## Inspiration

A SOC analyst investigating a cloud incident today opens 5+ consoles — CloudTrail, IAM, S3, GuardDuty, VPC flow logs — spending 45 minutes piecing together what happened. By the time they find the root cause, the attacker has already exfiltrated data. I built Sentinel Shield to do the entire investigation autonomously in 60 seconds.

## What it does

Sentinel Shield is an autonomous cloud incident investigator. It ingests CloudTrail events, analyst voice memos, and console screenshots, then runs a 5-agent pipeline:

  1. Intake Agent — parses events, extracts all entities (identities, IPs, resources, accounts)
  2. Threat Intel — sub-millisecond Aerospike lookups against known-bad indicators
  3. Timeline Agent — builds a color-coded attack path and ranks 6 hypothesis types by confidence
  4. Root Cause Agent — identifies the specific misconfiguration that enabled the attack
  5. Response Agent — generates a containment plan with executable AWS CLI commands

The output includes: attack path visualization, blast radius graph, impacted assets, root cause with evidence citations, containment actions with approve/execute workflow (runs real AWS CLI), analyst and executive summaries, downloadable PDF report, and a one-click voice call to the SOC lead via Bland AI.

## How I built it

  • Frontend: Next.js 16, React 19, Tailwind CSS 4
  • AI: Gemini 2.5 Flash via Vercel AI SDK (reasoning, vision, transcription)
  • Auth: Auth0 Next.js SDK v4
  • Threat Intel: Aerospike real-time cache (sub-ms key-value lookups)
  • Data Pipeline: Airbyte pattern — CloudTrail logs auto-ingested from real S3 bucket
  • Observability: TrueFoundry agent tracing (latency, tokens, cost per agent)
  • Voice: Bland AI auto-call with dynamic incident briefing
  • Containment: Real AWS CLI execution with human approval gate
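
One way to put a human approval gate in front of model-generated AWS CLI commands, as an added example that is not Sentinel Shield's own code. The allowlist entries, the approval record shape and all function names are assumptions.

```javascript
// Added example; the allowlist, the approval shape and every name are assumptions.
// "service operation" -> the only flags that operation may carry.
const ALLOWED = new Map([
  ["iam update-access-key", new Set(["--user-name", "--access-key-id", "--status"])],
  ["s3api put-public-access-block", new Set(["--bucket", "--public-access-block-configuration"])],
]);
const SAFE_VALUE = /^[A-Za-z0-9_.:\/=,@+-]+$/; // no quotes, spaces or shell metacharacters

function deny(reason) {
  return { ok: false, reason };
}

// Returns { ok: true, argv } only for an approved, allowlisted command,
// otherwise { ok: false, reason }. It never executes anything itself.
function gateContainmentAction(action, approval, now = Date.now()) {
  if (typeof action.command !== "string") return deny("missing command");
  if (!approval || approval.actionId !== action.id) return deny("no approval for this action");
  if (!approval.approvedBy) return deny("approval has no named analyst");
  if (approval.expiresAt <= now) return deny("approval expired");
  // The approval is bound to the exact text the analyst saw.
  if (approval.command !== action.command) return deny("command changed after approval");

  const tokens = action.command.trim().split(/\s+/);
  if (tokens[0] !== "aws" || tokens.length < 3) return deny("not an aws CLI command");
  const operation = `${tokens[1]} ${tokens[2]}`;
  const flags = ALLOWED.get(operation);
  if (!flags) return deny(`operation not allowlisted: ${operation}`);

  const args = tokens.slice(3);
  if (args.length % 2 !== 0) return deny("flags must be --name value pairs");
  for (let i = 0; i < args.length; i += 2) {
    // Unlisted flags (including global ones such as --profile) are rejected.
    if (!flags.has(args[i])) return deny(`flag not allowed: ${args[i]}`);
    const value = args[i + 1];
    if (value.startsWith("-") || !SAFE_VALUE.test(value)) return deny(`unsafe value for ${args[i]}`);
  }
  // Pass argv to execFile("aws", argv): an argument vector, never a shell string.
  return { ok: true, argv: tokens.slice(1) };
}

// Constructed sample: a Response Agent proposal and the approval bound to it.
const sampleAction = {
  id: "act-1",
  command: "aws iam update-access-key --user-name build-bot --access-key-id AKIAIOSFODNN7EXAMPLE --status Inactive",
};
const sampleApproval = { actionId: "act-1", command: sampleAction.command,
  approvedBy: "analyst@example.com", expiresAt: Date.now() + 300000 };
console.log(gateContainmentAction(sampleAction, sampleApproval));
```

Because the approval stores the exact command text, a plan that is regenerated or edited after the analyst clicks approve has to be approved again.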

## Challenges I ran into

  • Gemini 2.5 Flash response times for structured output — solved with retry and timeout wrappers with exponential backoff
  • Aerospike native bindings with Next.js server bundling — solved with dynamic imports and serverExternalPackages
  • SSE streaming reliability during long agent runs — solved with watchdog timers and graceful degradation

## Accomplishments I'm proud of

  • Full investigation in ~90 seconds with real AI reasoning across 5 agents
  • Live AWS containment execution — not just suggestions, actual CLI commands running against a real account
  • Voice call that actually rings during the demo
  • 3 threat intel matches from Aerospike on the sample incident
  • Cross-incident memory — the system learns from past investigations
  • PDF export of the full incident report

## What I learned

  • Structured output with Zod schemas makes AI agents reliable and type-safe
  • Sub-millisecond caching (Aerospike) transforms threat intel from "nice to have" into real-time enrichment
  • The gap between "AI that suggests" and "AI that acts" is where the real value is

## What's next for Sentinel Shield

  • Live SIEM connectors (Splunk, Sentinel, Datadog)
  • Cross-incident learning — agents improve from resolved cases
  • Response playbooks per incident type
  • Multi-cloud support (Azure, GCP)
