Key components
- Extension runtime: Executes fast checks and shows user prompts.
- Security gateway: Normalizes requests and applies rate limits.
- Threat intelligence: Aggregates signals from multiple sources.
- Model service: Provides classification and explanations when the risk is uncertain.
Core layers
- Browser extension for local scanning and user prompts
- Security gateway for enrichment and risk evaluation
- Threat intelligence layer for shared signals and updates
- Model service for classification and explanation
Data flow
- A page or transaction event is captured by the extension.
- Local rules and checks run first for speed.
- When risk is uncertain, the request is enriched by the gateway.
- A final decision is returned and shown with clear context.
Design goals
- Fast response for safety-critical events
- Minimal data collection
- Clear, human-readable explanations
Trust boundaries
You can assume the extension is the first line of defense and the final UI authority. The backend only receives the minimum metadata needed to confirm a decision. Sensitive data like private keys never leaves the wallet or browser.Failure modes
If the gateway is unavailable, ChainGuard falls back to local checks and shows a reduced-confidence warning. You still get protection, but deep analysis and enrichment may be delayed.Next steps
- See how models are governed in AI engine.
- Learn how external signals are sourced in Data providers.