How Panguard Actually Protects You

Guard monitors every whitelisted skill continuously using multiple detection layers -- and when it detects drift, it doesn't just alert. It auto-responds. 1. ATR rule matching (sub-millisecond) -- 71 ATR detection rules for AI agent threats. If the skill's behavior matches any rule, it's flagged instantly. 2. Fingerprint drift -- Skill Auditor records what the skill is supposed to do. Guard compares live behavior against that fingerprint. A code-review tool that suddenly starts making network calls to unknown endpoints? Caught the moment it deviates. 3. LLM deep analysis -- For novel patterns that rules and fingerprinting miss, the AI analyzer examines behavior semantically. Its verdict is automatically distilled into a new ATR rule so the same attack is caught by rules alone next time. When a threat is confirmed, Guard's confidence-based response kicks in: - Confidence >= 85%: automatic response -- revoke skill from whitelist, block tool invocation, quarantine session. No human delay. - Confidence 50-84%: alert with full evidence, suggest specific action (e.g., revoke_skill or kill_agent), wait for human confirmation. - Below 50%: log for investigation with all context preserved. Even a patient attacker who waits 50 invocations before acting gets caught the moment they do something outside their fingerprint -- and Guard responds in proportion to its certainty.

ATR (Agent Threat Rules) is the first open detection standard for AI agent threats. 61 rules across 10 threat categories, built specifically for AI agent attacks: prompt injection, tool poisoning, context exfiltration, credential theft, cross-agent privilege escalation, skill supply-chain attacks, and more. ATR rules are machine-readable, community-driven, and purpose-built for the threats that traditional security tools cannot see -- threats that live in prompt flows, tool calls, and agent conversations. Threat Cloud aggregates rules from the community. Guard runs them with sub-millisecond evaluation. Every new rule strengthens protection for all users.

Panguard focuses on AI agent security threats across 9 categories: Prompt injection -- direct and indirect injection, jailbreaks, system prompt override. Tool poisoning -- malicious tool descriptions, hidden instructions in tool outputs. Credential exfiltration -- API key theft, SSH key access, secret extraction. Context manipulation -- memory poisoning, conversation hijacking. Skill supply-chain -- malicious skill packages, dependency confusion. Cross-agent attacks -- privilege escalation between agents. Unauthorized actions -- file access, network calls beyond declared scope. 71 ATR rules with 520 detection patterns. All open source, community-driven, growing daily through Threat Cloud.

The Panguard flywheel turns every user's discovery into everyone's defense: Step 1: You audit a skill with Skill Auditor. It checks against existing ATR rules and the whitelist. Step 2: If a new threat is found -- either by rules, fingerprint drift, or LLM analysis -- the anonymized threat pattern is reported to Threat Cloud. Step 3: Community members vote on the report. LLM review validates the pattern. If confirmed, a new ATR rule is generated and enters the experimental pipeline (7 days alert-only). Step 4: The new rule is distributed to all Guard instances. Next time anyone audits a skill with that same attack pattern, it's caught instantly by rules -- no AI needed. Step 5: When those rules trigger in Guard, the confidence-based response system automatically blocks, quarantines, or escalates -- completing the defense loop. A threat discovered on one machine is detected and auto-responded to on every machine running Guard. Every cycle makes the next audit stronger. More users = more discoveries = more rules = better protection for everyone. The flywheel doesn't stop at detection -- it closes the loop with automated response.

Guard syncs with Threat Cloud every hour, automatically pulling new ATR rules. No manual action needed. Locally distilled rules -- generated when your LLM analyzes a novel threat -- take effect immediately on your machine. Community-contributed rules go through a staged pipeline: peer review by other Panguard users, then experimental stage (alert-only for 7 days, no blocking), then stable (can auto-block). A rule needs confirmation from at least 3 independent Panguard nodes before promotion. You can check your current rule counts anytime with `panguard rules status`.

Panguard uses confidence-tiered actions to minimize impact: Low confidence: log only. You can review later. Medium confidence: alert + evidence snapshot. No blocking. High confidence: auto-block + alert + detailed report. Community feedback loop handles systemic issues: if a rule's false positive rate exceeds 20%, it's automatically deprecated across all users. Rules in the experimental stage that show high false positive rates never get promoted to stable. Locally, you can adjust confidence thresholds or disable specific rules in your config. Your overrides are preserved across rule updates.

