Panguard AI provides the first Skills Audit for AI agents. It audits every skill before it runs, catches known threats with community ATR (Agent Threat Rules), catches unknown threats with AI analysis, and shares new rules to protect everyone. MIT licensed. Open source.
Scan your AI agent stack
AI agent security, built on an open standard.
Drop in a GitHub URL or paste a SKILL/MCP manifest. PanGuard runs 419 ATR rules against it and tells you if it's safe to install.
Built on the open standard
The same rules Cisco and Microsoft already ship in production.
PanGuard is the commercial reference implementation of the ATR open standard. ATR is the MIT-licensed detection standard maintained by the ATR Community; PanGuard wraps it into the platform regulated industries need — real-time protection + audit-ready compliance evidence + on-prem + SLA.
What regulated industries need
One platform. Both procurement gates.
Bank / insurance / healthcare CISO and GRC do not need to buy two vendors.
Real-time Protection
Detect, contain, block at the moment of attack. L3 input/output guardrails · L4 behavioral detection · L6 block + quarantine — all shipped.
CISO / SOC procurement gate
Audit-Ready Compliance
After an attack is blocked, the platform produces audit-ready evidence automatically: every detection links to ATR rule ID + clauses across 5 compliance frameworks + SHA-256 + ed25519 signature. Accepted by auditors.
GRC / Compliance / Legal procurement gate
Do not throw out your existing detection investment
ATR Migrator — convert Sigma / YARA / Snort into AI agent rules in seconds.
F500 banks, insurance, and healthcare have accumulated thousands of Sigma and YARA detection rules. When EU AI Act enforcement begins August 2, those rules cannot cover AI agent behavior. Manual migration: 6-12 months. Migrator: under a week, with 5-framework compliance auto-mapping.
$ panguard-migrate sigma/ --output atr/
Community Free (npm, MIT): Sigma + YARA + Snort parsers, IR transformer, ATR YAML output, CLI.
Migrator Pro (PanGuard Enterprise): human enrichment to Cisco-merge-PR quality · 5-framework compliance auto-mapping · SHA-256 audit evidence pack · TC integration · on-prem deployment.
Your existing investment
Sigma · YARA · Snort · regex packs · SIEM rules
Migrator output
ATR YAML (behavioral layer) + 5-framework metadata + test cases + audit trail
Deploy to
PanGuard Guard · ATR engine · NeMo Guardrails · Cisco AI Defense · any ATR-compatible system
Compliance framework mapping
Five frameworks. One evidence pack.
Every ATR rule auto-maps to clauses across 5 compliance frameworks. Every detection produces PDF + JSON + HTML evidence with SHA-256 + ed25519 signature. Architecturally impossible for Vanta / Drata / Lakera.
EU AI Act
Aug 2 enforcement
NIST AI RMF
US federal
ISO/IEC 42001
International AIMS
OWASP Agentic 2026
Agent attack framework
OWASP LLM 2025
LLM Top 10
Full evidence pack samples and framework mapping at /compliance
Bridging 20 years of detection IP into the AI agent era
Legacy detection rules → AI agent defense layer.
Banks, hospitals, government agencies, and semiconductor SOCs have accumulated two decades of detection IP — SIEM queries, malware signatures, IDS rules, CVE mappings, static analysis.
In the AI agent era, those rules themselves no longer catch prompt injection, but the attack knowledge beneath them still holds. SQL injection did not vanish; it moved into tool calls. Command injection did not vanish; it changed substrate.
Migrator automatically translates 15 source formats into ATR behavioral rules. Not a single line of accumulated detection knowledge is wasted.
SIEM era
2005 →
Sigma
SIEM detection rules
3,000+ community rules
Splunk SPL
Splunk Search Processing Language
F500 SOC default
Elastic EQL
Elastic Query Language
ELK stack default
Endpoint & malware era
2008 →
YARA
Malware family signatures
10,000+ community rules
Snort
Network IDS rules
Cisco + open ruleset
Falco
Runtime container security
CNCF / Kubernetes default
Static code scanning era
2014 →
Semgrep
Polyglot pattern-based SAST
2,000+ rules
CodeQL
GitHub semantic code analysis
Default for OSS critical repos
Vulnerability intel era
1999 →
CVE-NVD
National Vulnerability Database
230,000+ CVEs
GHSA
GitHub Security Advisory
OSS supply chain default
OSV
Open Source Vulnerabilities (Google)
Cross-ecosystem feed
CISA KEV
Known Exploited Vulnerabilities
US Federal mandate
AI red-teaming era
2024 →
NVIDIA garak
LLM jailbreak probes
32 probe modules
Microsoft PyRIT
Python Risk Identification Tool
MS AI red team default
promptfoo
LLM eval / red-team framework
OSS LLM testing default
Input: 15 legacy formats
Sigma · Splunk SPL · Elastic EQL · YARA · Snort · Falco · Semgrep · CodeQL · CVE-NVD · GHSA · OSV · CISA KEV · garak · PyRIT · promptfoo
Output: ATR behavioral rules
AI agent behavioral detection rules, five-framework compliance metadata, test cases, and SHA-256 audit trails.
