npm - agent-threat-rules - Versions diffs - 3.1.1 → 3.3.0 - Mend

agent-threat-rules 3.1.1 → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (474) hide show

package/rules/privilege-escalation/ATR-2026-00539-crewai-codeinterpreter-sandbox-escape-rce.yaml CHANGED Viewed

@@ -81,6 +81,9 @@ compliance:
         sandbox escapes and pip-install command injection via libraries_used as
         high-risk vectors for any agent code-execution feature.
       strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the privilege-escalation attempt (CrewAI CodeInterpreterTool Sandbox Escape and Prompt-to-Shell RCE (CVE-2026-2275 / VU#221883)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: >
@@ -97,13 +100,19 @@ compliance:
         (shlex.quote or subprocess list-form), mirroring the vendor's planned fixes
         in CrewAI PR #4791 / #5309 / #5310 / #5315.
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (CrewAI CodeInterpreterTool Sandbox Escape and Prompt-to-Shell RCE (CVE-2026-2275 / VU#221883))."
+      strength: primary
   iso_42001:
-    - clause: "8.6"
+    - clause: "8.1"
       context: >
-        Operational controls under clause 8.6 must detect Python sandbox-escape
+        Operational controls under clause 8.1 must detect Python sandbox-escape
         primitives and pip-install injection patterns in code submitted to any
         agent code-interpreter layer.
       strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the privilege-escalation attempt (CrewAI CodeInterpreterTool Sandbox Escape and Prompt-to-Shell RCE (CVE-2026-2275 / VU#221883)) is such a treatment."
+      strength: secondary
 tags:
   category: privilege-escalation

package/rules/privilege-escalation/ATR-2026-00546-crewai-json-loader-local-file-read.yaml CHANGED Viewed

@@ -55,6 +55,9 @@ compliance:
         mandate that AI agent document loaders canonicalise paths and restrict
         access to the intended data directory.
       strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the privilege-escalation attempt (CrewAI JSON Loader Arbitrary Local File Read (CVE-2026-2285)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: >
@@ -62,13 +65,22 @@ compliance:
         read constitutes an adversarial input; MP.5.1 requires scanning
         document loader path arguments for traversal sequences.
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (CrewAI JSON Loader Arbitrary Local File Read (CVE-2026-2285))."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the privilege-escalation attempt (CrewAI JSON Loader Arbitrary Local File Read (CVE-2026-2285)) so the risk can be treated."
+      strength: secondary
   iso_42001:
-    - clause: "8.6"
+    - clause: "8.1"
       context: >
         Operational controls must detect and block document loader invocations
         with path traversal sequences targeting sensitive files outside the
         intended data scope.
       strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the privilege-escalation attempt (CrewAI JSON Loader Arbitrary Local File Read (CVE-2026-2285)) is such a treatment."
+      strength: secondary
 tags:
   category: privilege-escalation

package/rules/privilege-escalation/ATR-2026-00547-crewai-rag-url-ssrf-bypass.yaml CHANGED Viewed

@@ -58,6 +58,9 @@ compliance:
         cybersecurity requirements mandate robust URL validation that blocks
         all representations of internal addresses.
       strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the privilege-escalation attempt (CrewAI RAG URL Validation Bypass SSRF (CVE-2026-2286)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: >
@@ -65,12 +68,21 @@ compliance:
         services constitutes an adversarial input; MP.5.1 requires scanning
         RAG source URLs for SSRF bypass patterns.
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (CrewAI RAG URL Validation Bypass SSRF (CVE-2026-2286))."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the privilege-escalation attempt (CrewAI RAG URL Validation Bypass SSRF (CVE-2026-2286)) so the risk can be treated."
+      strength: secondary
   iso_42001:
-    - clause: "8.6"
+    - clause: "8.1"
       context: >
         Operational controls must detect and block RAG URL inputs containing
         SSRF bypass representations of internal or link-local addresses.
       strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the privilege-escalation attempt (CrewAI RAG URL Validation Bypass SSRF (CVE-2026-2286)) is such a treatment."
+      strength: secondary
 tags:
   category: privilege-escalation

package/rules/privilege-escalation/ATR-2026-00549-destructive-tool-without-human-approval.yaml CHANGED Viewed

