Panguard Manager is a centralized orchestration server that coordinates multiple Guard agents across your infrastructure. It uses a hub-and-spoke architecture where each endpoint agent connects to a single Manager server for registration, heartbeat monitoring, threat reporting, cross-agent correlation, and policy distribution.
Quick Start
# Start the Manager server
panguard manager start --port 8443
# On each endpoint, connect Guard to the Manager
panguard guard start --manager http://manager-host:8443
# Check fleet status
panguard manager status
Panguard Manager requires the Business plan, which supports up to 25 machines. Contact sales for higher limits.
Hub-and-Spoke Architecture
               Panguard Manager (Hub)
              ┌──────────────────────┐
              | Agent Registry       |  Max 500 agents
              | Threat Aggregator    |  Cross-agent correlation
              | Policy Engine        |  Centralized rules
              | Manager Server       |  REST API + SSE
              | Manager DB           |  SQLite (optional)
              └────────┬─────────────┘
       ┌───────────────┼───────────────┐
       |               |               |
Agent (srv-01)  Agent (srv-02)  Agent (srv-03)
     Guard           Guard           Guard
     Scan            Scan            Scan
     Chat            Trap            Chat
Each agent connects to the Manager, reports its status and detected threats, and polls for policy updates. The Manager correlates threats across the entire fleet.
Core Components
| Component | Source | Responsibility |
|---|---|---|
| Manager | manager.ts | Central orchestrator composing all subsystems |
| AgentRegistry | agent-registry.ts | Agent CRUD, heartbeat tracking, stale detection (max 500 agents) |
| ThreatAggregator | threat-aggregator.ts | Threat ingestion, cross-agent correlation (5-min window), 24-hour retention |
| PolicyEngine | policy-engine.ts | Policy versioning, per-agent and global policies, broadcast queue |
| ManagerServer | server.ts | HTTP API (raw node:http), Bearer token auth (SHA-256 timing-safe), rate limiting (60 req/min), SSE streaming |
| ManagerDB | db.ts | Optional SQLite persistence for org-scoped queries |
Key Capabilities
| Capability | Details |
|---|---|
| Agent registry | Up to 500 registered agents |
| Heartbeat monitoring | 30-second interval, 90-second stale detection |
| Policy distribution | Global and per-agent policies with version control |
| Cross-agent correlation | Detect attacks spanning multiple machines by source IP, malware hash, and attack pattern |
| SSE streaming | Real-time event stream for admin dashboards |
| Authentication | Bearer token with SHA-256 timing-safe comparison |
| Rate limiting | 60 requests per minute per client |
| Persistence | Optional SQLite for org-scoped data retention |
Fleet Status
Fleet Status:
Total agents: 12
Online: 11
Stale: 1 (srv-07, last seen 3m ago)
Avg. score: 78/100
Active threats: 2 (across 2 agents)
Policies: v3 (deployed to 11/12 agents)
Cross-Agent Threat Correlation
The ThreatAggregator correlates threats across agents within a 5-minute sliding window:
| Pattern | Detection |
|---|---|
| Same source IP targeting multiple agents | Lateral movement or mass scanning |
| Same malware hash on multiple agents | Worm propagation |
| Same attack pattern across agents | Coordinated campaign |
When a cross-agent pattern is detected, the Manager pushes emergency policies to all agents (e.g., fleet-wide IP block).
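The correlation described above, as an added example that is not Panguard's own code: it groups events from the last 5 minutes by source IP, malware hash and attack pattern, and reports any value seen on more than one agent. The event shape (`agentId`, `ts`, `sourceIp`, `malwareHash`, `attackPattern`), the `correlate` function, the two-agent threshold and the sample events are assumptions made for illustration.

```javascript
// Added illustration; the event shape and minAgents threshold are assumptions,
// not Panguard's ThreatAggregator source.
const WINDOW_MS = 5 * 60 * 1000; // 5-minute correlation window (from the page)

// Indicator fields and the interpretation the page's table gives each one.
const INDICATORS = {
  sourceIp: 'Lateral movement or mass scanning',
  malwareHash: 'Worm propagation',
  attackPattern: 'Coordinated campaign',
};

// One finding per indicator value seen on >= minAgents distinct agents
// inside the window that ends at `now`.
function correlate(events, now, minAgents = 2) {
  const recent = events.filter((e) => e.ts <= now && now - e.ts <= WINDOW_MS);
  const findings = [];
  for (const [field, label] of Object.entries(INDICATORS)) {
    const agentsByValue = new Map();
    for (const e of recent) {
      const value = e[field];
      if (!value) continue; // event carries no indicator of this kind
      if (!agentsByValue.has(value)) agentsByValue.set(value, new Set());
      agentsByValue.get(value).add(e.agentId); // Set: repeats from one agent count once
    }
    for (const [value, agents] of agentsByValue) {
      if (agents.size >= minAgents) {
        findings.push({ field, value, label, agents: [...agents].sort() });
      }
    }
  }
  return findings;
}

// Constructed sample events (ms timestamps, documentation-range IPs).
const T0 = Date.UTC(2024, 0, 1, 12, 0, 0);
const MIN = 60 * 1000;
const SAMPLE_EVENTS = [
  { agentId: 'srv-01', ts: T0, sourceIp: '203.0.113.7', attackPattern: 'ssh-bruteforce' },
  { agentId: 'srv-02', ts: T0 + 2 * MIN, sourceIp: '203.0.113.7', attackPattern: 'ssh-bruteforce' },
  { agentId: 'srv-01', ts: T0 + 3 * MIN, sourceIp: '198.51.100.9' }, // one agent, twice
  { agentId: 'srv-01', ts: T0 + 3 * MIN + 1, sourceIp: '198.51.100.9' },
  { agentId: 'srv-03', ts: T0 - 6 * MIN, malwareHash: 'constructed-hash-aa' }, // too old
  { agentId: 'srv-02', ts: T0 + 1 * MIN, malwareHash: 'constructed-hash-aa' },
];

console.log(correlate(SAMPLE_EVENTS, T0 + 4 * MIN));
```

Counting distinct agents rather than events keeps one noisy endpoint from looking like a fleet-wide pattern, and the same hash on two agents does not correlate once one sighting has aged out of the window.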
API Endpoints
| Method | Path | Description |
|---|---|---|
| POST | /api/agents/register | Register a new agent |
| POST | /api/agents/:id/heartbeat | Send agent heartbeat |
| POST | /api/agents/:id/events | Report threat events |
| GET | /api/agents | List all agents |
| DELETE | /api/agents/:id | Deregister an agent |
| GET | /api/policy/agent/:id | Get policy for agent |
| POST | /api/policy | Create/update a policy |
| GET | /api/events/stream | SSE event stream |
CLI Options
panguard manager <command> [options]
Commands:
  start       Start the Manager server
  stop        Stop the Manager server
  status      Show fleet status
  agents      List registered agents
  policies    Manage policies
Options:
  --port <number>      Server port (default: 8443)
  --host <string>      Bind address (default: 0.0.0.0)
  --data-dir <path>    Data directory (default: ~/.panguard-manager)