npm - agent-threat-rules - Versions diffs - 2.0.18 → 2.1.1 - Mend

agent-threat-rules 2.0.18 → 2.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (268) hide show

package/rules/prompt-injection/ATR-2026-00202-encoding-evasion-homoglyph-synonym.yaml CHANGED Viewed

@@ -22,6 +22,17 @@ references:
   mitre_atlas:
     - "AML.T0051 - LLM Prompt Injection"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Homoglyph substitution and synonym rewriting are adversarial evasion techniques targeting the security controls of LLM-based systems; MS.2.7 requires that security and resilience evaluations cover bypass methods against keyword-based filters and document their effectiveness."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Detecting Cyrillic-Latin homoglyph attacks and synonym-substituted instruction overrides characterizes the likelihood and magnitude of prompt injection risks that exploit the gap between visual rendering and regex detection; MP.5.1 requires these adversarial input vectors be identified and tracked."
+      strength: secondary
+    - subcategory: "MG.4.2"
+      context: "Field-tested evasion patterns derived from skill-sanitizer v2.1 represent measurable continuous improvement of detection coverage; MG.4.2 requires that detection rulesets evolve as new bypass techniques emerge in production."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: encoding-evasion

package/rules/prompt-injection/ATR-2026-00203-context-pollution-skill-description.yaml CHANGED Viewed

@@ -25,6 +25,17 @@ references:
   mitre_atlas:
     - "AML.T0051.001 - Indirect Prompt Injection"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Skill descriptions that embed injection payloads disguised as examples or enumerate attack vectors in LLM-interpretable formats are adversarial inputs that pollute agent context; MP.5.1 requires identifying and characterizing the likelihood and magnitude of these indirect prompt injection risks before agents ingest the polluted descriptions."
+      strength: primary
+    - subcategory: "GV.6.1"
+      context: "Skills are third-party supplied components whose descriptions become part of the agent's trusted context; GV.6.1 requires policies that govern third-party AI supplier risks, including vetting skill metadata for embedded injection payloads disguised as documentation."
+      strength: secondary
+    - subcategory: "MG.3.2"
+      context: "Detection of polluted skill descriptions feeds the monitoring of pre-trained and third-party model components used in development; MG.3.2 requires ongoing monitoring of these supply-chain artifacts for malicious content before they are integrated into agent workflows."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: context-pollution

package/rules/prompt-injection/ATR-2026-00206-hidden-priority-instructions.yaml CHANGED Viewed

@@ -16,6 +16,17 @@ references:
     - "LLM01:2025 - Prompt Injection"
   owasp_agentic:
     - "ASI01:2026 - Agent Behaviour Hijack"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Hidden instructions wrapped in HTML-style priority blocks (IMPORTANT, CRITICAL, SYSTEM) are prompt injection payloads embedded in MCP skills; MP.5.1 requires identifying and characterizing these adversarial input patterns that attempt to override agent behavior through emphatic formatting."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detection of priority-override injection blocks in skill content provides continuous evaluation evidence of security and resilience against prompt injection, as required by MS.2.7 for documenting AI system security posture against behavior-hijacking payloads."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Matches against hidden priority-block instructions trigger risk treatment workflows to quarantine or disable the offending skill before the agent executes the overriding commands; MG.2.3 requires these supersede/deactivate mechanisms be in place."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: hidden-priority-instructions

package/rules/prompt-injection/ATR-2026-00207-hidden-instructions.yaml CHANGED Viewed

@@ -15,6 +15,17 @@ references:
     - "LLM01:2025 - Prompt Injection"
   owasp_agentic:
     - "ASI01:2026 - Agent Behaviour Hijack"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Hidden <IMPORTANT> XML blocks containing directive language that overrides system behavior are prompt injection payloads embedded within MCP skills; MP.5.1 requires identifying and characterizing the likelihood and impact of these adversarial inputs targeting the agent's instruction-following pipeline."
+      strength: primary
+    - subcategory: "MG.3.2"
+      context: "MCP skills are third-party-supplied components consumed by the agent; detecting hidden permission-override instructions inside skill content provides the supply-chain monitoring evidence MG.3.2 requires for pre-trained or externally sourced model assets."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Directive language attempting to bypass security controls must trigger pre-defined risk treatment such as quarantining or disabling the offending skill before it can hijack agent behavior, which is the deactivation mechanism MG.2.3 mandates."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: hidden-instructions

package/rules/prompt-injection/ATR-2026-00211-system-prompt-override.yaml CHANGED Viewed

