npm - agent-threat-rules - Versions diffs - 2.0.18 → 2.1.0 - Mend

agent-threat-rules 2.0.18 → 2.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (263) hide show

package/rules/prompt-injection/ATR-2026-00227-historical-persona-jailbreak.yaml CHANGED Viewed

@@ -26,6 +26,17 @@ references:
     - "AML.T0054"
   research:
     - "https://genai.owasp.org/llmrisk/llm01-prompt-injection/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "This rule detects jailbreak attempts using fictional historical AI personas to bypass safety restrictions, directly evidencing continuous evaluation of AI system safety/security risk magnitude as required by MS.2.6. Each detection produces telemetry on adversarial prompts attempting to subvert the model's safety alignment."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "Detection of historical persona jailbreaks with compliance enforcement language triggers risk treatment to disengage or block the manipulated session before the agent generates unrestricted output; MG.2.3 requires that mechanisms to supersede compromised AI behavior are activated on such detections."
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: "Elaborate backstory-based jailbreaks represent a specific adversarial input pattern whose likelihood and impact must be characterized; MP.5.1 requires identifying and tracking these social-engineering prompt injection vectors that bypass simple keyword-based detection."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: historical-persona-jailbreak

package/rules/prompt-injection/ATR-2026-00228-structured-jailbreak.yaml CHANGED Viewed

@@ -23,6 +23,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://arxiv.org/abs/2402.16914 - DrAttack: Prompt Decomposition and Reconstruction"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "Structured dual-response jailbreaks with persona-based command systems are GenAI safety/security attacks that attempt persistent policy bypass; MS.2.6 requires continuous evaluation of AI safety/security risk magnitude, and each detection produces direct evidence of jailbreak attempts against the model's safety controls."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Persona establishment (DAN, UnleashedGPT) combined with policy override claims tests the resilience of model guardrails against structured jailbreak frameworks; MS.2.7 requires that security/resilience against adversarial prompt patterns is evaluated and documented."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of persistent jailbreak command infrastructure must trigger mechanisms to disengage or block the manipulated session before downstream harmful generations occur; MG.2.3 requires these supersede/deactivate response plans be defined and activated on detection."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: structured-jailbreak

package/rules/prompt-injection/ATR-2026-00229-roleplay-jailbreak.yaml CHANGED Viewed

@@ -19,6 +19,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://arxiv.org/abs/2307.15043 - Universal and Transferable Adversarial Attacks on Aligned Language Models"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "This rule detects roleplay-based jailbreak attempts that explicitly claim freedom from safety policies, providing continuous evaluation of safety/security risk magnitude as required by MS.2.6 for GenAI systems. Each detection is direct evidence of attempted safety guardrail bypass against the deployed model."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Roleplay jailbreaks targeting policy bypass test the resilience of the AI system's alignment controls; MS.2.7 requires that security/resilience against adversarial prompt techniques is evaluated and documented through detections like this one."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of explicit policy-bypass language combined with persona assignment triggers the deactivation/superseding mechanisms required by MG.2.3 to halt the jailbroken interaction before policy-violating content is generated."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: roleplay-jailbreak

package/rules/prompt-injection/ATR-2026-00230-persona-moral-bypass.yaml CHANGED Viewed

@@ -24,6 +24,17 @@ references:
     - "AML.T0054"
   research:
     - "https://arxiv.org/abs/2307.15043"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Persona-based moral constraint removal is a jailbreak attack pattern that uses adversarial prompts to bypass safety guardrails; MP.5.1 requires that the likelihood and magnitude of such GenAI jailbreak risks are characterized and tracked when detected."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Detection of explicit moral/ethical unrestraint persona adoption provides continuous evaluation evidence of safety/security risk magnitude against the AI system; MS.2.6 requires ongoing measurement of safety bypass attempts to assess whether safety controls remain effective."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detected persona-based jailbreak attempts must trigger mechanisms to disengage or block the manipulated agent behavior before the model produces unaligned output; MG.2.3 requires these supersession controls be in place for safety-bypass events."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: persona-moral-bypass

package/rules/prompt-injection/ATR-2026-00231-identity-substitution.yaml CHANGED Viewed