Yes. ATR rules are YAML-based and human-readable. Use `atr scaffold` to generate a template with the correct structure -- metadata, detection logic, MITRE mapping, and response actions. Write your rule, test it locally with `panguard rules test`, then submit it to Threat Cloud for community review. Accepted rules are distributed to all Panguard users and protect every system running Guard. This is the highest-impact way to contribute. Every new ATR rule strengthens the flywheel for the entire community.

Only anonymized threat patterns: category, MITRE technique ID, severity, and a hashed fingerprint. Never files, code, conversations, or personal data. No IP addresses, no usernames, no file contents. You can inspect exactly what gets uploaded with the --show-upload-data flag. You can also disable cloud sync entirely -- Panguard works fully offline with local rules only. Threat Cloud participation is opt-in. Even with it enabled, the data is stripped of all identifying information before it leaves your machine.

Only if you explicitly configure it. Panguard supports three LLM modes: 1. Rules-only (default) -- No AI, no external calls. Guard runs ATR rules locally. This is the default mode and provides strong protection without any data leaving your device. 2. Ollama (local AI) -- Runs entirely on your machine. AI-enhanced analysis with zero external data transfer. 3. Your own API key -- You choose the provider (Anthropic, OpenAI, etc.) and control what gets sent. The LLM only sees the specific event being analyzed, not your files or conversations. The encrypted LLM config (~/.panguard/llm.enc) is stored locally, encrypted with your machine's identity. It never leaves your device.

100% open source, MIT license. Every line of code, every ATR rule, every detection algorithm is publicly auditable on GitHub. There is no hidden enterprise edition. No closed-source components. No telemetry you cannot inspect. What you see in the repo is exactly what runs on your machine. We believe security tools must be transparent. If you cannot verify what your security software does, it is not really protecting you.

One command: npm install -g @panguard-ai/panguard && panguard setup Setup auto-detects Claude Code, Cursor, and 5 other AI platforms. It injects MCP config so your AI agent can call Panguard tools via natural language -- "audit this skill", "scan my system", "what threats were blocked today". No accounts, no API keys required. Rules-only mode works out of the box. Add an LLM key later if you want AI-enhanced analysis.

Four main use cases: (a) Audit any MCP skill before installing -- say "audit this skill" to your AI agent, or run panguard audit skill directly. Skill Auditor checks it against ATR rules and the community whitelist. (b) Scan your system -- panguard scan runs ATR rules across your AI agent environment. (c) Start 24/7 guard -- panguard guard start launches the daemon. Continuous monitoring with sub-millisecond rule evaluation. (d) Your AI agent becomes security-aware -- after setup, your AI agent can scan, audit, and check threats through natural conversation. It calls Panguard tools as MCP skills. Compliance Report and Honeypot Trap are coming soon.

Negligible impact. ATR rule evaluation is sub-millisecond per event -- pure pattern matching, no AI involved for known threats. AI analysis only triggers for events that rules cannot classify, which is typically less than 1% of all events. Memory footprint stays under 100MB. Guard runs as a daemon with watchdog restart. It is designed for always-on operation without noticeable performance cost.

Yes. 100% free, open source, MIT license. No paid tiers, no feature gating, no usage limits. Scan, Guard, Skill Auditor, Threat Cloud, all 71 ATR detection rules -- all free, all open source. Compliance Report and Honeypot Trap are coming soon and will also be free. No credit card, no signup, no "contact sales for pricing."

Built in Taiwan by a team that believes AI agent security should be a public good, not a premium feature. Our thesis: the flywheel model -- where every user's threat discovery strengthens every other user's defense -- only works if the tool is open and free. Paid tiers would fragment the community and weaken collective protection. AI agents are becoming the primary interface between humans and computing. The security layer for that interface must be community-owned.

Write ATR rules -- This is the highest-impact contribution. Every new rule protects all Panguard users. Use `atr scaffold` to get started. Report threats -- Automatic via Guard. When a new threat is detected on your system, the anonymized pattern strengthens community defense through the flywheel. Code contributions -- Bug fixes, new features, performance improvements. Check our GitHub issues for good first issues. Translations and feedback -- Help make Panguard accessible in more languages, report false positives, suggest improvements. Visit our GitHub repository to get started.