## Inspiration
The average enterprise takes 241–258 days to identify and contain a data breach (IBM Cost of a Data Breach Report,
2024–2025). Credential-driven incidents take nearly 10 months. Meanwhile, GDPR mandates notification within 72
hours, and PCI-DSS within 24 hours.
We asked: What if an AI agent could handle the entire breach response lifecycle — detection, research, remediation, and compliance — autonomously, in under 2 minutes?
## What it does
Sentinel is a fully autonomous breach response agent. When a data breach is detected, it:
- Ingests breach data (CSV of leaked credentials) into Ghost DB
- Matches compromised emails against the user database, classifying severity (CRITICAL vs WARNING)
- Researches the attack vector using Claude (via Truefoundry AI Gateway), searching for relevant CVEs, querying the Senso.ai knowledge base for security advisories, and classifying the incident type
- Analyzes compliance requirements across GDPR, CCPA, HIPAA, FERPA, and PCI-DSS — generating notification deadlines, checklists, and risk assessments
- Locks compromised accounts via Auth0 Management API (blocking users + revoking sessions) — all concurrently
- Calls critical users via Bland AI phone calls with an AI agent that can answer questions about the incident
- Logs every decision to Ghost DB and traces the full agent decision chain with Overmind
All of this happens autonomously — no human intervention required. The entire pipeline streams real-time events via SSE to a live dashboard.
## How we built it
Backend: Python 3.12 + FastAPI with full async/await architecture. The pipeline orchestrator uses asyncio.gather()
to run account locks and phone calls concurrently. SSE streaming via asyncio.Queue delivers zero-latency real-time
updates.
Frontend: Vanilla TypeScript + Bun server. RivalMap-inspired pipeline visualization showing each sponsor tool in
action with branded badges and real-time progress.
LLM Routing: Truefoundry AI Gateway routes Claude API calls. If the gateway is unavailable, the system automatically falls back to direct Anthropic API — ensuring the demo always works.
Database: Ghost DB (PostgreSQL-as-a-service) stores users, breach events, response logs, and research cache. Breach CSV ingestion uses batch INSERT for 500 rows in a single round-trip.
Key Architecture Decisions:
- Queue-based SSE streaming (not polling) for instant event delivery
- Concurrent Auth0 + Bland AI calls via asyncio.gather()
- Heuristic incident classification with LLM override
- Compliance analysis engine covering 5 regulatory frameworks
- Graceful degradation: hardcoded fallbacks ensure demo resilience
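The concurrent lock-and-call step with queue-backed event streaming and graceful degradation, as an added example rather than the project's own code: the Auth0 and Bland AI clients are replaced by hypothetical in-memory fakes (one user deliberately absent from the identity provider, so a failing API is exercised), and `respond`, `Event` and `run_demo` are names chosen here, so the block runs offline.

```python
import asyncio
from dataclasses import dataclass

# Constructed example: locks and calls run concurrently under asyncio.gather(), each step
# reports through an asyncio.Queue an SSE endpoint would drain, and a failing external API
# is recorded as a failed step instead of aborting the run. The API callables are hypothetical.

@dataclass
class Event:
    step: str    # "lock" or "call"
    email: str
    status: str  # "done" or "failed"
    detail: str = ""

async def _step(name, fn, email, queue) -> Event:
    try:
        await fn(email)
        ev = Event(name, email, "done")
    except Exception as exc:  # graceful degradation: one failing API must not stop the rest
        ev = Event(name, email, "failed", f"{type(exc).__name__}: {exc}")
    await queue.put(ev)
    return ev

async def respond(critical, lock, call, queue):
    tasks = [_step("lock", lock, e, queue) for e in critical]
    tasks += [_step("call", call, e, queue) for e in critical]
    events = await asyncio.gather(*tasks)  # every lock and call in flight at once
    await queue.put(None)  # sentinel so the SSE consumer knows the stream is complete
    return list(events)

# Constructed fakes standing in for the identity provider and the calling service.
MISSING = {"carol@example.com"}  # a user that was never seeded in the IdP
async def fake_lock(email: str) -> None:
    if email in MISSING:
        raise LookupError("user not found in identity provider")
async def fake_call(email: str) -> None:
    await asyncio.sleep(0)  # stands in for network latency

async def _demo(critical):
    queue = asyncio.Queue()
    events = await respond(critical, fake_lock, fake_call, queue)
    streamed = []  # what the SSE endpoint would have forwarded, in arrival order
    while (ev := await queue.get()) is not None:
        streamed.append(f"{ev.step}:{ev.email}:{ev.status}")
    done = sorted(f"{e.step}:{e.email}" for e in events if e.status == "done")
    failed = sorted(f"{e.step}:{e.email}" for e in events if e.status == "failed")
    return {"done": done, "failed": failed, "streamed": streamed}

def run_demo(critical):  # synchronous entry point
    return asyncio.run(_demo(critical))
```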
## Sponsor Tool Integration
| Sponsor Tool | How Sentinel Uses It |
|---|---|
| Ghost DB | Core PostgreSQL database — users, breach_events, response_log, research_cache. All incident state persists here. |
| Auth0 | Blocks compromised accounts via Management API, revokes active sessions. Real OAuth client credentials flow. |
| Bland AI | Makes outbound AI phone calls to critical users. The AI agent answers questions about the breach and guides users through password reset + MFA setup. |
| Truefoundry | Routes all Claude LLM calls through the AI Gateway. Powers breach analysis, CVE research, and incident classification. |
| Overmind | Traces every agent decision for a full audit trail. 2-line integration that auto-instruments all LLM calls. |
| Senso.ai | Security knowledge base queried during the research phase for CVE data, advisories, and breach mitigation playbooks. |
| Aerospike | Configured for fast email lookup and vector search (falls back to Ghost DB queries). |
| Airbyte | Designed for a formal CSV ingestion pipeline (falls back to direct batch insert). |
## Challenges we faced
- Time pressure: Building 8+ integrations in a single day required ruthless prioritization and parallel development
- Bland AI billing: Hit account credit limits during testing — required graceful error handling
- Auth0 user seeding: Only 15 of 100+ DB users could be seeded in Auth0's free tier, requiring graceful handling of missing accounts
- LLM reliability: Truefoundry gateway occasionally returned errors, so we built automatic Anthropic API fallback
- SSE streaming: Initial polling-based approach had 100ms latency; rebuilt with Queue-based streaming for instant delivery
## Accomplishments we're proud of
- Real API calls, not mocks. Sentinel actually locks Auth0 accounts, makes Bland AI phone calls, and writes to Ghost DB.
- Sub-2-minute response time vs. the industry average of 241+ days
- Compliance report generation is completely automatic (CCPA)
- Concurrent operations — all account locks and phone calls run in parallel
- Full decision tracing via Overmind for SOC audit integration
## What we learned
- Autonomous agents need graceful degradation — every external API can fail
- Queue-based streaming is dramatically better than polling for real-time UX
- Compliance analysis is surprisingly formulaic and well-suited for automation
- Phone calls are the highest-impact demo moment — invest in getting them right
## What's next for Sentinel
- Aerospike vector search for semantic breach pattern matching
- Airbyte connectors for automated breach feed ingestion from dark web monitoring services
- Multi-tenant support with per-organization policies
- SOC integration via webhooks and SIEM connectors
- Historical analysis comparing current incidents to past breaches for faster classification
## Built With
- aerospike
- airbyte
- anthropic
- asyncio
- auth0
- bland-ai
- bun
- claude-api
- fastapi
- ghost-db
- overmind
- postgresql
- python
- senso.ai
- sse
- truefoundry
- typescript