@@ -24,6 +24,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://genai.owasp.org/llmrisk/llm01-prompt-injection/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Identity substitution jailbreaks are adversarial prompts that attempt to bypass safety mechanisms by redefining the AI's identity and constraints; MS.2.7 requires continuous evaluation of AI security and resilience against such jailbreak attacks, and this rule produces the detection evidence needed for that evaluation."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "False identity claims combined with capability expansion statements directly target the AI system's safety guardrails; MS.2.6 requires ongoing measurement of safety risk magnitude, which this rule supports by flagging jailbreak attempts that erode safety enforcement."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of identity substitution attacks must trigger response mechanisms to disengage or block the manipulated session before safety bypass succeeds; MG.2.3 requires these supersede/deactivate controls be in place for jailbreak conditions."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: identity-substitution

package/rules/prompt-injection/ATR-2026-00233-structured-jailbreak.yaml CHANGED Viewed

@@ -23,6 +23,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://arxiv.org/abs/2402.16914 - DrAttack: Prompt Decomposition and Reconstruction"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "This rule detects structured jailbreak attempts that establish unrestricted AI personas with dual-response command systems designed to bypass safety guardrails; MS.2.7 requires continuous evaluation of AI system security and resilience against adversarial bypass techniques like persona-based jailbreaks."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Persistent jailbreak frameworks with policy override instructions and constraint removal claims represent sustained safety/security risks whose magnitude must be evaluated continuously per MS.2.6, since successful persona bypass enables ongoing harmful content generation."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of structured dual-response jailbreaks with command infrastructure triggers the deactivation and override mechanisms required by MG.2.3 to disengage the manipulated persona before it produces unsafe outputs."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: structured-jailbreak

package/rules/prompt-injection/ATR-2026-00234-roleplay-jailbreak.yaml CHANGED Viewed

@@ -19,6 +19,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://arxiv.org/abs/2307.15043 - Universal and Transferable Adversarial Attacks on Aligned Language Models"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "Roleplay-based jailbreaks are a GenAI-specific safety bypass where attackers use fictional persona framing to coerce the model into violating its policies; MS.2.6 requires continuous evaluation of safety/security risk magnitude, and detections of these explicit policy-bypass patterns directly feed that safety risk measurement."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "Detecting explicit 'free from rules/policies' roleplay assignments enables the system to disengage or block the unsafe interaction before the model produces policy-violating content; MG.2.3 mandates pre-defined mechanisms to supersede or deactivate the AI when such jailbreak attempts are observed."
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: "Creative-roleplay jailbreaks are adversarial inputs whose likelihood and impact must be characterized as part of the AI system's risk profile; MP.5.1 requires that these prompt-injection vectors are identified and their potential impact on guardrail integrity is tracked."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: roleplay-jailbreak

package/rules/prompt-injection/ATR-2026-00235-persona-moral-bypass.yaml CHANGED Viewed

@@ -24,6 +24,17 @@ references:
     - "AML.T0054"
   research:
     - "https://arxiv.org/abs/2307.15043"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "This rule detects jailbreak attempts that establish alternate personas explicitly designed to remove moral and ethical constraints, which is a direct safety/security risk to the AI system. MS.2.6 requires continuous evaluation of safety/security risk magnitude, and each detection event provides evidence of attempted safety bypass that must be measured and tracked."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Persona-based moral constraint removal is an adversarial input attack on the model's alignment guardrails; MS.2.7 requires evaluation of the AI system's security and resilience against such jailbreak techniques, and these detections feed the resilience evaluation evidence base."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detected jailbreak attempts using moral-unrestraint persona adoption must trigger pre-defined risk treatment such as blocking the prompt or disengaging the affected session; MG.2.3 mandates mechanisms exist to supersede or deactivate AI behavior when safety bypass is detected."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: persona-moral-bypass

package/rules/prompt-injection/ATR-2026-00236-pseudo-code-jailbreak.yaml CHANGED Viewed

@@ -25,6 +25,17 @@ references:
     - "AML.T0054"
   research:
     - "https://arxiv.org/abs/2402.11753"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Pseudo-code structured jailbreaks are adversarial inputs that disguise malicious instructions as legitimate technical configuration to bypass safety controls; MP.5.1 requires identifying and characterizing the likelihood and impact of such prompt-injection attack vectors against the AI system."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detecting BEGIN/END blocks, variable assignments, and module initialization patterns that redefine agent behavior provides continuous evidence of security/resilience evaluation against structured prompt injection techniques, as required by MS.2.7."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Matches on pseudo-code jailbreak patterns trigger risk treatment plans to disengage or quarantine the manipulated agent session before unauthorized behavior redefinition takes effect; MG.2.3 requires these supersede/deactivate mechanisms be available on detection."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: pseudo-code-jailbreak

package/rules/prompt-injection/ATR-2026-00237-dual-response-jailbreak.yaml CHANGED Viewed

