SentinelPrime is a research-focused Security Control Plane that unifies Zero Trust Network Access (ZTNA), Endpoint Detection and Response (EDR), and Network Detection and Response (NDR) into a single AI-driven enforcement loop.
The Control Plane API is the central intelligence layer that:
- Ingests telemetry from all security layers
- Correlates events to identify attack chains
- Calculates risk scores using ML models
- Makes enforcement decisions
- Orchestrates responses across all layers
Technologies:
- FastAPI (Python) - API framework
- Kafka/Redpanda - Event streaming
- Neo4j - Graph database for attack chains
- Redis - Caching and state management
The analysis layer (ML models, graph database and risk scorer) provides analysis through:
Anomaly Detection:
- Isolation Forest algorithm for outlier detection
- Feature extraction from security events
- Real-time scoring of suspicious behavior
Behavior Analysis:
- Baseline profiling per entity (user, host, IP)
- Pattern recognition for deviations
- Temporal analysis within time windows
Graph Analysis:
- Neo4j-based attack chain reconstruction
- Lateral movement detection
- Entity relationship mapping
- Risk propagation through graphs
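Worked example of the behavior-analysis stage, added here and not SentinelPrime's own code: one sliding-window baseline per entity, feature extraction from normalized events, and a z-score of the current window against the entity's past windows. The z-score deviation stands in for the Isolation Forest model; the event schema, the 60-second window, the feature set and the sample telemetry are all constructed for this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from statistics import mean, pstdev

WINDOW_SECONDS = 60        # width of one counting window (assumed)
BASELINE_WINDOWS = 5       # completed windows kept per entity as its baseline
MIN_BASELINE_WINDOWS = 3   # no scoring until the baseline holds this many windows
SIGMA_FLOOR = 1.0          # std-dev floor so a flat baseline cannot divide by zero
FEATURES = ("auth_failures", "distinct_dst_hosts", "process_creates")


def extract_features(event):
    """Feature extraction: map one normalized event to (feature, value) updates."""
    kind = event["type"]
    if kind == "auth_failure":
        return [("auth_failures", 1)]
    if kind == "net_flow":
        return [("distinct_dst_hosts", event["dst_host"])]
    if kind == "process_create":
        return [("process_creates", 1)]
    return []


@dataclass
class Window:
    start: float
    counts: dict = field(default_factory=lambda: defaultdict(int))
    dst_hosts: set = field(default_factory=set)   # distinct, so repeats don't inflate it

    def vector(self):
        return {"auth_failures": self.counts["auth_failures"],
                "distinct_dst_hosts": len(self.dst_hosts),
                "process_creates": self.counts["process_creates"]}


class EntityBaseline:
    """Sliding-window baseline for one entity (user, host or IP)."""

    def __init__(self):
        self.history = deque(maxlen=BASELINE_WINDOWS)   # completed window vectors
        self.current = None

    def observe(self, event):
        window_start = event["ts"] - (event["ts"] % WINDOW_SECONDS)
        if self.current is None:
            self.current = Window(window_start)
        elif window_start != self.current.start:
            # window rolled over: freeze the finished one into the baseline
            self.history.append(self.current.vector())
            self.current = Window(window_start)
        for feature, value in extract_features(event):
            if feature == "distinct_dst_hosts":
                self.current.dst_hosts.add(value)
            else:
                self.current.counts[feature] += value

    def deviation(self):
        """Largest per-feature z-score of the current window against the baseline,
        as (score, feature); (None, None) while the baseline is still too short."""
        if self.current is None or len(self.history) < MIN_BASELINE_WINDOWS:
            return None, None
        now = self.current.vector()
        worst = (0.0, None)
        for feature in FEATURES:
            past = [w[feature] for w in self.history]
            sigma = max(pstdev(past), SIGMA_FLOOR)
            z = (now[feature] - mean(past)) / sigma
            if z > worst[0]:
                worst = (z, feature)
        return worst


# Constructed telemetry: five quiet minutes for alice, then one minute in which
# she fails 25 logins while fanning out to 25 hosts she never touched before.
T0 = 1_700_000_000
SAMPLE_EVENTS = []
for minute in range(5):
    base = T0 + minute * WINDOW_SECONDS
    SAMPLE_EVENTS += [
        {"ts": base + 5, "user": "alice", "type": "auth_failure"},
        {"ts": base + 9, "user": "alice", "type": "net_flow", "dst_host": "fileserver"},
        {"ts": base + 20, "user": "alice", "type": "process_create"},
    ]
for i in range(25):
    ts = T0 + 5 * WINDOW_SECONDS + i
    SAMPLE_EVENTS.append({"ts": ts, "user": "alice", "type": "auth_failure"})
    SAMPLE_EVENTS.append({"ts": ts, "user": "alice", "type": "net_flow", "dst_host": f"host-{i:02d}"})


def run_sample():
    """Feed all events through one baseline per entity and score alice's current window."""
    baselines = defaultdict(EntityBaseline)
    for event in SAMPLE_EVENTS:
        baselines[event["user"]].observe(event)
    return baselines["alice"].deviation()
```

`run_sample()` returns `(24.0, 'auth_failures')`: the quiet windows are identical, so their standard deviation is zero and the floor of 1.0 decides the score. In practice the floor needs tuning per feature, otherwise a very stable baseline turns every small change into a maximal deviation, which is exactly the false-positive source that auto-enforcement cannot afford.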
The telemetry pipeline normalizes and processes events from:
EDR Sources:
- Wazuh host-based events
- osquery endpoint telemetry
- Process creation, file access, registry changes
NDR Sources:
- Zeek network flow analysis
- Suricata IDS alerts
- DNS queries, HTTP requests, SSL/TLS connections
ZTNA Sources:
- Authentication events
- Access requests and decisions
- Session management
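An added normalization example (not the project's own normalizer): it maps a Wazuh alert, a Zeek conn.log record, a Suricata EVE alert and a ZTNA access decision into one common schema. The Wazuh, Zeek and Suricata field names are the ones those tools emit; the ZTNA record shape, the common schema, the severity rescaling and every sample record are assumptions made for this example.

```python
import json
from datetime import datetime

# Common schema every detector downstream consumes (assumed for this example).
SCHEMA = ("ts", "layer", "source", "entity", "src_ip", "dst_ip", "action", "severity", "raw")
SURICATA_SEVERITY = {1: 9.0, 2: 6.0, 3: 3.0, 4: 1.0}   # Suricata: 1 is the most severe


def _parse_ts(value):
    """Wazuh and Suricata emit ISO-8601 with a numeric offset, e.g. 2024-05-01T12:00:00.000+0000."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()


def _event(**fields):
    """Build a normalized event, refusing anything that deviates from the schema."""
    if set(fields) != set(SCHEMA):
        raise ValueError(f"normalized event must have exactly {SCHEMA}, got {sorted(fields)}")
    return fields


def normalize_wazuh(alert):
    """EDR: Wazuh alert JSON. rule.level runs 0-15 and is rescaled to 0-10 here."""
    return _event(
        ts=_parse_ts(alert["timestamp"]), layer="edr", source="wazuh",
        entity=alert["agent"]["name"],
        src_ip=alert.get("data", {}).get("srcip"), dst_ip=alert["agent"].get("ip"),
        action=alert["rule"]["description"],
        severity=round(alert["rule"]["level"] * 10 / 15, 1), raw=alert)


def normalize_zeek_conn(rec):
    """NDR: one Zeek conn.log record (JSON output). Pure telemetry, so severity is 0."""
    return _event(
        ts=float(rec["ts"]), layer="ndr", source="zeek",
        entity=rec["id.orig_h"], src_ip=rec["id.orig_h"], dst_ip=rec["id.resp_h"],
        action=f"{rec['proto']}/{rec['id.resp_p']} {rec.get('conn_state', '-')}",
        severity=0.0, raw=rec)


def normalize_suricata(rec):
    """NDR: Suricata EVE record. Only alerts are normalized here; other EVE types return None."""
    if rec.get("event_type") != "alert":
        return None
    return _event(
        ts=_parse_ts(rec["timestamp"]), layer="ndr", source="suricata",
        entity=rec["src_ip"], src_ip=rec["src_ip"], dst_ip=rec["dest_ip"],
        action=rec["alert"]["signature"],
        severity=SURICATA_SEVERITY.get(rec["alert"]["severity"], 1.0), raw=rec)


def normalize_ztna(rec):
    """ZTNA: an access decision. This record shape is assumed, not any product's format."""
    denied = rec["decision"] == "deny"
    return _event(
        ts=_parse_ts(rec["time"]), layer="ztna", source="ztna",
        entity=rec["identity"], src_ip=rec["source_ip"], dst_ip=None,
        action=f"{rec['decision']} {rec['service']}" + (f" ({rec['reason']})" if denied else ""),
        severity=5.0 if denied else 0.0, raw=rec)


NORMALIZERS = {"wazuh": normalize_wazuh, "zeek": normalize_zeek_conn,
               "suricata": normalize_suricata, "ztna": normalize_ztna}


def normalize(source, rec):
    """Dispatch one raw record; an unknown source is rejected rather than guessed at."""
    normalizer = NORMALIZERS.get(source)
    if normalizer is None:
        raise ValueError(f"unknown telemetry source {source!r}")
    return normalizer(rec)


# Constructed sample records, one JSON line each, tagged with the producing source.
SAMPLE_LINES = [
    ("wazuh", '{"timestamp":"2024-05-01T12:00:00.000+0000","rule":{"level":10,'
              '"description":"Multiple authentication failures","id":"100210"},'
              '"agent":{"id":"001","name":"ws-042","ip":"10.0.5.42"},"data":{"srcip":"10.0.9.7"}}'),
    ("zeek", '{"ts":1714564800.5,"uid":"CxyzAb1","id.orig_h":"10.0.5.42","id.orig_p":51234,'
             '"id.resp_h":"10.0.5.10","id.resp_p":445,"proto":"tcp","conn_state":"SF"}'),
    ("suricata", '{"timestamp":"2024-05-01T12:00:01.123456+0000","event_type":"alert",'
                 '"src_ip":"10.0.5.42","dest_ip":"10.0.5.10","proto":"TCP","alert":{"signature_id":1000001,'
                 '"signature":"LOCAL SMB lateral movement attempt","severity":2}}'),
    ("suricata", '{"timestamp":"2024-05-01T12:00:01.500000+0000","event_type":"flow"}'),
    ("ztna", '{"time":"2024-05-01T12:00:02.000+0000","identity":"alice","source_ip":"10.0.5.42",'
             '"service":"fileserver","decision":"deny","reason":"posture check failed"}'),
]


def ingest(lines):
    """Normalize tagged JSON lines, dropping records a normalizer chose to ignore."""
    events = []
    for source, line in lines:
        event = normalize(source, json.loads(line))
        if event is not None:
            events.append(event)
    return events
```

`ingest(SAMPLE_LINES)` yields four events on one timeline from three layers, all about the same host: the Wazuh alert on ws-042, the Zeek SMB flow and the Suricata alert from ws-042 to srv 10.0.5.10, and the ZTNA denial for alice from that same address. Keeping `raw` on every event is what lets the graph and enforcement stages explain a decision later instead of showing only the normalized summary.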
The Enforcement Engine executes coordinated responses:
ZTNA Enforcement:
- Revoke access credentials
- Terminate active sessions
- Update access policies
- Require additional authentication
EDR Enforcement:
- Isolate compromised endpoints
- Terminate malicious processes
- Quarantine files
- Deploy security patches
NDR Enforcement:
- Block IP addresses
- Drop network flows
- Rate limit connections
- Capture traffic for forensics
┌────────────────────────────────────────┐
│            Security Layers             │
├──────────┬──────────┬──────────────────┤
│   EDR    │   NDR    │       ZTNA       │
│ (Wazuh)  │  (Zeek)  │    (OpenZiti)    │
└────┬─────┴─────┬────┴──────────┬───────┘
     │           │               │
     └───────────┼───────────────┘
                 │ Events
                 ▼
         ┌───────────────┐
         │     Kafka     │
         │  (Ingestion)  │
         └───────┬───────┘
                 │
                 ▼
    ┌────────────────────────┐
    │   Control Plane API    │
    │   - Event Processing   │
    │   - Normalization      │
    └────────────┬───────────┘
                 │
       ┌─────────┼─────────┐
       │         │         │
       ▼         ▼         ▼
    ┌────┐    ┌──────┐ ┌───────┐
    │ ML │    │Graph │ │ Risk  │
    │    │    │  DB  │ │Scorer │
    └──┬─┘    └──┬───┘ └───┬───┘
       │         │         │
       └─────────┼─────────┘
                 │ Decision
                 ▼
         ┌───────────────┐
         │  Enforcement  │
         │    Engine     │
         └───────┬───────┘
                 │
          ┌──────┼──────┐
          │      │      │
          ▼      ▼      ▼
        ┌────┐ ┌────┐ ┌────┐
        │ZTNA│ │EDR │ │NDR │
        │Act │ │Act │ │Act │
        └────┘ └────┘ └────┘
Traditional XDR focuses on detection and alerting. SentinelPrime prioritizes decision-making and enforcement.
Rather than just detecting anomalies, SentinelPrime reconstructs why events occur and what they indicate about attacker intent.
Attack chains are modeled as graphs in Neo4j, enabling:
- Multi-hop relationship queries
- Pattern matching across time
- Risk score propagation
- Blast radius calculation
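As an added example covering both the graph analysis described earlier and the attack-chain modelling above, the following in-memory graph replaces Neo4j so that it runs offline; it is not the project's own code and the project's Cypher queries are not shown. Node kinds, relationship names, the lateral-movement port list, the decay model and the sample events are assumptions of the example.

```python
from collections import defaultdict, deque

# Ports whose connections count as candidate lateral-movement hops (assumed: ssh, smb, rdp, winrm).
LATERAL_PORTS = {22, 445, 3389, 5985, 5986}


class AttackGraph:
    """In-memory stand-in for the Neo4j graph: typed nodes, timestamped typed edges."""

    def __init__(self):
        self.nodes = {}                  # node id -> kind ("user" or "host")
        self.edges = defaultdict(list)   # src -> [(dst, relation, ts, attrs)]

    def add_edge(self, src, src_kind, dst, dst_kind, relation, ts, **attrs):
        self.nodes.setdefault(src, src_kind)
        self.nodes.setdefault(dst, dst_kind)
        self.edges[src].append((dst, relation, ts, attrs))

    def ingest(self, event):
        """Entity relationship mapping: turn normalized events into graph edges."""
        if event["type"] == "auth_success":
            self.add_edge(event["user"], "user", event["host"], "host", "logged_on", event["ts"])
        elif event["type"] == "net_flow":
            self.add_edge(event["src_host"], "host", event["dst_host"], "host",
                          "connected_to", event["ts"], dst_port=event["dst_port"])

    def lateral_movement_chains(self, user, max_gap=600):
        """Attack chain reconstruction: host sequences where `user` logs on to A, A then
        opens a lateral-protocol connection to B, and `user` logs on to B within max_gap s."""
        logons = sorted((ts, host) for host, rel, ts, _ in self.edges[user] if rel == "logged_on")

        def extend(host, after):
            best = [host]
            for dst, rel, ts_flow, attrs in self.edges[host]:
                if rel != "connected_to" or ts_flow < after or attrs.get("dst_port") not in LATERAL_PORTS:
                    continue
                for ts_logon, next_host in logons:
                    if next_host == dst and ts_flow < ts_logon <= ts_flow + max_gap:
                        chain = [host] + extend(dst, ts_logon)
                        if len(chain) > len(best):
                            best = chain
            return best

        chains, covered = [], set()
        for ts, host in logons:
            if host not in covered:
                chain = extend(host, ts)
                if len(chain) >= 2:
                    chains.append(chain)
                    covered.update(chain)
        return chains

    def neighbors(self, node):
        """Both directions: a compromised host taints the account used on it and vice versa."""
        out = {dst for dst, *_ in self.edges[node]}
        incoming = {src for src, lst in self.edges.items() if any(d == node for d, *_ in lst)}
        return out | incoming

    def propagate_risk(self, seed, seed_risk=1.0, decay=0.5, max_hops=3):
        """Risk propagation: each hop away from the seed keeps `decay` of the risk;
        BFS reaches every node by its shortest path first, which is also its highest risk."""
        risk = {seed: seed_risk}
        frontier = deque([(seed, 0)])
        while frontier:
            node, hops = frontier.popleft()
            if hops == max_hops:
                continue
            for nb in self.neighbors(node):
                propagated = risk[node] * decay
                if propagated > risk.get(nb, 0.0):
                    risk[nb] = propagated
                    frontier.append((nb, hops + 1))
        return risk

    def blast_radius(self, seed, threshold=0.3, **kwargs):
        """Nodes whose propagated risk from `seed` reaches the threshold."""
        return {n for n, r in self.propagate_risk(seed, **kwargs).items() if r >= threshold}


# Constructed events: alice's credentials hop ws-042 -> srv-fs (SMB) -> srv-db (RDP);
# the print job from ws-042 is noise that must stay out of the chain.
T0 = 1_700_000_000
SAMPLE_EVENTS = [
    {"type": "auth_success", "ts": T0, "user": "alice", "host": "ws-042"},
    {"type": "net_flow", "ts": T0 + 50, "src_host": "ws-042", "dst_host": "printer", "dst_port": 9100},
    {"type": "net_flow", "ts": T0 + 100, "src_host": "ws-042", "dst_host": "srv-fs", "dst_port": 445},
    {"type": "auth_success", "ts": T0 + 110, "user": "alice", "host": "srv-fs"},
    {"type": "net_flow", "ts": T0 + 200, "src_host": "srv-fs", "dst_host": "srv-db", "dst_port": 3389},
    {"type": "auth_success", "ts": T0 + 210, "user": "alice", "host": "srv-db"},
]


def build_sample_graph():
    graph = AttackGraph()
    for event in SAMPLE_EVENTS:
        graph.ingest(event)
    return graph
```

On the sample, `lateral_movement_chains("alice")` returns the single chain `ws-042 -> srv-fs -> srv-db`, and `blast_radius("ws-042")` at the default threshold contains ws-042, alice, srv-fs and the printer but not srv-db, which sits two hops out; lowering the threshold or raising the decay pulls srv-db in. The chain query is the time-ordered multi-hop pattern a Cypher query would express; the difference in production is that Neo4j evaluates it over the whole history rather than over one in-memory batch.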
Detection → Analysis → Decision → Enforcement → Feedback
This creates a true control loop rather than alert sprawl.
Every component is swappable:
- EDR: Wazuh, osquery, Velociraptor, etc.
- NDR: Zeek, Suricata, Moloch, etc.
- ZTNA: OpenZiti, Pomerium, Teleport, etc.
Telemetry:
POST /api/v1/telemetry/ingest
POST /api/v1/telemetry/edr
POST /api/v1/telemetry/ndr
POST /api/v1/telemetry/ztna
GET /api/v1/telemetry/events
GET /api/v1/telemetry/stats
Decisions:
POST /api/v1/decisions/assess
POST /api/v1/decisions/enforce
GET /api/v1/decisions
GET /api/v1/decisions/{decision_id}
Policies:
POST /api/v1/policies
GET /api/v1/policies
GET /api/v1/policies/{policy_id}
PUT /api/v1/policies/{policy_id}
DELETE /api/v1/policies/{policy_id}
SentinelPrime measures what matters:
- Detection → Enforcement Latency: Time from first signal to action
- Blast Radius: How far an attack spreads before containment
- Alert Fatigue: Ratio of alerts to actual incidents
- False Positive Rate: Legitimate activity incorrectly flagged
- Enforcement Accuracy: Correct actions taken vs. incorrect
Safety controls on automated enforcement:
- Fail-Safe Defaults: Dry-run mode enabled by default
- Audit Logging: All enforcement actions are logged
- Rollback Capability: Actions can be reversed if incorrect
- Manual Override: Human operators can override decisions
- Graduated Response: Actions escalate based on confidence
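An added example (not the project's Enforcement Engine) that ties the enforcement actions listed earlier to these safety controls: actions are chosen by a confidence ladder, nothing reaches a connector unless dry-run is switched off, every planned action is audit-logged whether or not it ran, reversible actions can be rolled back, and an operator can veto individual actions. The tier thresholds, action names, connector interface and the sample decision are assumptions of the example.

```python
import time
from dataclasses import dataclass

# Graduated response ladder (thresholds and action names assumed): the highest tier
# whose threshold the decision's confidence reaches is the one applied.
TIERS = [
    (0.95, [("edr", "isolate_endpoint"), ("ztna", "terminate_sessions"), ("ndr", "block_ip")]),
    (0.80, [("ztna", "require_mfa"), ("ndr", "rate_limit"), ("ndr", "capture_traffic")]),
    (0.50, [("ndr", "capture_traffic")]),
]
# Reversible actions and the inverse action that undoes each one.
INVERSE = {"isolate_endpoint": "release_endpoint", "block_ip": "unblock_ip",
           "rate_limit": "clear_rate_limit", "require_mfa": "clear_step_up"}


@dataclass
class AuditEntry:
    ts: float
    decision_id: str
    layer: str
    action: str
    target: str
    dry_run: bool
    executed: bool
    note: str = ""
    rolled_back: bool = False


def plan(confidence):
    """Graduated response: the action set of the highest tier the confidence reaches."""
    for threshold, actions in TIERS:
        if confidence >= threshold:
            return list(actions)
    return []


class EnforcementEngine:
    def __init__(self, connectors, dry_run=True):
        # connectors: layer -> callable(action, target) -> bool; dry_run is the fail-safe default
        self.connectors = connectors
        self.dry_run = dry_run
        self.audit_log = []

    def enforce(self, decision, override=()):
        """Apply the planned actions for a decision; `override` names actions an operator vetoed.
        Every planned action is logged, whether it ran, was vetoed or was held by dry-run."""
        entries = []
        for layer, action in plan(decision["confidence"]):
            entry = AuditEntry(time.time(), decision["id"], layer, action,
                               decision["target"], self.dry_run, False)
            if action in override:
                entry.note = "skipped: manual override"
            elif self.dry_run:
                entry.note = "skipped: dry-run mode"
            else:
                entry.executed = self.connectors[layer](action, decision["target"])
                entry.note = "ok" if entry.executed else "connector failed"
            entries.append(entry)
        self.audit_log.extend(entries)
        return entries

    def rollback(self, decision_id):
        """Reverse every executed, reversible action of a decision, newest first.
        Returns the number reversed; irreversible ones (a terminated session) stay as they are."""
        reversals = []
        for entry in reversed(self.audit_log):
            inverse = INVERSE.get(entry.action)
            if entry.decision_id != decision_id or not entry.executed or entry.rolled_back or not inverse:
                continue
            if self.connectors[entry.layer](inverse, entry.target):
                entry.rolled_back = True
                reversals.append(AuditEntry(time.time(), decision_id, entry.layer, inverse,
                                            entry.target, False, True, "rollback"))
        self.audit_log.extend(reversals)
        return len(reversals)


class RecordingConnector:
    """Stand-in for a real ZTNA/EDR/NDR connector: records calls instead of acting."""
    def __init__(self):
        self.calls = []

    def __call__(self, action, target):
        self.calls.append((action, target))
        return True


def demo(dry_run=True, override=()):
    """Run one constructed high-confidence decision through the engine, then roll it back."""
    connectors = {layer: RecordingConnector() for layer in ("ztna", "edr", "ndr")}
    engine = EnforcementEngine(connectors, dry_run=dry_run)
    decision = {"id": "dec-001", "target": "10.0.5.42", "confidence": 0.97}
    entries = engine.enforce(decision, override)
    reversed_count = engine.rollback(decision["id"])
    calls = [call for conn in connectors.values() for call in conn.calls]
    return entries, reversed_count, calls
```

With the default `demo()` the three top-tier actions are planned and logged but no connector is called; with `demo(dry_run=False)` all three run and the rollback undoes the isolation and the IP block but cannot undo the terminated sessions, which is the reason the audit log records each action individually rather than the decision as a whole.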
SentinelPrime aims to answer:
- Can AI reliably determine intent from security telemetry?
- What is the optimal detection-to-enforcement latency?
- How much can blast radius be reduced with automated response?
- What false positive rate is acceptable for auto-enforcement?
- How do we measure the true cost of security tools?
Planned extensions:
- Federated Learning: Share threat intelligence without sharing data
- Explainable AI: Provide reasoning for enforcement decisions
- Continuous Learning: Adapt to new attack patterns automatically
- Multi-Tenant: Support for multiple organizations
- Threat Hunting: Proactive search through historical data
Related work and reference frameworks:
- Zero Trust Architecture (NIST SP 800-207)
- MITRE ATT&CK Framework
- Kill Chain Methodology
- Graph-Based Security Analytics