Skip to main content

Learning Mode

Guard spends 7 days observing your system before it starts protecting it. This is not laziness — it is how Panguard avoids the flood of false positives that makes most security tools useless.

Why a Learning Period?

Traditional security tools start alerting the moment they are installed. The result:
  • Legitimate cron jobs flagged as suspicious processes
  • Internal services treated as anomalous connections
  • Hundreds of alerts per day, nearly all false positives
  • Users disable notifications, defeating the purpose of the tool
Panguard Guard spends 7 days observing what normal looks like on your system, then determines what is abnormal.

What Happens During Learning

1

Days 1-3: Collect Baseline

Guard silently observes and records:
  • Process baseline — Which programs normally run, their startup times, and resource usage
  • Network baseline — Normal connection patterns, common ports, traffic characteristics
  • File baseline — Change patterns in critical directories
  • User baseline — Login times, source IPs, operational patterns
2

Days 4-7: Build Model

Guard analyzes the collected data:
  • Calculates normal behavior ranges (mean + standard deviation)
  • Identifies periodic patterns (daily backups, scheduled updates)
  • Marks known safe behaviors to prevent future false positives
3

Day 8+: Enter Protection Mode

Guard automatically transitions:
  • Switches to active protection mode
  • Behaviors deviating from the baseline trigger alerts
  • Continuous learning ensures the baseline evolves with your environment

Learning Mode vs. Protection Mode

PropertyLearning ModeProtection Mode
ActivationAutomatic after installationAutomatic after 7 days
AlertsNone generatedGenerated when baseline deviates
Auto-responseNot executedExecuted based on confidence level
NotificationsDaily learning progress summaryReal-time threat notifications
AI analysisObservation onlyFull three-layer funnel

Checking Learning Progress

panguard guard status
Example output during the learning period: 
  -- Guard Status -----------------------

  Mode:       Learning (Day 3/7)
  Uptime:     3d 14h 22m
  Events:     12,847 observed
  Baseline:   42% complete
  Processes:  187 baselined
  Networks:   34 patterns learned

Confidence-Based Response in Protection Mode

Once Guard enters protection mode, it uses confidence levels to decide how to respond:
ConfidenceActionExample
> 90%Auto-execute responseKnown malicious IP — automatically blocked
70-90%Ask for confirmation via ChatSuspicious process — asks if you want to terminate it
< 70%Notify only, no action takenMinor anomaly — informs you for observation
This tiered approach ensures high-certainty threats are handled immediately, while uncertain situations are escalated to your judgment.

Mode Transition Criteria

The transition from learning to protection mode is not purely time-based. Guard also evaluates:
  • Baseline confidence — Must reach a threshold (>= 0.7) indicating sufficient data
  • Minimum event count — Enough events must be observed to form a representative baseline
  • Pattern coverage — Process, network, login, and port patterns must all have data
If your system has very low activity, the learning period may extend beyond 7 days until the baseline confidence threshold is met.

Continuous Baseline Updates

Protection mode does not freeze the baseline. Guard continuously adapts:
  • 24-hour pruning cycle — Stale patterns older than 30 days are removed
  • New patterns integrated — Legitimate new services or processes are gradually incorporated
  • Time-of-day awareness — Events during 0:00-5:59 receive a confidence boost (unusual activity window)

Resetting the Learning Period

If your system undergoes major changes (server migration, large-scale service deployment), you can reset the learning period: 
panguard guard stop
# Clear baseline files in the data directory
panguard guard start
Guard will re-enter the 7-day learning mode and build a fresh baseline.
Resetting clears all learned patterns. Guard will not generate alerts or auto-respond until the new learning period completes.

Three-Layer AI Funnel

How the rule engine, local AI, and cloud AI work together.

Security Score

The 0-100 scoring system that summarizes your security posture.