
NodeNestor/Sentinel


Sentinel

Autonomous AI Security Team — drop-in security monitoring for any environment.

Sentinel is an AI-powered security monitoring system that acts as a full security team. Deploy it on your network, server, or Kubernetes cluster and it continuously scans, analyzes, correlates, and responds to security threats — 24/7, no security hire needed.

[Screenshot: Sentinel Dashboard]

Download

Standalone binaries: no Node.js runtime and no Docker needed for Sentinel itself. Download and run.

| Platform | Architecture          | Download             |
|----------|-----------------------|----------------------|
| Windows  | x64                   | sentinel-win-x64.exe |
| Linux    | x64                   | sentinel-linux-x64   |
| Linux    | ARM64                 | sentinel-linux-arm64 |
| macOS    | x64 (Intel)           | sentinel-macos-x64   |
| macOS    | ARM64 (Apple Silicon) | sentinel-macos-arm64 |
# Linux/macOS
chmod +x sentinel-linux-x64
./sentinel-linux-x64

# Windows
sentinel-win-x64.exe

# Run database migration
./sentinel-linux-x64 migrate

# CLI commands work too
./sentinel-linux-x64 status
./sentinel-linux-x64 ask "any threats today?"

Note: Sentinel still requires PostgreSQL and Redis as external services (for the security knowledge graph and event bus). The standalone binary eliminates the need for Node.js — not the database.

What It Does

  • Discovers your entire attack surface — hosts, ports, services, containers
  • Scans for known CVEs across every package, image, and binary
  • Audits configurations against CIS benchmarks
  • Watches logs in real-time for intrusion patterns
  • Detects drift — something changed that shouldn't have
  • Correlates across all data to build attack narratives using MITRE ATT&CK
  • Remediates automatically (block IP, kill container, quarantine pod) or alerts you
  • Reports compliance status and generates PDF reports
  • Chats with you — ask questions, give commands, get explanations

Quick Start

Docker Compose (recommended):

curl -fsSL https://raw.githubusercontent.com/NodeNestor/Sentinel/main/scripts/install.sh | bash

Kubernetes / Helm:

helm repo add sentinel https://nodenester.github.io/Sentinel
helm install sentinel sentinel/sentinel -n sentinel --create-namespace

Manual:

git clone https://github.com/NodeNestor/Sentinel.git
cd Sentinel
cp .env.example .env   # edit with your AI provider + API key
docker compose up -d
open http://localhost:3000

Installation

Docker Compose (Recommended)

One-line install -- detects your OS, prompts for AI provider, generates secure passwords, starts everything. It pipes a script straight from the network into bash; if you want to review it first, save install.sh locally, read it, and run that copy instead:

curl -fsSL https://raw.githubusercontent.com/NodeNestor/Sentinel/main/scripts/install.sh | bash

Non-interactive (for CI/automation):

export AI_PROVIDER=anthropic
export ANTHROPIC_API_KEY=sk-ant-...
curl -fsSL https://raw.githubusercontent.com/NodeNestor/Sentinel/main/scripts/install.sh | bash -s -- --non-interactive

Kubernetes / Helm

helm repo add sentinel https://nodenester.github.io/Sentinel
helm install sentinel sentinel/sentinel -n sentinel --create-namespace

Or from source:

git clone https://github.com/NodeNestor/Sentinel.git
cd Sentinel
helm dependency build charts/sentinel
helm install sentinel ./charts/sentinel -n sentinel --create-namespace \
  --set ai.provider=anthropic \
  --set ai.anthropicApiKey=sk-ant-...

A key passed with --set ends up in your shell history and in process listings. For anything beyond a throwaway install, read it from a file instead (helm's --set-file ai.anthropicApiKey=/path/to/key) or from a values file with restricted permissions.

Interactive Kubernetes installer:

./scripts/install-k8s.sh

Manual / Development

git clone https://github.com/NodeNestor/Sentinel.git
cd Sentinel
cp .env.example .env  # edit with your settings
docker compose up -d

Deployment Matrix

| Environment   | Method         | Network Scanning | K8s Scanning | Auto-Remediation                |
|---------------|----------------|------------------|--------------|---------------------------------|
| Home Network  | Docker Compose | Full             | N/A          | IP blocking                     |
| Single Server | Docker Compose | Full             | N/A          | IP blocking, service restart    |
| Kubernetes    | Helm Chart     | Limited*         | Full         | Pod quarantine, secret rotation |
| Cloud VM      | Docker Compose | Full             | N/A          | IP blocking                     |

*Network scanning in K8s requires hostNetwork: true, which places the scanner pod in the node's network namespace; raw-socket scans (nmap SYN scans, arp-scan) additionally need the NET_RAW capability. Grant that capability rather than running the pod privileged, and enable hostNetwork only where you actually need host-level discovery.

Updating

# Docker Compose
./scripts/install.sh --update

# Kubernetes
helm upgrade sentinel sentinel/sentinel -n sentinel

Architecture

┌──────────────────────────────────────────────────────┐
│              Dashboard (Chat + Visualizations)        │
└────────────────────────┬─────────────────────────────┘
                         │ REST + WebSocket
┌────────────────────────┴─────────────────────────────┐
│              AI Correlation Engine                     │
│  MITRE ATT&CK │ Risk Scoring │ Auto-Remediation       │
└────────────────────────┬─────────────────────────────┘
                         │ Redis Streams
     ┌─────────┬─────────┼─────────┬──────────┐
 NetScout  VulnHunter  Config   LogWatcher  Drift
 (nmap)    (trivy)     Auditor  (real-time)  Detector
                       (CIS)

Scanner Agents

| Agent         | What It Does                                                                          | Interval  |
|---------------|---------------------------------------------------------------------------------------|-----------|
| NetScout      | Network scanning — host discovery, port/service detection, rogue devices              | 5 min     |
| VulnHunter    | CVE scanning — container images, packages, EPSS + CISA KEV enrichment                 | 1 hour    |
| ConfigAuditor | Misconfiguration audit — SSH, permissions, Docker, K8s, default creds, TLS            | 24 hours  |
| LogWatcher    | Log monitoring — brute force, privilege escalation, suspicious commands               | Real-time |
| DriftDetector | Change detection — new containers, users, cron jobs, binaries, config changes         | 15 min    |
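How a log-monitoring agent of the LogWatcher kind turns raw sshd lines into a brute-force finding, as an added example in the project's language (JavaScript) that is not Sentinel's own code. The sliding window, the threshold, the mapping to ATT&CK T1110.001 (Brute Force: Password Guessing) and the sample log lines are all constructed for this example. The step worth copying is the escalation: a successful login from a source that was just brute-forcing is a different, more serious finding than the brute force itself.

```javascript
// Added example, not Sentinel's own code: a sliding-window brute-force
// detector over classic syslog-style sshd lines, e.g.
// "Mar 10 04:12:01 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2"
// All sample data below is constructed for the demo.

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

const SSHD_RE = /^(\w{3})\s+(\d+) (\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for (invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+/;

// Returns { ts, ok, invalidUser, user, ip } or null for lines we do not care about.
// Syslog lines carry no year, so the caller supplies one (assumption for the demo).
function parseSshdLine(line, year = 2025) {
  const m = SSHD_RE.exec(line);
  if (!m) return null;
  const [, mon, day, hh, mm, ss, result, invalid, user, ip] = m;
  return {
    ts: Date.UTC(year, MONTHS[mon], Number(day), Number(hh), Number(mm), Number(ss)),
    ok: result === 'Accepted',
    invalidUser: Boolean(invalid),
    user,
    ip,
  };
}

// One 'high' finding per source IP once `threshold` failures fall inside `windowMs`,
// and a 'critical' finding if a login then succeeds from a flagged source.
function detectBruteForce(lines, { threshold = 5, windowMs = 60000 } = {}) {
  const failures = new Map(); // ip -> timestamps of failures still inside the window
  const flagged = new Set();  // ips already reported as brute-forcing
  const findings = [];

  for (const line of lines) {
    const ev = parseSshdLine(line);
    if (!ev) continue;

    if (ev.ok) {
      if (flagged.has(ev.ip)) {
        findings.push({ severity: 'critical', technique: 'T1110.001', ip: ev.ip, user: ev.user,
          summary: `successful login for ${ev.user} from ${ev.ip} after repeated failures` });
      }
      continue;
    }

    const recent = (failures.get(ev.ip) || []).filter(t => ev.ts - t < windowMs);
    recent.push(ev.ts);
    failures.set(ev.ip, recent);

    if (recent.length >= threshold && !flagged.has(ev.ip)) {
      flagged.add(ev.ip);
      findings.push({ severity: 'high', technique: 'T1110.001', ip: ev.ip, user: ev.user,
        summary: `${recent.length} failed SSH logins from ${ev.ip} within ${windowMs / 1000}s` });
    }
  }
  return findings;
}

// Constructed sample: one source guessing passwords and getting in, plus an
// unrelated user who mistyped once and then logged in normally.
const SAMPLE_LOG = [
  'Mar 10 04:12:01 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2',
  'Mar 10 04:12:03 web1 sshd[4023]: Failed password for root from 203.0.113.7 port 50212 ssh2',
  'Mar 10 04:12:05 web1 sshd[4025]: Failed password for root from 203.0.113.7 port 50213 ssh2',
  'Mar 10 04:12:09 web1 sshd[4027]: Failed password for deploy from 203.0.113.7 port 50214 ssh2',
  'Mar 10 04:12:10 web1 sshd[4028]: Failed password for alice from 198.51.100.4 port 41000 ssh2',
  'Mar 10 04:12:12 web1 sshd[4029]: Failed password for deploy from 203.0.113.7 port 50215 ssh2',
  'Mar 10 04:12:40 web1 sshd[4031]: Accepted password for deploy from 203.0.113.7 port 50216 ssh2',
  'Mar 10 04:13:02 web1 sshd[4033]: Accepted password for alice from 198.51.100.4 port 41001 ssh2',
];

for (const f of detectBruteForce(SAMPLE_LOG)) {
  console.log(f.severity, f.technique, f.summary);
}
```

The window is evaluated per source address, so the single failure from 198.51.100.4 never crosses the threshold and its later login produces nothing; the five failures from 203.0.113.7 produce one high finding, and the login that follows produces the critical one.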

AI Integration

Sentinel connects to any AI backend. Pick one, and note what leaves your environment: with a hosted API (Option 1) the findings, hostnames and log excerpts Sentinel sends for triage go to the provider, while Options 2 and 3 keep them on hosts you control.

Option 1: Claude API (Anthropic)

AI_PROVIDER=anthropic
ANTHROPIC_API_KEY=sk-ant-...

Option 2: Any OpenAI-compatible endpoint

Works with vLLM, LM Studio, llama.cpp, LocalAI, text-generation-webui, or any server that implements the OpenAI chat completions API.

AI_PROVIDER=openai-compatible
OPENAI_BASE_URL=http://localhost:8080/v1
OPENAI_API_KEY=not-needed
OPENAI_MODEL=your-model-name

Option 3: Ollama (local)

AI_PROVIDER=ollama
OLLAMA_URL=http://localhost:11434
OLLAMA_MODEL=llama3.1

The AI layer handles:

  • Triage — prioritizes findings, explains in plain English
  • Correlation — connects events into attack narratives
  • Chat — answer questions, take commands, explain CVEs
  • Proactive alerts — decides what's worth telling you about
  • Reports — generates executive summaries, compliance reports

Dashboard

Dark-themed security dashboard at http://localhost:3000 with 8 pages:

  • Overview — posture score, findings, incidents, agent status
  • Findings — filterable table, MITRE ATT&CK tags, bulk actions
  • Network — force-directed topology, suspicious flows
  • Compliance — CIS benchmarks, PDF export
  • Assets — host inventory, risk scores, ports, vulns
  • Incidents — correlated attack narratives, kill chains
  • Chat — talk to Sentinel, ask questions, give commands
  • Settings — scan intervals, alerts, notifications, dry-run

Chat Examples

You: What's the riskiest thing on my network right now?
Sentinel: Host 192.168.1.50 has 3 critical CVEs including CVE-2024-3094
         (xz backdoor, CISA KEV listed). Port 22 is exposed with password
         auth enabled. Risk score: 92/100. Want me to block external SSH access?

You: Run a full scan
Sentinel: Triggered all 5 agents. NetScout found 2 new devices, VulnHunter
         found 7 new CVEs (1 critical). Full results on the dashboard.

You: Explain CVE-2024-3094
Sentinel: This is the xz utils backdoor...

Threat Intelligence

Enriches findings with data from free threat feeds:

| Feed      | What It Provides                                                 |
|-----------|------------------------------------------------------------------|
| CISA KEV  | CVEs confirmed actively exploited in the wild                    |
| EPSS      | Probability a CVE will be exploited in the next 30 days (0-100%) |
| abuse.ch  | Malicious URLs, C2 server IPs, malware hashes                    |
| GreyNoise | Filters out benign scanners (Shodan, Censys)                     |
| AbuseIPDB | Community-reported malicious IP reputation                       |
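What the KEV and EPSS enrichment is for, as an added example that is not Sentinel's scoring formula: a CVSS number alone does not say whether anyone is exploiting a bug, so a prioritizer that folds in EPSS (likelihood), KEV membership (confirmed exploitation) and NetScout's exposure data will rank a KEV-listed 7.5 on an internet-facing host above a pristine 9.8 nobody has weaponized. The weights and the sample findings below are constructed for illustration.

```javascript
// Added example, not Sentinel's own scoring: a weighted prioritizer showing how
// KEV/EPSS enrichment reorders findings relative to CVSS alone.
// Weights and sample findings are constructed for illustration.

function scoreFinding({ cvss, epss = 0, kev = false, exposed = false }) {
  if (!(cvss >= 0 && cvss <= 10)) throw new RangeError('cvss must be 0..10');
  if (!(epss >= 0 && epss <= 1)) throw new RangeError('epss is a probability 0..1');
  let score = cvss * 6;        // impact (CVSS): up to 60 points
  score += epss * 30;          // likelihood of exploitation (EPSS): up to 30 points
  if (kev) score += 20;        // confirmed exploited in the wild (CISA KEV)
  if (exposed) score *= 1.15;  // reachable from the internet according to the network scan
  return Math.min(100, Math.round(score));
}

// Attaches a score to each finding and returns them most urgent first.
function prioritize(findings) {
  return findings
    .map(f => ({ ...f, score: scoreFinding(f) }))
    .sort((a, b) => b.score - a.score);
}

// Constructed findings; the names describe the situation, not real CVEs.
const SAMPLE_FINDINGS = [
  { name: 'RCE on internal host, high CVSS, no exploitation seen', cvss: 9.8, epss: 0.01, kev: false, exposed: false },
  { name: 'auth bypass on edge host, KEV listed',                  cvss: 7.5, epss: 0.60, kev: true,  exposed: true },
  { name: 'info leak on edge host',                                cvss: 5.3, epss: 0.02, kev: false, exposed: true },
  { name: 'RCE on edge host, KEV listed',                          cvss: 9.8, epss: 0.94, kev: true,  exposed: true },
];

for (const f of prioritize(SAMPLE_FINDINGS)) {
  console.log(String(f.score).padStart(3), f.name);
}
```

The KEV-listed 7.5 lands at 95 and the unexploited 9.8 at 59; sorting by CVSS would have put them the other way round, which is the whole point of pulling the feeds in.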

Auto-Remediation

Sentinel can automatically respond to threats (disabled by default):

| Action         | When                                            | Reversible         |
|----------------|-------------------------------------------------|--------------------|
| Block IP       | Known malicious IP hitting your network         | Yes (auto-expires) |
| Kill container | Container running crypto miner or reverse shell | Yes (K8s restarts) |
| Quarantine pod | Compromised pod isolated via NetworkPolicy      | Yes                |
| Rotate secret  | Exposed credential detected                     | N/A                |

Enable it by setting DRY_RUN=false; a kill switch in the dashboard Settings page halts all actions. The inputs these decisions are made from (log lines, service banners, reputation feeds) are partly attacker-controlled, so keep dry-run on until you have reviewed the actions it would have taken and are comfortable with them.
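What a "block IP" action should check before it touches the firewall, as an added example that is not Sentinel's own remediation code. It assumes (for this example) nftables with a set `inet sentinel blocklist` created with `flags timeout`, so each blocked element expires on its own; the table, the set and the drop rule that references it are provisioned once at startup and are outside this example. The allowlist stands for your own management addresses, and the `exec` callback stands in for whatever actually runs the command. Validation runs before the DRY_RUN and kill-switch gates so that a dry-run preview shows exactly what would have been refused.

```javascript
// Added example, not Sentinel's own code: guard rails for an automatic
// "block IP" action. Internal ranges and allowlisted addresses are never
// blocked, so a poisoned reputation feed cannot lock you out of your own hosts.
// Assumes an nftables set `inet sentinel blocklist` with `flags timeout`
// (assumption for this example). IPv4 only.

const NEVER_BLOCK = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',
                     '127.0.0.0/8', '169.254.0.0/16'];

// Returns the address as an unsigned 32-bit number, or null if it is not IPv4.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const mask = (0xFFFFFFFF << (32 - Number(bits))) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// Returns a plan object whose `status` is one of:
// refused (never do this), held (kill switch), planned (DRY_RUN), executed.
function planBlockIp(ip, {
  dryRun = true, killSwitch = false, ttlSeconds = 3600,
  allowlist = new Set(), exec = null, now = Date.now(),
} = {}) {
  const plan = { action: 'block-ip', ip, ttlSeconds,
                 expiresAt: new Date(now + ttlSeconds * 1000).toISOString() };
  if (ipv4ToInt(ip) === null) return { ...plan, status: 'refused', reason: 'not an IPv4 address' };
  if (allowlist.has(ip)) return { ...plan, status: 'refused', reason: 'allowlisted' };
  const range = NEVER_BLOCK.find(c => inCidr(ip, c));
  if (range) return { ...plan, status: 'refused', reason: `internal range ${range}` };

  // A per-element timeout is what makes the block self-reversing ("auto-expires").
  plan.commands = [`nft add element inet sentinel blocklist '{ ${ip} timeout ${ttlSeconds}s }'`];

  if (killSwitch) return { ...plan, status: 'held', reason: 'kill switch engaged' };
  if (dryRun) return { ...plan, status: 'planned', reason: 'DRY_RUN=true' };
  if (typeof exec !== 'function') throw new Error('no executor configured');
  for (const cmd of plan.commands) exec(cmd);
  return { ...plan, status: 'executed' };
}

// Constructed demo: the default is a dry-run preview; the second call is
// refused even with dry-run off because the address is an internal one.
console.log(planBlockIp('203.0.113.7'));
console.log(planBlockIp('192.168.1.50', { dryRun: false, exec: cmd => console.log('would run:', cmd) }));
```

The ordering of the gates is the design choice: a refusal is a property of the target and is reported in every mode, whereas the kill switch and DRY_RUN only decide whether an otherwise valid plan is carried out.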

Compliance

Automated compliance checks with PDF report generation:

  • CIS Docker Benchmark — 14 checks
  • CIS Linux Benchmark — 17 checks
  • NIST CSF 2.0 — mapped from findings
  • PCI DSS — relevant controls

CLI

# Check security posture
sentinel status

# List recent findings
sentinel findings --severity critical

# Ask a question
sentinel ask "any suspicious activity today?"

# Interactive chat
sentinel ask

# Trigger scan
sentinel scan

# Generate report
sentinel report executive

Configuration

All settings configurable via environment variables or config/default.json. Key settings:

# Scanning
SCAN_SUBNET=auto          # auto-detect or 192.168.1.0/24
SCAN_INTERVAL=300         # NetScout interval (seconds)

# Alerting
ALERT_LEVEL=medium        # minimum severity to notify
DRY_RUN=true             # disable auto-remediation

# Notifications
SLACK_WEBHOOK_URL=...
DISCORD_WEBHOOK_URL=...

# Threat Intel (optional, free tiers)
GREYNOISE_API_KEY=...
ABUSEIPDB_API_KEY=...

Development

# Start dependencies
docker compose up -d postgres redis

# Install
npm install

# Run in dev mode (auto-restart on changes)
npm run dev

# Run database migrations
npm run migrate

Tech Stack

  • Runtime: Node.js 20+
  • Database: PostgreSQL 16 (knowledge graph + findings)
  • Event Bus: Redis Streams
  • AI: Claude API / OpenAI-compatible / Ollama
  • Dashboard: Express + vanilla HTML/JS + WebSocket
  • Scanning: nmap, trivy, arp-scan, masscan
  • Deployment: Docker Compose / Helm / bare metal

License

MIT