Panguard's detection engine uses ATR (Agent Threat Rules) -- the first open standard for AI agent threat detection -- across multiple deterministic detection stages that run entirely on-device, with no LLM in the detection path.
Architecture
Security that thinks, not just scans.
Deterministic detection stages, four autonomous agents, and a context memory that learns your environment. Every detection runs on-device with no LLM in the path -- so verdicts are reproducible and protection never depends on the network.
Detection Stages
Deterministic. On-device. Free.
Events flow through escalating detection stages -- regex rules, then behavioral analysis, then on-device correlation. Every stage is deterministic and runs locally, so the same input always produces the same verdict with no cloud dependency.
Rule Engine
ATR Rules (regex)
Open-source ATR (Agent Threat Rules) form the bedrock. 650+ deterministic regex rules process the vast majority of AI agent security events instantly, on-device, with zero cost per event. New community rules are pulled daily from Threat Cloud and automatically compiled into the local engine.
Fingerprint & Heuristic
Local behavioral analysis
Events that rules do not match are checked against behavioral baselines and fingerprints recorded during onboarding. Zero-config, fully offline, keeps sensitive data on the device, and flags drift from expected behavior without any cloud dependency.
Correlation & AST
On-device static + temporal analysis
Events that survive earlier stages are cross-correlated on-device: AST static analysis of skill code plus temporal correlation of behavioral signals. The engine weighs rule confidence, baseline deviation, and timing to produce a reproducible, confidence-scored verdict -- no LLM, no data leaving the machine.
Multi-Layer Defense Stack
Five layers of real-time defense.
Each layer instruments a different attack surface with battle-tested open-source engines. From kernel syscalls to log correlation, every layer feeds normalized events into the AI pipeline.
Skill Interception
ATR Rules
Intercepts every AI agent tool call, prompt flow, and skill installation. ATR rules detect prompt injection, tool poisoning, credential exfiltration, and context manipulation in real-time.
Detects
Prompt injection, tool poisoning, credential exfiltration, context manipulation
Implementation
ATR rule engine, sub-millisecond evaluation, 650+ detection rules, 920+ patterns
Skill Auditor
AST Analysis
Static analysis of AI skill source code before installation. Checks for hidden capabilities, excessive permissions, obfuscated payloads, and supply-chain attacks.
Detects
Hidden capabilities, excessive permissions, obfuscated payloads, supply-chain attacks
Implementation
8-layer audit checks, AST parsing, dependency analysis, permission mapping
Behavioral Monitoring
Runtime Guard
Monitors AI agent behavior at runtime. Detects anomalous tool usage patterns, unexpected file access, and unauthorized network connections by AI agents.
Detects
Anomalous tool usage, unauthorized file access, unexpected network calls, privilege escalation
Implementation
Behavioral baseline learning, 7-day calibration period, confidence-based alerting
Event Correlation
ATR Correlation
ATR detection rules correlate events across AI agent sessions, tool calls, and prompt flows. The rule engine supports temporal correlation, aggregation, and multi-source joins.
Detects
Brute force attacks, lateral movement chains, persistence mechanisms, policy violations
Implementation
650+ ATR rules, hot-reload, MITRE ATT&CK TTP mapping, custom rule authoring
Confidence Scoring
Deterministic Correlation
Events that pass through layers 1-4 are cross-correlated on-device with no LLM in the detection path. The engine weighs behavioral baselines, rule confidence, and temporal patterns to produce a reproducible confidence-scored verdict with a full attack narrative.
Detects
Multi-step attack chains, behavioral drift, policy violations, false positive reduction
Implementation
Deterministic heuristic + temporal correlation, baseline-deviation scoring, 0-100 confidence, fully reproducible
Event Pipeline
From raw signal to actionable alert.
Every security event traverses a five-stage pipeline. Data is normalized, enriched, correlated, scored, and dispatched -- typically in under 200ms.
Ingest
Raw events from ATR rule engine, skill auditor, behavioral monitors, and process watchers are captured in real-time.
Normalize
Events are mapped to a unified schema with source, severity, category, and MITRE ATT&CK tags.
Correlate
ATR rules and AI cross-reference events against baseline behavior and threat intelligence feeds.
Score
Each correlated event receives a 0-100 confidence score determining automated response thresholds.
Alert
Verdicts trigger playbook execution and dispatch to Slack, Telegram, Email, and the dashboard.
Ingest
Raw events from ATR rule engine, skill auditor, behavioral monitors, and process watchers are captured in real-time.
Normalize
Events are mapped to a unified schema with source, severity, category, and MITRE ATT&CK tags.
Correlate
ATR rules and AI cross-reference events against baseline behavior and threat intelligence feeds.
Score
Each correlated event receives a 0-100 confidence score determining automated response thresholds.
Alert
Verdicts trigger playbook execution and dispatch to Slack, Telegram, Email, and the dashboard.
