Panguard Guard
Real-Time Threat Response. One command to install.
Detects via ATR (Agent Threat Rules). Responds automatically based on confidence scoring. Blocks threats before they can act.
108 Detection Rules
3 Detection Layers
11 Response Actions
The Problem
A scan tells you what is wrong. It does not fix it.
Scanning once is better than nothing. But threats do not wait for your next scan. Attackers probe your systems 24/7. New vulnerabilities are published daily. Configuration drift happens with every deployment. You need continuous protection, not periodic checkups.
Panguard Guard is the permanent security agent that lives on your server, watches everything in real-time, and takes action before you even know there is a problem. It installs in one command, runs in the background, and tells you about threats in plain language.
Features
What Panguard Guard does.
Enterprise-grade AI agent security, designed for teams that do not have a dedicated security team.
5-Agent AI Pipeline
Events flow through 5 specialized AI agents: Detect (ATR rules + local LLM), Analyze (threat classification), Respond (auto-remediation), Report (compliance documentation), and Chat (Telegram, Slack, email notifications). 90% of events handled at zero cost by rules alone.
Confidence-Based Auto-Response
Every detection gets a confidence score. At 85% or above, Guard auto-responds: blocks the threat, kills the process, quarantines the session. Between 50-84%, Guard alerts with full evidence and suggests an action, waiting for human confirmation. Below 50%, the event is logged for investigation. No guesswork -- every response is proportional to certainty.
4 Notification Channels
Get alerts where you already are: Telegram, Slack, Email, and Webhook. Each channel supports rich formatting with threat details, severity badges, and one-click remediation links.
Investigation Engine
Built-in investigation engine with dynamic reasoning, event correlation across a sliding window (500 events, 10-minute window), and multi-tool analysis. Correlates events by IP, user, process, and category. Risk scoring with confidence-based escalation.
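The sliding correlation window described above (500 events, 10 minutes, keyed by IP, user, process, and category) can be sketched as follows. This is an added example, not Panguard's code; the event field names, the in-order arrival of events, and the sample values are assumptions.

```python
from collections import Counter, deque

MAX_EVENTS = 500           # window size stated on the page
WINDOW_SECONDS = 10 * 60   # 10-minute window stated on the page
KEYS = ("ip", "user", "process", "category")  # correlation keys named on the page


class CorrelationWindow:
    """Sliding window bounded by both event count and age.

    Assumes events are dicts with a numeric 'ts' (seconds) and arrive in
    timestamp order; the field names are hypothetical.
    """

    def __init__(self):
        self._events = deque(maxlen=MAX_EVENTS)  # oldest dropped past 500

    def __len__(self):
        return len(self._events)

    def add(self, event):
        """Store event; return how many prior in-window events share each key."""
        cutoff = event["ts"] - WINDOW_SECONDS
        while self._events and self._events[0]["ts"] < cutoff:
            self._events.popleft()  # evict events older than 10 minutes
        related = Counter()
        for prior in self._events:
            for key in KEYS:
                value = event.get(key)
                if value is not None and prior.get(key) == value:
                    related[key] += 1
        self._events.append(event)
        return dict(related)

    def categories_for(self, key, value):
        """Distinct threat categories seen in the window for one IP, user or process."""
        return {e["category"] for e in self._events
                if e.get(key) == value and "category" in e}
```

One source IP appearing under several distinct categories inside the window is the kind of signal a risk score would escalate on; how Guard weights it is not stated on the page.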
Graceful Degradation
Cloud AI down? Local fingerprint & heuristic analysis takes over. Heuristics offline? The ATR rule engine with 110 detection rules handles it. Guard never stops protecting, regardless of network conditions.
Integration Adapters
Pre-built adapters for Windows Defender, Syslog, and Wazuh. 7-day learning period builds a behavioral baseline for your system. Supports Linux, macOS, Windows, Docker, and Kubernetes.
11 Response Actions
Guard executes 11 distinct response actions: log_only (audit trail), notify (alert with evidence), block_ip (firewall rules), kill_process (process tree cleanup), disable_account (suspend user account), isolate_file (SHA-256 quarantine), block_tool (prevent MCP tool invocation), kill_agent (terminate rogue AI agent), quarantine_session (isolate compromised session), revoke_skill (remove from whitelist), and reduce_permissions (downgrade access). Every action is logged and reversible.
Rate Limiting and Safety Rails
Guard enforces rate limits on response actions to prevent cascade failures: kill_agent capped at 3/min, block_tool at 10/min. Safety rails prevent runaway automation. Every response action includes an auto-unblock timer and rollback capability, so aggressive protection never permanently locks out legitimate operations.
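The confidence tiers and per-action rate caps described above combine into one decision step, sketched here as an added example that is not Panguard's code. The class and method names are hypothetical, and falling back to a human-confirmed alert when a cap is hit is an assumption; the page states the caps but not what happens once they are reached.

```python
import time
from collections import defaultdict, deque

AUTO_RESPOND_AT = 0.85   # "85% or above": auto-respond (from the page)
ALERT_AT = 0.50          # "50-84%": alert and wait for confirmation (from the page)
RATE_CAPS_PER_MIN = {"kill_agent": 3, "block_tool": 10}  # caps stated on the page


class ResponsePolicy:
    """Maps a detection's confidence to a tier and rate-limits auto-actions."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                  # injectable so tests can control time
        self._recent = defaultdict(deque)    # action -> timestamps of executions

    def _within_cap(self, action):
        cap = RATE_CAPS_PER_MIN.get(action)
        if cap is None:
            return True                      # the page states no cap for this action
        now = self._clock()
        stamps = self._recent[action]
        while stamps and now - stamps[0] >= 60:
            stamps.popleft()                 # forget executions older than a minute
        if len(stamps) >= cap:
            return False
        stamps.append(now)
        return True

    def decide(self, confidence, action):
        """Return (tier, action) where tier is log_only, notify or execute."""
        if not 0.0 <= confidence <= 1.0:
            raise ValueError("confidence must be in [0, 1]")
        if confidence < ALERT_AT:
            return ("log_only", None)        # logged for investigation only
        if confidence < AUTO_RESPOND_AT:
            return ("notify", action)        # suggested action, needs confirmation
        if self._within_cap(action):
            return ("execute", action)
        # Assumption: once the cap is reached, degrade to a human-confirmed alert
        # instead of dropping the detection or executing anyway.
        return ("notify", action)
```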
ATR Detection Pipeline
ATR rules cover all AI agent threats in a single pipeline: prompt injection, tool poisoning, skill supply-chain attacks, credential exfiltration, and context manipulation. 110 detection rules. Sub-millisecond evaluation per event. One pipeline, comprehensive AI agent protection.
Investigation Engine
Dynamic reasoning with 8 investigation tools: IP history, user privilege, time anomaly, geolocation, related events, process tree, file reputation, and network pattern. AI-generated investigation plans with evidence collection.
Installation
One command. Done.
# Install Panguard Guard
curl -fsSL https://get.panguard.ai | bash
# That's it. Guard is now running.
[OK] Panguard Guard v1.4.16 installed
[OK] Rule engine loaded (108 ATR rules)
[OK] Local LLM ready (Ollama)
[OK] Monitoring started. Learning period: 7 days.
Smart Learning Period
After installation, Guard spends 7 days learning your system's normal behavior -- which processes run, what traffic is normal, when files change. During the learning period, all detections are logged but nothing is blocked. After 7 days, Guard automatically switches to protection mode and begins actively responding to threats.
Days 1-7: Learning mode (detect + log)
Day 7: Auto-switch
Day 8+: Protection mode (detect + block)
AUTOMATED SECURITY FLYWHEEL
Detect. Propose. Protect Everyone.
Guard doesn't just block threats locally -- it feeds them back into the community defense network. When Guard detects a malicious skill, it automatically generates an ATR rule proposal, uploads it to Threat Cloud, and after LLM review, the new rule protects every Panguard user. The entire loop runs without human intervention.
Skill Watcher detects new skill installation
Guard monitors MCP config changes every 10 seconds. When a new skill is added (Claude Code, Cursor, OpenClaw, etc.), it triggers an immediate audit.
Auto-audit with ATR + Skill Auditor
The skill is scanned against 110 ATR detection rules. Prompt injection, tool poisoning, hidden payloads, and excessive permissions are checked in under 1 second.
Anonymized threat submitted to Threat Cloud
If the risk score exceeds the threshold, an anonymized report (skill hash, risk score, finding summaries) is submitted to Threat Cloud. No raw data or PII leaves your machine.
LLM reviews and generates ATR rule
Threat Cloud's LLM reviewer (Claude Sonnet) analyzes the threat pattern, generates a new ATR detection rule in YAML, and validates it for false positive risk, coverage, and specificity.
New rule distributed to all users
Approved rules are promoted every 2 minutes. Guard syncs new rules every hour. The same attack that hit you will be blocked instantly for every other Panguard user.
Pipeline results: 53,577 skills scanned, 2,322 malicious found, 108 ATR rules auto-generated and distributed to the community.
Use Cases
Who uses Panguard Guard.
Production Server
You are running a SaaS product on a $20/month VPS. You cannot afford a SOC team, but you also cannot afford a breach. Panguard Guard gives you enterprise-grade monitoring for a fraction of the cost of a single security analyst.
Development Team
Your team of 10 developers pushes code daily. Panguard Guard monitors your staging and production environments, catches misconfigurations before they become vulnerabilities, and reports everything in Slack.
Multi-Server Fleet
You manage 50 servers across multiple cloud providers. Install Panguard Guard once per server and get a unified security view. Collective intelligence means a threat seen on one server protects all of them.
Your server deserves a security guard.
Install Panguard Guard now and deploy AI-powered protection on your infrastructure.