@@ -54,6 +54,9 @@ compliance:
         review per Article 14. Trace evidence of skipped approval is a
         direct violation.
       strength: primary
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the privilege-escalation attempt (Destructive tool invocation without prior human approval)."
+      strength: primary
   nist_ai_rmf:
     - subcategory: "MG.4.1"
       context: >
@@ -61,7 +64,20 @@ compliance:
         without approval are unmitigated risks; trace evidence is
         normative for assessment.
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Destructive tool invocation without prior human approval)."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the privilege-escalation attempt (Destructive tool invocation without prior human approval) so the risk can be treated."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the privilege-escalation attempt (Destructive tool invocation without prior human approval)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the privilege-escalation attempt (Destructive tool invocation without prior human approval) is such a treatment."
+      strength: secondary
 tags:
   category: privilege-escalation
   subcategory: missing-human-approval

package/rules/privilege-escalation/ATR-2026-00551-cross-conversation-memory-write.yaml CHANGED Viewed

@@ -54,13 +54,32 @@ compliance:
         tenant-isolated state and violate Article 10 data-governance
         requirements.
       strength: primary
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the privilege-escalation attempt (Cross-conversation memory write (scope-escape via memory store))."
+      strength: primary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the privilege-escalation attempt (Cross-conversation memory write (scope-escape via memory store)) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MS.2.6"
       context: >
         Information security — cross-tenant memory writes are integrity
         failures under MS-2.6.
       strength: primary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the privilege-escalation attempt (Cross-conversation memory write (scope-escape via memory store))."
+      strength: primary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the privilege-escalation attempt (Cross-conversation memory write (scope-escape via memory store)) so the risk can be treated."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the privilege-escalation attempt (Cross-conversation memory write (scope-escape via memory store))."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the privilege-escalation attempt (Cross-conversation memory write (scope-escape via memory store)) is such a treatment."
+      strength: secondary
 tags:
   category: privilege-escalation
   subcategory: cross-conversation-memory-write

package/rules/prompt-injection/ATR-2026-00001-direct-prompt-injection.yaml CHANGED Viewed

@@ -46,6 +46,9 @@ compliance:
     - article: "9"
       context: "Prompt injection is a documented risk class; this rule implements the monitoring control required by Article 9 risk management obligations for high-risk AI systems."
       strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (Direct Prompt Injection via User Input) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.2.3
@@ -55,6 +58,9 @@ compliance:
       subcategory: MP.5.1
       context: "Identifying adversarial input manipulation as an AI risk to be catalogued in the organizational risk register."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the prompt-injection attempt (Direct Prompt Injection via User Input)."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "Addressing adversarial manipulation risk is an objective required under clause 6.2 AIMS information security planning; this rule operationalizes the detection control measure."
@@ -62,6 +68,9 @@ compliance:
     - clause: "8.4"
       context: "Impact assessment for AI deployments under clause 8.4 must account for adversarial user inputs; detection events from this rule provide the required monitoring evidence."
       strength: secondary
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (Direct Prompt Injection via User Input)."
+      strength: primary
 tags:
   category: prompt-injection

package/rules/prompt-injection/ATR-2026-00002-indirect-prompt-injection.yaml CHANGED Viewed

@@ -52,6 +52,9 @@ compliance:
     - article: "9"
       context: "Indirect injection from third-party content sources is a documented risk category requiring mitigation controls under Article 9 risk management obligations."
       strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (Indirect Prompt Injection via External Content) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - function: Manage
       subcategory: MG.2.3
@@ -61,12 +64,15 @@ compliance:
       subcategory: MP.3.3
       context: "External content providers are third-party components in the AI supply chain; this rule identifies their attack surface as a risk source."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the prompt-injection attempt (Indirect Prompt Injection via External Content)."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "Clause 6.2 AIMS planning requires controls for externally-sourced risks; this rule operationalizes the detection measure for indirect injection via consumed content."
       strength: primary
-    - clause: "8.5"
-      context: "Externally-provided content processed by the agent falls under clause 8.5 control of externally-provided processes; this rule validates that external content does not contain adversarial directives."
+    - clause: "8.1"
+      context: "Externally-provided content processed by the agent falls under clause 8.1 control of externally-provided processes; this rule validates that external content does not contain adversarial directives."
       strength: secondary
 tags:

package/rules/prompt-injection/ATR-2026-00003-jailbreak-attempt.yaml CHANGED Viewed

