Hi @ondj and NUKIB MISP maintainers,
Heads-up that the Agent Threat Rules (ATR) galaxy and taxonomy were accepted into MISP upstream on 2026-05-10 by adulau, so they will flow into this image automatically on the next rebuild via the submodule clone in bin/misp_install.sh.
Upstream merges:
What this means for users of this image: Czech CSIRTs and SOCs running NUKIB/misp can natively tag and cluster AI agent threat indicators in their existing MISP event flow once the next image build picks up the submodule HEAD. No NUKIB-side configuration change appears to be required, since misp_install.sh already runs git submodule update --init --recursive against /var/www/MISP/app/ and there is no per-galaxy allowlist in this repo.
I am filing this as an issue rather than a PR because there does not seem to be a file that needs editing on your end. If you would prefer an explicit pin (e.g. a documented minimum MISP_VERSION or submodule commit pin that guarantees the ATR galaxy ships in a given image tag), I am happy to draft a small change against bin/misp_install.sh or the README, just let me know which shape you want.
About ATR: MIT-licensed open detection-rule corpus, 348 rules at v2.1.4. Used in production at Microsoft Agent Governance Toolkit, Cisco AI Defense (314-rule pack), MISP/CIRCL Luxembourg, and OWASP Agent-Security-Regression-Harness. End-to-end time from MSRC Semantic Kernel CVE disclosure on 2026-05-07 to npm-published detection rules covering it was 2 hours 16 minutes (2026-05-11).
Honest scope:
- Not claiming NUKIB endorsement of ATR
- The galaxy is upstream-merged; this issue exists so it is on your radar that the next image rebuild will carry it
- License MIT, compatible with the MISP ecosystem
Repo: https://github.com/Agent-Threat-Rule/agent-threat-rules
Maintainer: Adam Lin, adam@agentthreatrule.org
Foundation: Panguard AI Inc. (Delaware C-Corp, filed 2026-05-12)