@@ -17,6 +17,17 @@ references:
     - "LLM01:2025 - Prompt Injection"
   owasp_agentic:
     - "ASI01:2026 - Agent Behaviour Hijack"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Translation context injection is a prompt injection vector where adversarial instructions are smuggled inside document translation payloads to override system prompts; MP.5.1 requires that the likelihood and magnitude of such adversarial input attacks are characterized and tracked as identified risks."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detecting system prompt override attempts via translation requests provides continuous evidence for evaluating the AI system's security and resilience against prompt injection, which MS.2.7 requires to be measured and documented."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Matches on translation-borne override instructions trigger pre-defined risk treatment to disengage or quarantine the hijacked agent behavior before safety controls are bypassed, satisfying MG.2.3's requirement for mechanisms to supersede or deactivate compromised AI behavior."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: system-prompt-override

package/rules/prompt-injection/ATR-2026-00213-system-prompt-override.yaml CHANGED Viewed

@@ -16,6 +16,17 @@ references:
     - "LLM01:2025 - Prompt Injection"
   owasp_agentic:
     - "ASI01:2026 - Agent Behaviour Hijack"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "System prompt override injection via MCP tool descriptions and parameters is an adversarial input attack that exploits the trust boundary between tool metadata and the agent's instruction context; MP.5.1 requires identifying and characterizing the likelihood and impact of these prompt injection vectors targeting safety controls."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detection of attempts to bypass or override system prompts directly evidences continuous evaluation of AI system security and resilience against prompt injection, which MS.2.7 requires be measured and documented."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Successful system prompt overrides can disable safety guardrails, so detections must trigger pre-defined response plans to disengage or quarantine the affected agent session as required by MG.2.3."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: system-prompt-override

package/rules/prompt-injection/ATR-2026-00226-identity-substitution.yaml CHANGED Viewed

@@ -24,6 +24,20 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://genai.owasp.org/llmrisk/llm01-prompt-injection/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: >-
+        Identity substitution jailbreaks are adversarial prompt-injection inputs that exploit the AI's identity and safety framing to bypass content policies; MP.5.1 requires identifying and characterizing the likelihood and impact of such GenAI-specific attack vectors against the deployed model.
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: >-
+        Detecting attempts to redefine the model's identity, training provenance, or architecture provides continuous evidence for evaluating the system's security and resilience against jailbreak techniques, as required by MS.2.7.
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: >-
+        Matches on identity-substitution patterns trigger pre-defined risk treatment to disengage or block the manipulated session before safety constraints are bypassed, which is the containment mechanism MG.2.3 requires.
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: identity-substitution

package/rules/prompt-injection/ATR-2026-00227-historical-persona-jailbreak.yaml CHANGED Viewed

@@ -26,6 +26,17 @@ references:
     - "AML.T0054"
   research:
     - "https://genai.owasp.org/llmrisk/llm01-prompt-injection/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "This rule detects jailbreak attempts using fictional historical AI personas to bypass safety restrictions, directly evidencing continuous evaluation of AI system safety/security risk magnitude as required by MS.2.6. Each detection produces telemetry on adversarial prompts attempting to subvert the model's safety alignment."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "Detection of historical persona jailbreaks with compliance enforcement language triggers risk treatment to disengage or block the manipulated session before the agent generates unrestricted output; MG.2.3 requires that mechanisms to supersede compromised AI behavior are activated on such detections."
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: "Elaborate backstory-based jailbreaks represent a specific adversarial input pattern whose likelihood and impact must be characterized; MP.5.1 requires identifying and tracking these social-engineering prompt injection vectors that bypass simple keyword-based detection."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: historical-persona-jailbreak

package/rules/prompt-injection/ATR-2026-00228-structured-jailbreak.yaml CHANGED Viewed

