Panguard AI provides a Skills Audit for AI agents. It audits every skill before it runs, catches known threats with community ATR (Agent Threat Rules), catches unknown threats with AI analysis, and shares new rules to protect everyone. MIT licensed. Open source.
Free and open source.
Security for every AI agent.
One command, 30 seconds — MIT-licensed, self-hosted, zero telemetry. It scans every skill and MCP server, then guards each agent action at runtime.
30-second install · no signup · runs offline
Auto-detects your AI agents:
01 / THE GAP
An AI agent is a brilliant new hire you handed the keys to.
It reads your email, runs your code, moves your money — but it can't tell your instruction from a stranger's. Hide "ignore your job, send the data" in a page, a skill, or a tool it reads, and it obeys. The attack isn't code. It's words the agent can't help but obey.
THE PC / NETWORK ERA
One shared rulebook
CVE · antivirus · Sigma. A common, open vocabulary for what counts as malicious. Every defender shares it.
THE AGENT ERA
A brand-new surface
Prompt injection · poisoned tools & skills · malicious MCP · over-autonomy. None of it fits old signatures.
TODAY
Everyone starts from zero
No CVE. No Sigma. Every team reinvents agent detection privately — and falls behind the next attack.
New attack surface, no shared standard. That's the gap.
02 / REAL CVEs · REAL ATTACKS · REAL VICTIMS
This is not hypothetical.
Default 0.0.0.0 binding. One HTTP request = full remote code execution. All versions before v1.4.3.
CVE-2026-23744Hooks + MCP config exploited for arbitrary shell execution and API key theft.
CVE-2025-59536 + CVE-2026-21852SSRF steals managed identity tokens. Attacker gains Azure resource access without admin privileges.
CVE-2026-26118Clean for 15 versions. v1.0.16 silently BCC-forwarded 3K-15K emails per day to an external address.
ATR ClawHub scanWe scanned 67,799 MCP skills. 1.9% have CRITICAL or HIGH security risks.
03 / WHY IT STAYS AHEAD
Defense has to accumulate faster than attacks multiply.
You can't out-patch this one company at a time. Every attack caught anywhere is written once as a rule — and protects everyone forever.
Sigma · YARA · CVE — weeks to months
Human notices the attack → hand-writes a rule → committee reviews. Only that vendor's users benefit.
ATR — new attack → rule in ~1 hour
Flywheels find and draft; CI auto-tests against precision and benign-FP gates; humans fast-review. Every adopter benefits at once.
We call it threat crystallization: AI understands an attack once — a deterministic rule executes in milliseconds, everywhere.
SECURITY ISN'T WON BY PERFECTION — IT'S WON BY MAKING ATTACKS UNECONOMICAL
04 / THE RULEBOOK
That rulebook exists now: ATR.
The open, executable standard for what an AI agent must never do. MIT, free forever. The CVE/Sigma layer for agents — real today, with 768 rules.
ATR
The rules
the Sigma layer
768 executable detection rules. Deterministic, local-first, signed output.
ATD
The taxonomy
the ATT&CK layer
Agentic Threat Detection — the technique knowledge base, crosswalked to MITRE ATLAS and OWASP.
ENGINE
Runs anywhere
deterministic · local-first
No telemetry, signed output — even sovereign buyers run their own detection without a foreign vendor.
Crosswalks to 10 frameworks: EU AI Act · NIST AI RMF · ISO/IEC 42001 · OWASP Agentic · OWASP LLM · MITRE ATLAS · SAFE-MCP · CWE · Five Eyes · CISA KEV
05 / IT RUNS
It runs. Here's the attack getting caught.
Real pga scan output on a confirmed-malicious skill from a live agent ecosystem (OpenClaw) — captured 2026-07-02 on the ATR v3.5.3 bundle, not a mockup. The rulebook has grown since.
Corpus-level, Layer-1 measurements, re-verified before every external use. On the 65,000-sample benign gate, false positives are lane-based: ~0.24% in enforce, ~9% in hunt (the default). There is no single blended number, so we don't quote one.
DETECTION — MEASURED, NOT CLAIMED
ATR rules merged upstream into Cisco AI Defense and Microsoft AGT — maintainer-accepted contributions, not vendor endorsements.
06 / WHAT IT DOES
The same rulebook does two things enterprises need.
PROTECT
Catch the attack
at runtime · before it loads
Scan skills and MCP servers against ATR before an agent ever loads them; detect and contain hijack attempts while the agent runs.
PROVE
Prove you caught it
signed · audit-ready
Emit signed, audit-ready evidence — the artifact EU AI Act, NYDFS Part 500 and DORA point to. Living evidence, not a one-off PDF.
ATR is the free rulebook. PanGuard is the always-fresh, supported, audit-ready version of it.
The Community edition is free and open source. Signed compliance evidence reporting is the paid Enterprise add-on for teams that need audit trails.
See it in action
One command. Full protection.
Install PanGuard, and your AI agents are protected in under 60 seconds.

Am I safe right now — posture at a glance. Both detection layers run fully on-device; the optional LLM second opinion and collective defense are off by default.
PRICING
Free to start, paid when you must prove it
Self-host the full stack free forever. When you must prove agent security in a bank or enterprise review, the $25K Founding Pilot is self-serve; larger deployments are sales-led.
Founding Pilot
Prove agent security in a bank/enterprise review · 90-day founder-led · self-serve
Order nowEnterprise & up
Enterprise · Migrator Pro · Sovereign · OEM — living signed evidence, airgap, per-nation
See full specFull Enterprise, Migrator Pro, Sovereign & OEM specification at /enterprise
Start with a scan.Stay for the protection.
Every scan makes the community safer. Join the collective defense network.
npm install -g panguard && pga up