Sentinel Mesh

See and stop attacks against AI agents wired into your Splunk data.

Comment

Sentinel Mesh

See and stop attacks against the AI agents now wired into your Splunk data.

In February 2026 Splunk shipped its MCP Server to GA, and every org rushing to connect AI agents to Splunk through it quietly opened a brand-new attack surface. Each agent action - an SPL search, a knowledge-object read, a tool call - is now a path that classic SIEM rules never watched. Sentinel Mesh is the detection and triage layer that watches that surface. It scores every MCP interaction in real time, flags prompt injection, tool poisoning, anomalous tool sequences, and data exfiltration, then hands analysts an explainable verdict grounded in the actual event.

Inspiration

We kept seeing teams race to plug AI agents into Splunk the moment the MCP Server hit GA, and nobody was watching what those agents actually did. The MCP layer is a semantic attack surface that network monitoring and WAFs simply do not see, and Splunk's own Threat Research Team said securing it is still wide open. That gap was too good to ignore, so we built the detection and triage app we wished existed.

What it does

Sentinel Mesh ingests the MCP JSON-RPC interaction stream, scores every agent action in real time, and flags prompt injection, tool poisoning, anomalous tool sequences, and data exfiltration. Analysts get a live feed with a risk score on each event, and clicking a flagged interaction returns an explainable verdict: what happened, why it is risky, the MITRE ATT&CK mapping, grounding evidence, and a one-click containment action. SOC analysts and the platform teams governing agent access get coverage for a surface they currently cannot see.

How we built it

We built it as a Next.js 14 app with TypeScript and Tailwind plus a shadcn-style component layer. The detection engine is a readable signature library that sums weighted hits into a 0-100 risk score and tags a primary category, so every verdict cites the exact substring that fired. Triage runs through a Node route handler that calls the Splunk hosted Foundation-Sec model when a key is set and falls back to a deterministic, fully grounded local verdict otherwise, which keeps the whole app working with zero configuration.

Challenges we ran into

The hardest part was making verdicts trustworthy rather than free-form LLM text. We grounded every statement in the actual event and forced a strict JSON schema so the hosted model fills fields instead of narrating. The second challenge was making the demo bulletproof: hosted models can be slow or gated, so we built the simulator and a grounded local engine first and treated the hosted model as an enhancement, not a dependency.

Accomplishments that we're proud of

We are proud that an attack goes from fired to fully explained in under ten seconds, that the app is useful with no API key at all, and that the detection pack ships real SPL mapped to MITRE that a team could paste into Splunk today.

What we learned

We learned how much signal lives in MCP tool descriptions and arguments, and that the tool-poisoning and prompt-injection patterns are detectable with disciplined, explainable rules. We also reaffirmed that grounding plus citations beats clever prompting when analysts need to trust a verdict.

What's next for Sentinel Mesh

  • Wire the ingestion directly to the Splunk STRT MCP Technology Add-on so the feed reads real index=mcp events
  • Ship behavioral baselines and drift alerts using the Cisco Deep Time Series model for interaction-volume forecasting
  • Add RBAC-governed detection agents through the Splunk AI Toolkit Agent Builder
  • Expand the rule pack with confidence-weighted ensembles and analyst feedback loops
  • Turn approved containment into real actions via SOAR playbooks

Tech stack

  • Next.js 14 (App Router) and React 18
  • TypeScript end to end
  • Tailwind CSS with a shadcn-style component layer
  • lucide-react for icons
  • A Node route handler (/api/triage) that integrates the Foundation-Sec hosted model with graceful local fallback

Built With

Share this project:

Updates