Panguard Chat adapts notification content to your role. The same security event produces three entirely different messages depending on whether the recipient is an executive, engineer, or IT administrator.
Role Configuration
```bash
# Set your role during setup
panguard chat setup --user-type boss
# Change role later
panguard chat prefs --user-type developer
```
Role Comparison
The following example shows the same event — a C2 server communication detected and blocked — formatted for each role.
boss — Impact Summary
Target audience: executives, non-technical managers, business owners.
Focus: business impact, risk level, whether action was taken.
```
[Panguard AI Security Notice]
Your server was detected communicating with a known
malicious server. That IP has been reported 1,247 times
globally.
The connection has been automatically blocked. No action
is required from you.
Risk Level: HIGH
Status: Automatically resolved
```
Key characteristics:
- No technical jargon (no IPs, PIDs, or rule names)
- Clear statement of impact
- Explicit “what do I need to do” guidance
- Business-friendly language
developer — Technical Details
Target audience: software engineers, DevOps, SRE.
Focus: raw data, IPs, process details, rule matches, timeline.
```
[Panguard AI Alert]
Threat Intel Match: 203.0.113.50
Source: AbuseIPDB (confidence: 98%)
Tag: C2-Server, ThreatFox IOC-12345
Process: curl (PID 5678) -> 203.0.113.50:443
Action: IP blocked via iptables
Rule: sigma/network/c2-communication.yml
Timeline:
14:23:01 - Outbound connection detected
14:23:02 - Threat intel match confirmed
14:23:02 - Auto-response: IP blocked
```
Key characteristics:
- Full IP addresses, PIDs, and port numbers
- Threat intelligence source and confidence score
- Exact rule that matched
- Precise timeline with second-level granularity
it_admin
Target audience: IT administrators, system administrators, help desk.
Focus: what happened, what was done, and what to do next.
```
[Panguard AI - Remediation Guide]
Event: Communication with known C2 server detected
Severity: HIGH
Action taken: Automatically blocked IP 203.0.113.50
Recommended next steps:
1. Check if process curl (PID 5678) is a legitimate operation
2. If not, terminate the process: kill -9 5678
3. Check for other processes connecting to the same IP
4. Run a full system scan: panguard scan
5. If confirmed compromise, run a full investigation
```
Key characteristics:
- Numbered remediation steps
- Specific commands to execute
- Escalation guidance
- Reference to other Panguard tools
Notification Content by Role
| Content Element | boss | developer | it_admin |
|---|---|---|---|
| Severity level | Yes | Yes | Yes |
| Business impact | Yes | — | — |
| Source IP address | — | Yes | Yes |
| Process ID (PID) | — | Yes | Yes |
| Rule name | — | Yes | — |
| MITRE ATT&CK ID | — | Yes | — |
| Timeline | — | Yes | — |
| Remediation steps | — | — | Yes |
| “What to do” guidance | Yes | — | Yes |
| Threat intel source | — | Yes | — |
| Confidence score | — | Yes | — |
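The table above can also be applied as a check on outgoing text, so that a message routed to one role does not carry elements reserved for another. The following is an added example, not Panguard's own code: the regex detectors and all function names are assumptions, and it covers only the table rows that have a recognizable text pattern.

```python
import re

ROLES = {"boss", "developer", "it_admin"}

# Which roles may see each element, copied from the table above.
ALLOWED = {
    "ip":         {"developer", "it_admin"},
    "pid":        {"developer", "it_admin"},
    "rule":       {"developer"},
    "mitre_id":   {"developer"},
    "timeline":   {"developer"},
    "confidence": {"developer"},
}

# Hypothetical detectors: one regex per element (assumed patterns, not Panguard's).
DETECTORS = {
    "ip":         re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "pid":        re.compile(r"\bPID\s+\d+\b"),
    "rule":       re.compile(r"\b[\w./-]+\.ya?ml\b"),
    "mitre_id":   re.compile(r"\bT\d{4}(?:\.\d{3})?\b"),
    "timeline":   re.compile(r"^\s*\d{2}:\d{2}:\d{2}\b", re.MULTILINE),
    "confidence": re.compile(r"\bconfidence:\s*\d+%", re.IGNORECASE),
}

def elements_in(message):
    """Return the set of elements whose pattern occurs in the message text."""
    return {name for name, rx in DETECTORS.items() if rx.search(message)}

def violations(message, role):
    """Elements present in the message that the table does not grant to this role."""
    if role not in ROLES:
        raise ValueError(f"unknown role: {role!r}")
    return sorted(e for e in elements_in(message) if role not in ALLOWED[e])

# Sample input: the three notifications shown on this page, abbreviated.
BOSS_MSG = """Your server was detected communicating with a known
malicious server. That IP has been reported 1,247 times globally.
Risk Level: HIGH"""
DEV_MSG = """Threat Intel Match: 203.0.113.50
Source: AbuseIPDB (confidence: 98%)
Process: curl (PID 5678) -> 203.0.113.50:443
Rule: sigma/network/c2-communication.yml
14:23:01 - Outbound connection detected"""
ADMIN_MSG = """Action taken: Automatically blocked IP 203.0.113.50
1. Check if process curl (PID 5678) is a legitimate operation"""

if __name__ == "__main__":
    for role, msg in [("boss", BOSS_MSG), ("boss", DEV_MSG), ("it_admin", ADMIN_MSG)]:
        print(role, violations(msg, role))
```
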
Selecting the Right Role
| If you are… | Choose | Because |
|---|---|---|
| A founder or CEO getting security updates on your startup’s servers | boss | You need to know the impact, not the technical details |
| A developer managing your own VPS or side project | developer | You want raw data to debug and investigate yourself |
| An IT admin responsible for multiple systems | it_admin | You need clear steps to follow for each incident |
| An MSP managing client infrastructure | it_admin | Step-by-step guides help your team respond consistently |
You can run panguard chat setup again at any time to switch roles. The change takes effect immediately for all future notifications.