Real-Time Protection

Panguard Guard runs 24/7 on your system, monitoring processes, network connections, files, and logs. It uses a four-agent AI pipeline to detect, analyze, respond to, and report on security threats in real time.
For pre-install security, see Skill Auditor — the recommended first step before running any AI agent skill.

Quick Start

1. Start Guard

   panguard guard start

   Guard enters learning mode for the first 7 days, observing your system’s normal behavior.
2. Check Status

   panguard guard status
     -- Guard Status -----------------------

     Status:     Running
     Mode:       Learning (Day 3/7)
     PID:        12345
     Uptime:     3d 14h 22m
     Events:     12,847 observed
     Baseline:   42% complete
3. Wait for Protection Mode

   After 7 days, Guard automatically transitions to protection mode and begins active threat detection and response.

Learning Mode (Days 1-7)

During the learning period, Guard silently observes and records:
  • Processes — Which programs normally run, startup times, resource usage
  • Network — Normal connection patterns, common ports, traffic characteristics
  • Files — Change patterns in critical directories
  • Users — Login times, source IPs, operational patterns
Guard does not generate alerts during learning mode. This prevents the flood of false positives that makes most security tools useless. You receive a daily learning progress summary via Chat.

Protection Mode (Day 8+)

Once the baseline is established, Guard activates full protection:
  • Events that deviate from the baseline trigger alerts
  • The three-layer AI funnel analyzes suspicious events
  • Automated or manual responses based on confidence level
  • Real-time notifications via your configured Chat channel

Confidence-Based Response

Confidence | Action                        | Example
-----------|-------------------------------|---------------------------------------------------
> 90%      | Auto-execute, notify after    | Known malicious IP automatically blocked
70-90%     | Ask for confirmation via Chat | Suspicious process — asks if you want to terminate
< 70%      | Notify only                   | Minor anomaly — informs you for observation

The Four-Agent Pipeline

Every security event flows through four specialized agents:
  Event -> [Detect] -> [Analyze] -> [Respond] -> [Report]
Agent        | Role
-------------|------------------------------------------------------------------------------------
DetectAgent  | Rule matching (ATR), threat intelligence lookup, event correlation
AnalyzeAgent | Evidence collection, weighted confidence scoring, AI reasoning via three-layer funnel
RespondAgent | Action execution (block IP, kill process, isolate file), safety checks, escalation
ReportAgent  | Event logging, baseline updates, anonymized data for Threat Cloud

Response Actions

Guard can execute the following response actions automatically:
Action              | Description                                               | Platform Support
--------------------|-----------------------------------------------------------|-------------------------------------------------
IP Block            | Block malicious IP addresses                              | macOS (pfctl), Linux (iptables), Windows (netsh)
File Isolation      | Quarantine suspicious files with SHA-256 record           | All platforms
Process Termination | Kill malicious processes (SIGTERM, then SIGKILL after 5s) | All platforms
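The graceful-then-forced termination described in the table, as an added Python example (not Guard's RespondAgent code). The 5-second grace period is a parameter so the demo finishes quickly, the child process is a constructed stand-in, and the code is POSIX-only.

```python
"""SIGTERM first, SIGKILL after a grace period.

Added example, not Guard's own code. `terminate` works on any Popen;
`spawn_child` and `demo` only exist to exercise it against a constructed
process that either honours or ignores SIGTERM.
"""
import subprocess
import sys


def terminate(proc: subprocess.Popen, grace_seconds: float = 5.0) -> str:
    """Return which signal ended the process: 'SIGTERM' or 'SIGKILL'."""
    proc.terminate()                      # SIGTERM: give the process a chance to exit cleanly
    try:
        proc.wait(timeout=grace_seconds)  # returncode -15 on POSIX if it complied
        return "SIGTERM"
    except subprocess.TimeoutExpired:
        proc.kill()                       # SIGKILL cannot be caught or ignored
        proc.wait()                       # returncode -9
        return "SIGKILL"


def spawn_child(ignore_sigterm: bool) -> subprocess.Popen:
    """Constructed stand-in for a suspicious process. It prints 'ready' only
    after setting its SIGTERM disposition, so the parent cannot race the handler."""
    disposition = "signal.signal(signal.SIGTERM, signal.SIG_IGN)\n" if ignore_sigterm else ""
    code = "import signal, time\n" + disposition + "print('ready', flush=True)\ntime.sleep(60)\n"
    proc = subprocess.Popen([sys.executable, "-c", code], stdout=subprocess.PIPE, text=True)
    if proc.stdout.readline().strip() != "ready":
        proc.kill()
        raise RuntimeError("child failed to start")
    return proc


def demo(ignore_sigterm: bool, grace_seconds: float = 0.5) -> str:
    proc = spawn_child(ignore_sigterm)
    try:
        return terminate(proc, grace_seconds)
    finally:
        proc.stdout.close()
```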

Safety Protections

Guard includes built-in safety rules to prevent accidental damage:
  • Whitelisted IPs: 127.0.0.1, ::1, localhost, 0.0.0.0 (plus user-configured)
  • Protected processes: sshd, systemd, init, launchd, node, panguard-guard
  • Protected accounts: root, Administrator, SYSTEM
  • Network isolation requires confidence >= 95%
  • Self-process kill prevention
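The confidence tiers above and these safety protections combined into one decision function, as an added Python example (not Panguard's own code). The `Event` fields, the `extra_whitelist` parameter and the fallback to confirmation for network isolation below 95% are assumptions made for the example.

```python
"""Confidence-tiered response decision with Guard's safety protections.

Added example, not Panguard's own code: the thresholds and protected
targets are the ones listed on this page; the Event fields and the
`isolate_network` fallback to confirmation below 95% are assumptions.
"""
from dataclasses import dataclass

AUTO_THRESHOLD = 90.0               # > 90%: auto-execute, notify after
CONFIRM_THRESHOLD = 70.0            # 70-90%: ask for confirmation via Chat
NETWORK_ISOLATION_THRESHOLD = 95.0  # network isolation requires >= 95%

WHITELISTED_IPS = {"127.0.0.1", "::1", "localhost", "0.0.0.0"}
PROTECTED_PROCESSES = {"sshd", "systemd", "init", "launchd", "node", "panguard-guard"}
PROTECTED_ACCOUNTS = {"root", "Administrator", "SYSTEM"}


@dataclass
class Event:
    action: str          # block_ip | kill_process | isolate_file | isolate_network
    confidence: float    # 0-100
    target: str          # IP, process name, file path or host
    target_pid: int = 0  # pid for kill_process (constructed field)
    account: str = ""    # account the action would affect (constructed field)


def decide(event: Event, own_pid: int, extra_whitelist=frozenset()) -> str:
    """Return 'auto', 'confirm', 'notify' or 'blocked:<reason>'."""
    # Safety rules run before the confidence tiers, so a 99% event can
    # never auto-execute against a protected target.
    if event.action == "block_ip" and event.target in (WHITELISTED_IPS | set(extra_whitelist)):
        return "blocked:whitelisted-ip"
    if event.action == "kill_process":
        if event.target in PROTECTED_PROCESSES:
            return "blocked:protected-process"
        if event.target_pid == own_pid:
            return "blocked:self-kill"
    if event.account in PROTECTED_ACCOUNTS:
        return "blocked:protected-account"
    if event.action == "isolate_network" and event.confidence < NETWORK_ISOLATION_THRESHOLD:
        return "confirm"
    if event.confidence > AUTO_THRESHOLD:
        return "auto"
    if event.confidence >= CONFIRM_THRESHOLD:
        return "confirm"
    return "notify"
```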

Integrated Threat Intelligence

Guard automatically queries 5 threat intelligence feeds:
  • ThreatFox — IoC database (IPs, domains, URLs, file hashes)
  • URLhaus — Malware distribution URLs
  • Feodo Tracker — C2 server tracking
  • GreyNoise — IP reputation (targeted vs. mass scanning)
  • AbuseIPDB — Community-reported malicious IPs
Feeds update every hour with local caching to avoid redundant queries.

Rule Engine

ATR Rules

Guard ships with 61 bundled ATR rules. You can also add custom rules:
# Custom rule: detect SSH brute-force attempts observed by the agent
id: ATR-CUSTOM-001
name: SSH Brute Force via Agent
severity: high
detection:
  patterns:
    - event_type: login_failed
      service: ssh
  context: system_event
action: alert
Place .yml files in Guard’s rules directory. Guard automatically loads new rules with hot reload support.
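How the rule above would be evaluated against events, as an added Python example (not Guard's rule engine). The matching semantics (each `patterns` entry is an AND of field conditions, the list is OR-ed, and `context` must equal the event's context) and the sample events are assumptions; the rule is written as the dict `yaml.safe_load` would return so no YAML library is needed.

```python
"""Minimal ATR-style matcher for the custom rule above.

Added example, not Guard's rule engine. Assumed semantics: a patterns entry
is an AND of field/value conditions, the list is OR-ed, and `context` must
equal the event's context. RULE is the YAML above as a plain dict.
"""

RULE = {
    "id": "ATR-CUSTOM-001",
    "name": "SSH Brute Force via Agent",
    "severity": "high",
    "detection": {
        "patterns": [{"event_type": "login_failed", "service": "ssh"}],
        "context": "system_event",
    },
    "action": "alert",
}

# Constructed sample events (not real Guard telemetry).
EVENTS = [
    {"context": "system_event", "event_type": "login_failed", "service": "ssh", "src_ip": "198.51.100.7"},
    {"context": "system_event", "event_type": "login_failed", "service": "ftp", "src_ip": "198.51.100.7"},
    {"context": "tool_response", "event_type": "login_failed", "service": "ssh", "src_ip": "198.51.100.7"},
    {"context": "system_event", "event_type": "login_ok", "service": "ssh", "src_ip": "192.0.2.1"},
    {"context": "system_event", "event_type": "login_failed", "service": "ssh", "src_ip": "198.51.100.7"},
]

def pattern_matches(pattern, event):
    # Every field in the pattern must be present in the event with that value.
    return all(event.get(k) == v for k, v in pattern.items())

def rule_matches(rule, event):
    det = rule["detection"]
    if "context" in det and event.get("context") != det["context"]:
        return False
    return any(pattern_matches(p, event) for p in det.get("patterns", []))

def evaluate(rule, events):
    """One alert per matching event, carrying the rule's id, severity and action."""
    return [{"rule": rule["id"], "severity": rule["severity"], "action": rule["action"],
             "src_ip": e.get("src_ip")} for e in events if rule_matches(rule, e)]

def correlate(alerts):
    """Alerts per source IP: the count a brute-force detection would threshold on."""
    counts = {}
    for a in alerts:
        counts[a["src_ip"]] = counts.get(a["src_ip"], 0) + 1
    return counts
```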

Managing Guard

# Start Guard
panguard guard start

# Check status
panguard guard status

# Stop Guard
panguard guard stop

# View current configuration
panguard guard config

# Install as system service (auto-start on boot)
panguard guard install
For production environments, install Guard as a system service so it starts automatically on boot and restarts on failure. See the System Service guide.

CLI Reference

panguard guard <command> [options]

Commands:
  start              Start the Guard engine
  stop               Stop the Guard engine
  status             Display status
  install            Install as system service
  uninstall          Remove system service
  config             Display current configuration

Options:
  --data-dir <path>  Data directory (default: ~/.panguard-guard)

Learning Mode

Deep dive into the 7-day learning period and baseline building.

Three-Layer AI Funnel

How rules, local AI, and cloud AI work together.

System Service

Install Guard as a systemd/launchd service.

Notification Setup

Configure how Guard notifies you about threats.