@@ -23,6 +23,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://arxiv.org/abs/2402.16914 - DrAttack: Prompt Decomposition and Reconstruction"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "Structured dual-response jailbreaks with persona-based command systems are GenAI safety/security attacks that attempt persistent policy bypass; MS.2.6 requires continuous evaluation of AI safety/security risk magnitude, and each detection produces direct evidence of jailbreak attempts against the model's safety controls."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Persona establishment (DAN, UnleashedGPT) combined with policy override claims tests the resilience of model guardrails against structured jailbreak frameworks; MS.2.7 requires that security/resilience against adversarial prompt patterns is evaluated and documented."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of persistent jailbreak command infrastructure must trigger mechanisms to disengage or block the manipulated session before downstream harmful generations occur; MG.2.3 requires these supersede/deactivate response plans be defined and activated on detection."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: structured-jailbreak

package/rules/prompt-injection/ATR-2026-00229-roleplay-jailbreak.yaml CHANGED Viewed

@@ -19,6 +19,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://arxiv.org/abs/2307.15043 - Universal and Transferable Adversarial Attacks on Aligned Language Models"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "This rule detects roleplay-based jailbreak attempts that explicitly claim freedom from safety policies, providing continuous evaluation of safety/security risk magnitude as required by MS.2.6 for GenAI systems. Each detection is direct evidence of attempted safety guardrail bypass against the deployed model."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Roleplay jailbreaks targeting policy bypass test the resilience of the AI system's alignment controls; MS.2.7 requires that security/resilience against adversarial prompt techniques is evaluated and documented through detections like this one."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of explicit policy-bypass language combined with persona assignment triggers the deactivation/superseding mechanisms required by MG.2.3 to halt the jailbroken interaction before policy-violating content is generated."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: roleplay-jailbreak

package/rules/prompt-injection/ATR-2026-00230-persona-moral-bypass.yaml CHANGED Viewed

@@ -24,6 +24,17 @@ references:
     - "AML.T0054"
   research:
     - "https://arxiv.org/abs/2307.15043"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Persona-based moral constraint removal is a jailbreak attack pattern that uses adversarial prompts to bypass safety guardrails; MP.5.1 requires that the likelihood and magnitude of such GenAI jailbreak risks are characterized and tracked when detected."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Detection of explicit moral/ethical unrestraint persona adoption provides continuous evaluation evidence of safety/security risk magnitude against the AI system; MS.2.6 requires ongoing measurement of safety bypass attempts to assess whether safety controls remain effective."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detected persona-based jailbreak attempts must trigger mechanisms to disengage or block the manipulated agent behavior before the model produces unaligned output; MG.2.3 requires these supersession controls be in place for safety-bypass events."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: persona-moral-bypass

package/rules/prompt-injection/ATR-2026-00231-identity-substitution.yaml CHANGED Viewed

@@ -24,6 +24,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://genai.owasp.org/llmrisk/llm01-prompt-injection/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Identity substitution jailbreaks are adversarial prompts that attempt to bypass safety mechanisms by redefining the AI's identity and constraints; MS.2.7 requires continuous evaluation of AI security and resilience against such jailbreak attacks, and this rule produces the detection evidence needed for that evaluation."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "False identity claims combined with capability expansion statements directly target the AI system's safety guardrails; MS.2.6 requires ongoing measurement of safety risk magnitude, which this rule supports by flagging jailbreak attempts that erode safety enforcement."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of identity substitution attacks must trigger response mechanisms to disengage or block the manipulated session before safety bypass succeeds; MG.2.3 requires these supersede/deactivate controls be in place for jailbreak conditions."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: identity-substitution

package/rules/prompt-injection/ATR-2026-00233-structured-jailbreak.yaml CHANGED Viewed