Agent Architecture
Four agents. One mission.
Each agent is a specialist. Together they form an autonomous security operations pipeline that detects, analyzes, responds, and reports -- keeping you informed in real time.
Detect Agent
First Responder
Continuously monitors AI agent tool calls, prompt flows, and skill behavior. Applies ATR rules in real-time, flagging anomalies the moment they appear. It produces raw event signals enriched with MITRE ATT&CK TTP tags.
Analyze Agent
Correlation Engine
Receives flagged events from the Detect Agent and correlates them deterministically. It links events across time, queries the Context Memory for baseline deviations, and assigns a reproducible confidence score from 0 to 100 -- no LLM involved.
Respond Agent
Automated Defender
Executes response playbooks based on confidence thresholds. High-confidence threats trigger automatic isolation, firewall rule injection, or process termination. Medium-confidence events queue human-review tasks with full context.
Report Agent
Compliance Writer
Transforms raw incident data into structured reports mapped to EU AI Act, NIST AI RMF, ISO/IEC 42001, and other frameworks. Generates executive summaries, timeline visualizations, and audit-ready evidence packages automatically.
Context Memory
Seven days to learn you. Then it never forgets.
During the first seven days after installation, Panguard silently observes your system: normal network patterns, typical process trees, expected cron schedules, and standard user behaviour. This builds a per-device baseline stored in an encrypted local database.
After the learning window, any deviation from baseline is scored and flagged. The model continually refines itself -- a new legitimate service gets adopted into the baseline within hours, while a novel attack pattern triggers escalation immediately.
Observation
Collecting process trees, network connections, file-system baselines
Pattern extraction
Building statistical models of normal behavior per service
Threshold tuning
Calibrating alert thresholds to minimize false positives
Active protection
Full detection + auto-response with continuous refinement
Confidence Scoring
Every event gets a score.
A 0-100 confidence score determines what happens next. High scores trigger automatic response. Medium scores notify humans. Low scores feed the learning system.
High-confidence threats are neutralized automatically. The Respond Agent executes the matching playbook within seconds, then logs every action for audit.
Medium-confidence events trigger a notification to the designated human reviewer via Chat Agent. Full context and AI reasoning are attached so the reviewer can approve or dismiss in one click.
Low-confidence signals are logged with full metadata and fed into the Context Memory system. Over time, the baseline model refines itself and these signals either graduate to higher bands or are suppressed as noise.
Anonymous sharing
Threat indicators are stripped of all identifying data before contribution.
Distributed cache
New threat signatures propagate to the entire fleet within minutes.
Automatic rule push
Community-validated signatures are compiled into ATR rules and pushed to every agent.
Privacy-first
No IP addresses, hostnames, or user data leave the device. Only hashes and behavioral patterns.
Collective Intelligence
One device detects it. Every device blocks it.
When a Panguard agent identifies a previously unknown threat, an anonymous indicator of compromise (IOC) is contributed to the collective intelligence network. Within minutes, every other Panguard agent receives the new signature.
This creates a feedback loop: the more devices in the network, the faster new threats are caught, and the stronger every individual agent becomes. A small business with one server benefits from threat data generated across the entire Panguard fleet.
Resilience
Security never stops.
Network down? Threat Cloud unreachable? Panguard's detection runs entirely on-device, so protection is identical online or fully air-gapped. Cloud connectivity only affects rule updates, never detection.
Online
All detection stages active and Threat Cloud reachable -- new community rules pull automatically every hour.
Cloud Unreachable
Detection is unaffected -- the full on-device engine keeps running on the rules already compiled locally. New rule updates resume once Threat Cloud is reachable again.
Fully Air-Gapped
No network at all. The deterministic engine -- 650+ ATR rules, behavioral baselines, and on-device correlation -- provides full protection with nothing leaving the machine.
Emergency Mode
Core watchdog process monitors critical signals. If Panguard itself is targeted, the watchdog alerts the owner and preserves forensic logs.
Stack
Built on proven foundations.
Every component is chosen for reliability, performance, and developer ergonomics. No proprietary lock-in.
TypeScript
End-to-end type safety
ATR Rules
AI agent threat detection
Threat Cloud
Community defense network
Regex Engine
Deterministic ATR rule evaluation
Behavioral Baseline
On-device fingerprint & drift detection
Node.js
Agent runtime
SQLite + Redis
Event store & cache
Docker
Single-command deployment
REST / WebSocket
Real-time telemetry
Prometheus
Metrics & alerting
MCP Protocol
Model Context Protocol for AI assistant integration
Semgrep
Static analysis for SAST code scanning
SOAR Engine
Security orchestration with YAML playbooks
Welford's Algorithm
Online statistical anomaly detection
Ready to see it in action?
Run a free security scan in 60 seconds, or talk to our team about deploying Panguard in your infrastructure.