@@ -21,6 +21,17 @@ references:
     - "ASI01:2026 - Agent Behaviour Hijack"
   mitre_atlas:
     - "AML.T0054"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Dual-response jailbreak prompts that request paired compliant/jailbroken outputs and toggle commands like /classic and /jailbroken are adversarial inputs designed to bypass safety alignment; MP.5.1 requires identifying and characterizing the likelihood and impact of such GenAI prompt injection vectors."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Detecting persona-based jailbreaks (Jester, DAN) that claim to free the model from constraints provides continuous evidence of safety/security risk magnitude in deployed GenAI systems, which MS.2.6 requires be evaluated on an ongoing basis."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "When a dual-response jailbreak is detected, MG.2.3 risk-treatment mechanisms must be invoked to suppress the jailbroken persona output or disengage the session before unsafe content is returned to the user."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: dual-response-jailbreak

package/rules/prompt-injection/ATR-2026-00238-identity-replacement.yaml CHANGED Viewed

@@ -22,6 +22,17 @@ references:
     - "ASI01:2026 - Agent Behaviour Hijack"
   mitre_atlas:
     - "AML.T0054 - LLM Jailbreak"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "Identity denial and persona replacement is a jailbreak technique covered by the GenAI Profile; MS.2.6 requires continuous evaluation of AI safety/security risk magnitude, and detecting these attempts to override the model's self-awareness and safety constraints provides direct evidence of jailbreak risk."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "Successful identity replacement disables the model's safety guardrails, so detection events must trigger risk treatment plans to disengage or block the manipulated session; MG.2.3 requires mechanisms to supersede or deactivate AI behavior when integrity is compromised."
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: "Combined identity denial, memory manipulation, and concealment directives are adversarial input patterns whose likelihood and impact must be characterized; MP.5.1 requires these prompt-injection attack vectors be identified and tracked."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: identity-replacement

package/rules/prompt-injection/ATR-2026-00239-amoral-persona-obsession.yaml CHANGED Viewed

@@ -25,6 +25,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://arxiv.org/abs/2312.02119 - Tree of Attacks: Jailbreaking Black-Box LLMs Automatically"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "This rule detects jailbreak attempts that assign amoral personas combined with obsessive repetition patterns to bypass safety constraints; MS.2.6 requires continuous evaluation of AI safety/security risk magnitude, and these detections directly evidence safety bypass attempts targeting the model's alignment guardrails."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Persona-based jailbreaks that strip ethical constraints and enforce harmful output patterns are adversarial resilience failures; MS.2.7 requires evaluation of system security/resilience against such prompt injection techniques documented in MITRE ATLAS AML.T0054."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of amoral persona assignment with refusal suppression triggers risk treatment mechanisms to disengage or block the manipulated agent session before harmful content is generated; MG.2.3 requires these supersession controls be in place."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: amoral-persona-obsession

package/rules/prompt-injection/ATR-2026-00240-instruction-nullification-identity-repla.yaml CHANGED Viewed

@@ -26,6 +26,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://arxiv.org/abs/2402.16914 - DrAttack: Prompt Decomposition and Reconstruction Makes Powerful LLM Jailbreakers"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "This rule detects explicit jailbreak prompts that nullify prior instructions and replace the model's identity with a harmful persona; MP.5.1 requires identifying and characterizing the likelihood and magnitude of such adversarial prompt-injection inputs that target safety guardrails."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detection of instruction-nullification and identity-replacement attempts directly evidences continuous evaluation of the AI system's security and resilience against jailbreak techniques, which MS.2.7 requires to be measured and documented."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Matches on persona-replacement jailbreaks (DAN, Skynet, unrestricted AI) trigger risk treatment to disengage or block the manipulated session before harmful content is produced; MG.2.3 requires these supersede/deactivate mechanisms be in place."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: instruction-nullification-identity-replacement

package/rules/prompt-injection/ATR-2026-00241-amoral-character-jailbreak.yaml CHANGED Viewed