@@ -23,6 +23,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://arxiv.org/abs/2402.16914 - DrAttack: Prompt Decomposition and Reconstruction"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "This rule detects structured jailbreak attempts that establish unrestricted AI personas with dual-response command systems designed to bypass safety guardrails; MS.2.7 requires continuous evaluation of AI system security and resilience against adversarial bypass techniques like persona-based jailbreaks."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Persistent jailbreak frameworks with policy override instructions and constraint removal claims represent sustained safety/security risks whose magnitude must be evaluated continuously per MS.2.6, since successful persona bypass enables ongoing harmful content generation."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of structured dual-response jailbreaks with command infrastructure triggers the deactivation and override mechanisms required by MG.2.3 to disengage the manipulated persona before it produces unsafe outputs."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: structured-jailbreak

package/rules/prompt-injection/ATR-2026-00234-roleplay-jailbreak.yaml CHANGED Viewed

@@ -19,6 +19,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://arxiv.org/abs/2307.15043 - Universal and Transferable Adversarial Attacks on Aligned Language Models"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "Roleplay-based jailbreaks are a GenAI-specific safety bypass where attackers use fictional persona framing to coerce the model into violating its policies; MS.2.6 requires continuous evaluation of safety/security risk magnitude, and detections of these explicit policy-bypass patterns directly feed that safety risk measurement."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "Detecting explicit 'free from rules/policies' roleplay assignments enables the system to disengage or block the unsafe interaction before the model produces policy-violating content; MG.2.3 mandates pre-defined mechanisms to supersede or deactivate the AI when such jailbreak attempts are observed."
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: "Creative-roleplay jailbreaks are adversarial inputs whose likelihood and impact must be characterized as part of the AI system's risk profile; MP.5.1 requires that these prompt-injection vectors are identified and their potential impact on guardrail integrity is tracked."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: roleplay-jailbreak

package/rules/prompt-injection/ATR-2026-00235-persona-moral-bypass.yaml CHANGED Viewed

@@ -24,6 +24,17 @@ references:
     - "AML.T0054"
   research:
     - "https://arxiv.org/abs/2307.15043"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "This rule detects jailbreak attempts that establish alternate personas explicitly designed to remove moral and ethical constraints, which is a direct safety/security risk to the AI system. MS.2.6 requires continuous evaluation of safety/security risk magnitude, and each detection event provides evidence of attempted safety bypass that must be measured and tracked."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Persona-based moral constraint removal is an adversarial input attack on the model's alignment guardrails; MS.2.7 requires evaluation of the AI system's security and resilience against such jailbreak techniques, and these detections feed the resilience evaluation evidence base."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detected jailbreak attempts using moral-unrestraint persona adoption must trigger pre-defined risk treatment such as blocking the prompt or disengaging the affected session; MG.2.3 mandates mechanisms exist to supersede or deactivate AI behavior when safety bypass is detected."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: persona-moral-bypass

package/rules/prompt-injection/ATR-2026-00236-pseudo-code-jailbreak.yaml CHANGED Viewed

@@ -25,6 +25,17 @@ references:
     - "AML.T0054"
   research:
     - "https://arxiv.org/abs/2402.11753"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Pseudo-code structured jailbreaks are adversarial inputs that disguise malicious instructions as legitimate technical configuration to bypass safety controls; MP.5.1 requires identifying and characterizing the likelihood and impact of such prompt-injection attack vectors against the AI system."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detecting BEGIN/END blocks, variable assignments, and module initialization patterns that redefine agent behavior provides continuous evidence of security/resilience evaluation against structured prompt injection techniques, as required by MS.2.7."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Matches on pseudo-code jailbreak patterns trigger risk treatment plans to disengage or quarantine the manipulated agent session before unauthorized behavior redefinition takes effect; MG.2.3 requires these supersede/deactivate mechanisms be available on detection."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: pseudo-code-jailbreak

package/rules/prompt-injection/ATR-2026-00237-dual-response-jailbreak.yaml CHANGED Viewed

