Sigma is for SIEM. YARA is for malware.
ATR is for AI agents.
Built so a rule written in Taipei catches an attack first reported in Seattle — without anyone reinventing the rule format.
An open, versioned, machine-readable detection rule format for AI agent security threats. Any conforming engine can evaluate it. Community-maintained, MIT licensed.
Endpoint detection standards
cannot see AI agent behavior.
Built for endpoint event logs, file binaries, and software vulnerability IDs. They watch code, not intent.
Prompt injection, tool poisoning, skill compromise, context exfiltration — attacks live at the prompt / tool call / skill layer, not at process / file / network.
Vendor-neutral, machine-readable behavioral detection rules. Watches what an agent does, not just what it runs. Any conforming engine can evaluate it. MIT forever. Community governed.
Before Sigma became the open standard for SIEM detection in 2017, every SOC wrote its own rules. Before CVE in 1999, every vendor numbered its own vulnerabilities. The detection layer for the AI agent era sits in the same position right now — not yet standardized. ATR fills the gap.
skills flagged, 552 confirmed malware after manual review. Three coordinated threat actors. The largest AI agent malware campaign ever documented.
ATR found these threat actors scanning 96,096 skills across six registries — ClawHub, OpenClaw, Skills.sh, and three others. 1,302 were flagged; 552 confirmed malware after manual review, all blacklisted and reported to NousResearch.
10 threat categories. 652 rules. Real CVEs.
Hijacking agent behavior through crafted inputs
Social engineering and behavioral manipulation of agents
Stealing conversation context and sensitive data
Poisoned tool descriptions and malicious tool responses
Malicious or vulnerable MCP skills and SKILL.md
Misusing model capabilities — jailbreaks, harmful generation, resource abuse
Unauthorized elevation of agent capabilities
Agents exceeding intended operational boundaries
Corrupting training data, memory, or retrieval sources to bias agent behavior
Attacks on the model itself — extraction, inversion, adversarial inputs
Security platforms run ATR in production as an upstream rule source.
Microsoft's autonomous AI engineer opened a PR assuming ATR coverage existed — and the assumption was correct.
On 2026-05-11, the Copilot SWE Agent opened AGT#1981 for two Semantic Kernel CVEs with regression fixtures presuming ATR detection. Rules were validated and published to npm within 2h 16m. Not a manually arranged integration.
View AGT#1981 →Every attack makes everyone safer.
A red-team mega-scan pipeline and a CVE-ingestion pipeline run daily: when the semantic layer catches a novel attack, it crystallizes into a regex rule and flows back into the standard — turning a 500ms inference into a 5ms pattern match. Auto-crystallization grew the standard from 462 to 652 rules, all shipped in npm [email protected].
But growth was never the point — honesty about precision is. v3.5.0 introduced detection lanes: every rule declares a maturity, and the consumer decides how far to trust it. The enforce lane fires only the most mature rules (~0.24% false positives on a 65,000-sample benign corpus); the default hunt lane runs everything as advisory (~9%). False-positive rates are reported lane by lane, never as a single flattering number. A standard earns trust by publishing its worst figure, not hiding it.
Endpoints report suspicious patterns via ATR Reporter
Frameworks tell you threats exist. ATR tells you how to detect them. ATR is to MITRE ATLAS what Sigma rules are to ATT&CK.
Integrate ATR.
TypeScript, Python, Raw YAML, SIEM converters — four integration paths, one ruleset. MIT forever, no license to negotiate, evaluated by any conforming engine.
