Every country is building Sovereign AI.
None are building Sovereign AI Defense.
Until now.

Three minutes to understand what this is about

What is an AI agent? Unlike ChatGPT, an AI agent does things on its own — it opens webpages, runs commands on your computer, spends your money, sends emails, manages files. It extends its abilities through skills, which are like apps for AI agents. Developers publish skills to public marketplaces, and anyone can download and install them.

What's the problem? In the last 3 months we scanned 96,096 publicly-listed skills and found 751 of them are malicious — disguised as legitimate tools, they'll steal your crypto wallet, login credentials, and developer API keys.

Why is nobody dealing with this? Because there is no country, no standard, no "App Store review process" that currently checks whether AI agent skills are safe. iPhone apps get Apple review. Windows installers get Microsoft SmartScreen. AI agent skills get nothing.

What does this document propose? In cybersecurity history we have a few success stories: CVE (global vulnerability identifiers), YARA (malware detection rules), Sigma (SIEM detection rules). All of them are open, community-governed, adoptable by any country — public standards. This document proposes that AI agent security needs the same thing. ATR is that standard, and it's already shipping in Cisco, Microsoft, and NVIDIA production systems.

Why Taiwan? Taiwan uniquely combines four conditions: 2.63 million daily cyberattacks (highest among democracies), NVIDIA's Asia-Pacific headquarters under construction in Taipei, the world's most mature open-governance culture (g0v, Plurality, vTaiwan), and the shortest decision chain from community to government. No other democracy combines all four.

Want the technical detail after reading this? Continue below. Just want to share? Jump to the share buttons at the bottom.

Why Sovereign AI became a national imperative

AI is no longer a tool. It is the core of next-era national competitiveness — whoever controls AI controls the future of economic, military, diplomatic, and cultural voice. Over the last 18 months, democratic allies have signed over USD 10B in Sovereign AI commitments:

The driver is sovereignty anxiety — no country wants its critical data and intelligence running in US clouds, nor wants to be shut off or censored by foreign platforms at critical moments.

Every country now owns its AI. None owns its AI Defense.

These countries have their own models and their own compute. But when those AI systems become agents — autonomous actors, tool users, MCP clients, transaction executors — no widely accepted agent security detection standard exists.

The current reality: sovereign AI customers source their security layer from US-private vendors running proprietary rule sets and black-box models. This reproduces exactly the dependency that Sovereign AI was created to escape. You can own your AI, but still have to rent the knowledge that defends it — that is incomplete sovereignty.

If this gap is not filled by democratic allies through an open standard, it will be filled by proprietary solutions, by geopolitically-captured private agreements, or — worse — by authoritarian actors moving first. This is not a single country's problem. It is a collective infrastructure question for global democratic AI.

ATR — the open standard that fills the missing layer

MIT License · 314 behavioral rules · protocol-agnostic · behavior-based. Derived from real attack corpora, classified to NVIDIA garak / OWASP Agentic / MITRE ATLAS taxonomies. Adoptable by any country, contributable by any organization. No geopolitical risk. No vendor lock-in.

ATR detects behavioral intent, not string signatures. Attackers who rephrase prompts, repackage payloads, or restructure attack chains cannot evade it, because the detection target is the causal structure of the attack. Each attack has to be redesigned — cost rises exponentially.

Taxonomy Coverage

This did not start in a standards body, a research lab, or a big corporation

43 days ago, a cross-disciplinary founder — Lin Kuan-Hsin (Adam Lin) — looked at a specific gap and started writing code.

One person, 43 days, 0 to 314 rules, six major security ecosystems adopting.

Not because ATR is perfect — because the gap waited too long. When someone builds something openly and verifiably, downstream security tools will plug in.

What we're ready to ship today

• ✓ 314 rules. Every rule traceable on GitHub — source, tests, provenance.
• ✓ Attack-to-rule pipeline. New samples become published rules in under 72 hours.
• ✓ Verified precision. 97.1% recall · 0.20% false positive.
• ✓ International taxonomy mapping. garak 32/32 · OWASP Agentic 7/10 · MITRE ATLAS 100/113 · SAFE-MCP 78/85.
• ✓ Governance. Public GOVERNANCE.md, automated safety gates, npm auto-push to downstream.
• ✓ Production proof. Cisco shipping. Three threat actor campaigns reported and blacklisted.

A Tuesday afternoon in any CISO's office

Walk into the security operations center of any bank, hospital, or semiconductor fab and you'll see the same thing: walls of Splunk dashboards, shelves of SIEM playbooks, hard drives labeled "2018 — Sigma rules v3" and "2021 — YARA family."

This isn't legacy junk waiting to be retired. It is 20 years of detection IP, hand-crafted by the team in actual combat — every rule corresponds to a real incident, a sleepless investigation, an attack caught before it could do damage.

Then the AI agent era arrived.

The first question that lands on the CSO's desk: "Those 20 years — are they still useful? Or do we throw it all out and start over?"

If Sovereign AI Defense can't answer this question, no democracy will seriously fund it.