@@ -21,6 +21,17 @@ references:
     - "ASI01:2026 - Agent Behaviour Hijack"
   mitre_atlas:
     - "AML.T0054"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Dual-response jailbreak prompts that request paired compliant/jailbroken outputs and toggle commands like /classic and /jailbroken are adversarial inputs designed to bypass safety alignment; MP.5.1 requires identifying and characterizing the likelihood and impact of such GenAI prompt injection vectors."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Detecting persona-based jailbreaks (Jester, DAN) that claim to free the model from constraints provides continuous evidence of safety/security risk magnitude in deployed GenAI systems, which MS.2.6 requires be evaluated on an ongoing basis."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "When a dual-response jailbreak is detected, MG.2.3 risk-treatment mechanisms must be invoked to suppress the jailbroken persona output or disengage the session before unsafe content is returned to the user."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: dual-response-jailbreak

package/rules/prompt-injection/ATR-2026-00238-identity-replacement.yaml CHANGED Viewed

@@ -22,6 +22,17 @@ references:
     - "ASI01:2026 - Agent Behaviour Hijack"
   mitre_atlas:
     - "AML.T0054 - LLM Jailbreak"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "Identity denial and persona replacement is a jailbreak technique covered by the GenAI Profile; MS.2.6 requires continuous evaluation of AI safety/security risk magnitude, and detecting these attempts to override the model's self-awareness and safety constraints provides direct evidence of jailbreak risk."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "Successful identity replacement disables the model's safety guardrails, so detection events must trigger risk treatment plans to disengage or block the manipulated session; MG.2.3 requires mechanisms to supersede or deactivate AI behavior when integrity is compromised."
+      strength: secondary
+    - subcategory: "MP.5.1"
+      context: "Combined identity denial, memory manipulation, and concealment directives are adversarial input patterns whose likelihood and impact must be characterized; MP.5.1 requires these prompt-injection attack vectors be identified and tracked."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: identity-replacement

package/rules/prompt-injection/ATR-2026-00239-amoral-persona-obsession.yaml CHANGED Viewed

@@ -25,6 +25,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://arxiv.org/abs/2312.02119 - Tree of Attacks: Jailbreaking Black-Box LLMs Automatically"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "This rule detects jailbreak attempts that assign amoral personas combined with obsessive repetition patterns to bypass safety constraints; MS.2.6 requires continuous evaluation of AI safety/security risk magnitude, and these detections directly evidence safety bypass attempts targeting the model's alignment guardrails."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Persona-based jailbreaks that strip ethical constraints and enforce harmful output patterns are adversarial resilience failures; MS.2.7 requires evaluation of system security/resilience against such prompt injection techniques documented in MITRE ATLAS AML.T0054."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of amoral persona assignment with refusal suppression triggers risk treatment mechanisms to disengage or block the manipulated agent session before harmful content is generated; MG.2.3 requires these supersession controls be in place."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: amoral-persona-obsession

package/rules/prompt-injection/ATR-2026-00240-instruction-nullification-identity-repla.yaml CHANGED Viewed

@@ -26,6 +26,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://arxiv.org/abs/2402.16914 - DrAttack: Prompt Decomposition and Reconstruction Makes Powerful LLM Jailbreakers"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "This rule detects explicit jailbreak prompts that nullify prior instructions and replace the model's identity with a harmful persona; MP.5.1 requires identifying and characterizing the likelihood and magnitude of such adversarial prompt-injection inputs that target safety guardrails."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detection of instruction-nullification and identity-replacement attempts directly evidences continuous evaluation of the AI system's security and resilience against jailbreak techniques, which MS.2.7 requires to be measured and documented."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Matches on persona-replacement jailbreaks (DAN, Skynet, unrestricted AI) trigger risk treatment to disengage or block the manipulated session before harmful content is produced; MG.2.3 requires these supersede/deactivate mechanisms be in place."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: instruction-nullification-identity-replacement

package/rules/prompt-injection/ATR-2026-00241-amoral-character-jailbreak.yaml CHANGED Viewed

