cff-version: 1.2.0
message: "If you use ATR in academic work or security research, please cite it as below."
title: "ATR: Agent Threat Rules — Open Detection Standard for AI Agent Threats"
abstract: >
  ATR is an open-source detection rule set for AI agent threats, analogous to
  Sigma for SIEM or YARA for malware. It provides 450 rules across 10 threat
  categories (prompt injection, tool poisoning, context exfiltration, skill
  compromise, model abuse, data poisoning, privilege escalation, excessive
  autonomy, model security), mapped to OWASP Agentic Top 10 (10/10), SAFE-MCP
  (91.8% coverage), and MITRE ATLAS. Rules are hand-authored from real attack
  payloads including the full NVIDIA garak probe corpus (97.1% recall on the
  garak in-the-wild jailbreak benchmark, 666 prompts) and maintained with a
  community safety gate requiring ≥5 true-positive and ≥5 true-negative test
  cases per rule, plus 0% false-positive rate on a 432-sample benign corpus.
  ATR is shipped in Cisco AI Defense skill-scanner.
type: software
authors:
  - name: "ATR Community"
    website: "https://agentthreatrule.org"
repository-code: "https://github.com/Agent-Threat-Rule/agent-threat-rules"
url: "https://agentthreatrule.org"
license: MIT
version: "3.0.5"
date-released: "2026-05-29"
identifiers:
  - type: doi
    value: "10.5281/zenodo.19178002"
    description: "Zenodo concept DOI (latest version)"
keywords:
  - AI agent security
  - prompt injection
  - tool poisoning
  - MCP security
  - LLM security
  - OWASP Agentic Top 10
  - NVIDIA garak
  - threat detection
  - open detection standard
references:
  - type: software
    title: "Sigma Rule Specification"
    url: "https://github.com/SigmaHQ/sigma-specification"
    notes: "Inspiration for the open detection standard model"
  - type: software
    title: "NVIDIA garak"
    url: "https://github.com/NVIDIA/garak"
    notes: "Source of attack probe payloads used to seed 193 ATR rules (ATR-00256~00414)"