@@ -25,6 +25,17 @@ references:
     - "AML.T0054"
   research:
     - "https://arxiv.org/abs/2307.15043 - Universal and Transferable Adversarial Attacks on Aligned Language Models"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "Detection of detailed amoral character roleplay jailbreaks directly evidences continuous evaluation of GenAI safety/security risk magnitude; each match indicates an active attempt to subvert safety controls through persona-based bypass, which MS.2.6 requires be measured and tracked."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "Identifying systematic amoral persona establishment and command-protocol bypass instructions triggers the risk treatment mechanisms required by MG.2.3 to disengage or block the manipulated agent behavior before unsafe content is produced."
+      strength: secondary
+    - subcategory: "MS.2.7"
+      context: "Roleplay-based jailbreaks targeting alignment guardrails are adversarial robustness probes; MS.2.7 requires that the system's resilience against such prompt-injection attack patterns is evaluated and documented."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: amoral-character-jailbreak

package/rules/prompt-injection/ATR-2026-00242-persona-jailbreak.yaml CHANGED Viewed

@@ -22,6 +22,17 @@ references:
     - "ASI01:2026 - Agent Goal Hijack"
   mitre_atlas:
     - "AML.T0054 - LLM Jailbreak"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Dual-response persona jailbreaks with emoji-tagged channels are adversarial prompt injection attacks targeting the safety alignment of generative AI systems; MS.2.7 requires continuous evaluation of security and resilience against such jailbreak techniques, and each detection event provides direct evidence of resilience testing."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Fictional AI persona creation with mandatory uncensored output channels represents an identified adversarial input vector whose likelihood and impact must be characterized; MP.5.1 requires tracking these jailbreak patterns as part of the GenAI risk profile."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of persona-based dual-response jailbreaks triggers risk treatment mechanisms to disengage or block the manipulated session before harmful content is produced; MG.2.3 requires that these supersession controls activate on detection."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: persona-jailbreak

package/rules/prompt-injection/ATR-2026-00243-acronym-jailbreak.yaml CHANGED Viewed

@@ -23,6 +23,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://genai.owasp.org/llmrisk/llm01-prompt-injection/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "This rule detects acronym-based jailbreak attempts that manufacture custom personas to bypass safety controls, providing continuous evaluation of GenAI safety/security risk magnitude as required by MS.2.6. Each match evidences active attempts to subvert model guardrails through novel persona-transformation vectors."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "Detection of complete-freedom claims and explicit instructions to violate safety measures triggers the response mechanisms required by MG.2.3 to disengage or block the manipulated session before the model produces unsafe output."
+      strength: secondary
+    - subcategory: "MS.2.7"
+      context: "Catching novel acronym variants that evade named-persona detection contributes to documenting the AI system's resilience against adversarial prompt-injection techniques as required by MS.2.7."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: acronym-jailbreak

package/rules/prompt-injection/ATR-2026-00244-dual-response-jailbreak.yaml CHANGED Viewed

@@ -25,6 +25,17 @@ references:
     - "AML.T0054"
   research:
     - "https://arxiv.org/abs/2308.03825"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "Dual-response persona jailbreaks are GenAI-specific safety bypass attacks that force models to emit unfiltered content under a fictional character; MS.2.6 requires continuous evaluation of safety/security risk magnitude, and each detection contributes evidence of active jailbreak attempts against safety mechanisms."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "The rule evaluates resilience of the model's safety alignment against roleplay-based bypass techniques drawn from public jailbreak communities; MS.2.7 requires documented evaluation of security/resilience, which these detections directly inform."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of dual-response jailbreak patterns enables mechanisms to disengage or block the manipulated response path before harmful output is delivered; MG.2.3 requires such supersede/deactivate controls be in place for adversarial bypass attempts."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: dual-response-jailbreak

package/rules/prompt-injection/ATR-2026-00245-malicious-persona.yaml CHANGED Viewed

@@ -24,6 +24,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://arxiv.org/abs/2307.15043 - Universal and Transferable Adversarial Attacks on Aligned Language Models"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "Malicious persona creation is a jailbreak technique targeting GenAI safety guardrails through roleplay-based bypass; MS.2.6 requires continuous evaluation of safety/security risk magnitude, and detection of bespoke evil-character prompts produces direct evidence of active safety-bypass attempts."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detecting attempts to define harmful fictional personas with explicit removal of ethical constraints evidences the resilience of the AI system against adversarial roleplay attacks; MS.2.7 requires that such security/resilience evaluations are documented."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "When malicious persona injection is detected, treatment mechanisms must supersede or disengage the roleplay instruction before harmful outputs are generated; MG.2.3 mandates these deactivation pathways exist for safety-bypass attempts."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: malicious-persona

package/rules/prompt-injection/ATR-2026-00247-dual-response-jailbreak.yaml CHANGED Viewed

