Proposal: a deterministic detection signal alongside the LLM judge (via a shared ATLAS/OWASP axis)
The attack-generation side is already broad — evaluators/agent/injection, mcp/tool-poisoning, supply-chain, etc. cover the surface well, and each evaluator.yaml already carries standards: { owasp-api, atlas }. That shared axis is what makes this proposal concrete, so I'm not suggesting new attack patterns (you have those) — I'm suggesting a complementary way to judge outcomes.
The gap: pass_criteria is natural-language, LLM-judged. For a lot of attack categories the "did the payload land / was the response malicious" question also has a deterministic answer, and for reproducibility + cost that's worth having.
Proposal: an optional deterministic judge backed by Agent Threat Rules (ATR — MIT, ~700 detection rules, each tagged with MITRE ATLAS + OWASP LLM/Agentic in metadata). Because your evaluators already declare atlas / owasp-api codes, ATR rules can be matched to an evaluator by that shared code — so for an mcp/tool-poisoning or injection run, ATR gives a deterministic verdict (rule id, category) on the generated exchange, alongside the LLM judge. Benefits mirror the LLM-judge tradeoffs in reverse: zero judge-model tokens, reproducible, and "attack X fired ATR rule Y" is a stable artifact for regression.
Two shapes, whichever fits your runner:
- Deterministic judge module the evaluator can call in addition to (or as a pre-check before) the LLM
pass_criteria.
- A crosswalk doc only — evaluator id → ATLAS/OWASP → ATR rule(s) — if you'd rather keep judging LLM-only but want the mapping for users who run both tools.
I maintain ATR (COI: I author it; MIT, engine-neutral). Raising as an issue first to see whether a deterministic judge is something you'd want in the runner, or whether the crosswalk-only version is the better fit. Happy to follow CONTRIBUTING for whichever.
Proposal: a deterministic detection signal alongside the LLM judge (via a shared ATLAS/OWASP axis)
The attack-generation side is already broad —
evaluators/agent/injection,mcp/tool-poisoning,supply-chain, etc. cover the surface well, and eachevaluator.yamlalready carriesstandards: { owasp-api, atlas }. That shared axis is what makes this proposal concrete, so I'm not suggesting new attack patterns (you have those) — I'm suggesting a complementary way to judge outcomes.The gap:
pass_criteriais natural-language, LLM-judged. For a lot of attack categories the "did the payload land / was the response malicious" question also has a deterministic answer, and for reproducibility + cost that's worth having.Proposal: an optional deterministic judge backed by Agent Threat Rules (ATR — MIT, ~700 detection rules, each tagged with MITRE ATLAS + OWASP LLM/Agentic in metadata). Because your evaluators already declare
atlas/owasp-apicodes, ATR rules can be matched to an evaluator by that shared code — so for anmcp/tool-poisoningorinjectionrun, ATR gives a deterministic verdict (rule id, category) on the generated exchange, alongside the LLM judge. Benefits mirror the LLM-judge tradeoffs in reverse: zero judge-model tokens, reproducible, and "attack X fired ATR rule Y" is a stable artifact for regression.Two shapes, whichever fits your runner:
pass_criteria.I maintain ATR (COI: I author it; MIT, engine-neutral). Raising as an issue first to see whether a deterministic judge is something you'd want in the runner, or whether the crosswalk-only version is the better fit. Happy to follow CONTRIBUTING for whichever.