Architecture
Security that thinks, not just scans.
A three-layer AI defense funnel, five autonomous agents, and a context memory that learns your environment. Built so the 90 % of events that are noise cost nothing, and the 3 % that matter get the deepest reasoning available.
Defense Funnel
Three layers. 90 % free.
Events flow downward through increasingly powerful -- and increasingly expensive -- analysis layers. The funnel ensures cost efficiency while guaranteeing that no genuine threat is missed.
Rule Engine
Sigma + YARA
Open-source Sigma and YARA rules form the bedrock. They process the vast majority of security events instantly, on-device, with zero cost per event. New community rules are pulled daily from curated feeds and automatically compiled into the local engine.
Edge AI
Local LLM via Ollama
Events that rules cannot confidently classify are escalated to a local large-language model running on Ollama. This keeps sensitive data on the device, avoids network latency, and adds contextual reasoning without cloud dependency.
Cloud AI
Claude / GPT
Only the most ambiguous or novel threats reach cloud AI for deep reasoning. The payload is scrubbed of PII before transmission. Cloud AI returns a structured verdict with a confidence score and a plain-language explanation.
Agent Architecture
Five agents. One mission.
Each agent is a specialist. Together they form an autonomous security operations pipeline that detects, analyzes, responds, reports, and communicates -- without human intervention.
Detect Agent
First Responder
Continuously monitors system logs, network traffic, and file-system changes. Applies Sigma and YARA rules in real time, flagging anomalies the moment they appear. It produces raw event signals enriched with MITRE ATT&CK TTP tags.
Analyze Agent
AI Investigator
Receives flagged events from the Detect Agent and performs multi-step reasoning. It correlates events across time, queries the Context Memory for baseline deviations, and assigns a confidence score from 0 to 100.
Respond Agent
Automated Defender
Executes response playbooks based on confidence thresholds. High-confidence threats trigger automatic isolation, firewall rule injection, or process termination. Medium-confidence events queue human-review tasks with full context.
Report Agent
Compliance Writer
Transforms raw incident data into structured reports mapped to ISO 27001, SOC 2, and other frameworks. Generates executive summaries, timeline visualizations, and audit-ready evidence packages automatically.
Chat Agent
Security Copilot
The human interface. Users ask questions in plain language and receive answers backed by real telemetry. Integrated with LINE, Slack, and Telegram. Sends proactive weekly summaries and real-time breach notifications.
Context Memory
Seven days to learn you. Then it never forgets.
During the first seven days after installation, Panguard silently observes your system: normal network patterns, typical process trees, expected cron schedules, and standard user behaviour. This builds a per-device baseline stored in an encrypted local database.
After the learning window, any deviation from baseline is scored and flagged. The model continually refines itself -- a new legitimate service gets adopted into the baseline within hours, while a novel attack pattern triggers escalation immediately.
Observation
Collecting process trees, network connections, file-system baselines
Pattern extraction
Building statistical models of normal behavior per service
Threshold tuning
Calibrating alert thresholds to minimize false positives
Active protection
Full detection + auto-response with continuous refinement
Confidence Scoring
Every event gets a score.
A 0-100 confidence score determines what happens next. High scores trigger automatic response. Medium scores notify humans. Low scores feed the learning system.
High-confidence threats are neutralized automatically. The Respond Agent executes the matching playbook within seconds, then logs every action for audit.
Medium-confidence events trigger a notification to the designated human reviewer via Chat Agent. Full context and AI reasoning are attached so the reviewer can approve or dismiss in one click.
Low-confidence signals are logged with full metadata and fed into the Context Memory system. Over time, the baseline model refines itself and these signals either graduate to higher bands or are suppressed as noise.
Collective Intelligence
One device detects it. Every device blocks it.
When a Panguard agent identifies a previously unknown threat, an anonymous indicator of compromise (IOC) is contributed to the collective intelligence network. Within minutes, every other Panguard agent receives the new signature.
This creates a feedback loop: the more devices in the network, the faster new threats are caught, and the stronger every individual agent becomes. A small business with one server benefits from threat data generated across the entire Panguard fleet.
Anonymous sharing
Threat indicators are stripped of all identifying data before contribution.
Distributed cache
New threat signatures propagate to the entire fleet within minutes.
Automatic rule push
Community-validated signatures are compiled into Sigma/YARA rules and pushed to every agent.
Privacy-first
No IP addresses, hostnames, or user data leave the device. Only hashes and behavioral patterns.
Resilience
Security never stops.
Network down? API tokens depleted? Cloud provider outage? Panguard degrades gracefully through its three layers. Protection is always on.
Optimal
Cloud AI + Local LLM + Rule Engine -- full three-layer analysis on every event.
Cloud Unavailable
Local LLM + Rule Engine. Complex events queue for cloud retry. No gaps in protection.
LLM Offline
Rule Engine only. Sigma + YARA still catch 90 % of known threats. Events are logged for later AI analysis.
Emergency Mode
Core watchdog process monitors critical signals. If Panguard itself is targeted, the watchdog alerts the owner and preserves forensic logs.
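As an added example (not Panguard's own code), this is how the confidence bands from the Confidence Scoring section and the layer fallback from the Resilience section could be wired together in TypeScript. The band thresholds (80 and 40), the layer interface, and the sample events are assumptions, not values taken from the page.

```typescript
// Added illustration, not Panguard's implementation. Thresholds and the
// Layer interface are assumed; the page only states a 0-100 score with
// high / medium / low bands.
type LayerName = "rules" | "edge" | "cloud";
type Verdict = { confidence: number; layer: LayerName; reason: string };
type Layer = { name: LayerName; available: boolean; analyze: (event: string) => Verdict | null };
type Action = "auto-respond" | "human-review" | "learn";

const HIGH = 80;   // assumed: >= 80 runs the Respond Agent playbook
const MEDIUM = 40; // assumed: 40..79 queues a human-review task via Chat Agent

function routeByConfidence(confidence: number): Action {
  if (!Number.isInteger(confidence) || confidence < 0 || confidence > 100) {
    throw new RangeError("confidence must be an integer 0-100");
  }
  if (confidence >= HIGH) return "auto-respond";
  if (confidence >= MEDIUM) return "human-review";
  return "learn"; // low band is logged and fed into Context Memory
}

// Walk the funnel in order. A layer returning null means "cannot confidently
// classify", so the event escalates to the next layer. An unavailable layer
// (cloud outage, tokens depleted, Ollama down) is skipped and the event is
// marked for retry, so the remaining layers keep protecting.
function analyzeEvent(event: string, layers: Layer[]): Verdict & { retry: boolean } {
  let retry = false;
  for (const layer of layers) {
    if (!layer.available) { retry = true; continue; }
    const verdict = layer.analyze(event);
    if (verdict !== null) return { ...verdict, retry };
  }
  // No reachable layer classified it: log as low-confidence for later AI analysis.
  return { confidence: 10, layer: "rules", reason: "unclassified; logged for later analysis", retry };
}

// Constructed sample layers: the rule engine fires only on a known signature,
// the local LLM flags a pipe-to-shell pattern, and the cloud layer is offline.
const sampleLayers: Layer[] = [
  { name: "rules", available: true, analyze: (e) =>
      e.includes("known_bad_hash") ? { confidence: 95, layer: "rules", reason: "YARA match" } : null },
  { name: "edge", available: true, analyze: (e) =>
      e.includes("| sh") ? { confidence: 60, layer: "edge", reason: "local LLM: pipe-to-shell" } : null },
  { name: "cloud", available: false, analyze: () =>
      ({ confidence: 50, layer: "cloud", reason: "cloud verdict" }) },
];
```

With the cloud layer offline, an event neither layer can classify comes back with `retry: true`, which is the "complex events queue for cloud retry" state from the Resilience section.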
Stack
Built on proven foundations.
Every component is chosen for reliability, performance, and developer ergonomics. No proprietary lock-in.
TypeScript
End-to-end type safety
Sigma Rules
Industry-standard detection
YARA Rules
Malware pattern matching
Ollama
Local LLM inference
Claude / GPT
Cloud AI reasoning
Node.js
Agent runtime
SQLite + Redis
Event store & cache
Docker
Single-command deployment
REST / WebSocket
Real-time telemetry
Prometheus
Metrics & alerting