@@ -40,6 +40,9 @@ compliance:
     - article: "9"
       context: "Jailbreak attempts constitute a documented risk class in the AI system risk register; Article 9 requires that monitoring controls are deployed to detect these attempts at runtime."
       strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (Jailbreak Attempt Detection) would bypass or undermine that oversight."
+      strength: secondary
   nist_ai_rmf:
     - subcategory: "MP.5.1"
       context: "Jailbreak attempts are a primary class of adversarial input attacks against AI systems; MP.5.1 requires that adversarial input risks are identified and tracked so that runtime detection controls like this rule can be deployed."
@@ -47,12 +50,15 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Detected jailbreak patterns represent active exploitation of AI safety mechanisms, triggering the risk treatment response plans required by MG.2.3 to contain and remediate adversarial prompt attacks."
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the prompt-injection attempt (Jailbreak Attempt Detection)."
+      strength: primary
   iso_42001:
     - clause: "6.2"
       context: "ISO 42001 clause 6.2 requires AI risk treatment activities to be planned and implemented; jailbreak detection rules operationalize the risk treatment plan for adversarial prompt-based safety bypass attacks."
       strength: primary
-    - clause: "8.6"
-      context: "Clause 8.6 operational controls ensure AI systems execute correctly and consistently; runtime jailbreak detection enforces that safety constraints remain active despite adversarial instructions to disable them."
+    - clause: "8.1"
+      context: "Clause 8.1 operational controls ensure AI systems execute correctly and consistently; runtime jailbreak detection enforces that safety constraints remain active despite adversarial instructions to disable them."
       strength: secondary
 tags:

package/rules/prompt-injection/ATR-2026-00004-system-prompt-override.yaml CHANGED Viewed

@@ -39,6 +39,23 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Successful system prompt override grants full control over agent behavior, so detection events must trigger the supersede/disengage mechanisms required by MG.2.3 to deactivate or quarantine the affected agent session before downstream unauthorized actions occur."
       strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (System Prompt Override Attempt)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the prompt-injection attempt (System Prompt Override Attempt) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the prompt-injection attempt (System Prompt Override Attempt)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the prompt-injection attempt (System Prompt Override Attempt)."
+      strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (System Prompt Override Attempt) would bypass or undermine that oversight."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: system-prompt-override

package/rules/prompt-injection/ATR-2026-00005-multi-turn-injection.yaml CHANGED Viewed

@@ -38,6 +38,23 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Identification of multi-turn injection patterns triggers risk treatment plans to disengage or interrupt the manipulated conversation before the attacker reaches the escalation payload; MG.2.3 mandates these response mechanisms be in place."
       strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (Multi-Turn Prompt Injection)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the prompt-injection attempt (Multi-Turn Prompt Injection) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the prompt-injection attempt (Multi-Turn Prompt Injection)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the prompt-injection attempt (Multi-Turn Prompt Injection)."
+      strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (Multi-Turn Prompt Injection) would bypass or undermine that oversight."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: multi-turn

package/rules/prompt-injection/ATR-2026-00080-encoding-evasion.yaml CHANGED Viewed

@@ -10,13 +10,15 @@ author: ATR Community (MiroFish Predicted)
 date: 2026/03/11
 schema_version: "0.1"
 detection_tier: pattern
-maturity: test
+maturity: stable
 severity: high
 references:
   owasp_llm:
     - LLM01:2025 - Prompt Injection
   mitre_atlas:
     - AML.T0051
+  owasp_agentic:
+    - ASI01:2026 - Agent Goal Hijack
 metadata_provenance:
   owasp_llm: auto-generated
 compliance:
@@ -30,6 +32,23 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Detection of encoded override instructions triggers pre-defined risk treatment plans to block or sanitize the payload before it reaches the model; MG.2.3 mandates these containment mechanisms are in place to disengage malicious flows."
       strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (Encoding-Based Prompt Injection Evasion)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the prompt-injection attempt (Encoding-Based Prompt Injection Evasion) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the prompt-injection attempt (Encoding-Based Prompt Injection Evasion)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the prompt-injection attempt (Encoding-Based Prompt Injection Evasion)."
+      strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (Encoding-Based Prompt Injection Evasion) would bypass or undermine that oversight."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: encoding-evasion

package/rules/prompt-injection/ATR-2026-00081-semantic-multi-turn.yaml CHANGED Viewed

@@ -17,6 +17,8 @@ references:
     - LLM01:2025 - Prompt Injection
   mitre_atlas:
     - AML.T0051
+  owasp_agentic:
+    - ASI01:2026 - Agent Goal Hijack
 metadata_provenance:
   owasp_llm: auto-generated
 compliance:
@@ -33,6 +35,23 @@ compliance:
       context: >-
         On detection of semantic evasion patterns, the system must be able to disengage or quarantine the affected session before the multi-turn payload completes; MG.2.3 mandates that such supersede/deactivate mechanisms are in place for adversarial prompt injection.
       strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (Semantic Evasion via Multi-Turn Prompt Injection)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the prompt-injection attempt (Semantic Evasion via Multi-Turn Prompt Injection) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the prompt-injection attempt (Semantic Evasion via Multi-Turn Prompt Injection)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the prompt-injection attempt (Semantic Evasion via Multi-Turn Prompt Injection)."
+      strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (Semantic Evasion via Multi-Turn Prompt Injection) would bypass or undermine that oversight."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: semantic-evasion

package/rules/prompt-injection/ATR-2026-00082-fingerprint-evasion.yaml CHANGED Viewed

