Skip to main content
Panguard Guard is the core runtime protection engine. It monitors your system 24/7 using 10 monitor types, processes every security event through a 4-agent DARE pipeline (Detect, Analyze, Respond, Report), and takes automated action against threats based on confidence scoring.

Quick Start

# Start Guard (requires Solo plan or above)
panguard guard start

# Check status (free)
panguard guard status

# Stop Guard
panguard guard stop

Operating Modes

Guard operates in two modes and transitions automatically:

Learning Mode (Day 1—7)

During the first 7 days, Guard observes your system to build a behavioral baseline: 
Mode:       Learning (Day 3/7)
Monitoring: processes, network, files
Baseline:   42% complete
  • No alerts are generated (prevents false positives)
  • Records normal process patterns, network connections, file activity
  • Sends daily learning progress summaries via Chat

Protection Mode (Day 8+)

After the baseline is established, Guard switches to active protection: 
Mode:       Protection
Score:      85/100 (Grade: A)
Threats:    0 active
Blocked:    12 IPs today
  • Deviations from baseline trigger alerts
  • Automated response based on confidence thresholds
  • Real-time notifications via Chat

The DARE Pipeline

Every security event flows through 4 agents in sequence: 
Event ──> Detect ──> Analyze ──> Respond ──> Report
AgentResponsibility
DetectRule matching (Sigma + YARA), threat intel lookup, deduplication, event correlation
AnalyzeEvidence collection, weighted confidence scoring, AI reasoning, baseline deviation checks
RespondAction execution (block IP, kill process, quarantine file), safety checks, escalation
ReportJSONL logging with rotation, baseline updates, anonymized data for Threat Cloud

Agent Pipeline Deep Dive

Detailed breakdown of each agent’s inputs, outputs, and decision logic.

Detection Layers

Guard uses a 3-layer AI detection funnel to minimize latency and cost:
LayerEngineCostLatencyTraffic
Layer 1Sigma rules, YARA, built-in patterns, threat intel$0< 1 ms~90% of events
Layer 2Ollama (local AI)$0~100 ms~7% of events
Layer 3Claude / OpenAI (cloud AI)~$0.01/event~1 s~3% of events
Only events that cannot be resolved at a lower layer are escalated to the next.

Key Capabilities

CapabilityDetails
Monitor types10 (4 built-in + 6 advanced)
Sigma rules20 built-in + custom + community
YARA rules900+ file pattern matching rules
Threat intel feeds5 sources (ThreatFox, URLhaus, Feodo, GreyNoise, AbuseIPDB)
Correlation patterns7 attack patterns with MITRE ATT&CK mapping
Response actionsIP block, process kill, file quarantine, notify, log
Cross-platformmacOS (pfctl), Linux (iptables), Windows (netsh)
Log retention50 MB per file, 10 rotated files, 90-day retention

Status Dashboard

panguard guard status

Status:     Running
Mode:       Protection
PID:        12345
Uptime:     14d 6h 33m
Score:      85/100 (Grade: A)
Threats:    0 active
Events:     134,567 processed
Rules:      42 Sigma + 15 YARA
Feeds:      5 active

CLI Options

panguard guard <command> [options]

Commands:
  start              Start Guard engine
  stop               Stop Guard engine
  status             Show current status
  install            Install as system service
  uninstall          Remove system service
  config             Show current configuration

Options:
  --data-dir <path>  Data directory (default: ~/.panguard-guard)

Monitors

All 10 monitor types: built-in and advanced.

Event Correlation

7 correlation patterns for multi-step attack detection.

Auto-Response

Response actions, safety rules, and escalation ladder.

Agent Pipeline

Deep dive into the 4-agent DARE pipeline.