Privacy is a core design principle of Panguard Threat Cloud. All threat data is anonymized before leaving your machine, zero telemetry is collected, and the entire system can operate fully offline with a single configuration flag.

Anonymization

IP Address Masking

All IP addresses are /16-anonymized before submission. The last two octets are zeroed:
| Original IP | Anonymized IP |
|---|---|
| 192.168.1.50 | 192.168.0.0 |
| 10.0.42.100 | 10.0.0.0 |
| 203.0.113.50 | 203.0.0.0 |
This preserves network-level information needed for threat intelligence while making it impossible to identify specific hosts.

What Is Shared

| Data | Shared | Anonymization |
|---|---|---|
| Attacker source IP | Yes | /16 masked (last two octets zeroed) |
| Attack type and technique | Yes | Already generic, no anonymization needed |
| MITRE ATT&CK IDs | Yes | Public taxonomy, no anonymization needed |
| Confidence score | Yes | No anonymization needed |
| File hashes (malware) | Yes | Hash only, no file content |
| Timestamps | Yes | Rounded to nearest hour |
| Tags and classification | Yes | Already generic |

What Is Never Shared

| Data | Status |
|---|---|
| Your machine’s IP address | Never transmitted |
| Hostnames or machine IDs | Never transmitted |
| Internal IP addresses | Never transmitted |
| File contents | Never transmitted |
| Log entries or raw events | Never transmitted |
| User credentials | Never transmitted |
| Configuration details | Never transmitted |
| Scan results | Never transmitted |
| Usernames or account names | Never transmitted |
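
The masking, rounding and field rules from the tables above, as an added Python example (not Panguard's own code), with a `violations` check for auditing a record before or after it is sent. The field names, the sample event and the rejection of non-IPv4 input are assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumed field names for the "What Is Shared" table; not Panguard's real schema.
SHARED_FIELDS = {"source_ip", "attack_type", "mitre_ids", "confidence",
                 "file_hash", "timestamp", "tags"}

def mask_ip_16(ip: str) -> str:
    """Zero the last two octets of an IPv4 address (keep the /16 prefix)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on anything else, IPv6 included
    net = ipaddress.ip_network(f"{addr}/16", strict=False)
    return str(net.network_address)

def round_to_hour(ts: datetime) -> datetime:
    """Round to the nearest hour; 30 minutes and above rounds up."""
    floor = ts.replace(minute=0, second=0, microsecond=0)
    return floor + timedelta(hours=1) if ts - floor >= timedelta(minutes=30) else floor

def anonymize(event: dict) -> dict:
    """Allowlist the shareable fields, then mask the IP and coarsen the time."""
    out = {k: v for k, v in event.items() if k in SHARED_FIELDS}
    out["source_ip"] = mask_ip_16(out["source_ip"])
    out["timestamp"] = round_to_hour(out["timestamp"])
    return out

def violations(record: dict) -> list:
    """Audit check: list the ways a record breaks the stated sharing rules."""
    problems = [f"unexpected field: {k}" for k in sorted(record.keys() - SHARED_FIELDS)]
    if mask_ip_16(record["source_ip"]) != record["source_ip"]:
        problems.append("source_ip not /16-masked")
    ts = record["timestamp"]
    if (ts.minute, ts.second, ts.microsecond) != (0, 0, 0):
        problems.append("timestamp not on the hour")
    return problems

# Constructed sample event; the hostname and username must not survive.
RAW_EVENT = {
    "source_ip": "203.0.113.50",
    "attack_type": "ssh-bruteforce",
    "mitre_ids": ["T1110"],
    "confidence": 0.92,
    "timestamp": datetime(2024, 5, 1, 13, 47, 12, tzinfo=timezone.utc),
    "hostname": "db01.internal.example",
    "username": "alice",
}

if __name__ == "__main__":
    print(anonymize(RAW_EVENT))
    print(violations(RAW_EVENT))
```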

Zero Telemetry

Panguard collects zero telemetry about your usage:
  • No usage analytics
  • No crash reports sent externally
  • No feature tracking
  • No license phone-home beyond initial activation
  • No third-party analytics SDKs
  • No browser fingerprinting
  • No session recording

Data Retention

| Setting | Default | Description |
|---|---|---|
| IoC retention | 90 days | Indicators older than 90 days are automatically purged |
| Submission logs | Local only | Kept on your machine, never uploaded |
| Feed cache | Refreshed every 6 hours | Local cache of external feed data |

Opt-Out (Offline Mode)

Threat Cloud sharing can be disabled entirely for air-gapped or privacy-sensitive environments:
# Disable Threat Cloud in Guard
panguard guard config --threat-cloud disabled

# Or set via environment variable
export PANGUARD_THREAT_CLOUD=disabled

# Or disable per-session when starting Trap
panguard trap start --services ssh,http --no-cloud
When disabled:
  • No data is submitted to any Threat Cloud instance (public or private)
  • Guard continues to function with local detection only (Sigma rules, YARA, baseline)
  • Threat intelligence lookups use only the last-synced local feed cache
  • No network connections are made to Threat Cloud endpoints
  • All other features remain fully operational
Offline mode reduces detection capability since you lose access to collective threat intelligence. Consider running a private Threat Cloud instance within your network as a middle ground between full sharing and complete isolation.

Audit Logging

All data submissions to Threat Cloud are logged locally for audit purposes:
# View submission log
cat ~/.panguard/threat-cloud/submissions.log
Each log entry records:
| Field | Description |
|---|---|
| timestamp | When the submission was made |
| data | The exact anonymized data that was sent |
| endpoint | Threat Cloud URL that received the data |
| status | HTTP response status |
This allows you to verify exactly what data left your machine at any point in time.

Self-Hosted Private Instance

For maximum privacy, run your own Threat Cloud instance:
# Start your private instance
panguard threat start --port 8080 --api-key your-key

# Point agents to your private instance
panguard guard start --threat-cloud http://your-private-server:8080
With a self-hosted instance:
  • All threat data stays within your network
  • You control retention, access, and deletion policies
  • You still benefit from external feed synchronization (ThreatFox, URLhaus, etc.)
  • Cross-agent correlation works across your fleet
  • No data leaves your network perimeter

GDPR Compliance

Panguard Threat Cloud is designed with GDPR principles:
| Principle | Implementation |
|---|---|
| Data minimization | Only the minimum data needed for threat correlation is collected |
| Purpose limitation | Data is used exclusively for threat intelligence |
| Storage limitation | Configurable retention periods (default: 90 days) with automatic purge |
| Right to erasure | Self-hosted instances have full control over data deletion |
| Data protection by design | Anonymization is applied at the source, before any data leaves the agent |
For organizations with strict data sovereignty requirements, combine a self-hosted Threat Cloud with disabled public sharing. This gives you collective intelligence within your organization without any data leaving your network.