The answer: still useful. They are the ancestors of this era's attacks.

The 20 years your SOC spent learning to catch SQL injection don't disappear in the AI agent era — they take a new form, running through reasoning chains. Command injection doesn't disappear; it lives in tool calls. SSRF doesn't disappear; it lives in MCP connections.

The attack surface changed. The nature of attack didn't.

ATR therefore has to do one thing: let the detection knowledge a SOC has accumulated carry forward into the AI agent era — without rewriting from scratch.

ATR Migrator — not erase and rewrite, but extend

ATR Migrator v0.1.0 exists to answer that question. What it does is conceptually simple — automatically translate your old rules into draft ATR rules for the new era:

• → Sigma rules: originally flagged a suspicious PowerShell pattern → become "when an AI agent triggers a shell through a tool call, the same pattern is still suspicious."
• → YARA family signatures: become "AI agent attempting to emit or load content matching these signatures."
• → Snort network detections: become equivalent detections on agent MCP traffic.
• → Splunk SPL / Elastic EQL: become ATR rules plus automatically derived attack variants.

The first release (v0.1.0) supports 15 source formats, covering every knowledge source in the existing security stack: CVE-NVD · GHSA · OSV · CISA KEV · NVIDIA garak · Microsoft PyRIT · promptfoo · Semgrep · CodeQL · Snort · Falco · Splunk SPL · Elastic EQL · Sigma · YARA.

Why this has to be a quality pipeline, not a converter

"Automatic translation" sounds great. But if you just shove rules through a format converter, you'll ship rules with massive false-positive rates — and no SOC engineer who has been woken up at 3 a.m. by a noisy SIEM will accept that.

So Migrator is not grep + sed. Every rule that comes in passes through 5 gates:

1. Parse         → Source rules → NormalizedRule IR
2. Variant gen   → Sibling attack variants derived automatically
3. FP sampler    → False positives surfaced via 432-sample benign corpus
4. Regex tighten → Weak patterns strengthened with multi-condition logic
5. Self-test     → Strict per-condition validation; fail-closed

Every emitted rule must also pass adversarial validation against 1,516 real-world jailbreak prompts (NVIDIA garak in-the-wild 666 + Lakera PINT 850). If it doesn't pass — rejected.

Our principle: ship one fewer rule before you ship a single false positive into someone's pager.

Compliance evidence — the work harder than the rules themselves, done automatically

If you're regulated by the EU AI Act, writing a NIST AI RMF report, or preparing for ISO/IEC 42001 certification, you already know one thing: producing compliance evidence is ten times harder than writing the detection rules themselves.

While Migrator converts each rule, it does this work for you in the same pass:

• → EU AI Act: auto-tags Article 9 (Risk Management) and Article 15 (Cybersecurity).
• → NIST AI RMF: auto-tags Manage / Measure / Govern function mappings.
• → ISO/IEC 42001: auto-tags AI Management System clause mappings.

Which means — when you feed your existing Sigma rules into Migrator — what comes out is not just AI agent detection rules, but AI agent detection rules pre-tagged with Article 15 cybersecurity-by-design evidence. Your legal team finally stops frowning.

Why these three layers are necessary for Sovereign AI

Sovereign AI was never just about "owning your own model." It is about something larger — a country that, in the AI era, doesn't have to hand its fate to someone else.

Whatever happens, however the geopolitics shift, whichever US cloud provider gets ordered by its government to cut service — your hospitals keep running, your banks keep running, your power grid keeps running.

Three layers are required. Miss any one, and it isn't sovereign:

ATR + Migrator + Compliance metadata are not three products. They are the three necessary conditions of Sovereign AI Defense. Shipping today. Any democracy can adopt, fork, and operate them — at zero cost — into its own SOC.

Already shipping across the major democratic security stacks

Single initiator · Day 43 · 30+ ecosystem PRs in flight · Apache 2.0 academic edition · DOI 10.5281/zenodo.19178002

An open standard, governed by its contributors

ATR is not a single lab's or vendor's deliverable. Every rule passes through a public, auditable pipeline: pull request → automated safety gate → community review → merge → npm publish. Governance rules are codified in GOVERNANCE.md; every rule carries provenance metadata; any contributor can challenge, correct, or extend the taxonomy.

If this proposal resonates with your organization, there are three levels of participation:

• → Contribute rules: translate AI agent attack samples you've observed into ATR YAML rule PRs
• → Contribute probes: define new attack classes so rule generation can be systematically mapped
• → Contribute validation: test FP/Recall against real attack corpora, surface detection gaps

Open governance is itself a structural requirement for Sovereign AI Defense — attacks are not defined by a single lab, and defense should not be defined by a single vendor.

Why Taiwan is positioned to be the first reference deployment

Taiwan will not own this standard. Taiwan will be the first to adopt it — like the first bank to deploy Linux, or the first government to adopt OpenSSL. Four conditions combine only in Taiwan:

Help this gap become visible

The distribution of this manifesto directly shortens the timeline to adoption. A share is a vote that this layer should exist.