@@ -23,6 +23,17 @@ references:
     - "AML.T0054"
   research:
     - "https://arxiv.org/abs/2310.03684"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Matrix-themed dual response jailbreaks using MORPHEUS/Red pill/Blue pill personas are adversarial prompt injection inputs designed to bypass safety guardrails; MP.5.1 requires that these jailbreak attack vectors targeting GenAI systems are identified and characterized for likelihood and impact."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Detection of explicit instructions to ignore content policies through dual-persona framing provides continuous evaluation evidence of safety/security risk magnitude; MS.2.6 requires ongoing measurement of jailbreak attempts that compromise GenAI safety alignment."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Identification of coercive Matrix-themed jailbreak patterns triggers pre-defined risk treatment to disengage or block the manipulated response path before unrestricted output is generated; MG.2.3 mandates these supersede/deactivate mechanisms be available on detection."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: dual-response-jailbreak

package/rules/prompt-injection/ATR-2026-00249-game-based-jailbreak.yaml CHANGED Viewed

@@ -22,6 +22,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://owasp.org/www-project-top-10-for-large-language-model-applications/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "This rule detects jailbreak attempts that use fictional game framing and entity creation to bypass safety guardrails, producing continuous evidence of safety/security risk magnitude. MS.2.6 requires ongoing evaluation of AI safety risks, which these detections directly populate."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Game-based jailbreaks with unrestricted entity roleplay are adversarial inputs that test the resilience of model alignment; MS.2.7 requires that security and resilience against such evasion techniques are evaluated and documented."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of successful jailbreak patterns triggers mechanisms to disengage or constrain the AI system before it produces unsafe content under the fictional framing; MG.2.3 mandates these supersede/deactivate response paths."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: game-based-jailbreak

package/rules/prompt-injection/ATR-2026-00251-persona-embodiment-jailbreak.yaml CHANGED Viewed

@@ -25,6 +25,17 @@ references:
     - "AML.T0051 - LLM Prompt Injection"
   research:
     - "https://arxiv.org/abs/2307.15043 - Universal and Transferable Adversarial Attacks on Aligned Language Models"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Embodiment-mechanism jailbreaks with totalitarian control claims are adversarial prompt patterns designed to bypass safety alignment through persona roleplay; MP.5.1 requires that the likelihood and magnitude of such jailbreak attack vectors are identified and characterized as risks to the AI system."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detection of meta-instructions like 'STAY IN CHARACTER' and supreme-imperative framing provides continuous evidence of attempts to defeat the model's security controls; MS.2.7 requires ongoing evaluation and documentation of AI system security and resilience against such alignment-bypass techniques."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "When totalitarian-control persona jailbreaks are detected, treatment mechanisms must intervene to disengage the manipulated persona context before harmful character-framed actions execute; MG.2.3 requires these supersede/deactivate response plans be in place."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: persona-embodiment-jailbreak

package/rules/prompt-injection/ATR-2026-00252-narrative-jailbreak.yaml CHANGED Viewed

@@ -26,6 +26,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://arxiv.org/abs/2310.04451"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "This rule detects narrative jailbreak attacks that use fictional mode backstories and dual response formatting to bypass safety controls; MS.2.7 requires continuous evaluation of AI system security and resilience against adversarial prompt injection techniques that subvert guardrails."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Jailbreak attempts that solicit 'unrestricted' responses directly threaten the safety posture of the LLM; MS.2.6 requires ongoing assessment of safety risk magnitude, and detections of these narrative bypass patterns provide measurable evidence of safety control circumvention attempts."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of dual-response jailbreak prompts must trigger mechanisms to block, deactivate, or override the manipulated response path before unsafe content is generated; MG.2.3 mandates these supersede/disengage controls be in place for adversarial prompt scenarios."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: narrative-jailbreak

package/rules/prompt-injection/ATR-2026-00253-enhanced-persona-jailbreak.yaml CHANGED Viewed

@@ -24,6 +24,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://genai.owasp.org/llmrisk/llm01-prompt-injection/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "AIM jailbreak attempts with persona definition and refusal suppression are direct safety/security risks to the LLM; MS.2.6 requires continuous evaluation of safety risk magnitude, and each detection provides measurable evidence of jailbreak attempts targeting the model's safety alignment."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detection of refusal suppression and amoral persona injection evaluates the resilience of the AI system's guardrails against adversarial prompt manipulation; MS.2.7 mandates documented assessment of the system's ability to withstand such jailbreak attacks."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "When enhanced AIM jailbreak patterns are detected, mechanisms must be available to disengage or block the manipulated session before the unfiltered alter-ego produces harmful output; MG.2.3 requires these supersede/deactivate response plans for active jailbreak events."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: enhanced-persona-jailbreak

package/rules/prompt-injection/ATR-2026-00256-base-n-encoding-jailbreak.yaml CHANGED Viewed

@@ -28,6 +28,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/encoding.py"
     - "https://arxiv.org/abs/2307.02483"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Base-N encoding bypass attempts directly probe the security and resilience of safety classifiers by exploiting their failure to generalize from plaintext to encoded harmful instructions; MS.2.7 requires evaluating and documenting these resilience gaps against adversarial input transformations."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Decode-then-execute prompt injections framed with encoding scheme names and opaque blobs are adversarial inputs whose likelihood and impact must be characterized; MP.5.1 requires identifying these jailbreak vectors so their risk magnitude can be tracked."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of encoded payloads paired with decode instructions must trigger pre-defined risk treatment to block or quarantine the request before the model executes the smuggled instructions; MG.2.3 requires mechanisms to supersede or disengage AI behavior on such matches."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: encoding-bypass

package/rules/prompt-injection/ATR-2026-00257-cipher-transposition-jailbreak.yaml CHANGED Viewed

@@ -26,6 +26,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/encoding.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Cipher and transposition encoding jailbreaks (ROT13, Atbash, Caesar, leet) are adversarial inputs designed to bypass safety filters by obfuscating harmful instructions; MS.2.7 requires that AI system security and resilience against such evasion techniques are continuously evaluated and documented."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Detecting cipher-based jailbreak probes (as catalogued by garak InjectROT13/InjectAtbash/InjectLeet) provides ongoing measurement of safety/security risk magnitude from prompt-injection attacks that classical content filters miss, satisfying MS.2.6's continuous evaluation requirement."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Identification of obfuscated jailbreak instructions triggers the deactivation or response mechanisms required by MG.2.3 to supersede unsafe agent execution before the decoded harmful instruction is acted upon."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: cipher-bypass

package/rules/prompt-injection/ATR-2026-00258-unicode-tag-injection.yaml CHANGED Viewed

@@ -25,6 +25,17 @@ references:
   research:
     - "https://twitter.com/goodside/status/1745511940351287394"
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/goodside.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Invisible Unicode Tag character injection is a covert prompt-injection vector that bypasses human review by hiding instructions in non-rendering codepoints; MS.2.7 requires continuous evaluation of AI system security and resilience against such adversarial input encodings."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Tag-block injection exploits a known LLM input-handling weakness where models interpret invisible characters as instructions; MP.5.1 requires characterizing the likelihood and magnitude of these covert prompt-injection risks so they can be tracked and prioritized."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of U+E0000-U+E007F sequences in prompts triggers risk treatment to strip or block the invisible payload before it reaches the model; MG.2.3 requires these supersede/disengage mechanisms be in place for prompt-injection attempts."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: invisible-unicode

package/rules/prompt-injection/ATR-2026-00264-latent-injection-translation.yaml CHANGED Viewed

@@ -25,6 +25,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/latentinjection.py"
     - "https://x.com/goodside/status/1569128808308957185"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Latent prompt injection embedded in translation/summarization input is a direct attack on the AI system's security and resilience boundary; MS.2.7 requires continuous evaluation of the system's ability to resist adversarial instructions hidden within tool inputs that should be treated as data, not commands."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Detecting 'ignore previous instructions' imperatives and fake turn-markers embedded in user-supplied translation content identifies and characterizes the likelihood of instruction-injection attack vectors that exploit the model's failure to distinguish data from directives, as required by MP.5.1."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "On detection of latent injection payloads in translate/summarize contexts, MG.2.3 risk treatment plans must activate to quarantine or sanitize the input before the agent acts on the embedded instructions, preventing behaviour hijack."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: latent-injection-translation

package/rules/prompt-injection/ATR-2026-00265-latent-injection-rag-document.yaml CHANGED Viewed

