Version 26.3.3 — A Project by Anant Suthar
- SOC Dashboard (Vercel): https://sentinel-admin-roan.vercel.app
- API Core: Private Service on Render
- Database: Supabase (AWS ap-southeast-1)
- Real-time Layer: Upstash (Serverless Redis)
- 🛡️ Production Hardening: Strict "Fail-Fast" validation for environment secrets, with an auto-migrator natively integrated for robust Render deployments.
- 🔐 Total Zero-Knowledge E2EE: Sensitive event payloads and organization detection structures are locally encrypted using AES-GCM with PBKDF2 derived keys. The backend only stores ciphertext.
- 📍 High-Fidelity Geo-Intelligence: Advanced multi-layer location resolution (GPS + Cloudflare Headers + Nominatim API) providing exact street-level accuracy and prioritizing real locations over fallback ISP hubs.
- 🧠 Impossible Travel Detection: A high-frequency behavioral module tracking concurrent logins across physically impossible distances utilizing the Haversine formula.
- 💓 High Availability & Uptime: Designed with a Fail-Closed Redis integration, database-degradation hooks into a 503 strategy, and a 10-minute automated Uptime Monitor that guarantees the Render backend stays warm and eliminates cold starts.
Sentinel is a professional-grade, multi-tenant cybersecurity telemetry and monitoring platform built from the ground up. It provides real-time visibility into an organization's security posture by tracking login failures, parsing API request streams, mapping geographic IP origins, and catching brute-force scanners before they breach the perimeter.
Built as a personal full-stack engineering project, Sentinel demonstrates:
- 🔴 Live WebSocket threat streaming — events appear on the SOC dashboard as they happen
- 🔐 Privileged Action Protection — critical settings require admin password re-verification
- 🏢 Single-Admin Lockdown — unique security policy to prevent credential sprawl
- 🧠 Intrinsic Risk Scoring — automated behavioral analysis of every incoming event
- ⚡ BullMQ async processing — high-throughput event ingestion without blocking the HTTP layer
- 🎯 Configurable heuristic engine — 9 pluggable detection rules, togglable and tunable per organization
- 📧 Automated Email Invitations — professional onboarding flow via Brevo Transactional API
- ☁️ Fully Cloud Operational — Live on Render (Backend), Vercel (Frontend), Supabase (DB), and Upstash (Redis).
Data Status: This project is fully connected to a live production database. Administrative activities are tracked in a dedicated audit trail, while security telemetry streams through a high-performance Redis pub/sub layer.
┌─────────────────────────────────────────────────────────────────────────┐
│ SENTINEL PLATFORM v26.3.3 │
│ │
│ ┌─────────────────┐ HTTPS / E2EE ┌────────────────────┐ │
│ │ Vercel │ ◀─── (JWT / API Key) ──▶│ Render / Docker │ │
│ │ (sentinel-v2) │ │ (Sentinel Core) │ │
│ │ Vite + React │ │ Fastify + TS │ │
│ └───────▲─────────┘ └─────────┬──────────┘ │
│ │ │ │
│ │ (Optional Real-time) │ (Critical Path)│
│ ┌───────┴─────────┐ ┌─────────▼───────────┐ │
│ │ Upstash │ ◀─────── /ws ───────────┤ Supabase │ │
│ │ (Redis) │ (Degraded Fallback) │ (PostgreSQL) │ │
│ └─────────────────┘ └─────────────────────┘ │
│ │
│ Mailing: Brevo API (Transactional) │
└─────────────────────────────────────────────────────────────────────────┘
In v26.3.3, Sentinel is engineered for High Availability even if infrastructure components fail.
- Fail-Soft Redis: If Upstash/Redis becomes unreachable, the platform automatically enters Degraded Mode.
- Persistence Priority: Security events are always persisted to Supabase first. Redis is only used for the "Live WebSocket Stream".
- Zero-Block Ingestion: API requests never wait for the broadcast layer, ensuring security ingestion is never delayed by live-monitoring latency.