@@ -25,6 +25,17 @@ references:
     - "AML.T0054"
   research:
     - "https://arxiv.org/abs/2307.15043 - Universal and Transferable Adversarial Attacks on Aligned Language Models"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "Detection of detailed amoral character roleplay jailbreaks directly evidences continuous evaluation of GenAI safety/security risk magnitude; each match indicates an active attempt to subvert safety controls through persona-based bypass, which MS.2.6 requires be measured and tracked."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "Identifying systematic amoral persona establishment and command-protocol bypass instructions triggers the risk treatment mechanisms required by MG.2.3 to disengage or block the manipulated agent behavior before unsafe content is produced."
+      strength: secondary
+    - subcategory: "MS.2.7"
+      context: "Roleplay-based jailbreaks targeting alignment guardrails are adversarial robustness probes; MS.2.7 requires that the system's resilience against such prompt-injection attack patterns is evaluated and documented."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: amoral-character-jailbreak

package/rules/prompt-injection/ATR-2026-00242-persona-jailbreak.yaml CHANGED Viewed

@@ -22,6 +22,17 @@ references:
     - "ASI01:2026 - Agent Goal Hijack"
   mitre_atlas:
     - "AML.T0054 - LLM Jailbreak"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Dual-response persona jailbreaks with emoji-tagged channels are adversarial prompt injection attacks targeting the safety alignment of generative AI systems; MS.2.7 requires continuous evaluation of security and resilience against such jailbreak techniques, and each detection event provides direct evidence of resilience testing."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Fictional AI persona creation with mandatory uncensored output channels represents an identified adversarial input vector whose likelihood and impact must be characterized; MP.5.1 requires tracking these jailbreak patterns as part of the GenAI risk profile."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of persona-based dual-response jailbreaks triggers risk treatment mechanisms to disengage or block the manipulated session before harmful content is produced; MG.2.3 requires that these supersession controls activate on detection."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: persona-jailbreak

package/rules/prompt-injection/ATR-2026-00243-acronym-jailbreak.yaml CHANGED Viewed

@@ -23,6 +23,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://genai.owasp.org/llmrisk/llm01-prompt-injection/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "This rule detects acronym-based jailbreak attempts that manufacture custom personas to bypass safety controls, providing continuous evaluation of GenAI safety/security risk magnitude as required by MS.2.6. Each match evidences active attempts to subvert model guardrails through novel persona-transformation vectors."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "Detection of complete-freedom claims and explicit instructions to violate safety measures triggers the response mechanisms required by MG.2.3 to disengage or block the manipulated session before the model produces unsafe output."
+      strength: secondary
+    - subcategory: "MS.2.7"
+      context: "Catching novel acronym variants that evade named-persona detection contributes to documenting the AI system's resilience against adversarial prompt-injection techniques as required by MS.2.7."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: acronym-jailbreak

package/rules/prompt-injection/ATR-2026-00244-dual-response-jailbreak.yaml CHANGED Viewed

@@ -25,6 +25,17 @@ references:
     - "AML.T0054"
   research:
     - "https://arxiv.org/abs/2308.03825"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "Dual-response persona jailbreaks are GenAI-specific safety bypass attacks that force models to emit unfiltered content under a fictional character; MS.2.6 requires continuous evaluation of safety/security risk magnitude, and each detection contributes evidence of active jailbreak attempts against safety mechanisms."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "The rule evaluates resilience of the model's safety alignment against roleplay-based bypass techniques drawn from public jailbreak communities; MS.2.7 requires documented evaluation of security/resilience, which these detections directly inform."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of dual-response jailbreak patterns enables mechanisms to disengage or block the manipulated response path before harmful output is delivered; MG.2.3 requires such supersede/deactivate controls be in place for adversarial bypass attempts."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: dual-response-jailbreak

package/rules/prompt-injection/ATR-2026-00245-malicious-persona.yaml CHANGED Viewed

@@ -24,6 +24,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://arxiv.org/abs/2307.15043 - Universal and Transferable Adversarial Attacks on Aligned Language Models"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "Malicious persona creation is a jailbreak technique targeting GenAI safety guardrails through roleplay-based bypass; MS.2.6 requires continuous evaluation of safety/security risk magnitude, and detection of bespoke evil-character prompts produces direct evidence of active safety-bypass attempts."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detecting attempts to define harmful fictional personas with explicit removal of ethical constraints evidences the resilience of the AI system against adversarial roleplay attacks; MS.2.7 requires that such security/resilience evaluations are documented."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "When malicious persona injection is detected, treatment mechanisms must supersede or disengage the roleplay instruction before harmful outputs are generated; MG.2.3 mandates these deactivation pathways exist for safety-bypass attempts."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: malicious-persona

package/rules/prompt-injection/ATR-2026-00247-dual-response-jailbreak.yaml CHANGED Viewed

@@ -23,6 +23,17 @@ references:
     - "AML.T0054"
   research:
     - "https://arxiv.org/abs/2310.03684"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Matrix-themed dual response jailbreaks using MORPHEUS/Red pill/Blue pill personas are adversarial prompt injection inputs designed to bypass safety guardrails; MP.5.1 requires that these jailbreak attack vectors targeting GenAI systems are identified and characterized for likelihood and impact."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Detection of explicit instructions to ignore content policies through dual-persona framing provides continuous evaluation evidence of safety/security risk magnitude; MS.2.6 requires ongoing measurement of jailbreak attempts that compromise GenAI safety alignment."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Identification of coercive Matrix-themed jailbreak patterns triggers pre-defined risk treatment to disengage or block the manipulated response path before unrestricted output is generated; MG.2.3 mandates these supersede/deactivate mechanisms be available on detection."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: dual-response-jailbreak

package/rules/prompt-injection/ATR-2026-00249-game-based-jailbreak.yaml CHANGED Viewed

@@ -22,6 +22,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://owasp.org/www-project-top-10-for-large-language-model-applications/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "This rule detects jailbreak attempts that use fictional game framing and entity creation to bypass safety guardrails, producing continuous evidence of safety/security risk magnitude. MS.2.6 requires ongoing evaluation of AI safety risks, which these detections directly populate."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Game-based jailbreaks with unrestricted entity roleplay are adversarial inputs that test the resilience of model alignment; MS.2.7 requires that security and resilience against such evasion techniques are evaluated and documented."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of successful jailbreak patterns triggers mechanisms to disengage or constrain the AI system before it produces unsafe content under the fictional framing; MG.2.3 mandates these supersede/deactivate response paths."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: game-based-jailbreak

package/rules/prompt-injection/ATR-2026-00251-persona-embodiment-jailbreak.yaml CHANGED Viewed

@@ -25,6 +25,17 @@ references:
     - "AML.T0051 - LLM Prompt Injection"
   research:
     - "https://arxiv.org/abs/2307.15043 - Universal and Transferable Adversarial Attacks on Aligned Language Models"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MP.5.1"
+      context: "Embodiment-mechanism jailbreaks with totalitarian control claims are adversarial prompt patterns designed to bypass safety alignment through persona roleplay; MP.5.1 requires that the likelihood and magnitude of such jailbreak attack vectors are identified and characterized as risks to the AI system."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detection of meta-instructions like 'STAY IN CHARACTER' and supreme-imperative framing provides continuous evidence of attempts to defeat the model's security controls; MS.2.7 requires ongoing evaluation and documentation of AI system security and resilience against such alignment-bypass techniques."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "When totalitarian-control persona jailbreaks are detected, treatment mechanisms must intervene to disengage the manipulated persona context before harmful character-framed actions execute; MG.2.3 requires these supersede/deactivate response plans be in place."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: persona-embodiment-jailbreak

package/rules/prompt-injection/ATR-2026-00252-narrative-jailbreak.yaml CHANGED Viewed

