The threat command runs a local instance of the Panguard Threat Cloud — a threat intelligence server that aggregates indicators of compromise (IoCs), campaign data, and attacker profiles from your Guard agents and Trap honeypots. It provides a REST API and real-time dashboard for threat analysis.

Usage

panguard threat <subcommand> [options]

Subcommands

| Subcommand | Description |
| --- | --- |
| start | Start the Threat Cloud server |
| stats | Show threat intelligence statistics without starting the server |

Options

--port (number, default: "9500")
    Port for the Threat Cloud API and dashboard.

--host (string, default: "127.0.0.1")
    Host address to bind the server to. Use 0.0.0.0 to listen on all interfaces.

--db (string)
    Path to the SQLite database for storing threat intelligence data. Defaults to ~/.panguard/threat/threat.db.

Examples

panguard threat start

Intelligence Sources

The Threat Cloud aggregates data from:

| Source | Data Type |
| --- | --- |
| Guard agents | Process anomalies, network indicators, file hashes |
| Trap honeypots | Attacker IPs, credentials used, exploit payloads |
| Community feeds | Public IoC feeds, STIX/TAXII sources |
| Manual upload | Custom IoC lists via API |

When binding to 0.0.0.0, the Threat Cloud API is exposed to the network. Ensure you configure authentication and place the server behind a firewall or reverse proxy.
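
One way to confirm how the server is actually bound after `panguard threat start`, as an added example that is not part of the Panguard documentation: the function reads `ss -H -ltn` output and reports whether a port is listening on loopback only. `classify_bind` is a hypothetical helper name, the sample lines are constructed, and Linux `ss` from iproute2 is assumed for live use.

```shell
#!/bin/sh
# Added example: classify how a TCP port is bound, from `ss -H -ltn` output on stdin.
# Prints one of: loopback | exposed | absent
# Live use (Linux, iproute2):  ss -H -ltn | classify_bind 9500
classify_bind() {
    port="$1"
    awk -v port="$port" '
        {
            # Column 4 is "Local Address:Port", e.g. 127.0.0.1:9500 or [::1]:9500
            local_addr = $4
            # Split on the final ":<digits>" so bracketed IPv6 literals work.
            if (match(local_addr, /:[0-9]+$/) == 0) next
            addr = substr(local_addr, 1, RSTART - 1)
            p = substr(local_addr, RSTART + 1)
            if (p != port) next
            found = 1
            sub(/^\[/, "", addr)
            sub(/\]$/, "", addr)
            sub(/%.*$/, "", addr)   # drop an interface scope such as %lo
            # Anything other than 127.0.0.0/8 or ::1 is treated as network-reachable
            # (0.0.0.0, *, ::, a LAN address). This is deliberately conservative.
            if (addr !~ /^127\./ && addr != "::1") exposed = 1
        }
        END {
            if (!found) print "absent"
            else if (exposed) print "exposed"
            else print "loopback"
        }'
}

# Constructed sample lines in `ss -H -ltn` format (not captured from a real host).
SAMPLE_LOOPBACK='LISTEN 0 511 127.0.0.1:9500 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_EXPOSED='LISTEN 0 511 0.0.0.0:9500 0.0.0.0:*'

# Default --host 127.0.0.1 on the default --port 9500
printf '%s\n' "$SAMPLE_LOOPBACK" | classify_bind 9500
# Server started with --host 0.0.0.0
printf '%s\n' "$SAMPLE_EXPOSED" | classify_bind 9500
```

A result of `exposed` means the port is reachable on at least one non-loopback address, which is the case where the authentication and firewall or reverse proxy guidance above applies.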

Plan Requirements

Threat Cloud requires the Business ($79/mo) plan. It is designed for organizations managing multiple endpoints that need centralized intelligence.