@@ -17,6 +17,8 @@ references:
     - LLM01:2025 - Prompt Injection
   mitre_atlas:
     - AML.T0051
+  owasp_agentic:
+    - ASI01:2026 - Agent Goal Hijack
 metadata_provenance:
   owasp_llm: auto-generated
 compliance:
@@ -30,6 +32,23 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Detection of fingerprint evasion patterns triggers risk treatment to deactivate or constrain agents whose behavior signatures cannot be trusted; MG.2.3 requires mechanisms to supersede or disengage AI systems when monitoring assurances are undermined."
       strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (Behavioral Fingerprint Detection Evasion)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the prompt-injection attempt (Behavioral Fingerprint Detection Evasion) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the prompt-injection attempt (Behavioral Fingerprint Detection Evasion)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the prompt-injection attempt (Behavioral Fingerprint Detection Evasion)."
+      strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (Behavioral Fingerprint Detection Evasion) would bypass or undermine that oversight."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: fingerprint-evasion

package/rules/prompt-injection/ATR-2026-00083-indirect-tool-injection.yaml CHANGED Viewed

@@ -10,13 +10,15 @@ author: ATR Community (MiroFish Predicted)
 date: 2026/03/11
 schema_version: "0.1"
 detection_tier: pattern
-maturity: test
+maturity: stable
 severity: high
 references:
   owasp_llm:
     - LLM01:2025 - Prompt Injection
   mitre_atlas:
     - AML.T0051
+  owasp_agentic:
+    - ASI01:2026 - Agent Goal Hijack
 metadata_provenance:
   owasp_llm: auto-generated
 compliance:
@@ -33,6 +35,26 @@ compliance:
       context: >-
         Detection of instruction-override payloads, fake system delimiters, and role-reassignment content in tool outputs must trigger containment so the agent does not execute attacker-controlled actions; MG.2.3 requires these supersede/disengage mechanisms be available on detection.
       strength: secondary
+    - subcategory: "MS.2.7"
+      context: "NIST AI RMF MEASURE 2.7 (security and resilience evaluated and documented) is supported by this rule's runtime detection of the prompt-injection attempt (Indirect Prompt Injection via Tool Responses)."
+      strength: primary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (Indirect Prompt Injection via Tool Responses)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the prompt-injection attempt (Indirect Prompt Injection via Tool Responses) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the prompt-injection attempt (Indirect Prompt Injection via Tool Responses)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the prompt-injection attempt (Indirect Prompt Injection via Tool Responses)."
+      strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (Indirect Prompt Injection via Tool Responses) would bypass or undermine that oversight."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: indirect-injection

package/rules/prompt-injection/ATR-2026-00084-structured-data-injection.yaml CHANGED Viewed

@@ -11,7 +11,7 @@ author: "ATR Community (MiroFish Predicted)"
 date: "2026/03/11"
 schema_version: "0.1"
 detection_tier: pattern
-maturity: test
+maturity: stable
 severity: high
 references:
@@ -22,6 +22,8 @@ references:
   mitre_attack:
     - "T0051"
+  owasp_agentic:
+    - ASI01:2026 - Agent Goal Hijack
 metadata_provenance:
   owasp_llm: auto-generated
@@ -36,6 +38,23 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Matches on injection payloads inside structured data fields trigger risk treatment plans to quarantine or sanitize the input before it reaches the model; MG.2.3 requires these response mechanisms be defined and activated on detection."
       strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (Structured Data Injection via JSON/CSV Payloads)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the prompt-injection attempt (Structured Data Injection via JSON/CSV Payloads) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the prompt-injection attempt (Structured Data Injection via JSON/CSV Payloads)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the prompt-injection attempt (Structured Data Injection via JSON/CSV Payloads)."
+      strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (Structured Data Injection via JSON/CSV Payloads) would bypass or undermine that oversight."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: structured-data-injection

