Sigma / YARA → ATR YAML
Paste a Sigma or YARA rule and get a schema-valid ATR YAML rule back instantly. No sign-up; the conversion runs live in the browser.
COMMUNITY vs PILOT
Which track fits your needs?
Community is free forever. Pilot adds 13 more source formats, LLM enrichment, the EU AI Act evidence pack, and the Threat Cloud contribution pipeline.
Pilot · 90 days
$25K · one team · one rule corpus
- All Community features
- 13 additional input formats (promptfoo, pyrit, ghsa, osv, splunk-spl, snort, elastic-eql, falco, semgrep, codeql, cve-nvd, kev, garak) · Pilot only
- LLM enrichment (mapping to 5 compliance frameworks) · Pilot only
- EU AI Act audit evidence pack · Pilot only
- Threat Cloud contribution pipeline · Pilot only
- Fully creditable toward a Year 1 contract · Pilot only
The Enterprise pipeline behind the converter
Convert legacy detection rules into AI-agent-context ATR YAML in one command. Auto-mapped to EU AI Act articles, OWASP Agentic Top 10, NIST AI RMF, ISO/IEC 42001.
One command, full pipeline
Replace months of consulting with a single CLI invocation.
pga migrate-pro \
  --input ./customer-rules \
  --output ./atr-out \
  --evidence ./atr-out/eu-pack \
  --demo --enrich --telemetry --contribute \
  --customer-id ACME-BANK-EU \
  --audit-period 2026-Q2

Or launch the web dashboard: pga migrate-pro --web
How it works
Sigma/YARA in. ATR YAML + audit pack + activation report out.
Drop your Sigma/YARA rules
Upload a directory or zip of legacy detection rules. The migrator parses Sigma YAML and YARA text without external dependencies.
IR + LLM enrichment
Each rule passes through a source-agnostic intermediate representation, then an LLM enrichment layer that reauthors detections from endpoint fields to agent-context fields (tool_call.arguments, agent_action.command_line, agent_event.event_type).
Compliance + tests + demo
Each output rule carries a 5-framework compliance map (EU AI Act, OWASP Agentic Top 10:2026, OWASP LLM Top 10:2025, NIST AI RMF, ISO/IEC 42001), test cases (TP + TN), false-positive scenarios, and a message template.
Validated against ATR
Every output rule passes the public agent-threat-rules validateRule() — deployable to the ATR engine, Elastic Security, Splunk, GitHub code-scanning (SARIF), or any SIEM via the public ATR converters.
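The pipeline steps above, as an added example that is not PanGuard's code: a minimal Sigma to IR to ATR transform, a stand-in for validateRule(), and an evaluator that replays agent events against the resulting rule the way the activation demo does. It starts from the Sigma rule shown in the Before/After section below, already parsed into a JavaScript object (parsing the YAML with a library such as js-yaml is assumed); the endpoint-to-agent field table, the validator's checks, the references field and the event shape are assumptions made for this example, and the LLM enrichment layer is not reproduced.

```javascript
// Constructed input: the Sigma rule from the Before/After section, in its parsed form.
const SIGMA_RULE = {
  title: 'Malicious PowerShell Commandlets',
  id: '49f9da17-8169-4413-bc59-2da014bd6b46',
  logsource: { category: 'process_creation', product: 'windows' },
  detection: {
    selection: { 'CommandLine|contains': ['Invoke-Mimikatz', 'Get-NetGroupMember', 'Invoke-NinjaCopy'] },
    condition: 'selection',
  },
  level: 'high',
  tags: ['attack.execution', 'attack.t1059.001'],
};

// Hypothetical endpoint-field -> agent-context-field table (an assumption, not ATR's real mapping).
const FIELD_MAP = { CommandLine: ['tool_call.arguments', 'agent_action.command_line'] };

const escapeRegex = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Step 1: Sigma selection -> source-agnostic IR (one predicate per "field|modifier" key).
function sigmaToIR(rule) {
  if (rule.detection.condition !== 'selection') {
    throw new Error('this example only handles the single "selection" condition');
  }
  const predicates = Object.entries(rule.detection.selection).map(([key, values]) => {
    const [field, modifier = 'equals'] = key.split('|');
    return { field, modifier, values: [].concat(values) };
  });
  return { title: rule.title, sourceId: rule.id, severity: rule.level, tags: rule.tags, predicates };
}

// Step 2: IR -> ATR-shaped rule. A 'contains' list becomes one case-insensitive alternation
// (Sigma string matching is case-insensitive by default); each endpoint field fans out to
// every agent-context field it maps to.
function irToATR(ir, atrId) {
  const conditions = [];
  for (const p of ir.predicates) {
    const targets = FIELD_MAP[p.field];
    if (!targets) throw new Error(`no agent-context mapping for Sigma field ${p.field}`);
    const alt = p.values.map(escapeRegex).join('|');
    const value = p.modifier === 'contains' ? `(?i)(${alt})` : `(?i)^(${alt})$`;
    for (const field of targets) conditions.push({ field, operator: 'regex', value });
  }
  return {
    schema_version: '0.1', title: ir.title, id: atrId, status: 'draft', severity: ir.severity,
    detection: { condition: 'any', conditions },
    references: [{ source: 'sigma', id: ir.sourceId, tags: ir.tags }],
  };
}

// ATR values carry the PCRE-style inline flag '(?i)'; a JS RegExp needs the 'i' flag instead.
function compileRegex(value) {
  const m = /^\(\?([a-z]+)\)/.exec(value);
  return m ? new RegExp(value.slice(m[0].length), m[1].includes('i') ? 'i' : '') : new RegExp(value);
}

// Stand-in for the public validateRule(): returns schema errors (empty array = valid).
function validateRule(rule) {
  const errors = [];
  for (const k of ['schema_version', 'title', 'id', 'status', 'severity', 'detection']) {
    if (rule[k] === undefined) errors.push(`missing ${k}`);
  }
  if (!/^ATR-\d{4}-\d+$/.test(String(rule.id))) errors.push(`bad id ${rule.id}`);
  if (!['low', 'medium', 'high', 'critical'].includes(rule.severity)) errors.push(`bad severity ${rule.severity}`);
  const det = rule.detection || {};
  if (!['any', 'all'].includes(det.condition)) errors.push(`bad condition ${det.condition}`);
  if (!det.conditions || det.conditions.length === 0) errors.push('no conditions');
  (det.conditions || []).forEach((c, i) => {
    if (!c.field || !c.operator || c.value === undefined) errors.push(`condition ${i} incomplete`);
    if (c.operator === 'regex') { try { compileRegex(c.value); } catch (e) { errors.push(`condition ${i}: ${e.message}`); } }
  });
  return errors;
}

const getField = (ev, path) => path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), ev);

// Evaluate one ATR rule against one agent event; a missing field never matches.
function evaluateRule(rule, event) {
  const hits = rule.detection.conditions.filter((c) => {
    const v = getField(event, c.field);
    if (typeof v !== 'string') return false;
    if (c.operator === 'regex') return compileRegex(c.value).test(v);
    if (c.operator === 'equals') return v === c.value;
    throw new Error(`unsupported operator ${c.operator}`);
  });
  return rule.detection.condition === 'all' ? hits.length === rule.detection.conditions.length : hits.length > 0;
}

// Activation-style replay: which events fired, and whether that matched the expectation.
function replay(rule, cases) {
  return cases.map(({ name, event, expected }) => {
    const fired = evaluateRule(rule, event);
    return { name, fired, ok: fired === (expected === 'triggered') };
  });
}

// Constructed events: one attack, two benign, one that differs from the rule text only in letter case.
const CASES = [
  { name: 'encoded-mimikatz', expected: 'triggered',
    event: { agent_action: { command_line: 'powershell -nop -w hidden -enc IEX(Invoke-Mimikatz)' } } },
  { name: 'read-readme', expected: 'not_triggered',
    event: { agent_action: { command_line: 'cat README.md' }, tool_call: { arguments: '{"path":"README.md"}' } } },
  { name: 'no-matching-fields', expected: 'not_triggered', event: { agent_event: { event_type: 'heartbeat' } } },
  { name: 'lowercase-tool-arg', expected: 'triggered', event: { tool_call: { arguments: '{"cmd":"invoke-mimikatz"}' } } },
];

const ATR_RULE = irToATR(sigmaToIR(SIGMA_RULE), 'ATR-2026-85501');
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(ATR_RULE, null, 2), validateRule(ATR_RULE), replay(ATR_RULE, CASES));
}
```

Run it with node. The one step that is easy to get wrong is compileRegex(): ATR values use the PCRE-style (?i) prefix, which a JavaScript RegExp rejects outright, so the prefix has to be translated into the i flag before any event is matched; an engine that skips that translation either throws on every rule or silently never fires.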
Before / after
Same intent, agent-context-aware detection.
Before (Sigma):

title: Malicious PowerShell Commandlets
id: 49f9da17-8169-4413-bc59-2da014bd6b46
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - 'Invoke-Mimikatz'
      - 'Get-NetGroupMember'
      - 'Invoke-NinjaCopy'
  condition: selection
level: high
tags:
  - attack.execution
  - attack.t1059.001

After (ATR YAML):

schema_version: '0.1'
title: Malicious PowerShell Commandlets - ProcessCreation
id: ATR-2026-85501
status: draft
severity: high
detection:
  condition: any
  conditions:
    - field: tool_call.arguments
      operator: regex
      value: '(?i)(Invoke-Mimikatz|Get-NetGroupMember|Invoke-NinjaCopy)'
    - field: agent_action.command_line
      operator: regex
      value: '(?i)PowerShell.*-(Enc|EncodedCommand)'
agent_source:
  type: agent_action
  framework: [claude-code, openai-codex]
compliance:
  eu_ai_act:
    - article: '15'
      strength: primary
    - article: '12'
      strength: secondary
  owasp_agentic:
    - id: 'ASI06:2026'
      strength: primary
test_cases:
  true_positives:
    - input: 'powershell -nop -w hidden -enc IEX(Invoke-Mimikatz)'
      expected: triggered
  true_negatives:
    - input: 'docs about Invoke-Mimikatz educational content'
      expected: not_triggered

What you get
Per migration run, in one CLI invocation.
EU AI Act detection evidence
JSON + Markdown + HTML evidence pack with SHA-256 + Merkle root signature. Articles 9, 12, 14, 15, 50 covered — the technical-control evidence dossier auditors expect to see alongside risk management and technical documentation.
Activation demo
Five attack events + five benign events replay against your migrated rules. The report tells you exactly which rule fired on which event — proof the rules work, not just that they validate.
OWASP Agentic + LLM mapping
Every rule cites OWASP Agentic Top 10:2026 IDs (ASI01–ASI10) and OWASP LLM Top 10:2025 IDs (LLM01–LLM10). The mapping is part of the rule body, not a separate spreadsheet.
Threat Cloud telemetry (opt-in)
Anonymized fingerprints (SHA-256 of conditions) flow to PanGuard Threat Cloud. Cross-tenant aggregation surfaces high-signal rules for crystallization back to ATR mainline. Rule body never leaves the customer.
ATR contribution path
Per-rule contribution packs (scrubbed YAML + CONTRIB.md) ready for upstream PR against the open ATR repo. Customer-internal fields stripped automatically; SHA-256 over rule body for tamper evidence.
Web dashboard or CLI
Run pga migrate-pro --web for a local browser dashboard with drag-and-drop upload, live progress streaming, and per-rule download links. Or stay in the terminal — both surfaces are first-class.
EU AI Act audit scope
An EU AI Act high-risk system audit needs roughly 12 documents (Annex IV + Articles 9–15, 17, 50, 72). The migrator delivers 2–3 of them at high quality — the technical-control evidence layer. The other 9–10 are customer responsibility, but our pack cross-references them so your auditor doesn’t maintain five separate spreadsheets.
What this covers
- Article 9 — risk management for high-impact agent actions
- Article 12 — record-keeping rules for agent telemetry
- Article 14 — human oversight triggers (irreversible actions)
- Article 15 — accuracy / robustness / cybersecurity controls
- Article 50 — transparency triggers (e.g. screen capture, recording)
- OWASP Agentic Top 10 (2026) per-rule mapping
- OWASP LLM Top 10 (2025) per-rule mapping
- NIST AI RMF function/subcategory citations
- ISO/IEC 42001 Clause 8.4 (operational planning) citations
- Tamper-evident pack: SHA-256 + Merkle root over rule bodies
Customer responsibility
- Article 10 — data governance / training data lineage
- Article 11 — full Annex IV technical documentation
- Article 13 — transparency to end users (UX/policy layer)
- Article 17 — quality management system documentation
- Article 72 — post-market monitoring program (telemetry alone is not a PMM)
- Conformity assessment by a Notified Body
- Customer’s own risk-management process documentation
- Production logs of rule firings (we provide rule definitions; logs come from runtime)
Pricing reflects scope: this is a $50–150K detection-evidence module, not a turnkey EU AI Act compliance package. The pack’s value is collapsing 6 months of detection-engineering consulting into 1 week of setup — not replacing the legal/compliance dossier itself.
ATR contribution loop
Migrated rules can flow back to the open ATR standard.
Direct PR
Customer opens a PR against the public agent-threat-rules repo using the auto-built CONTRIB.md narrative.
TC crystallization
Anonymized fingerprints aggregated across tenants. Patterns proven across N tenants with low FP get auto-PRed to ATR mainline.
Service-managed
PanGuard Threat Research opens the PR on the customer’s behalf, credited or anonymous as preferred.
MIGRATOR PRICING
Four adoption paths for the Migrator
Community is free, for individual developers; Pilot is for a single team to trial; Standalone is for organizations that only need rule migration and are not yet adopting the full runtime; Sovereign is designed for national-level SOC knowledge migration. Migrator Pro is also built into the PanGuard Enterprise plan.
Community
npm install -g @panguard-ai/migrator-community
Includes the Sigma and YARA parsers, the IR layer, ATR YAML output and the CLI. Self-hostable forever; it acts as the sensor signal for the open standard and as the source of follow-on leads.
Pilot · 90 days
For a single team and a single rule corpus. Refines up to 100 Sigma or YARA rules to the quality level of the PR Cisco has already merged, with five-framework compliance metadata and a sample audit evidence pack. The fee is fully creditable toward a Migrator Standalone or PanGuard Enterprise annual contract.
Apply for Pilot
Standalone · annual contract
Target range $750K – $1.5M
For organizations that only need rule migration and are not yet adopting the full PanGuard runtime. Includes all 15 source-format adapters, the strict 0-FP quality pipeline, the five-framework compliance evidence pack, the six-tab web dashboard, on-premises deployment, and the ATR upstream contribution pipeline. Suited to compliance teams or red teams that want to validate the standard before adopting the runtime.
Talk to the founders
Sovereign · multi-year contract
Multi-year national contract
National-scale deployment designed for sovereign AI programs. Includes the full Migrator Pro, the ATR runtime, the Compliance Evidence Module, Threat Cloud, in-country deployment, and custom rule categories built around the country's existing SOC detection knowledge assets (legacy SCADA, regional SIEM corpora, and so on). Delivery is handled by a certified regional enterprise vendor partner, with PanGuard acting as the upstream maintainer of the ATR standard.
Sovereign AI proposal
Already a PanGuard Enterprise customer?
Migrator Pro is built into the PanGuard Enterprise plan (annual fee from $150K, target $250K – $1M, ceiling $3M+). The Standalone and Sovereign tiers exist for customers who want to adopt only the Migrator without the full runtime.
See full PanGuard pricing
Ready to migrate your detection coverage?
Migrator Community v0.1.0 is live on npm under MIT — Sigma / YARA parsers, IR, transformers, and CLI. Migrator Enterprise v0.1.0 ships the full quality pipeline (Sigma + YARA wired to runtime today; 13 additional adapters — Snort, Splunk SPL, Elastic EQL, Falco, Semgrep, CodeQL, CVE-NVD, GHSA, OSV, KEV, garak, PyRIT, promptfoo — v0.2 enterprise release), 5-framework compliance auto-mapping, 6-tab web dashboard, and audit evidence packs. 90-day pilot available. v1.0.0 GA target Q1 2027.