
Threat Intelligence

Threat intelligence provides structured information about known attackers, malicious IPs, domains, URLs, and malware signatures. Panguard automatically queries these databases to determine whether activity on your system is linked to known threats.
You do not need to understand the technical details. Guard handles the queries automatically, and Chat explains the results in plain language.

5 Built-in Threat Intelligence Feeds

abuse.ch Suite

| Source | Indicator Types | Description |
|---|---|---|
| ThreatFox | IP, domain, URL, hash | Database of indicators of compromise (IoCs) linked to malware campaigns |
| URLhaus | URL | Database of malware distribution URLs |
| Feodo Tracker | IP | Botnet Command and Control (C2) server tracking |

Additional Sources

| Source | Indicator Types | Description |
|---|---|---|
| GreyNoise | IP | Distinguishes targeted attacks from mass internet scanning |
| AbuseIPDB | IP | Community-reported malicious IP database with confidence scoring |

Feed Update Schedule

| Feed | Update Frequency | Query Type |
|---|---|---|
| ThreatFox | Every hour | Cached locally |
| URLhaus | Every hour | Cached locally |
| Feodo Tracker | Every hour | Cached locally |
| GreyNoise | Real-time per query | API call |
| AbuseIPDB | Real-time per query | API call |
The 1-hour update interval is configurable. For bandwidth-constrained systems, increase it to 6 or 24 hours.

Local Caching

Query results are cached locally to avoid redundant lookups:
  • Cache duration: 1-24 hours depending on the source
  • Cache location: Guard data directory
  • Expired entries are cleaned up automatically

Indicators of Compromise (IoCs)

Threat intelligence tracks the following types of indicators:
| Type | Description | Example |
|---|---|---|
| IP Address | Known malicious IP | 203.0.113.50 |
| Domain | Malicious domain name | malware.example.com |
| URL | Malicious URL | http://evil.com/payload.exe |
| File Hash | Malware fingerprint (SHA-256) | e3b0c44298fc1c149a... |
| Email | Phishing email address | phish@attacker.com |

Automatic Querying

Guard automatically queries threat intelligence when it detects suspicious activity:
Suspicious IP 203.0.113.50 connection detected
       |
       v
  Query ThreatFox  -> Known C2 server
  Query AbuseIPDB  -> Reported 1,247 times
  Query GreyNoise  -> Mass scanner
       |
       v
  Conclusion: High risk -- auto-block + notify
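The decision step of the flow above, written out as an added example (not Guard's own code): per-source lookup results for one IP are combined into a risk level and the actions that follow from it. The result shapes for each source, the thresholds, and the coverage figure are assumptions for this example; the sample results are constructed.

```javascript
// Added example: aggregate ThreatFox, AbuseIPDB and GreyNoise answers for one IP.
// Result shapes and thresholds are assumptions, not Panguard's real ones.

// Constructed lookup results for 203.0.113.50 (documentation address range).
const SAMPLE_LOOKUPS = {
  threatfox: { matched: true, threatType: 'botnet_cc', malware: 'example-family' },
  abuseipdb: { reports: 1247, confidence: 100 }, // confidence score 0-100
  greynoise: { noise: true, classification: 'malicious' },
};

// A benign mass scanner with a handful of low-confidence abuse reports.
const BENIGN_SCANNER_LOOKUPS = {
  threatfox: { matched: false },
  abuseipdb: { reports: 30, confidence: 15 },
  greynoise: { noise: true, classification: 'benign' },
};

// A source that could not be queried (feed unreachable) is represented as null.
const OFFLINE_LOOKUPS = { threatfox: { matched: false }, abuseipdb: null, greynoise: null };

// Assumed thresholds for this example.
const ABUSEIPDB_HIGH_CONFIDENCE = 80;
const ABUSEIPDB_MEDIUM_REPORTS = 10;

function assessIndicator(ip, lookups) {
  const reasons = [];
  let score = 0;            // coarse 0-100 risk score, highest signal wins
  let sourcesAnswered = 0;
  const sourcesTotal = Object.keys(lookups).length;

  const tf = lookups.threatfox;
  if (tf) {
    sourcesAnswered += 1;
    if (tf.matched) {
      score = Math.max(score, 90);
      reasons.push(`ThreatFox: known ${tf.threatType}` + (tf.malware ? ` (${tf.malware})` : ''));
    }
  }

  const ab = lookups.abuseipdb;
  if (ab) {
    sourcesAnswered += 1;
    if (ab.confidence >= ABUSEIPDB_HIGH_CONFIDENCE) {
      score = Math.max(score, 85);
      reasons.push(`AbuseIPDB: reported ${ab.reports} times (confidence ${ab.confidence})`);
    } else if (ab.reports >= ABUSEIPDB_MEDIUM_REPORTS) {
      score = Math.max(score, 50);
      reasons.push(`AbuseIPDB: reported ${ab.reports} times`);
    }
  }

  const gn = lookups.greynoise;
  let benignNoise = false;
  if (gn) {
    sourcesAnswered += 1;
    if (gn.classification === 'malicious') {
      score = Math.max(score, 70);
      reasons.push('GreyNoise: classified malicious');
    } else if (gn.noise && gn.classification === 'benign') {
      benignNoise = true;
      reasons.push('GreyNoise: benign mass scanner');
    } else if (gn.noise) {
      score = Math.max(score, 40);
      reasons.push('GreyNoise: mass scanner (untargeted)');
    }
  }
  // A benign mass scanner lowers the risk only when no feed reported a concrete threat.
  if (benignNoise && score < 80) score = Math.min(score, 20);

  // Fraction of sources that answered; lets a caller discount a verdict made with few sources.
  const coverage = sourcesTotal ? sourcesAnswered / sourcesTotal : 0;
  const risk = score >= 80 ? 'high' : score >= 40 ? 'medium' : 'low';
  const actions = risk === 'high' ? ['auto-block', 'notify'] : risk === 'medium' ? ['notify'] : [];
  return { ip, risk, score, coverage, actions, reasons };
}
```

With `SAMPLE_LOOKUPS` the verdict is `high` with `auto-block` and `notify`, matching the conclusion in the flow; with `OFFLINE_LOOKUPS` only one source answers, so the coverage figure drops to one third and the verdict should be read as weaker evidence, not as a clean bill of health.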

Threat Cloud — Collective Intelligence

Beyond public feeds, Panguard users contribute to and benefit from the Threat Cloud, a community-driven collective intelligence network focused on ATR (Agent Threat Rules) consensus.

The Crystallization Flywheel

Threat Cloud’s core value proposition is the crystallization flywheel — a self-reinforcing loop where individual scan findings are refined into community-confirmed detection rules:
  Scan skill ──> Findings ──> TC proposal ──> Consensus (3+ confirmations) ──> Confirmed rule
       ^                                                                              |
       └──────────────── Distributed to all scanners ────────────────────────────────┘
Each cycle strengthens the network:
  1. Scan — Any Panguard scanner (CLI, Website, or Guard) scans an MCP skill
  2. Propose — High-severity findings generate an ATR proposal identified by a pattern hash
  3. Confirm — Other scanners encountering the same pattern hash confirm the proposal
  4. Promote — At 3+ independent confirmations, the proposal is auto-promoted to a confirmed rule
  5. Distribute — Confirmed rules are served via GET /api/atr-rules to all scanners
  6. Strengthen — Scanners load new rules, improving detection, generating more proposals
The pattern hash is the SHA-256 digest of the string scan:{skillName}:{findingSummary}, truncated to 16 hex characters. Because all scanners use the same @panguard-ai/scan-core library, they produce identical hashes for the same threat pattern regardless of whether the scan originated from CLI, Website, or Guard.

LLM Reviewer

Threat Cloud includes an automated LLM reviewer (Claude Sonnet 4) that evaluates ATR proposals for false positive risk, coverage, detection specificity, and YAML validity. Proposals can be promoted through community consensus alone (3+ confirmations) or through LLM approval combined with community confirmation.

IoC Feeds

Threat Cloud also distributes traditional IoC feeds (IP blocklists, domain blocklists) and maintains a community skill blacklist. These complement the ATR rule pipeline for network-level threat indicators.

Privacy and Data Protection

Privacy guarantee: Only threat indicators (IPs, hashes, patterns) are uploaded. No system information, usernames, internal IPs, file contents, or personally identifiable information is ever shared.
| Privacy Measure | Details |
|---|---|
| IP anonymization | Source IPs are /16-anonymized before upload |
| GDPR compliance | No personal data is collected or stored |
| Zero raw data | No log content, file content, or system details are transmitted |
| Zero telemetry | No usage analytics, crash reports, or behavioral tracking |
| Opt-out available | Threat Cloud can be fully disabled |
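The two measures that can be checked in code, /16 anonymization of the source IP and uploading indicators only, as an added example (not Panguard's upload path). The record field names, the allow-list, and the handling of non-IPv4 addresses are assumptions; the local event is constructed.

```javascript
// Added example: reduce a source IPv4 address to its /16 and build an upload
// record from an allow-list of indicator fields. Not Panguard's code.

// 203.0.113.50 -> 203.0.0.0/16: the network prefix survives, the host part does not.
function anonymizeIPv4(ip) {
  const parts = String(ip).split('.');
  const valid = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) throw new Error(`not an IPv4 address, refusing to upload: ${ip}`);
  return `${parts[0]}.${parts[1]}.0.0/16`;
}

// Allow-list: only these keys may leave the host. Anything else is dropped,
// so a new field added to local events can never leak by default.
const UPLOAD_ALLOWLIST = ['indicator', 'indicatorType', 'patternHash', 'severity'];
const INDICATOR_TYPES = new Set(['ip', 'domain', 'url', 'hash', 'pattern']);

function buildUploadRecord(event) {
  if (!INDICATOR_TYPES.has(event.indicatorType)) {
    throw new Error(`unknown indicator type, refusing to upload: ${event.indicatorType}`);
  }
  const record = {};
  for (const key of UPLOAD_ALLOWLIST) {
    if (event[key] !== undefined) record[key] = event[key];
  }
  // The reporting host's own address is reduced to its /16 before it is allowed out.
  if (event.sourceIp !== undefined) record.sourceNet = anonymizeIPv4(event.sourceIp);
  return record;
}

// Constructed local event; hostname, username and log content must stay local.
const SAMPLE_EVENT = {
  indicator: '203.0.113.50',
  indicatorType: 'ip',
  severity: 'high',
  sourceIp: '198.51.100.23',
  hostname: 'db-01.internal',
  username: 'alice',
  logLine: 'constructed log content that must never be transmitted',
};
```

`buildUploadRecord(SAMPLE_EVENT)` yields only `indicator`, `indicatorType`, `severity` and `sourceNet` (`198.51.0.0/16`); the hostname, username and log line are not present because they were never on the allow-list.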

Offline Mode

Panguard works fully offline. When threat intelligence feeds are unreachable:
  • Layer 1 rule engine continues operating with locally cached rules
  • Previously cached feed data remains available until expiration
  • New detections rely on ATR rules and behavioral baselines only
  • Score adjustments reflect reduced intelligence coverage
# Disable all external intelligence (rules-only mode)
panguard guard start --offline
Offline mode disables Threat Cloud participation and real-time feed queries. Cached data is still used until it expires.
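The caching and offline behaviour described in the Local Caching section and above, as an added example that is not Guard's cache: a per-source TTL cache with automatic expiry cleanup, and a lookup routine that serves cached data until it expires, never calls out while offline, and reports how much of the feed set actually answered. The TTL values, the fetcher interface and the coverage figure are assumptions.

```javascript
// Added example: per-source TTL cache plus offline fallback. Not Guard's code.

// Assumed durations (the page says 1-24 hours depending on the source).
const HOUR = 60 * 60 * 1000;
const CACHE_TTL_MS = {
  threatfox: 1 * HOUR, urlhaus: 1 * HOUR, feodotracker: 1 * HOUR, // hourly feed snapshots
  greynoise: 24 * HOUR, abuseipdb: 24 * HOUR,                      // per-query API answers
};

class FeedCache {
  constructor(ttls = CACHE_TTL_MS) { this.ttls = ttls; this.entries = new Map(); }
  key(source, indicator) { return `${source}:${indicator}`; }
  set(source, indicator, value, now) {
    this.entries.set(this.key(source, indicator), { value, expiresAt: now + this.ttls[source] });
  }
  // Returns the cached value, or undefined when missing or expired (expired entries are dropped).
  get(source, indicator, now) {
    const k = this.key(source, indicator);
    const e = this.entries.get(k);
    if (!e) return undefined;
    if (e.expiresAt <= now) { this.entries.delete(k); return undefined; }
    return e.value;
  }
  // Periodic cleanup of expired entries; returns how many were removed.
  sweep(now) {
    let removed = 0;
    for (const [k, e] of this.entries) {
      if (e.expiresAt <= now) { this.entries.delete(k); removed += 1; }
    }
    return removed;
  }
}

// Query every source for one indicator. fetchers[source](indicator) is the assumed
// live-query interface; in offline mode it is never called.
function lookupAll(cache, fetchers, indicator, { offline, now }) {
  const sources = Object.keys(cache.ttls);
  const results = {};
  let answered = 0;
  for (const source of sources) {
    const cached = cache.get(source, indicator, now);
    if (cached !== undefined) { results[source] = { value: cached, from: 'cache' }; answered += 1; continue; }
    if (offline || !fetchers[source]) { results[source] = { value: null, from: 'unavailable' }; continue; }
    const fresh = fetchers[source](indicator);
    cache.set(source, indicator, fresh, now);
    results[source] = { value: fresh, from: 'live' };
    answered += 1;
  }
  // Fraction of sources that answered; a scorer can scale its confidence by this.
  return { results, coverage: answered / sources.length };
}

// Walk through going offline with constructed fetchers and a fixed clock.
function runOfflineDemo() {
  const cache = new FeedCache();
  const t0 = 0;
  const fetchers = { threatfox: () => ({ matched: true }), abuseipdb: () => ({ reports: 1247 }) };
  const online = lookupAll(cache, fetchers, '203.0.113.50', { offline: false, now: t0 });
  // 30 minutes later, offline: ThreatFox (1h TTL) and AbuseIPDB (24h) still come from cache.
  const offlineSoon = lookupAll(cache, {}, '203.0.113.50', { offline: true, now: t0 + 30 * 60 * 1000 });
  // Two hours later: the ThreatFox entry has expired, AbuseIPDB remains.
  const offlineLater = lookupAll(cache, {}, '203.0.113.50', { offline: true, now: t0 + 2 * HOUR });
  const removed = cache.sweep(t0 + 25 * HOUR);
  return { online, offlineSoon, offlineLater, removed };
}
```

The coverage value is the hook for the "score adjustments reflect reduced intelligence coverage" bullet: a detection scored while only one of five sources could answer should not be presented with the same confidence as one scored with all five.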

Viewing Threat Intelligence

Guard Status

panguard guard status
  -- Threat Intelligence --------------------

  Feeds:        5 active, last update 2h ago
  IoC matched:  3 in last 24h
  Blocked IPs:  12 total

Chat Notifications

When threat intelligence matches activity on your system, Chat notifies you in a format tailored to your user role:
[Panguard AI Security Alert]

Your server was communicating with a known malicious server.
That IP has been reported 1,247 times globally.
The connection has been automatically blocked. No action needed.

Risk level: High
Status: Automatically resolved

Threat Cloud Deployment

Deploy your own private Threat Cloud server.

Three-Layer AI Funnel

How threat intelligence integrates with the detection pipeline.