package/rules/prompt-injection/ATR-2026-00085-audit-evasion.yaml CHANGED Viewed

@@ -17,6 +17,8 @@ references:
     - LLM01:2025 - Prompt Injection
   mitre_atlas:
     - AML.T0051
+  owasp_agentic:
+    - ASI01:2026 - Agent Goal Hijack
 metadata_provenance:
   owasp_llm: auto-generated
 compliance:
@@ -30,6 +32,23 @@ compliance:
     - subcategory: "MS.2.6"
       context: "Payloads that manipulate trust scores or claim to have passed audit layers represent active security risk indicators; MS.2.6 requires continuous evaluation of safety/security risk magnitude as these evasion techniques evolve."
       strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (Multi-Layer Security Audit Evasion)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the prompt-injection attempt (Multi-Layer Security Audit Evasion) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the prompt-injection attempt (Multi-Layer Security Audit Evasion)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the prompt-injection attempt (Multi-Layer Security Audit Evasion)."
+      strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (Multi-Layer Security Audit Evasion) would bypass or undermine that oversight."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: audit-evasion

package/rules/prompt-injection/ATR-2026-00086-visual-spoofing.yaml CHANGED Viewed

@@ -17,6 +17,8 @@ references:
     - LLM01:2025 - Prompt Injection
   mitre_atlas:
     - AML.T0051
+  owasp_agentic:
+    - ASI01:2026 - Agent Goal Hijack
 metadata_provenance:
   owasp_llm: auto-generated
 compliance:
@@ -30,6 +32,23 @@ compliance:
     - subcategory: "MG.2.3"
       context: "Matches on visual-spoofing payloads trigger risk treatment plans to quarantine or sanitize disguised inputs before the model acts on them; MG.2.3 mandates pre-defined response mechanisms for adversarial inputs."
       strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (Visual Spoofing via RTL Override, Punycode, and Homoglyph Injection)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the prompt-injection attempt (Visual Spoofing via RTL Override, Punycode, and Homoglyph Injection) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the prompt-injection attempt (Visual Spoofing via RTL Override, Punycode, and Homoglyph Injection)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the prompt-injection attempt (Visual Spoofing via RTL Override, Punycode, and Homoglyph Injection)."
+      strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (Visual Spoofing via RTL Override, Punycode, and Homoglyph Injection) would bypass or undermine that oversight."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: visual-spoofing

package/rules/prompt-injection/ATR-2026-00087-rule-probing.yaml CHANGED Viewed

@@ -17,6 +17,8 @@ references:
     - LLM01:2025 - Prompt Injection
   mitre_atlas:
     - AML.T0051
+  owasp_agentic:
+    - ASI01:2026 - Agent Goal Hijack
 metadata_provenance:
   owasp_llm: auto-generated
 compliance:
@@ -30,6 +32,26 @@ compliance:
     - subcategory: "MG.4.1"
       context: "Detection of probing behavior feeds post-deployment monitoring under MG.4.1, providing telemetry that filter coverage is being actively reconnoitered and that detection rules require iterative tuning."
       strength: secondary
+    - subcategory: "MG.2.3"
+      context: "NIST AI RMF MANAGE 2.3 (respond to previously unknown identified risks) is supported by this rule, which surfaces the prompt-injection attempt (Detection Rule Probing and Evasion Testing) so the risk can be treated."
+      strength: secondary
+  iso_42001:
+    - clause: "8.1"
+      context: "ISO/IEC 42001 Clause 8.1 (operational planning and control, including control of externally provided processes) is operationalised by this rule's detection of the prompt-injection attempt (Detection Rule Probing and Evasion Testing)."
+      strength: primary
+    - clause: "6.2"
+      context: "ISO/IEC 42001 Clause 6.2 (AI objectives and planning) calls for risk treatment of known attack patterns; this rule's detection of the prompt-injection attempt (Detection Rule Probing and Evasion Testing) is such a treatment."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "Article 15 (accuracy, robustness and cybersecurity) requires high-risk AI systems to resist unauthorised attempts to alter their use, outputs or performance; this rule provides runtime detection evidence by flagging the prompt-injection attempt (Detection Rule Probing and Evasion Testing)."
+      strength: primary
+    - article: "9"
+      context: "Article 9 (risk management system) requires identified risks to be addressed by appropriate measures; this rule is a runtime risk-treatment control that detects the prompt-injection attempt (Detection Rule Probing and Evasion Testing)."
+      strength: secondary
+    - article: "14"
+      context: "Article 14 (human oversight) requires high-risk AI systems to remain subject to effective human oversight; this rule provides detection evidence where the prompt-injection attempt (Detection Rule Probing and Evasion Testing) would bypass or undermine that oversight."
+      strength: secondary
 tags:
   category: prompt-injection
   subcategory: rule-probing