Skip to content

Proposal: optional deterministic detection judge via shared ATLAS/OWASP axis (complements the LLM judge) #191

Description

@eeee2345

Proposal: a deterministic detection signal alongside the LLM judge (via a shared ATLAS/OWASP axis)

The attack-generation side is already broad — evaluators/agent/injection, mcp/tool-poisoning, supply-chain, etc. cover the surface well, and each evaluator.yaml already carries standards: { owasp-api, atlas }. That shared axis is what makes this proposal concrete, so I'm not suggesting new attack patterns (you have those) — I'm suggesting a complementary way to judge outcomes.

The gap: pass_criteria is natural-language, LLM-judged. For a lot of attack categories the "did the payload land / was the response malicious" question also has a deterministic answer, and for reproducibility + cost that's worth having.

Proposal: an optional deterministic judge backed by Agent Threat Rules (ATR — MIT, ~700 detection rules, each tagged with MITRE ATLAS + OWASP LLM/Agentic in metadata). Because your evaluators already declare atlas / owasp-api codes, ATR rules can be matched to an evaluator by that shared code — so for an mcp/tool-poisoning or injection run, ATR gives a deterministic verdict (rule id, category) on the generated exchange, alongside the LLM judge. Benefits mirror the LLM-judge tradeoffs in reverse: zero judge-model tokens, reproducible, and "attack X fired ATR rule Y" is a stable artifact for regression.

Two shapes, whichever fits your runner:

  1. Deterministic judge module the evaluator can call in addition to (or as a pre-check before) the LLM pass_criteria.
  2. A crosswalk doc only — evaluator id → ATLAS/OWASP → ATR rule(s) — if you'd rather keep judging LLM-only but want the mapping for users who run both tools.

I maintain ATR (COI: I author it; MIT, engine-neutral). Raising as an issue first to see whether a deterministic judge is something you'd want in the runner, or whether the crosswalk-only version is the better fit. Happy to follow CONTRIBUTING for whichever.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions