Inspiration
We were inspired by a very practical security problem: most detection systems stop at the alert, but analysts still have to manually gather context before they can decide what to do. We wanted to build something that starts where detection stops.
The hackathon theme around context engineering and autonomous agents pushed us to think beyond a chatbot. Instead of building a simple alert viewer, we focused on infrastructure for an autonomous triage agent: a system that can receive an alert, invoke the right tools, update its risk state as new evidence arrives, and produce an action-ready outcome.
What we built
We built SentinelOps, an autonomous security triage demo that shows how a bounded agent runtime can investigate a security alert step by step.
In the demo, an alert triggers an Agent Orchestrator that initializes the workflow. The Tool Registry invokes investigation tools such as IP reputation lookup, privileged user lookup, and geo anomaly detection. After each result, the Risk State Manager updates the current threat level. Finally, the Action Engine produces a response recommendation with remediation steps.
The UI exposes the full Agent Execution Trace, the runtime state, and the final action output so the workflow is observable and explainable.
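The workflow described above, as an added Python sketch that is not SentinelOps's own code: a fixed investigation plan runs over a registry of tools, the risk state is updated after each result, and the action is chosen from the final level. The tool names follow the post; the scores, thresholds, lookup data and action strings are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for live threat-intel and IAM sources.
BAD_IPS = {"203.0.113.66"}
PRIVILEGED = {"svc-admin"}
USUAL_COUNTRY = {"svc-admin": "US", "jdoe": "DE"}

@dataclass
class RiskState:
    score: int = 0
    trace: list = field(default_factory=list)

    @property
    def level(self) -> str:
        # Hypothetical thresholds chosen for illustration.
        return "HIGH" if self.score >= 70 else "MEDIUM" if self.score >= 30 else "LOW"

# Each tool takes the alert and returns (risk delta, finding).
def ip_reputation(alert):
    bad = alert["src_ip"] in BAD_IPS
    return (40, "source IP on blocklist") if bad else (0, "source IP clean")

def privileged_user(alert):
    priv = alert["user"] in PRIVILEGED
    return (30, "privileged account") if priv else (0, "standard account")

def geo_anomaly(alert):
    odd = USUAL_COUNTRY.get(alert["user"]) != alert["country"]
    return (20, "unusual login country") if odd else (0, "expected country")

# Tool registry: the orchestrator can only invoke what is listed here.
TOOLS = {"ip_reputation": ip_reputation, "privileged_user": privileged_user,
         "geo_anomaly": geo_anomaly}
ACTIONS = {"HIGH": "disable account and block source IP",
           "MEDIUM": "force re-authentication and notify analyst",
           "LOW": "log and close"}

def triage(alert, plan=("ip_reputation", "privileged_user", "geo_anomaly")):
    """Orchestrator: run a fixed, bounded plan; update risk after every tool."""
    state = RiskState()
    for name in plan:
        delta, finding = TOOLS[name](alert)  # KeyError on an unregistered tool
        state.score = min(100, state.score + delta)
        state.trace.append((name, finding, state.score, state.level))
    return state, ACTIONS[state.level]
```

Each trace entry records the tool, its finding, and the score and level after that step, which is the information an execution-trace panel needs to show why the final recommendation was reached.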
How we built it
Because of hackathon time constraints, we optimized for a reliable demo-first MVP.
- Frontend: React + Vite + Tailwind CSS
- Backend: Python + FastAPI
- Architecture concept: bounded autonomous agent runtime with orchestrator, tool registry, shared risk state, execution trace, and action selector
- Execution model: deterministic multi-step investigation flow for reliability during the demo
- Presentation layer: runtime state panel, agent infrastructure panel, and execution trace visualization
We also explored the sponsor tool ecosystem as part of the project direction:
- Kiro was actively used for spec-driven development, scaffolding, iteration, and UI refinement.
- TrueFoundry was explored as the planned AI gateway / deployment and observability layer for a productionized version of SentinelOps.
- Overmind was explored as a future infrastructure-context data source for blast-radius and dependency-aware triage.
What we learned
A key lesson was that autonomous agents need more than just model calls. To feel real and useful, they need:
- orchestration
- tool invocation
- shared state
- execution trace
- action routing
- observability
We also learned that for a hackathon, a bounded and explainable autonomous workflow is often stronger than an over-ambitious open-ended agent. Making the runtime visible in the UI — with orchestration steps, tool invocations, risk updates, and final action output — made the system much easier to understand and demonstrate.
Challenges
The biggest challenge was balancing ambition with reliability. Our original direction involved a deeper backend architecture with LangGraph, persistence, and broader integrations, but under hackathon time constraints we pivoted toward a demo-first MVP that still preserved the core idea of agent infrastructure.
Another challenge was making the system clearly feel like an agent runtime rather than just a scripted dashboard. We addressed that by explicitly surfacing the Agent Orchestrator, Tool Registry, Risk State Manager, Action Engine, Runtime State, and Agent Execution Trace in the UI.
Why this matters
SentinelOps demonstrates a real-world direction for autonomous security operations: receiving alerts, gathering context, updating decisions as evidence arrives, and producing meaningful action recommendations without requiring a human to manually assemble the investigation from scratch.
This hackathon MVP focuses on the infrastructure pattern and interaction model, and it provides a strong base for a future production version with live data sources, richer tool integrations, and continuous improvement from analyst feedback.
Built With
- css
- fastapi
- javascript
- kiro
- python
- react
- rest
- tailwind
- vite