- Ingest — An attacker hits your corporate portal. The Sentinel SDK/Middleware fires a POST to
/events/log. - Queue — Fastify accepts the payload and pushes it to a BullMQ worker queue.
- Analyse — A background worker runs the event through all 9 active detection rules, computing a
risk_score. - Persist — The scored event is written to Supabase (PostgreSQL).
- Broadcast — Upstash (Redis) publishes the new event and audit logs to open Pub/Sub channels.
- Visualise — The Vercel-hosted SOC Console receives a WebSocket push instantly.
- Live WebSocket Event Stream — Events appear on the SOC dashboard with sub-second latency
- Security Alert Engine — Automatically raises Critical/High/Warning alerts when risk thresholds are crossed
- Risk Score Timeline — Time-series chart of the organization's aggregate risk score
| Rule | What It Catches |
|---|---|
impossible_travel |
Physical login velocity exceeding commercial jet speeds (800km/h) across geographic zones. |
security_tool_detection |
Known scanner User-Agents (Nikto, SQLMap, Masscan, etc.) |
rapid_failed_logins |
Burst of failed auth attempts from a single IP or account |
directory_brute_force |
Rapid probing of enumerable paths (/admin, /.env, etc.) |
distributed_login |
Login failures from many distinct IPs targeting the same account |
password_spraying |
Low-and-slow logins across many accounts from one IP |
fingerprint_campaign |
Systematic path/header probing indicating reconnaissance |
new_device_logon |
Pristine identity authenticating from an un-fingerprinted or anomalous device |
risk_scoring |
Aggregate behavioral risk index across all signal types |
- Signature-Based (The "Bouncer"): Checks against known lists. If a request uses a known hacking tool's User-Agent or requests sensitive file paths, it's instantly flagged.
- Threshold-Based (The "Speed Camera"): Allows normal traffic but blocks IPs that act too fast, such as triggering a 60-request burst within 1 minute or failing 5 logins rapidly.
- Behavioral-Based (The "Detective"): Looks for suspicious patterns over time, such as Credential Stuffing (many IPs attacking one account) or Password Spraying (one IP attacking many accounts slowly).
- Active ITDR Enforcer (The "Gatekeeper"): Evaluates real-time intrinsic risk at the authentication perimeter. If an identity or IP crosses Critical Risk (80+), it strictly enforces a 403 Access Denied. If Elevated (40+), it mandates an MFA Challenge.
- Every API request is logically scoped to an
organization_id - Multiple organizations share one instance with zero data spillage
- Per-org API Key management with configurable rate limits (100–10,000 req/min)
| Role | Capabilities |
|---|---|
org_admin |
Full control — user management, API keys, detection settings, org deletion |
security_analyst |
Manage alerts, read events, view detection config |
viewer |
Read-only access to events and resolved alerts |
- Detection velocity charts
- Top threats summary cards
- Alert status breakdown (Active / Acknowledged / Resolved / Dismissed)
- Live heatmap of event origins
- Email Invitation System — Invite team members with professional HTML templates
- Toggle individual detection rules on/off per organization
- Configurable data retention policies
- Live Management Stream — Separate WebSocket channel for administrative actions
- Full organization-wide audit trail with CSV export
- Invite System — Professional onboarding with custom HTML templates.
- REST API Integration — Uses Brevo's V3 HTTP/REST API for high reliability.
- Asynchronous Delivery — Emails are triggered in the background to ensure no latency for the admin UI.
The legacy sentinel-admin frontend has been fully replaced by sentinel-v2, a modern, fully redesigned SOC dashboard.
| Area | Change |
|---|---|
| Framework | Migrated from CRA to Vite + React 18 + TypeScript |
| Design | Glassmorphism dark theme, Material Icons, custom CSS design system |
| Auth flow | Invite acceptance now auto-logins the new user using the returned JWT (no session bleed from admin cookies) |
| API Key Management | Moved to Organizations page — rate limit selector (100–10,000 req/min), Active/Revoked status indicators |
| Settings Page | Cleaned up: Profile, E2EE toggle, Export Audit CSV, Delete Org (admin-only) |
| Live Events | