Add ATR detection rules as community detection resource

README.md

@@ -166,6 +166,18 @@ The SAFE-MCP framework defines 14 tactics that align with the MITRE ATT&CK metho
 | Exfiltration         | 6                    |
 | Impact               | 6                    |
 
+## Community Detection Tools
+
+The following open-source projects provide detection capabilities for SAFE-MCP techniques:
+
+| Project | Type | Coverage | License |
+| ------- | ---- | -------- | ------- |
+| [ATR (Agent Threat Rules)](https://github.com/Agent-Threat-Rule/agent-threat-rules) | YAML detection ruleset (Sigma/YARA-style) | 78/85 techniques (91.8%) | MIT |
+
+ATR provides 108 machine-readable detection rules that map to SAFE-MCP techniques. See the [ATR → SAFE-MCP mapping](https://github.com/Agent-Threat-Rule/agent-threat-rules/blob/main/docs/SAFE-MCP-MAPPING.md) for the full cross-reference.
+
+To add your project to this list, open a PR with your detection tool and a coverage mapping.
+
 ## Usage Guidelines
 
 - Use technique IDs (e.g., SAFE-T1001) for consistent reference across documentation

techniques/SAFE-T1001/README.md

@@ -295,6 +295,25 @@ mcp-scan scan --json
 mcp-scan proxy
 ```
 
+#### ATR (Agent Threat Rules)
+[ATR](https://github.com/Agent-Threat-Rule/agent-threat-rules) provides YAML-based detection rules (Sigma/YARA-style) for MCP tool call threats. Six ATR rules map to SAFE-T1001:
+
+| ATR Rule | Detection Focus |
+| -------- | --------------- |
+| [ATR-2026-010](https://github.com/Agent-Threat-Rule/agent-threat-rules/blob/main/rules/tool-poisoning/ATR-2026-010-malicious-tool-response.yaml) | Malicious content in MCP tool responses (shell commands, reverse shells, curl pipe-to-shell) |
+| [ATR-2026-011](https://github.com/Agent-Threat-Rule/agent-threat-rules/blob/main/rules/tool-poisoning/ATR-2026-011-instruction-injection-tool-output.yaml) | Prompt injection payloads embedded in tool outputs |
+| [ATR-2026-100](https://github.com/Agent-Threat-Rule/agent-threat-rules/blob/main/rules/tool-poisoning/ATR-2026-100-consent-bypass-hidden-instructions.yaml) | Consent bypass via hidden LLM instructions in tool descriptions |
+| [ATR-2026-101](https://github.com/Agent-Threat-Rule/agent-threat-rules/blob/main/rules/tool-poisoning/ATR-2026-101-trust-escalation-authority-override.yaml) | Trust escalation via authority override instructions |
+| [ATR-2026-103](https://github.com/Agent-Threat-Rule/agent-threat-rules/blob/main/rules/tool-poisoning/ATR-2026-103-hidden-safety-bypass.yaml) | Hidden LLM safety bypass instructions in tool descriptions |
+| [ATR-2026-105](https://github.com/Agent-Threat-Rule/agent-threat-rules/blob/main/rules/tool-poisoning/ATR-2026-105-silent-action-concealment.yaml) | Silent action concealment instructions in tool descriptions |
+
+```bash
+# Scan MCP skills with ATR rules
+npx agent-threat-rules scan events.json
+```
+
+Full SAFE-MCP mapping (78/85 techniques covered): [ATR SAFE-MCP Mapping](https://github.com/Agent-Threat-Rule/agent-threat-rules/blob/main/docs/SAFE-MCP-MAPPING.md)
+
 #### Using Our TPA Detection Script
 The included detection script can be integrated into CI/CD pipelines:
 ```bash

techniques/SAFE-T1102/README.md

@@ -120,6 +120,19 @@ tags:
   - safe.t1102
 ```
 
+### Community Detection Rules
+
+#### ATR (Agent Threat Rules)
+[ATR](https://github.com/Agent-Threat-Rule/agent-threat-rules) provides 12 YAML-based detection rules mapping to SAFE-T1102, covering direct injection, indirect injection, jailbreak attempts, system prompt override, multi-turn injection, encoding-based evasion, CJK patterns, structured data injection, and nested payloads:
+
+ATR-2026-001, ATR-2026-002, ATR-2026-003, ATR-2026-004, ATR-2026-005, ATR-2026-080, ATR-2026-081, ATR-2026-083, ATR-2026-084, ATR-2026-091, ATR-2026-097, ATR-2026-104
+
+```bash
+npx agent-threat-rules scan events.json
+```
+
+Full mapping: [ATR SAFE-MCP Mapping](https://github.com/Agent-Threat-Rule/agent-threat-rules/blob/main/docs/SAFE-MCP-MAPPING.md)
+
 ### Behavioral Indicators
 - AI suddenly changes task focus after processing tool output
 - Execution of commands unrelated to the original user request