@@ -26,6 +26,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/latentinjection.py"
     - "https://simonwillison.net/2023/Apr/14/worst-that-can-happen/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        Latent prompt injection embedded in retrieved RAG content (resumes, reports, emails, web pages) is a security/resilience attack against the LLM's input pipeline; MS.2.7 requires continuous evaluation of system security against adversarial inputs that bypass the system prompt via untrusted retrieved data.
+      strength: primary
+    - subcategory: "MG.3.2"
+      context: >-
+        RAG content from third-party documents and external sources is effectively untrusted input flowing through the model; MG.3.1 requires that risks introduced by third-party data ingested at retrieval time are managed and monitored for embedded injection payloads.
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: >-
+        Forged "ADMIN OVERRIDE" and "IGNORE PREVIOUS INSTRUCTIONS" blocks hidden in retrieved documents are adversarial inputs whose likelihood and impact must be characterized; MP.5.1 requires identifying and tracking these latent injection vectors as part of the system risk profile.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: latent-injection-rag

package/rules/prompt-injection/ATR-2026-00267-gcg-adversarial-suffix.yaml CHANGED Viewed

@@ -26,6 +26,20 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/gcg.py"
     - "https://arxiv.org/abs/2307.15043"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: >-
+        GCG adversarial suffix detection directly evidences security/resilience evaluation by identifying optimized token sequences designed to bypass safety training; MS.2.7 requires that such adversarial robustness failures against the AI system are detected and documented.
+      strength: primary
+    - subcategory: "MS.2.5"
+      context: >-
+        High-entropy bracket salad, LaTeX/code hybrids, and multilingual token salad targeting model distribution shifts test the robustness and reliability of safety alignment; MS.2.5 requires evaluating whether the model maintains reliable behavior under adversarial perturbation.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Detection of GCG suffix patterns triggers risk treatment to quarantine or block the prompt before it reaches the model and overrides safety training; MG.2.3 mandates that such deactivation/containment mechanisms are defined and activated on detection.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: gcg-adversarial-suffix

package/rules/prompt-injection/ATR-2026-00272-hypothetical-response-smuggling.yaml CHANGED Viewed

@@ -29,6 +29,17 @@ references:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/smuggling.py"
     - "https://guzey.com/ai/two-sentence-universal-jailbreak/"
     - "https://medium.com/@austin-stubbs/llm-security-types-of-prompt-injection-d7ad8d7d75a3"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Hypothetical-response and function-masking are jailbreak smuggling techniques that bypass safety alignment by wrapping harmful intent in fictional or algebraic abstractions; MS.2.7 requires continuous evaluation of AI security and resilience against such adversarial prompt patterns, and this detection produces direct evidence of jailbreak attempts."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Hypothetical framing and predict_mask function puzzles are adversarial input vectors whose likelihood and impact must be characterized as part of GenAI prompt-injection risk; MP.5.1 requires identifying and tracking these smuggling patterns as known attack surface."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of token smuggling via hypothetical or function-masking framings triggers risk treatment plans to block or sanitize the prompt before the model produces harmful procedural output; MG.2.3 requires these supersede/disengage mechanisms be in place."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: hypothetical-response-smuggling

package/rules/prompt-injection/ATR-2026-00276-invisible-unicode-bidi-injection.yaml CHANGED Viewed

@@ -29,6 +29,20 @@ references:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/badchars.py"
     - "https://arxiv.org/abs/2106.09898"
     - "https://trojansource.codes/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        Invisible zero-width and BiDi override characters are adversarial input vectors that exploit the gap between human-visible text and model-tokenised text; MP.5.1 requires identifying and characterising the likelihood and magnitude of such prompt-injection attack patterns that bypass human review.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Detecting Cf-category Unicode injection in user input and tool responses provides continuous evaluation of the system's resilience against Trojan Source style obfuscation; MS.2.7 requires that security and resilience against such adversarial inputs is evaluated and documented.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Matches on zero-width characters in tool responses may indicate an active exfiltration or injected-output channel, requiring pre-defined risk treatment to quarantine or sanitise the payload; MG.2.3 mandates these response mechanisms are in place.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: invisible-unicode-bidi-injection