
Real-Time Protection

Panguard Guard runs 24/7 on your system, monitoring processes, network connections, files, and logs. It uses a four-agent AI pipeline to detect, analyze, respond to, and report on security threats in real time.

Quick Start

1. Log In

   Guard requires the Solo tier or above:

   panguard login

2. Start Guard

   panguard guard start

   Guard enters learning mode for the first 7 days, observing your system’s normal behavior.

3. Check Status

   panguard guard status
     -- Guard Status -----------------------

     Status:     Running
     Mode:       Learning (Day 3/7)
     PID:        12345
     Uptime:     3d 14h 22m
     Events:     12,847 observed
     Baseline:   42% complete

4. Wait for Protection Mode

   After 7 days, Guard automatically transitions to protection mode and begins active threat detection and response.

Learning Mode (Days 1-7)

During the learning period, Guard silently observes and records:
  • Processes — Which programs normally run, startup times, resource usage
  • Network — Normal connection patterns, common ports, traffic characteristics
  • Files — Change patterns in critical directories
  • Users — Login times, source IPs, operational patterns
Guard does not generate alerts during learning mode. This prevents the flood of false positives that makes most security tools useless. You receive a daily learning progress summary via Chat.

Protection Mode (Day 8+)

Once the baseline is established, Guard activates full protection:
  • Events that deviate from the baseline trigger alerts
  • The three-layer AI funnel analyzes suspicious events
  • Automated or manual responses based on confidence level
  • Real-time notifications via your configured Chat channel
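The learning/protection split described above can be illustrated with a small baseline model. This is an added example, not Guard's own code: it records the process names, ports, destinations and per-user login habits seen during learning, then reports how later events depart from that record. The event shapes and all sample values are constructed for the example; Guard's real baseline also tracks startup times and resource usage, which this simplified set-based model leaves out.

```python
from collections import defaultdict

# Constructed learning-window events (what Guard would record during days 1-7).
LEARNING_EVENTS = [
    {"type": "process", "name": "sshd"},
    {"type": "process", "name": "nginx"},
    {"type": "process", "name": "cron"},
    {"type": "network", "port": 443, "dst": "203.0.113.10"},
    {"type": "network", "port": 22, "dst": "198.51.100.7"},
    {"type": "login", "user": "alice", "src": "198.51.100.7", "hour": 9},
    {"type": "login", "user": "alice", "src": "198.51.100.7", "hour": 17},
]

# Constructed protection-mode events fed in after the baseline is complete.
PROTECTION_EVENTS = [
    {"type": "process", "name": "nginx"},                                 # already known
    {"type": "process", "name": "nc"},                                    # never seen
    {"type": "network", "port": 4444, "dst": "192.0.2.99"},               # new port and destination
    {"type": "login", "user": "alice", "src": "192.0.2.50", "hour": 3},   # new source, odd hour
    {"type": "login", "user": "bob", "src": "198.51.100.7", "hour": 10},  # unknown user
]


class Baseline:
    """Per-host baseline: normal processes, ports, destinations and login habits."""

    def __init__(self):
        self.processes = set()
        self.ports = set()
        self.destinations = set()
        self.login_sources = defaultdict(set)  # user -> source IPs seen
        self.login_hours = defaultdict(set)    # user -> hours of day seen
        self.observed = 0

    def learn(self, event):
        """Learning mode: record the event, never alert."""
        self.observed += 1
        kind = event["type"]
        if kind == "process":
            self.processes.add(event["name"])
        elif kind == "network":
            self.ports.add(event["port"])
            self.destinations.add(event["dst"])
        elif kind == "login":
            self.login_sources[event["user"]].add(event["src"])
            self.login_hours[event["user"]].add(event["hour"])

    def deviations(self, event):
        """Protection mode: list the ways this event departs from the baseline."""
        kind = event["type"]
        found = []
        if kind == "process" and event["name"] not in self.processes:
            found.append(f"new process {event['name']}")
        elif kind == "network":
            if event["port"] not in self.ports:
                found.append(f"new port {event['port']}")
            if event["dst"] not in self.destinations:
                found.append(f"new destination {event['dst']}")
        elif kind == "login":
            user = event["user"]
            if user not in self.login_sources:
                found.append(f"unknown user {user}")
            else:
                if event["src"] not in self.login_sources[user]:
                    found.append(f"{user} from new source {event['src']}")
                if event["hour"] not in self.login_hours[user]:
                    found.append(f"{user} at unusual hour {event['hour']:02d}:00")
        return found


def run(learning_events, protection_events):
    """Build a baseline from the learning events, then return alerts for protection events."""
    baseline = Baseline()
    for ev in learning_events:
        baseline.learn(ev)
    alerts = []
    for ev in protection_events:
        devs = baseline.deviations(ev)
        if devs:
            alerts.append((ev, devs))
    return baseline, alerts


if __name__ == "__main__":
    baseline, alerts = run(LEARNING_EVENTS, PROTECTION_EVENTS)
    print(f"baseline built from {baseline.observed} events")
    for ev, devs in alerts:
        print(ev, "->", "; ".join(devs))
```

The point of the separation is visible in `learn` versus `deviations`: nothing in the learning path can raise an alert, so an incomplete baseline produces silence rather than noise, and only once learning ends does every unseen value become a candidate event for the analysis pipeline.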

Confidence-Based Response

Confidence   Action                           Example
> 90%        Auto-execute, notify after       Known malicious IP automatically blocked
70-90%       Ask for confirmation via Chat    Suspicious process — asks if you want to terminate
< 70%        Notify only                      Minor anomaly — informs you for observation

The Four-Agent Pipeline

Every security event flows through four specialized agents:
  Event -> [Detect] -> [Analyze] -> [Respond] -> [Report]
Agent          Role
DetectAgent    Rule matching (Sigma + YARA), threat intelligence lookup, event correlation
AnalyzeAgent   Evidence collection, weighted confidence scoring, AI reasoning via three-layer funnel
RespondAgent   Action execution (block IP, kill process, isolate file), safety checks, escalation
ReportAgent    Event logging, baseline updates, anonymized data for Threat Cloud

Response Actions

Guard can execute the following response actions automatically:
Action                 Description                                                 Platform Support
IP Block               Block malicious IP addresses                                macOS (pfctl), Linux (iptables), Windows (netsh)
File Isolation         Quarantine suspicious files with SHA-256 record             All platforms
Process Termination    Kill malicious processes (SIGTERM, then SIGKILL after 5s)   All platforms

Safety Protections

Guard includes built-in safety rules to prevent accidental damage:
  • Whitelisted IPs: 127.0.0.1, ::1, localhost, 0.0.0.0 (plus user-configured)
  • Protected processes: sshd, systemd, init, launchd, node, panguard-guard
  • Protected accounts: root, Administrator, SYSTEM
  • Network isolation requires confidence >= 95%
  • Self-process kill prevention
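The confidence tiers, the response actions and the safety rules listed above fit together as one decision step: safety rules are checked first and can veto an action outright, then the confidence score selects auto-execute, confirm or notify. The following is an added example of that step, not Guard's RespondAgent; the `Event` and `Decision` types are invented for it, and two details are assumptions because the page does not spell them out: a protected account is treated as one whose processes are never killed, and a network-isolation request below 95% confidence is downgraded to a confirmation rather than dropped.

```python
import os
from dataclasses import dataclass
from typing import Optional

# Safety rules as listed on the page (user-configured whitelist entries would be added here).
WHITELISTED_IPS = {"127.0.0.1", "::1", "localhost", "0.0.0.0"}
PROTECTED_PROCESSES = {"sshd", "systemd", "init", "launchd", "node", "panguard-guard"}
PROTECTED_ACCOUNTS = {"root", "Administrator", "SYSTEM"}
SELF_PID = os.getpid()  # self-process kill prevention

# Confidence tiers from the page, as fractions.
AUTO_THRESHOLD = 0.90       # above this: execute, notify afterwards
CONFIRM_THRESHOLD = 0.70    # from here up to AUTO: ask via Chat
ISOLATION_THRESHOLD = 0.95  # network isolation is never unattended below this


@dataclass
class Event:
    action: str                  # "block_ip", "kill_process", "isolate_file", "isolate_network"
    target: str                  # IP address, process name, file path or interface
    confidence: float            # 0.0 .. 1.0, as scored by the AnalyzeAgent
    pid: Optional[int] = None    # for kill_process
    owner: Optional[str] = None  # account owning the process, if known


@dataclass
class Decision:
    mode: str    # "auto", "confirm", "notify" or "refuse"
    reason: str


def safety_violation(event: Event) -> Optional[str]:
    """Return why the action must not run, or None if the safety rules allow it."""
    if event.action == "block_ip" and event.target in WHITELISTED_IPS:
        return f"{event.target} is whitelisted"
    if event.action == "kill_process":
        if event.target in PROTECTED_PROCESSES:
            return f"{event.target} is a protected process"
        if event.owner in PROTECTED_ACCOUNTS:
            # Assumption: protected accounts' processes are off limits to kill_process.
            return f"process owned by protected account {event.owner}"
        if event.pid is not None and event.pid == SELF_PID:
            return "refusing to kill own process"
    return None


def decide(event: Event) -> Decision:
    """Apply the safety rules, then map the confidence score onto the page's tiers."""
    violation = safety_violation(event)
    if violation:
        return Decision("refuse", violation)
    if event.confidence > AUTO_THRESHOLD:
        if event.action == "isolate_network" and event.confidence < ISOLATION_THRESHOLD:
            # Assumption: below the 95% bar the isolation request becomes a confirmation.
            return Decision("confirm", "network isolation needs >= 95% confidence to run unattended")
        return Decision("auto", "high confidence: execute, then notify")
    if event.confidence >= CONFIRM_THRESHOLD:
        return Decision("confirm", "medium confidence: ask via Chat")
    return Decision("notify", "low confidence: inform only")


if __name__ == "__main__":
    for ev in (
        Event("block_ip", "203.0.113.5", 0.97),
        Event("block_ip", "127.0.0.1", 0.99),
        Event("kill_process", "sshd", 0.99, pid=999),
        Event("kill_process", "nc", 0.80, pid=4242),
        Event("isolate_network", "eth0", 0.92),
        Event("isolate_file", "/tmp/dropper.bin", 0.55),
    ):
        print(ev.action, ev.target, ev.confidence, "->", decide(ev))
```

Ordering matters: the whitelist and protected-process checks run before the confidence comparison, so a 99% score against `sshd` or `127.0.0.1` is refused rather than auto-executed, and the refusal reason is what reaches the Chat notification.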

Integrated Threat Intelligence

Guard automatically queries 5 threat intelligence feeds:
  • ThreatFox — IoC database (IPs, domains, URLs, file hashes)
  • URLhaus — Malware distribution URLs
  • Feodo Tracker — C2 server tracking
  • GreyNoise — IP reputation (targeted vs. mass scanning)
  • AbuseIPDB — Community-reported malicious IPs
Feeds update every 6 hours with local caching to avoid redundant queries.

Rule Engine

Sigma Rules

Guard ships with 3000+ bundled Sigma rules. You can also add custom rules:
# Custom rule: Detect mass SSH login failures
title: SSH Brute Force Attempt
logsource:
  category: authentication
  product: any
detection:
  selection:
    event_type: login_failed
    service: ssh
  condition: selection
level: high
Place .yml files in Guard’s rules directory. Guard automatically loads new rules with hot reload support.
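To see what the custom rule above actually matches, here is an added example (not Guard's DetectAgent and not the Sigma project's reference code) of a minimal Sigma-subset evaluator: it takes the rule as it would parse from the YAML, applies each selection as an AND over its fields, supports lists (any value) and the `|contains` modifier, and evaluates conditions built from selection names with `and`, `or` and `not`. The rule is embedded as a dict so the block runs without a YAML parser, and the authentication events it scans are constructed sample data.

```python
# The page's custom rule as it parses from YAML (embedded as a dict to run offline).
SSH_BRUTE_FORCE = {
    "title": "SSH Brute Force Attempt",
    "logsource": {"category": "authentication", "product": "any"},
    "detection": {
        "selection": {"event_type": "login_failed", "service": "ssh"},
        "condition": "selection",
    },
    "level": "high",
}

# Constructed authentication events of the shape the rule's logsource describes.
EVENTS = [
    {"event_type": "login_failed", "service": "ssh", "src_ip": "192.0.2.10", "user": "root"},
    {"event_type": "login_failed", "service": "ssh", "src_ip": "192.0.2.10", "user": "admin"},
    {"event_type": "login_failed", "service": "ssh", "src_ip": "192.0.2.10", "user": "test"},
    {"event_type": "login_ok", "service": "ssh", "src_ip": "198.51.100.7", "user": "alice"},
    {"event_type": "login_failed", "service": "rdp", "src_ip": "192.0.2.10", "user": "admin"},
]


def field_matches(event, key, expected):
    """One Sigma field test: exact value, a list (any value matches), or the |contains modifier."""
    name, _, modifier = key.partition("|")
    actual = event.get(name)
    if actual is None:
        return False
    values = expected if isinstance(expected, list) else [expected]
    if modifier == "contains":
        return any(str(v) in str(actual) for v in values)
    if modifier == "":
        return any(actual == v for v in values)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(event, selection):
    """A selection map is an AND over all of its fields."""
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate_condition(tokens, lookup):
    """Recursive-descent evaluation of 'a and not b or c' (precedence: not, and, or)."""
    pos = 0

    def parse_or():
        nonlocal pos
        result = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            result = parse_and() or result
        return result

    def parse_and():
        nonlocal pos
        result = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            result = parse_not() and result
        return result

    def parse_not():
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            return not parse_not()
        name = tokens[pos]
        pos += 1
        return lookup(name)

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result


def rule_matches(rule, event):
    detection = rule["detection"]

    def lookup(name):
        if name not in detection or name == "condition":
            raise KeyError(f"unknown selection: {name}")
        return selection_matches(event, detection[name])

    return evaluate_condition(detection["condition"].split(), lookup)


def scan(rule, events):
    """Return the matching events plus hit counts per src_ip, so a burst from one host stands out."""
    hits = [e for e in events if rule_matches(rule, e)]
    per_source = {}
    for e in hits:
        per_source[e["src_ip"]] = per_source.get(e["src_ip"], 0) + 1
    return hits, per_source


if __name__ == "__main__":
    hits, per_source = scan(SSH_BRUTE_FORCE, EVENTS)
    print(f"{SSH_BRUTE_FORCE['title']}: {len(hits)} hits, by source {per_source}")
```

Note that the rule as written fires on every single failed SSH login; the "mass" aspect comes from correlation (here, the per-source count), which in Guard is the DetectAgent's event-correlation step rather than the rule itself.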

YARA Rules

For file-level malware detection:
rule WebShell {
  strings:
    $php = "<?php eval(" nocase
    $asp = "<%execute(" nocase
  condition:
    any of them
}
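The rule above relies on two YARA features worth seeing in action: the `nocase` modifier, which makes the byte strings match regardless of letter case, and the `any of them` condition, which fires when at least one string is present. The following added example (not Guard's scanner and not the YARA engine itself) expresses that rule as data and evaluates it over constructed sample buffers standing in for scanned files, also handling `all of them` and `N of them`.

```python
import re

# The page's WebShell rule expressed as data: identifier -> (byte pattern, nocase flag).
WEBSHELL_RULE = {
    "name": "WebShell",
    "strings": {
        "$php": (b"<?php eval(", True),
        "$asp": (b"<%execute(", True),
    },
    "condition": "any of them",
}

# Constructed sample buffers standing in for files under scan.
SAMPLES = {
    "shell.php": b"<?PHP EVAL(base64_decode($_POST['c'])); ?>",  # upper case: only nocase catches it
    "index.php": b"<?php echo 'hello'; ?>",                      # benign
    "cmd.asp": b"<% Execute(Request(\"c\")) %>",                 # space after <%, so no match
    "mixed.txt": b"<?php eval($x) <%execute($y)",                # both strings present
}


def find_strings(rule, data):
    """Locate every rule string in the buffer; returns identifier -> list of offsets."""
    found = {}
    for ident, (pattern, nocase) in rule["strings"].items():
        flags = re.IGNORECASE if nocase else 0
        offsets = [m.start() for m in re.finditer(re.escape(pattern), data, flags)]
        if offsets:
            found[ident] = offsets
    return found


def condition_holds(rule, found):
    """Evaluate 'any of them', 'all of them' or 'N of them' against the strings found."""
    cond = rule["condition"]
    if cond == "any of them":
        return len(found) >= 1
    if cond == "all of them":
        return len(found) == len(rule["strings"])
    m = re.fullmatch(r"(\d+) of them", cond)
    if m:
        return len(found) >= int(m.group(1))
    raise ValueError(f"unsupported condition: {cond}")


def scan(rule, data):
    """Return (rule name or None, matched strings with offsets) for one buffer."""
    found = find_strings(rule, data)
    return (rule["name"] if condition_holds(rule, found) else None), found


if __name__ == "__main__":
    for filename, data in SAMPLES.items():
        matched, found = scan(WEBSHELL_RULE, data)
        print(f"{filename}: {'MATCH ' + matched if matched else 'clean'} {found}")
```

The offsets are what a file-isolation record would carry alongside the SHA-256 of the quarantined file, so an analyst can confirm the hit without re-running the scan.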

Managing Guard

# Start Guard
panguard guard start

# Check status
panguard guard status

# Stop Guard
panguard guard stop

# View current configuration
panguard guard config

# Install as system service (auto-start on boot)
panguard guard install
For production environments, install Guard as a system service so it starts automatically on boot and restarts on failure. See the System Service guide.

CLI Reference

panguard guard <command> [options]

Commands:
  start              Start the Guard engine
  stop               Stop the Guard engine
  status             Display status
  install            Install as system service
  uninstall          Remove system service
  config             Display current configuration

Options:
  --data-dir <path>  Data directory (default: ~/.panguard-guard)