Panguard's detection engine uses ATR (Agent Threat Rules) -- the first open standard for AI agent threat detection -- across multiple detection stages with graceful degradation from cloud to fully offline operation.
Architecture
Security that thinks, not just scans.
A three-layer AI defense funnel, four autonomous agents, and a context memory that learns your environment. Built so the 90 % of events that are noise cost nothing, and the 3 % that matter get the deepest reasoning available.
Defense Funnel
Three layers. 90 % free.
Events flow downward through increasingly powerful -- and increasingly expensive -- analysis layers. The funnel ensures cost efficiency while guaranteeing that no genuine threat is missed.
Rule Engine
ATR Rules
Open-source ATR (Agent Threat Rules) form the bedrock. They process the vast majority of AI agent security events instantly, on-device, with zero cost per event. New community rules are pulled daily from Threat Cloud and automatically compiled into the local engine.
Fingerprint & Heuristic
Local behavioral analysis
Events that rules cannot confidently classify are escalated to local fingerprint matching and heuristic analysis. Zero-config, fully offline, keeps sensitive data on the device, and adds contextual reasoning without cloud dependency.
Cloud LLM-as-Judge
Claude Sonnet 4 on Threat Cloud
Only the most ambiguous or novel threats reach the Cloud LLM for deep reasoning. The payload is scrubbed of PII before transmission. Analysis runs server-side on Threat Cloud -- free for all users. Returns a structured verdict with confidence score and plain-language explanation.
Multi-Layer Defense Stack
Five layers of real-time defense.
Each layer instruments a different attack surface with battle-tested open-source engines. From kernel syscalls to log correlation, every layer feeds normalized events into the AI pipeline.
Skill Interception
ATR Rules
Intercepts every AI agent tool call, prompt flow, and skill installation. ATR rules detect prompt injection, tool poisoning, credential exfiltration, and context manipulation in real-time.
Detects
Prompt injection, tool poisoning, credential exfiltration, context manipulation
Implementation
ATR rule engine, sub-millisecond evaluation, 110 detection rules, 720 patterns
Skill Auditor
AST Analysis
Static analysis of AI skill source code before installation. Checks for hidden capabilities, excessive permissions, obfuscated payloads, and supply-chain attacks.
Detects
Hidden capabilities, excessive permissions, obfuscated payloads, supply-chain attacks
Implementation
8-layer audit checks, AST parsing, dependency analysis, permission mapping
Behavioral Monitoring
Runtime Guard
Monitors AI agent behavior at runtime. Detects anomalous tool usage patterns, unexpected file access, and unauthorized network connections by AI agents.
Detects
Anomalous tool usage, unauthorized file access, unexpected network calls, privilege escalation
Implementation
Behavioral baseline learning, 7-day calibration period, confidence-based alerting
Event Correlation
ATR Correlation
ATR detection rules correlate events across AI agent sessions, tool calls, and prompt flows. The rule engine supports temporal correlation, aggregation, and multi-source joins.
Detects
Brute force attacks, lateral movement chains, persistence mechanisms, policy violations
Implementation
110 ATR rules, hot-reload, MITRE ATT&CK TTP mapping, custom rule authoring
AI Correlation
LLM Reasoning
Events that pass through layers 1-4 are cross-correlated by AI. The model weighs behavioral baselines, threat intelligence feeds, and temporal patterns to produce a confidence-scored verdict with full attack narrative.
Detects
Zero-day attacks, APT campaigns, novel attack chains, false positive reduction
Implementation
Local Ollama + Cloud LLM fallback, RAG over baseline memory, threat intel enrichment, 0-100 scoring
Event Pipeline
From raw signal to actionable alert.
Every security event traverses a five-stage pipeline. Data is normalized, enriched, correlated, scored, and dispatched -- typically in under 200ms.
Ingest
Raw events from ATR rule engine, skill auditor, behavioral monitors, and process watchers are captured in real-time.
Normalize
Events are mapped to a unified schema with source, severity, category, and MITRE ATT&CK tags.
Correlate
ATR rules and AI cross-reference events against baseline behavior and threat intelligence feeds.
Score
Each correlated event receives a 0-100 confidence score determining automated response thresholds.
Alert
Verdicts trigger playbook execution and dispatch to Slack, Telegram, Email, and the dashboard.
Agent Architecture
Four agents. One mission.
Each agent is a specialist. Together they form an autonomous security operations pipeline that detects, analyzes, responds, and reports -- keeping you informed in real time.
Detect Agent
First Responder
Continuously monitors AI agent tool calls, prompt flows, and skill behavior. Applies ATR rules in real-time, flagging anomalies the moment they appear. It produces raw event signals enriched with MITRE ATT&CK TTP tags.
Analyze Agent
AI Investigator
Receives flagged events from the Detect Agent and performs multi-step reasoning. It correlates events across time, queries the Context Memory for baseline deviations, and assigns a confidence score from 0 to 100.
Respond Agent
Automated Defender
Executes response playbooks based on confidence thresholds. High-confidence threats trigger automatic isolation, firewall rule injection, or process termination. Medium-confidence events queue human-review tasks with full context.
Report Agent
Compliance Writer
Transforms raw incident data into structured reports mapped to ISO 27001, SOC 2, and other frameworks. Generates executive summaries, timeline visualizations, and audit-ready evidence packages automatically.
Context Memory
Seven days to learn you. Then it never forgets.
During the first seven days after installation, Panguard silently observes your system: normal network patterns, typical process trees, expected cron schedules, and standard user behavior. This builds a per-device baseline stored in an encrypted local database.
After the learning window, any deviation from baseline is scored and flagged. The model continually refines itself -- a new legitimate service gets adopted into the baseline within hours, while a novel attack pattern triggers escalation immediately.
Observation
Collecting process trees, network connections, file-system baselines
Pattern extraction
Building statistical models of normal behavior per service
Threshold tuning
Calibrating alert thresholds to minimize false positives
Active protection
Full detection + auto-response with continuous refinement
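One way a learn-then-score baseline like the one described above can work, using Welford's online algorithm (which the page lists in its stack). This is an added example, not Panguard's code; the `Baseline` class, `observe`, the 7-sample learning window and the z-score threshold of 3 are assumptions made for illustration.

```typescript
// Added example, not Panguard source. LEARNING_SAMPLES and Z_ALERT are assumed values.
class Baseline {
  private n = 0;
  private mean = 0;
  private m2 = 0; // running sum of squared deviations from the mean

  // Welford update: O(1) memory, numerically stable, no stored history.
  update(x: number): void {
    this.n += 1;
    const delta = x - this.mean;
    this.mean += delta / this.n;
    this.m2 += delta * (x - this.mean);
  }
  count(): number { return this.n; }
  stddev(): number { return this.n > 1 ? Math.sqrt(this.m2 / (this.n - 1)) : 0; }
  // Floor on stddev avoids dividing by zero for a metric that never varied.
  zscore(x: number, minStd = 1e-6): number {
    return (x - this.mean) / Math.max(this.stddev(), minStd);
  }
}

const LEARNING_SAMPLES = 7; // assumed: one sample per day of the learning window
const Z_ALERT = 3;          // assumed alert threshold, in standard deviations
type Observation = { phase: "learning" | "active"; z: number; anomalous: boolean };

function observe(b: Baseline, x: number): Observation {
  if (b.count() < LEARNING_SAMPLES) {
    b.update(x); // learning window: absorb everything, never alert
    return { phase: "learning", z: 0, anomalous: false };
  }
  const z = b.zscore(x);
  const anomalous = Math.abs(z) >= Z_ALERT;
  // Design choice in this sketch: only in-range samples refine the baseline,
  // so a single outlier cannot widen what counts as normal.
  if (!anomalous) b.update(x);
  return { phase: "active", z, anomalous };
}

// Constructed sample: outbound connections per hour for one service.
const SAMPLES = [10, 12, 11, 9, 10, 13, 12, 11, 95];
function runSamples(): Observation[] {
  const b = new Baseline();
  return SAMPLES.map((x) => observe(b, x));
}
console.log(runSamples());
```

Anything present while the baseline is learning is treated as normal afterwards, so a baseline of this kind is only as trustworthy as the host was during the learning window.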
Confidence Scoring
Every event gets a score.
A 0-100 confidence score determines what happens next. High scores trigger automatic response. Medium scores notify humans. Low scores feed the learning system.
High-confidence threats are neutralized automatically. The Respond Agent executes the matching playbook within seconds, then logs every action for audit.
Medium-confidence events trigger a notification to the designated human reviewer via Chat Agent. Full context and AI reasoning are attached so the reviewer can approve or dismiss in one click.
Low-confidence signals are logged with full metadata and fed into the Context Memory system. Over time, the baseline model refines itself and these signals either graduate to higher bands or are suppressed as noise.
Anonymous sharing
Threat indicators are stripped of all identifying data before contribution.
Distributed cache
New threat signatures propagate to the entire fleet within minutes.
Automatic rule push
Community-validated signatures are compiled into ATR rules and pushed to every agent.
Privacy-first
No IP addresses, hostnames, or user data leave the device. Only hashes and behavioral patterns.
Collective Intelligence
One device detects it. Every device blocks it.
When a Panguard agent identifies a previously unknown threat, an anonymous indicator of compromise (IOC) is contributed to the collective intelligence network. Within minutes, every other Panguard agent receives the new signature.
This creates a feedback loop: the more devices in the network, the faster new threats are caught, and the stronger every individual agent becomes. A small business with one server benefits from threat data generated across the entire Panguard fleet.
Resilience
Security never stops.
Network down? API tokens depleted? Cloud provider outage? Panguard degrades gracefully through its three layers. Protection is always on.
Optimal
Cloud AI + Local LLM + Rule Engine -- full three-layer analysis on every event.
Cloud Unavailable
Local LLM + Rule Engine. Complex events queue for cloud retry. No gaps in protection.
LLM Offline
Rule Engine only. ATR rules still catch 90 % of known threats. Events are logged for later AI analysis.
Emergency Mode
Core watchdog process monitors critical signals. If Panguard itself is targeted, the watchdog alerts the owner and preserves forensic logs.
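The escalation and degradation behavior described in the Defense Funnel and Resilience sections, sketched as an added example that is not Panguard's code. The layer names, the `ESCALATE_BELOW` threshold and the stand-in judges are assumptions; the point is that an unavailable layer is skipped rather than fatal, and an event left unresolved because of it is queued for retry.

```typescript
// Added example, not Panguard source. Layer names, ESCALATE_BELOW and the demo
// judges are assumptions; confidence uses the page's 0-100 scale.
type Verdict = { malicious: boolean; confidence: number };
type SecEvent = { id: string; text: string };
type Layer = { name: string; up: () => boolean; judge: (e: SecEvent) => Verdict };
type Outcome = { verdict: Verdict; decidedBy: string; queuedForRetry: boolean };

const ESCALATE_BELOW = 80; // assumed: below this, defer to the next layer

function runFunnel(e: SecEvent, layers: Layer[], retryQueue: SecEvent[]): Outcome {
  let best: Verdict = { malicious: false, confidence: 0 };
  let decidedBy = "none";
  let skipped = false;
  for (const layer of layers) {
    if (!layer.up()) { skipped = true; continue; } // degrade instead of failing
    const v = layer.judge(e);
    if (v.confidence > best.confidence) { best = v; decidedBy = layer.name; }
    if (v.confidence >= ESCALATE_BELOW) break; // confident: skip costlier layers
  }
  // An unresolved event that missed a layer is queued for retry, not dropped.
  const queuedForRetry = skipped && best.confidence < ESCALATE_BELOW;
  if (queuedForRetry) retryQueue.push(e);
  return { verdict: best, decidedBy, queuedForRetry };
}

// Constructed stand-ins for the three layers; cloudUp simulates an outage.
function demoLayers(cloudUp: boolean): Layer[] {
  return [
    { name: "rules", up: () => true,
      judge: (e) => /ignore previous instructions/i.test(e.text)
        ? { malicious: true, confidence: 95 } : { malicious: false, confidence: 10 } },
    { name: "heuristic", up: () => true,
      judge: (e) => e.text.includes(".ssh/id_rsa")
        ? { malicious: true, confidence: 60 } : { malicious: false, confidence: 85 } },
    { name: "cloud-llm", up: () => cloudUp,
      judge: () => ({ malicious: true, confidence: 90 }) },
  ];
}

const queue: SecEvent[] = [];
const ambiguous: SecEvent = { id: "e2", text: "tool call: read ~/.ssh/id_rsa" };
console.log(runFunnel(ambiguous, demoLayers(false), queue), queue.length);
```

With the cloud layer down, the ambiguous event keeps the local layer's medium-confidence verdict and lands in the retry queue; with it up, the same event is decided by the cloud layer and nothing is queued.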
Stack
Built on proven foundations.
Every component is chosen for reliability, performance, and developer ergonomics. No proprietary lock-in.
TypeScript
End-to-end type safety
ATR Rules
AI agent threat detection
Threat Cloud
Community defense network
Ollama
Local LLM inference
Claude / GPT
Cloud AI reasoning
Node.js
Agent runtime
SQLite + Redis
Event store & cache
Docker
Single-command deployment
REST / WebSocket
Real-time telemetry
Prometheus
Metrics & alerting
MCP Protocol
Model Context Protocol for AI assistant integration
Semgrep
Static analysis for SAST code scanning
SOAR Engine
Security orchestration with YAML playbooks
Welford's Algorithm
Online statistical anomaly detection