanGuard Threat Cloud. Cross-tenant aggregation surfaces high-signal rules for crystallization back to ATR mainline. Rule body never leaves the customer.
ATR contribution path
Per-rule contribution packs (scrubbed YAML + CONTRIB.md) ready for upstream PR against the open ATR repo. Customer-internal fields stripped automatically; SHA-256 over rule body for tamper evidence.
Web dashboard or CLI
Run pga migrate-pro --web for a local browser dashboard with drag-and-drop upload, live progress streaming, and per-rule download links. Or stay in the terminal — both surfaces are first-class.
EU AI Act audit scope
An EU AI Act high-risk system audit needs roughly 12 documents (Annex IV + Articles 9–15, 17, 50, 72). The migrator delivers 2–3 of them at high quality — the technical-control evidence layer. The other 9–10 are customer responsibility, but our pack cross-references them so your auditor doesn’t maintain five separate spreadsheets.
What this covers
- Article 9 — risk management for high-impact agent actions
- Article 12 — record-keeping rules for agent telemetry
- Article 14 — human oversight triggers (irreversible actions)
- Article 15 — accuracy / robustness / cybersecurity controls
- Article 50 — transparency triggers (e.g. screen capture, recording)
- OWASP Agentic Top 10 (2026) per-rule mapping
- OWASP LLM Top 10 (2025) per-rule mapping
- NIST AI RMF function/subcategory citations
- ISO/IEC 42001 Clause 8.4 (operational planning) citations
- Tamper-evident pack: SHA-256 + Merkle root over rule bodies
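What a SHA-256 Merkle root over rule bodies lets an auditor check, as an added example (not PanGuard's implementation). The page does not specify the tree construction, so the leaf/node prefixes, the promotion of an unpaired node, and the rule bodies below are assumptions.

```python
import hashlib

def leaf_hash(rule_body: bytes) -> bytes:
    # 0x00/0x01 prefixes keep leaves and interior nodes distinct (assumed convention).
    return hashlib.sha256(b"\x00" + rule_body).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def merkle_levels(bodies):
    """Tree levels, leaves first; an unpaired node is promoted unchanged."""
    if not bodies:
        raise ValueError("no rule bodies to hash")
    levels = [[leaf_hash(b) for b in bodies]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([node_hash(cur[i], cur[i + 1]) if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    return levels

def merkle_root(bodies) -> bytes:
    return merkle_levels(bodies)[-1][0]

def inclusion_proof(bodies, index):
    """Sibling hashes from leaf to root as (sibling, sibling_is_left) pairs."""
    proof = []
    for level in merkle_levels(bodies)[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof

def verify_inclusion(rule_body: bytes, proof, root: bytes) -> bool:
    digest = leaf_hash(rule_body)
    for sibling, sibling_is_left in proof:
        digest = node_hash(sibling, digest) if sibling_is_left else node_hash(digest, sibling)
    return digest == root

# Constructed rule bodies standing in for migrated ATR YAML files.
RULES = [b"id: ATR-EXAMPLE-0001\nseverity: high\n",
         b"id: ATR-EXAMPLE-0002\nseverity: medium\n",
         b"id: ATR-EXAMPLE-0003\nseverity: low\n"]

if __name__ == "__main__":
    root = merkle_root(RULES)
    print("root:", root.hex())
    print("rule 2 included:", verify_inclusion(RULES[2], inclusion_proof(RULES, 2), root))
```

With the root recorded in the evidence pack, a single rule can be checked against it using only its proof, and any edit to a rule body changes both its leaf hash and the root.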
Customer responsibility
- Article 10 — data governance / training data lineage
- Article 11 — full Annex IV technical documentation
- Article 13 — transparency to end users (UX/policy layer)
- Article 17 — quality management system documentation
- Article 72 — post-market monitoring program (telemetry alone is not a PMM)
- Conformity assessment by a Notified Body
- Customer’s own risk-management process documentation
- Production logs of rule firings (we provide rule definitions; logs come from runtime)
Pricing reflects scope: this is a $50–150K detection-evidence module, not a turnkey EU AI Act compliance package. The pack’s value is collapsing 6 months of detection-engineering consulting into 1 week of setup — not replacing the legal/compliance dossier itself.
ATR contribution loop
Migrated rules can flow back to the open ATR standard.
Direct PR
Customer opens a PR against the public agent-threat-rules repo using the auto-built CONTRIB.md narrative.
TC crystallization
Anonymized fingerprints aggregated across tenants. Patterns proven across N tenants with low FP get auto-PRed to ATR mainline.
Service-managed
PanGuard Threat Research opens the PR on the customer’s behalf, credited or anonymous as preferred.
MIGRATOR PRICING
Four ways to use Migrator
Free for individual developers. Pilot for one-team trials. Standalone for organisations that only need the conversion layer. Sovereign for nation-scale SOC bridges. Migrator Pro is also bundled inside PanGuard Enterprise.
Community
npm install -g @panguard-ai/migrator-community. Sigma / YARA parsers, IR transformer, ATR YAML output, CLI. Self-host forever. Lead pipeline and sensor signal for the open standard.
Pilot · 90 days
One team, one rule corpus. Refines up to 100 Sigma or YARA rules to the quality level of Cisco-merged PRs, with five-framework compliance metadata and a sample audit evidence pack. The full fee credits toward Migrator Standalone or PanGuard Enterprise.
Standalone · annual
target $750K–$1.5M
For organisations that need the legacy bridge but are not yet adopting the full PanGuard runtime. Includes all 15 source-format adapters, the strict 0-FP quality pipeline, five-framework compliance evidence packs, the 6-tab web dashboard, on-prem deployment, and the ATR upstream contribution pipeline. Designed for compliance teams or red teams evaluating the standard before runtime adoption.
Sovereign · multi-year
multi-year national contract
Nation-scale deployment for sovereign AI programs. Includes full Migrator Pro, the ATR runtime, the Compliance Evidence Module, Threat Cloud, in-region deployment, and custom rule classes tailored to a nation's existing SOC detection IP (traditional SCADA, regional SIEM corpora, and others). Delivered through a certified regional enterprise vendor partner, with PanGuard as the upstream ATR standards maintainer.
Already buying PanGuard Enterprise?
Migrator Pro is bundled inside PanGuard Enterprise ($150K floor · target $250K–$1M · up to $3M+). The Standalone and Sovereign tiers are for customers who want Migrator without the full runtime.
Ready to migrate your detection coverage?
Migrator Community v0.1.0 is live on npm under MIT — Sigma / YARA parsers, IR, transformers, and CLI. Migrator Enterprise v0.1.0 ships the full quality pipeline (Sigma + YARA wired to runtime today; 13 additional adapters, namely Snort, Splunk SPL, Elastic EQL, Falco, Semgrep, CodeQL, CVE-NVD, GHSA, OSV, KEV, garak, PyRIT, and promptfoo, in the v0.2 enterprise release), 5-framework compliance auto-mapping, 6-tab web dashboard, and audit evidence packs. 90-day pilot available. v1.0.0 GA target Q1 2027.