Detect
Behavioral anomaly detection — deterministic heuristic correlation
On-device behavioral correlation · P50 under 50ms per decision · 7-day learning-mode baseline · No LLM in the detection path — verdicts are deterministic and reproducible · Fully offline.
WHAT THIS LAYER DOES
L4 Detect catches what single-rule matching cannot: behavioral drift, coordinated multi-step attacks, and individually-benign tool calls that combine into a malicious sequence. It runs entirely on-device with no LLM in the detection path: a behavioral baseline plus heuristic and temporal correlation across events. Single-rule matching handles known attacks; L4 correlates the residue.
WHY YOU NEED IT
Single-rule matching catches attacks you have seen before. Multi-step and drifting attacks slip between individual rules. Behavioral correlation closes that gap deterministically — reproducible verdicts, no cloud call, no LLM latency tax. P50 stays under 50ms, correlation passes complete in milliseconds, fully offline.
HOW IT WORKS
SmartRouter in packages/panguard-guard/src/engines/smart-router.ts dispatches events by confidence to deterministic handlers. EnvironmentBaseline learns normal processes / connections / logins during the 7-day learning window, then flips to protection mode and flags deviations. The investigation engine correlates across events using heuristic and temporal rules — no model inference at detection time.
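A minimal sketch of the two mechanisms described above, a learning-mode baseline and an ordered temporal correlation rule, added here as an illustration and not taken from Panguard's code. The Detector class, the event fields, the 60-second window and the file.read then net.connect chain are all assumptions.

```typescript
// Added example: hypothetical names, not Panguard's EnvironmentBaseline or SmartRouter.
interface ToolEvent { ts: number; skill: string; action: string; target: string }
interface Verdict { rule: string; severity: "HIGH" | "MEDIUM"; detail: string }

const DAY_MS = 24 * 60 * 60 * 1000;
const LEARNING_MS = 7 * DAY_MS;             // 7-day learning window, as stated on the page
const CHAIN_WINDOW_MS = 60 * 1000;          // assumed correlation window
const CHAIN = ["file.read", "net.connect"]; // assumed ordered step pattern

class Detector {
  private seen: Record<string, boolean> = {}; // learned (skill, action, target) tuples
  private recent: ToolEvent[] = [];           // sliding window used for correlation
  private start: number;
  constructor(start: number) { this.start = start; }

  observe(e: ToolEvent): Verdict[] {
    const key = [e.skill, e.action, e.target].join("|");
    // Learning mode: record the tuple and never alert.
    if (e.ts - this.start < LEARNING_MS) { this.seen[key] = true; return []; }
    const out: Verdict[] = [];
    if (!this.seen[key]) out.push({ rule: "baseline-drift", severity: "MEDIUM", detail: key });
    // Temporal correlation: drop events older than the window, then look for
    // the chain steps in order, regardless of which skill issued each step.
    this.recent = this.recent.filter((r) => e.ts - r.ts <= CHAIN_WINDOW_MS);
    this.recent.push(e);
    let step = 0;
    for (const r of this.recent) if (r.action === CHAIN[step]) step++;
    if (step >= CHAIN.length) {
      out.push({ rule: "multi-skill-chain", severity: "HIGH", detail: CHAIN.join(" -> ") });
      this.recent = []; // one alert per completed chain
    }
    return out;
  }
}

// Constructed sample: each action is learned on its own, then both occur 5 s apart on day 8.
function sampleEvents(): ToolEvent[] {
  const d8 = 8 * DAY_MS;
  return [
    { ts: 1 * DAY_MS, skill: "notes", action: "file.read", target: "~/.config/app.json" },
    { ts: 2 * DAY_MS, skill: "weather", action: "net.connect", target: "api.example.com" },
    { ts: d8, skill: "notes", action: "file.read", target: "~/.config/app.json" },
    { ts: d8 + 5000, skill: "weather", action: "net.connect", target: "api.example.com" },
    { ts: d8 + DAY_MS, skill: "weather", action: "proc.spawn", target: "sh" },
  ];
}

function run(events: ToolEvent[], start: number): Verdict[] {
  const d = new Detector(start);
  return events.reduce<Verdict[]>((all, e) => all.concat(d.observe(e)), []);
}
```

On the constructed sample, the two day-8 events are both in the baseline and raise no drift verdict, yet together they complete the chain; the never-seen proc.spawn on day 9 is the only drift verdict.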
TRY IT NOW
Behavioral detection is on by default once the baseline is learned:
pga up
ATTACKS THIS LAYER CATCHES
Concrete threats, concrete controls
Multi-skill chain attack
HIGH
Individually benign tool calls that combine into a malicious sequence — rules miss, behavioral detection catches.
Behavioral drift from baseline
MEDIUM
A skill that starts deviating from its learned baseline — new processes, unexpected connections, off-pattern timing — is flagged by deterministic baseline comparison.