90% of Threats Don't Need AI: Why We Built a Rules-First Security Engine
The industry wants you to believe everything needs machine learning. Truth: 90% of attacks match known patterns. A rules engine catches them in under 50ms.
The AI Hype in Cybersecurity
Every security vendor in 2026 claims to be "AI-powered." Marketing decks are full of neural networks, deep learning, and large language models. The implicit message is clear: without AI, you are defenseless.
We disagree. Not because AI is useless in security -- it is genuinely powerful for certain problems. But because the industry has inverted the priority. They lead with AI and bolt on rules as an afterthought. We do the opposite.
The 90/7/3 Reality
After analyzing security events across our detection infrastructure, we observe a consistent pattern. Roughly 90% of real-world threats match known attack signatures. They are port scans, brute force attempts, known exploit payloads, malware with documented signatures, and configuration weaknesses cataloged in public databases.
These threats do not need AI. They need fast, deterministic pattern matching. A rules engine handles them in under 50 milliseconds. No model inference, no GPU, no cloud API call. Just pattern match, confirm, respond.
Another 7% of threats are behavioral anomalies -- unusual process execution, abnormal network patterns, privilege escalation sequences that are technically valid but contextually suspicious. These benefit from lightweight machine learning models that run locally.
The remaining 3% are genuinely novel -- zero-day techniques, sophisticated multi-stage attacks, social engineering variants that defy pattern matching. This is where large language models add real value. They can reason about context and correlate across disparate signals to flag activity that no signature describes. Their output is a judgment rather than a match, so it warrants the same confirmation step as an analyst's hypothesis before it drives an automated response.
Why Rules First Matters
Leading with rules has three practical advantages.
Speed. A rules engine returns a verdict in under 50ms. An LLM call takes 500ms to 3 seconds. When an attacker is actively exploiting your server, those seconds matter. The rules engine blocks the threat while the AI is still thinking.
Reliability. Rules are deterministic. The same input always produces the same output. There are no hallucinations, no confidence scores to calibrate, no model drift to monitor. When a Sigma rule matches, you know exactly which rule fired and exactly why. Determinism is not the same as correctness, though: a noisy rule fires just as deterministically, so the rule set still needs tuning, versioning, and false-positive review.
Cost. Running 3,155 Sigma rules and 5,895 YARA signatures requires minimal compute. Running an LLM for every security event would cost orders of magnitude more. On a $5 VPS, the rules engine adds less than 2% CPU overhead. An AI-only approach would be economically impossible at this price point.
Our Three-Layer Architecture
Panguard uses a tiered detection architecture that routes events through progressively more sophisticated analysis:
Layer 1: Rules Engine (90% of events)
3,155 Sigma rules + 5,895 YARA signatures
Verdict in <50ms | CPU cost: minimal

Layer 2: Local ML Models (7% of events)
Behavioral anomaly detection
Verdict in <200ms | Runs on-device

Layer 3: LLM Analysis (3% of events)
Context-aware threat reasoning
Verdict in 1-3s | Cloud API

This architecture means 90% of threats are handled instantly and locally. Only the genuinely ambiguous cases escalate to more expensive analysis, and since layers 1 and 2 run on the host, only that escalated slice of event context ever leaves it. The result is a system that is fast, affordable, and accurate.
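The routing described above, together with the "pattern match, confirm, respond" path of the rules layer from the 90/7/3 section, as an added example. This is not Panguard's code. It assumes a Sigma-like rule shape (per-field regex selections plus an optional threshold for stateful rules such as brute force and port scans), uses a constructed frequency baseline in place of a trained model for layer 2, and stops at bundling context where layer 3's cloud LLM call would be made. The rule names, baseline, thresholds and sample events are all made up for the demo.

```python
"""Tiered detection router: rules first, local anomaly scoring second, escalation last.
Added example for this post, not Panguard's code: the rule format, scorer, baseline and
sample events are all constructed here so the file runs offline."""
import re
from collections import Counter, defaultdict

# Layer 1: Sigma-style selections (every field regex must match) plus an optional
# threshold: fire once `count` matching events share `key` (distinct `distinct` values).
RULES = [
    {"name": "web_exploit_pattern", "selection": {"url": r"(?i)(\.\./){2,}|union\s+select"}},
    {"name": "ssh_brute_force", "selection": {"service": r"^sshd$", "msg": r"^Failed password"},
     "threshold": {"key": "src", "count": 5}},
    {"name": "port_scan", "selection": {"type": r"^conn$"},
     "threshold": {"key": "src", "count": 10, "distinct": "dst_port"}},
]

class RulesEngine:
    def __init__(self, rules):
        self.rules = rules
        self.state = defaultdict(lambda: defaultdict(set))  # rule -> key -> seen values

    def evaluate(self, event):
        """Return the name of the first rule that fires, else None."""
        for rule in self.rules:
            if not all(f in event and re.search(p, str(event[f]))
                       for f, p in rule["selection"].items()):
                continue
            thr = rule.get("threshold")
            if thr is None:
                return rule["name"]
            seen = self.state[rule["name"]][event.get(thr["key"])]
            # Distinct-value rules collect the field; plain counters add a fresh
            # token per event, so the set size is the count either way.
            seen.add(event.get(thr["distinct"]) if "distinct" in thr else len(seen))
            if len(seen) >= thr["count"]:
                return rule["name"]
        return None

class LocalAnomalyScorer:
    """Stand-in for the local ML layer: (parent, process) rarity vs a baseline,
    plus a fixed boost when a web server spawns a shell."""
    WEB_SERVERS = {"apache2", "nginx", "php-fpm"}
    SHELLS = {"sh", "bash", "dash"}

    def __init__(self, baseline_pairs):
        self.baseline = Counter(baseline_pairs)

    def score(self, event):
        pair = (event.get("parent"), event.get("process"))
        rarity = 1.0 / (1 + self.baseline[pair])  # 1.0 = never seen in baseline
        boost = 0.4 if pair[0] in self.WEB_SERVERS and pair[1] in self.SHELLS else 0.0
        return min(1.0, 0.6 * rarity + boost)

class TieredRouter:
    BLOCK_AT, ESCALATE_AT = 0.8, 0.5

    def __init__(self, rules_engine, scorer):
        self.rules, self.scorer = rules_engine, scorer
        self.layer_hits = Counter()  # which layer produced each final verdict

    def route(self, event):
        hit = self.rules.evaluate(event)
        if hit or event.get("type") != "exec":
            # A rule settled it, or the event lacks exec features: stays in layer 1.
            self.layer_hits[1] += 1
            return {"layer": 1, "verdict": "block" if hit else "allow",
                    "reason": hit or "no rule matched"}
        s = self.scorer.score(event)
        if self.ESCALATE_AT <= s < self.BLOCK_AT:
            # Layer 3 (the cloud LLM call) is out of scope here: bundle the context
            # the model would need and hand the ambiguous event off.
            self.layer_hits[3] += 1
            return {"layer": 3, "verdict": "escalate",
                    "reason": f"ambiguous score {s:.2f}", "context": dict(event)}
        self.layer_hits[2] += 1
        return {"layer": 2, "verdict": "block" if s >= self.BLOCK_AT else "allow",
                "reason": f"anomaly score {s:.2f}"}

# Constructed baseline and telemetry for the demo (not real data).
BASELINE_PAIRS = ([("cron", "logrotate")] * 40 + [("sshd", "bash")] * 8
                  + [("bash", "vim")] * 5 + [("systemd", "nginx")] * 2)
SAMPLE_EVENTS = (
    [{"type": "auth", "service": "sshd", "src": "203.0.113.7",
      "msg": f"Failed password for root from 203.0.113.7 port {40000 + i}"} for i in range(5)]
    + [{"type": "conn", "src": "198.51.100.9", "dst_port": 20 + p} for p in range(10)]
    + [{"type": "http", "src": "198.51.100.23", "url": "/cgi-bin/../../etc/passwd"}]
    + [{"type": "exec", "parent": "cron", "process": "logrotate", "user": "root"},
       {"type": "exec", "parent": "apache2", "process": "sh", "user": "www-data"},
       {"type": "exec", "parent": "bash", "process": "nc", "user": "ops"}]
)

def run(events=SAMPLE_EVENTS):
    """Route every event in order; return (verdicts, final-verdict count per layer)."""
    router = TieredRouter(RulesEngine(RULES), LocalAnomalyScorer(BASELINE_PAIRS))
    verdicts = [router.route(e) for e in events]
    return verdicts, dict(router.layer_hits)

if __name__ == "__main__":
    for v in run()[0]:
        print(v["layer"], v["verdict"], v["reason"])
```

On the 19 constructed events, 16 never leave the rules layer (the brute force fires on the fifth failure, the port scan on the tenth distinct port, the traversal payload on its first request), two are settled by the local scorer (a routine cron child allowed, a web server spawning a shell blocked), and one ambiguous exec (a shell launching nc, never seen in the baseline) is the only event that would be escalated. Two practical points the numbers hide: the stateful rules keep per-key state in memory, which is what makes a sub-50ms verdict possible, and that state is also where an attacker slows down (spreading a scan across sources or time) to stay under a threshold, so thresholds deserve the same review as the regexes.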
The Benchmark
In our internal testing across this three-layer approach, the rules engine alone handles the vast majority of confirmed threats. Adding the local ML layer significantly extends coverage to behavioral anomalies. The LLM layer closes the remaining gap for novel threats.
The target median response time is under 50ms. That is the time from event detection to automated response -- fast enough to block an attacker before they complete their first exploit.
The Right Tool for Each Job
AI is transformative technology. But not every problem needs a transformer. The best security systems use AI surgically -- applying it where pattern matching fails, not as a replacement for pattern matching. That is the engineering philosophy behind Panguard, and it is why we can deliver enterprise-grade detection at $9 per month.