Panguard's three-stage security pipeline — Detect, Analyze, and Respond — processes threats through a three-tier AI funnel where 90% of threats are caught by local rules, 7% by local AI, and only 3% require cloud analysis.
HOW IT WORKS
How Panguard Protects You
Five layers of defense. Three levels of AI analysis. One command to deploy.
AT A GLANCE
Security that thinks in layers
Each layer catches what the previous one misses. Together, they form a defense system that adapts to your environment.
<50ms
Average detection time
90%
Threats caught by rules alone
7 days
To learn your normal
FIVE DETECTION STAGES
Five stages that catch what others miss
From static analysis to contextual memory, each stage adds intelligence.
Environment Discovery
Automatically maps your infrastructure: OS, services, open ports, installed packages, running processes.
This is how Panguard learns what "normal" looks like for your specific environment.
Rules Engine
110 ATR detection rules for AI agent security.
Catches 90% of known threats in under 50ms. No AI needed.
Behavioral Baseline
7-day learning period. Panguard observes your system without acting, builds a model of normal behavior.
Switches to protection mode on day 8. No false positives from day one.
AI Analysis
When rules can't explain a behavior, AI steps in. Local fingerprint & heuristic analysis first (zero-config, fully offline). Cloud LLM only when needed.
Three-tier funnel: 90% rules / 7% local heuristic / 3% cloud AI. Cloud analysis runs server-side on Threat Cloud -- free for all users.
Automated Response
11 response actions: log_only, notify, block_ip, kill_process, disable_account, isolate_file, block_tool, kill_agent, quarantine_session, revoke_skill, reduce_permissions. ATR-specific actions for AI agent threats.
Confidence >= 85%: automatic. 50-84%: alerts with evidence, suggests action. < 50%: logs for investigation. Rate limited: kill_agent 3/min, block_tool 10/min.
AI FUNNEL
Three tiers. Minimum cost. Maximum accuracy.
90% of threats don't need AI. We use rules first, AI second, cloud last.
Rules Engine
90%
- 110 ATR detection rules
- 714 detection patterns
- 10 threat categories
- Behavioral baseline deviations
- Community-driven rule updates
<50ms per event
Local AI
7%
- Fingerprint & heuristic analysis
- Zero-config -- works out of the box
- Fully offline -- data never leaves
- Handles ambiguous events rules can't classify
~2s per analysis
Cloud AI
3%
- Claude Sonnet 4 on Threat Cloud
- Only invoked when local analysis is uncertain
- Server-side -- free for all users
- Multi-step reasoning chains (up to 8 steps)
~5s per analysis
AGENT PIPELINE
Four AI Agents. One Investigation Engine.
Each agent has a specialized role. Together, they form an autonomous security team.
DetectAgent
Monitors 5 sources: network, processes, filesystem, system logs, normalized events.
AnalyzeAgent
Correlates alerts, determines severity, maps to MITRE ATT&CK framework.
RespondAgent
Executes response based on confidence threshold. Auto, ask, or notify.
ReportAgent
Generates human-readable incident report, sends via Telegram/Slack/Email.
InvestigationEngine
Deep-dives complex incidents with up to 8-step reasoning chains.
AUTOMATED RESPONSE
Eleven actions. Three confidence levels.
Panguard doesn't just detect. It acts -- with ATR-specific response actions for AI agent threats.
Block IP
Cross-platform firewall rule with auto-unblock timer
Kill Process
SIGTERM then SIGKILL with process tree cleanup
Isolate File
SHA-256 hash quarantine with restore capability
Block Tool
Prevent MCP tool invocation (rate limit: 10/min)
Kill Agent
Terminate rogue AI agent session (rate limit: 3/min)
Quarantine Session
Isolate compromised AI agent session from other resources
Revoke Skill
Remove skill from whitelist and block future invocations
Reduce Permissions
Downgrade agent access level to minimum privileges
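The confidence thresholds and per-minute rate limits stated on this page, as an added Python sketch that is not Panguard's own code. The `ResponsePolicy` class, the mode names and the fallback to `notify` once a limit is reached are assumptions; the page gives only the thresholds and the limits.

```python
import time
from collections import defaultdict, deque

# Figures taken from the page: >= 85 automatic, 50-84 alert and suggest, < 50 log.
AUTO_THRESHOLD = 85
ALERT_THRESHOLD = 50
RATE_LIMITS = {"kill_agent": 3, "block_tool": 10}  # executions per minute
WINDOW_SECONDS = 60.0


class ResponsePolicy:
    """Confidence-tiered response gate with sliding-window rate limits."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                # injectable so the window is testable
        self._recent = defaultdict(deque)  # action -> timestamps of executions

    def _within_limit(self, action):
        limit = RATE_LIMITS.get(action)
        if limit is None:
            return True                    # the page states no limit for this action
        now = self._clock()
        stamps = self._recent[action]
        while stamps and now - stamps[0] >= WINDOW_SECONDS:
            stamps.popleft()               # drop executions older than the window
        if len(stamps) >= limit:
            return False
        stamps.append(now)
        return True

    def decide(self, action, confidence):
        """Return (mode, action) for a verdict with confidence in 0..100."""
        if not 0 <= confidence <= 100:
            raise ValueError("confidence must be between 0 and 100")
        if confidence < ALERT_THRESHOLD:
            return ("log", "log_only")     # kept for investigation only
        if confidence < AUTO_THRESHOLD:
            return ("suggest", action)     # alert with evidence, a human decides
        if self._within_limit(action):
            return ("execute", action)
        # Assumption: behaviour past the limit is not described on the page;
        # this sketch notifies instead of silently dropping the verdict.
        return ("rate_limited", "notify")


if __name__ == "__main__":
    policy = ResponsePolicy()
    # Constructed verdicts: (requested action, confidence in percent).
    for verdict in [("block_ip", 92), ("kill_agent", 64), ("isolate_file", 31)]:
        print(verdict, "->", policy.decide(*verdict))
```

Only automatic executions count against the window, so suggested or logged verdicts never use up the `kill_agent` or `block_tool` budget.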
7-DAY LEARNING
It watches before it acts.
No false positives from day one. Panguard learns your environment before making decisions.
Day 1-3
Observation
Process baseline, network patterns, file change patterns, user behavior.
Day 4-7
Statistical Modeling
Builds mean + standard deviation model. Identifies what's truly anomalous.
Day 8+
Protection Mode
Auto-transition to active protection. Continuous learning -- baseline evolves with your environment.
GRACEFUL DEGRADATION
Your protection never drops to zero.
Cloud down? Local AI takes over. Local AI down? Rules engine always runs.
Optimal
All layers active. Cloud AI + Local AI + Rules Engine.
Cloud Unavailable
Local AI handles complex analysis. Rules engine catches known threats.
LLM Offline
Rules engine + behavioral baseline. Still catches 90% of threats.
Emergency
Rules engine only. Core protection always running.
Ready to see it in action?
One command. Completely free. No account needed.
$ curl -fsSL https://get.panguard.ai | bash