Frequently Asked Questions
How Panguard Actually Protects You
Straight answers to the questions that matter. No marketing fluff.
General
Yes -- every Panguard product feature is free and open source under the MIT license, with no feature gating and no usage limits. Scan, Guard, Skill Auditor, Threat Cloud, the Compliance Report, the Honeypot Trap, and all 650+ ATR detection rules -- all free, all open source. No credit card or signup to install. What is paid is optional, and only for regulated organizations: managed support with an SLA, on-prem / airgap deployment help, and signed, auditor-ready compliance evidence at scale. These are services -- they never gate a product feature, and the open-source product stays free forever. See Pricing for the service tiers.
Built in Taiwan on the belief that AI agent security should be a public good, not a premium feature. The thesis: the flywheel model -- where every user's threat discovery strengthens every other user's defense -- only works if the tool is open and free. Paid tiers would fragment the community and weaken collective protection. AI agents are becoming the primary interface between humans and computing. The security layer for that interface must be community-owned.
Write ATR rules -- This is the highest-impact contribution. Every new rule protects all Panguard users. Use `atr scaffold` to get started.
Report threats -- Automatic via Guard. When a new threat is detected on your system, the anonymized pattern strengthens community defense through the flywheel.
Code contributions -- Bug fixes, new features, performance improvements. Check our GitHub issues for good first issues.
Translations and feedback -- Help make Panguard accessible in more languages, report false positives, suggest improvements.
Visit our GitHub repository to get started.
Security & Detection
Skill Auditor is your first line of defense. Before any skill runs on your system, Skill Auditor scans it against ATR rules purpose-built for AI agent threats -- prompt injection, tool poisoning, hidden payloads, permission overreach. If the skill passes, it gets added to your local whitelist with a behavioral fingerprint. If anything looks suspicious -- say, a weather tool that requests file-system write access -- Skill Auditor flags it with the specific ATR rule that triggered (e.g., ATR-2026-005 for multi-turn injection patterns) and blocks installation until you explicitly approve. The whitelist isn't just a pass/fail list. It records the skill's declared capabilities, so Guard can later detect if behavior drifts from what was approved.
Guard monitors every whitelisted skill continuously using layered deterministic detection -- and when it detects drift, it doesn't just alert. It auto-responds.
1. ATR rule matching (sub-millisecond) -- 650+ ATR detection rules for AI agent threats. If the skill's behavior matches any rule, it's flagged instantly.
2. Fingerprint drift -- Skill Auditor records what the skill is supposed to do. Guard compares live behavior against that fingerprint. A code-review tool that suddenly starts making network calls to unknown endpoints? Caught the moment it deviates.
Both run entirely on-device with no LLM in the detection path -- verdicts are deterministic and reproducible.
When a threat is confirmed, Guard's confidence-based response kicks in:
- Confidence >= 85%: automatic response -- revoke skill from whitelist, block tool invocation, quarantine session. No human delay.
- Confidence 50-84%: alert with full evidence, suggest specific action (e.g., revoke_skill or kill_agent), wait for human confirmation.
- Below 50%: log for investigation with all context preserved.
Even a patient attacker who waits 50 invocations before acting gets caught the moment they do something outside their fingerprint -- and Guard responds in proportion to its certainty.
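As an added illustration (not Panguard's own code), here is how a fingerprint-drift check feeding the three confidence tiers above might look. The event shape, the scoring weights and the action names are assumptions, and the skill fingerprint and observed events are constructed samples.

```javascript
// Declared-capability fingerprint recorded at audit time (constructed sample).
const WEATHER_SKILL_FINGERPRINT = {
  skill: "weather-lookup",
  capabilities: { network: ["api.weather.example"], fs_read: ["./cache"], fs_write: [], exec: false },
};

// Observed runtime events (constructed). Each entry is one tool invocation.
const OBSERVED_EVENTS = [
  { type: "network", target: "api.weather.example" },
  { type: "fs_read", target: "./cache/today.json" },
  { type: "network", target: "203.0.113.7" },              // undeclared endpoint
  { type: "fs_write", target: "~/.ssh/authorized_keys" }, // undeclared write
];

// Returns the events that fall outside the declared fingerprint.
function detectDrift(fingerprint, events) {
  const caps = fingerprint.capabilities;
  return events.filter((ev) => {
    if (ev.type === "exec") return !caps.exec;
    const allowed = caps[ev.type] || [];
    return !allowed.some((prefix) => ev.target.startsWith(prefix));
  });
}

// Assumed scoring: each drifted event adds 30; a write under a credential
// directory adds 50. A real engine would use per-rule weights; this is illustrative.
function driftConfidence(drifted) {
  let score = 0;
  for (const ev of drifted) {
    score += ev.type === "fs_write" && ev.target.includes(".ssh") ? 50 : 30;
  }
  return Math.min(score, 100);
}

// Maps a confidence score to the three response tiers quoted on the page.
function respond(confidence) {
  if (confidence >= 85) return { tier: "auto", actions: ["revoke_skill", "block_tool", "quarantine_session"] };
  if (confidence >= 50) return { tier: "alert", actions: ["suggest:revoke_skill"], waitForHuman: true };
  return { tier: "log", actions: [] };
}

// Full pipeline: drift -> confidence -> proportional response.
function evaluate(fingerprint, events) {
  const drifted = detectDrift(fingerprint, events);
  const confidence = driftConfidence(drifted);
  return { drifted, confidence, response: respond(confidence) };
}
```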
ATR (Agent Threat Rules) is the first open detection standard for AI agent threats. 650+ rules across 10 threat categories, built specifically for AI agent attacks: prompt injection, tool poisoning, context exfiltration, credential theft, cross-agent privilege escalation, skill supply-chain attacks, and more. ATR rules are machine-readable, community-driven, and purpose-built for the threats that traditional security tools cannot see -- threats that live in prompt flows, tool calls, and agent conversations. Threat Cloud aggregates rules from the community. Guard runs them with sub-millisecond evaluation. Every new rule strengthens protection for all users.
Panguard focuses on AI agent security threats across 10 categories:
Prompt injection -- direct and indirect injection, jailbreaks, system prompt override.
Tool poisoning -- malicious tool descriptions, hidden instructions in tool outputs.
Credential exfiltration -- API key theft, SSH key access, secret extraction.
Context manipulation -- memory poisoning, conversation hijacking.
Skill supply-chain -- malicious skill packages, dependency confusion.
Cross-agent attacks -- privilege escalation between agents.
Unauthorized actions -- file access, network calls beyond declared scope.
650+ ATR detection rules. All open source, community-driven, growing daily through Threat Cloud.
Detection & Rules
The Panguard flywheel turns every user's discovery into everyone's defense:
Step 1: You audit a skill with Skill Auditor. It checks against existing ATR rules and the whitelist.
Step 2: If a new threat is found -- either by rules, fingerprint drift, or AST static analysis -- the anonymized threat pattern is reported to Threat Cloud.
Step 3: Community members vote on the report. A Threat Cloud LLM reviewer drafts and validates a candidate rule, which a human reviews before it's merged. If confirmed, the new ATR rule enters the experimental pipeline (7 days alert-only).
Step 4: The new rule is distributed to all Guard instances. Next time anyone audits a skill with that same attack pattern, it's caught instantly by rules -- no AI needed.
Step 5: When those rules trigger in Guard, the confidence-based response system automatically blocks, quarantines, or escalates -- completing the defense loop.
A threat discovered on one machine is detected and auto-responded to on every machine running Guard. Every cycle makes the next audit stronger. More users = more discoveries = more rules = better protection for everyone. The flywheel doesn't stop at detection -- it closes the loop with automated response.
Guard syncs with Threat Cloud every hour, automatically pulling new ATR rules. No manual action needed. Locally distilled rules -- generated when AST static analysis flags a novel threat on your machine -- take effect immediately. Community-contributed rules go through a staged pipeline: peer review by other Panguard users, then experimental stage (alert-only for 7 days, no blocking), then stable (can auto-block). A rule needs confirmation from at least 3 independent Panguard nodes before promotion. You can check your current rule counts anytime with `panguard rules status`.
Panguard uses confidence-tiered actions to minimize impact:
Low confidence: log only. You can review later.
Medium confidence: alert + evidence snapshot. No blocking.
High confidence: auto-block + alert + detailed report.
Community feedback loop handles systemic issues: if a rule's false positive rate exceeds 20%, it's automatically deprecated across all users. Rules in the experimental stage that show high false positive rates never get promoted to stable. Locally, you can adjust confidence thresholds or disable specific rules in your config. Your overrides are preserved across rule updates.
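The staged rule pipeline from the two answers above (7-day alert-only experimental window, 3 independent confirming nodes, deprecation above a 20% false-positive rate), modelled as an added example that is not Panguard's own code. The rule record shape and the way hits and false positives are counted are assumptions; the rule IDs are placeholders.

```javascript
const EXPERIMENTAL_DAYS = 7;   // alert-only window quoted on the page
const MIN_NODES = 3;           // independent confirmations required for promotion
const MAX_FP_RATE = 0.2;       // above this the rule is deprecated for everyone
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed rule record, as a Threat Cloud node might track it (assumed shape).
function newRule(id, enteredAt) {
  return { id, stage: "experimental", enteredAt, confirmingNodes: new Set(), hits: 0, falsePositives: 0 };
}

function falsePositiveRate(rule) {
  return rule.hits === 0 ? 0 : rule.falsePositives / rule.hits;
}

// One match reported by a node. A confirmed true positive counts the node as
// an independent confirmation; a Set keeps repeated reports from one node from counting twice.
function recordHit(rule, nodeId, isFalsePositive) {
  rule.hits += 1;
  if (isFalsePositive) rule.falsePositives += 1;
  else rule.confirmingNodes.add(nodeId);
}

// Decide the stage at time `now` (ms since epoch). Deprecation applies at any stage;
// promotion requires the full experimental window plus enough independent nodes.
function evaluateStage(rule, now) {
  if (rule.stage === "deprecated") return rule.stage;
  if (rule.hits > 0 && falsePositiveRate(rule) > MAX_FP_RATE) {
    rule.stage = "deprecated";
  } else if (rule.stage === "experimental" &&
             now - rule.enteredAt >= EXPERIMENTAL_DAYS * DAY_MS &&
             rule.confirmingNodes.size >= MIN_NODES) {
    rule.stage = "stable";
  }
  return rule.stage;
}

// What Guard may do on a match depends on the stage: experimental rules never block.
function allowedAction(rule) {
  if (rule.stage === "stable") return "block";
  if (rule.stage === "experimental") return "alert";
  return "none";
}
```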
Yes. ATR rules are YAML-based and human-readable. Use `atr scaffold` to generate a template with the correct structure -- metadata, detection logic, MITRE mapping, and response actions. Write your rule, test it locally with `panguard rules test`, then submit it to Threat Cloud for community review. Accepted rules are distributed to all Panguard users and protect every system running Guard. This is the highest-impact way to contribute. Every new ATR rule strengthens the flywheel for the entire community.
Privacy & Data
Only anonymized threat patterns: category, MITRE technique ID, severity, and a hashed fingerprint. Never files, code, conversations, or personal data. No IP addresses, no usernames, no file contents. You can inspect exactly what gets uploaded with the --show-upload-data flag. You can also disable cloud sync entirely -- Panguard works fully offline with local rules only. Threat Cloud participation is opt-in. Even with it enabled, the data is stripped of all identifying information before it leaves your machine.
No. Detection is fully deterministic and runs entirely on-device -- ATR regex rules, behavioral baselines, and on-device correlation. There is no LLM in the detection path, so no event payloads are sent anywhere to be classified. The only thing that ever leaves your machine is optional: when Guard discovers a novel threat, an anonymized pattern can be contributed to Threat Cloud to generate a new community rule (IP addresses, hostnames, and file paths are stripped first). You can disable this entirely by leaving TC_ENDPOINT unset to run fully air-gapped. New community rules are pulled down for your local engine -- detection itself always happens on your device.
100% open source, MIT license. Every line of code, every ATR rule, every detection algorithm is publicly auditable on GitHub. There is no hidden enterprise edition. No closed-source components. No telemetry you cannot inspect. What you see in the repo is exactly what runs on your machine. We believe security tools must be transparent. If you cannot verify what your security software does, it is not really protecting you.
Installation & Setup
One command:
`npm install -g @panguard-ai/panguard && panguard setup`
Setup auto-detects Claude Code, Cursor, and 5 other AI platforms. It injects MCP config so your AI agent can call Panguard tools via natural language -- "audit this skill", "scan my system", "what threats were blocked today". No accounts, no API keys required. Detection is deterministic and works out of the box -- nothing to configure.
Four main use cases:
(a) Audit any MCP skill before installing -- say "audit this skill" to your AI agent, or run `panguard audit skill` directly. Skill Auditor checks it against ATR rules and the community whitelist.
(b) Scan your system -- `panguard scan` runs ATR rules across your AI agent environment.
(c) Start continuous guard -- `panguard guard start` launches the daemon. Continuous monitoring with sub-millisecond rule evaluation.
(d) Your AI agent becomes security-aware -- after setup, your AI agent can scan, audit, and check threats through natural conversation. It calls Panguard tools as MCP skills.
Compliance Report and Honeypot Trap are included.
Negligible impact. ATR rule evaluation is sub-millisecond per event -- pure pattern matching, no AI involved. When no rule matches, the engine runs behavioral and correlation checks on-device; this path is taken for typically less than 1% of all events. Memory footprint stays under 100MB. Guard runs as a daemon with watchdog restart. It is designed for always-on operation without noticeable performance cost.
Still have questions?
Check out our documentation, open a GitHub issue, or reach out directly.