What this means for sovereign AI
Owning your own model is not the same as owning your detection IP.
India, Japan, the UK, France, Korea, the UAE, and Taiwan are all building sovereign AI models and compute. Yet once those AI systems evolve into agents, the security layer is still supplied by US-private vendors using proprietary rules and black-box models — exactly the dependency that sovereign AI programs were created to escape.
A nation's accumulated SOC detection IP — Sigma rules, YARA signatures, Splunk queries, CVE mappings — is itself a form of security sovereignty. Migrator extends that body of knowledge into the AI agent era automatically, with no rewriting from scratch and no renting it back from foreign vendors.
Sovereign AI is defined by three components: sovereign model, sovereign compute, and sovereign detection knowledge. Only with all three is it complete.
7-LAYER AGENT SECURITY
Agent defense is not a single product
5 layers ship today (L2 Audit / L3 Protect / L4 Detect / L5 Deceive / L6 Respond). L1 Discover lands Q2 2026, L7 Govern Q2/Q3 2026. We mark the gaps openly — no fake checkmarks.
462
ATR rules
666
Garak prompts
97.1%
Garak recall
67,799
Skills scanned
Trusted by security teams
This is not hypothetical.
Real CVEs. Real attacks. Real victims.
Default 0.0.0.0 binding, one HTTP request = RCE. All versions before v1.4.3.
CVE-2026-23744
Hooks + MCP config exploited for arbitrary shell execution and API key theft.
CVE-2025-59536 + CVE-2026-21852
SSRF steals managed identity tokens. Attacker gains Azure resource access.
CVE-2026-26118
Clean for 15 versions. v1.0.16 added silent BCC forwarding 3K-15K emails/day.
ATR ClawHub scan
We scanned 67,799 MCP skills. 1.9% have CRITICAL or HIGH security risks.
COVERAGE MAP
Every competitor covers 1-2 layers. We cover 6.
Industry reality across the 7-layer stack. PanGuard is the first full-stack Agent Security Platform (ASP).
| Platform | L1 | L2 | L3 | L4 | L5 | L6 | L7 |
|---|---|---|---|---|---|---|---|
| Sage (GenDigital) | — | — | ✓ | — | — | — | — |
| Rubrik SAGE | — | — | ✓ | ✓ | — | — | — |
| Cisco AI Defense | — | ✓ | — | ✓ | — | — | — |
| Microsoft AGT | — | ✓ | — | — | ✓ | — | — |
| Straiker | — | — | — | ✓ | — | ✓ | — |
| Apono | — | — | — | — | — | ✓ | ✓ |
| PanGuard | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | — |
L1 Discover · L2 Audit · L3 Protect · L4 Detect · L5 Deceive · L6 Respond · L7 Govern. Source: official product docs, audited 2026-04.
See it in action
One command. Full protection.
Install PanGuard, and your AI agents are protected in under 60 seconds.

Real-time dashboard showing active rules, event monitoring, and 3-layer detection status.
Threat Crystallization
AI understands new threats. Crystallizes them into regex rules. Executes in 0ms. Protects everyone.
Scan
Pattern-match against 444 ATR rules
3ms
Every skill is checked against the full ATR rule set. Known patterns are caught instantly with zero false negatives on matched signatures.
Detect + Block
CRITICAL threats blocked immediately
< 1s
High-confidence matches trigger instant response: block, quarantine, or alert. No human intervention needed for known threats.
Crystallize
LLM generates a new regex rule
< 1 hour
When the LLM discovers a new attack pattern, it crystallizes the understanding into a deterministic regex rule. From probabilistic AI to deterministic defense.
Protect Everyone
New rule distributed to all users
all users
The crystallized rule flows through Threat Cloud to every PanGuard installation. One discovery protects the entire network.
PRICING
Open-core · No middle tier
Community is free and open source forever (feeds the sensor network). Enterprise gets the platform + 5-framework compliance evidence kit. The middle tier is a trap — /pricing explains why.
Pilot
F500 POC before procurement · IT director can approve · credits to Y1 Enterprise
Enterprise
Migrator Pro · 5-framework signed evidence · airgap · SLA · CSM
Sovereign
Nation-state airgap · multi-tenant · custom compliance · Cisco/AMD/NVIDIA JV pre-integrated
Full feature comparison, ATR Enterprise Member tier ($10K/yr governance), and FAQ at /pricing
$ npm install -g @panguard-ai/panguard && pga up
60 seconds. 17 platforms. 462 rules. Free forever.
The Mission: Decentralized AI Agent Security
Every device that installs PanGuard becomes a sensor.
Every scan discovers new threats.
Every threat crystallizes into a rule that protects everyone.
The more people use it, the safer the entire ecosystem becomes.
MIT Licensed / Paper published (Zenodo DOI)