@@ -26,6 +26,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://arxiv.org/abs/2310.04451"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "This rule detects narrative jailbreak attacks that use fictional mode backstories and dual response formatting to bypass safety controls; MS.2.7 requires continuous evaluation of AI system security and resilience against adversarial prompt injection techniques that subvert guardrails."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Jailbreak attempts that solicit 'unrestricted' responses directly threaten the safety posture of the LLM; MS.2.6 requires ongoing assessment of safety risk magnitude, and detections of these narrative bypass patterns provide measurable evidence of safety control circumvention attempts."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of dual-response jailbreak prompts must trigger mechanisms to block, deactivate, or override the manipulated response path before unsafe content is generated; MG.2.3 mandates these supersede/disengage controls be in place for adversarial prompt scenarios."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: narrative-jailbreak

package/rules/prompt-injection/ATR-2026-00253-enhanced-persona-jailbreak.yaml CHANGED Viewed

@@ -24,6 +24,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://genai.owasp.org/llmrisk/llm01-prompt-injection/"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.6"
+      context: "AIM jailbreak attempts with persona definition and refusal suppression are direct safety/security risks to the LLM; MS.2.6 requires continuous evaluation of safety risk magnitude, and each detection provides measurable evidence of jailbreak attempts targeting the model's safety alignment."
+      strength: primary
+    - subcategory: "MS.2.7"
+      context: "Detection of refusal suppression and amoral persona injection evaluates the resilience of the AI system's guardrails against adversarial prompt manipulation; MS.2.7 mandates documented assessment of the system's ability to withstand such jailbreak attacks."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "When enhanced AIM jailbreak patterns are detected, mechanisms must be available to disengage or block the manipulated session before the unfiltered alter-ego produces harmful output; MG.2.3 requires these supersede/deactivate response plans for active jailbreak events."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: enhanced-persona-jailbreak

package/rules/prompt-injection/ATR-2026-00256-base-n-encoding-jailbreak.yaml CHANGED Viewed

@@ -28,6 +28,17 @@ references:
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/encoding.py"
     - "https://arxiv.org/abs/2307.02483"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Base-N encoding bypass attempts directly probe the security and resilience of safety classifiers by exploiting their failure to generalize from plaintext to encoded harmful instructions; MS.2.7 requires evaluating and documenting these resilience gaps against adversarial input transformations."
+      strength: primary
+    - subcategory: "MP.5.1"
+      context: "Decode-then-execute prompt injections framed with encoding scheme names and opaque blobs are adversarial inputs whose likelihood and impact must be characterized; MP.5.1 requires identifying these jailbreak vectors so their risk magnitude can be tracked."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Detection of encoded payloads paired with decode instructions must trigger pre-defined risk treatment to block or quarantine the request before the model executes the smuggled instructions; MG.2.3 requires mechanisms to supersede or disengage AI behavior on such matches."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: encoding-bypass

package/rules/prompt-injection/ATR-2026-00257-cipher-transposition-jailbreak.yaml CHANGED Viewed

@@ -26,6 +26,17 @@ references:
     - "AML.T0054 - LLM Jailbreak"
   research:
     - "https://github.com/NVIDIA/garak/blob/main/garak/probes/encoding.py"
+compliance:
+  nist_ai_rmf:
+    - subcategory: "MS.2.7"
+      context: "Cipher and transposition encoding jailbreaks (ROT13, Atbash, Caesar, leet) are adversarial inputs designed to bypass safety filters by obfuscating harmful instructions; MS.2.7 requires that AI system security and resilience against such evasion techniques are continuously evaluated and documented."
+      strength: primary
+    - subcategory: "MS.2.6"
+      context: "Detecting cipher-based jailbreak probes (as catalogued by garak InjectROT13/InjectAtbash/InjectLeet) provides ongoing measurement of safety/security risk magnitude from prompt-injection attacks that classical content filters miss, satisfying MS.2.6's continuous evaluation requirement."
+      strength: secondary
+    - subcategory: "MG.2.3"
+      context: "Identification of obfuscated jailbreak instructions triggers the deactivation or response mechanisms required by MG.2.3 to supersede unsafe agent execution before the decoded harmful instruction is acted upon."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: cipher-bypass