Inspiration

  • Records the decision and generates an audit report

That blind-spot visibility is the main product differentiator.

Sentinel also has a technically sophisticated expert-support layer behind the operator workflow:

  • a grounded ReAct-style agent loop that reasons step by step through explicit tool calls
  • incident-context tools for incidents, detector results, coverage state, and decision support
  • an MCP-backed cyber knowledge path that can retrieve MITRE ATT&CK tactics, techniques, and mitigations
  • auditable reasoning that experts can inspect instead of a black-box chatbot answer

What A Judge Should Understand Quickly

This is a decision-support product for security operations, not just a detection model and not just a chatbot.

The main workflow is:

  1. ingest cloud activity
  2. form an incident
  3. generate a recommended action and alternatives
  4. show checked vs not checked evidence
  5. let a human choose
  6. log the decision trace and generate a report

The project is successful when a non-expert can answer four questions from the UI:

  1. What happened?

The strongest demo path is an incomplete incident.

Example:

  1. the system sees suspicious login and follow-on activity
  2. it recommends resetting credentials
  3. it clearly shows that a key branch such as network evidence was not checked
  4. it warns that the recommendation may be incomplete
  5. the operator uses the double-check flow or chooses a safer alternative
  6. the system logs that decision and produces a report

That is the value: not just a recommendation, but visible uncertainty and visible blind spots.
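The main workflow and the incomplete-incident demo path above, as an added illustration (this is not Sentinel's own code; the evidence category names other than "network", the signal names and the action labels are assumed):

```python
from dataclasses import dataclass
from typing import Dict, List

# Evidence branches the coverage review tracks. The page only names the
# network branch; the other category names are assumed for this example.
CATEGORIES = ("identity", "network", "data_access", "persistence")

@dataclass
class Incident:
    incident_id: str
    signals: List[str]           # detector signals that formed the incident
    checked: Dict[str, bool]     # evidence category -> was this branch examined?

@dataclass
class Recommendation:
    action: str
    alternatives: List[str]
    unchecked: List[str]         # blind spots to make impossible to miss
    incomplete: bool             # True when any evidence branch was skipped

def coverage_review(inc: Incident) -> Recommendation:
    """Recommend an action and surface which evidence branches were never checked."""
    unchecked = [c for c in CATEGORIES if not inc.checked.get(c, False)]
    if "suspicious_login" in inc.signals:
        action, alternatives = "reset_credentials", ["disable_user", "require_mfa_and_monitor"]
    else:
        action, alternatives = "monitor", ["escalate_to_expert"]
    return Recommendation(action, alternatives, unchecked, incomplete=bool(unchecked))

def record_decision(inc: Incident, rec: Recommendation, chosen: str, operator: str) -> dict:
    """Audit-trail entry: what was recommended, what was not checked, what the human chose."""
    return {
        "incident_id": inc.incident_id,
        "recommended": rec.action,
        "alternatives": rec.alternatives,
        "unchecked_evidence": rec.unchecked,
        "warning": "recommendation may be incomplete" if rec.incomplete else None,
        "chosen": chosen,
        "operator": operator,
        "choice_was_recommended": chosen == rec.action,
    }

# Constructed sample incident: login anomaly seen, network branch never examined.
SAMPLE = Incident("inc-demo-001", ["suspicious_login", "new_access_key_created"],
                  {"identity": True, "data_access": True, "persistence": True})

if __name__ == "__main__":
    rec = coverage_review(SAMPLE)
    print(record_decision(SAMPLE, rec, "require_mfa_and_monitor", "operator-1"))
```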

Demo Talking Points

Use this framing in a live demo:

  1. A threat hits and Sentinel alerts the operator.
  2. The operator is not expected to be a security expert.
  3. Sentinel explains the issue in plain language.
  4. Sentinel shows the recommended action and alternatives.
  5. Sentinel makes missing evidence impossible to miss.
  6. The operator chooses a response and Sentinel generates the report automatically.
  7. If the incident is severe, the expert view exposes the raw logs, model evidence, and full audit trail.

The message for a judge is simple: Sentinel is not just finding threats. It is helping the right person make the right decision quickly, even under incomplete information.

Architecture At A Glance

The repo has five major parts:

  • src: ingestion, normalization, feature derivation, incident building, training, demo generation, services, repositories, and agent logic
  • backend: FastAPI core API for incidents, decision support, coverage review, operator actions, and reports
  • frontend: Next.js operator interface with simple and expert views
  • agent_backend: separate agent service for grounded incident Q&A
  • decision_support: decision-engine package

Supporting folders:

  • configs: pipeline and policy configuration
  • scripts: local startup utilities
  • tests: unit and integration tests
  • data: raw, processed, and demo data

Short Architecture Diagram

flowchart LR
   A[CloudTrail logs and demo data] --> B[src pipeline]
   B --> C[Incidents and evidence]
   B --> D[Scored detector results]
   C --> E[Decision support and coverage review]
   D --> E
   E --> F[FastAPI backend]
   F --> G[Next.js operator UI]
   C --> H[Agent service]
   D --> H
   E --> H
   H --> G
   G --> I[Human decision, audit trail, and report]

Key Features

  • End-to-end CloudTrail pipeline from raw logs to incidents
  • Incident scoring with explainable model outputs
  • Coverage and blind-spot tracking by evidence category
  • Decision-support engine with recommendations and alternatives
  • Human decision audit trail and incident report generation
  • Grounded incident agent with a ReAct-style tool loop and MCP-based MITRE ATT&CK context retrieval
  • Operator UI with simple and expert workflows

Fastest Way To Run The Demo

Prerequisites

  • Python 3.10+
  • PostgreSQL
  • Node.js
  • optional OpenAI-compatible API key for live agent mode

Install

pip install -r requirements.txt

For the frontend:

cd frontend
npm install

Start The Local Stack

From the project root on Windows:

.\scripts\start_local.ps1

This starts the local backend services for the operator workflow.

If you need to stop them:

.\scripts\stop_local.ps1

Launch The Frontend

cd frontend
npm run dev

Open:
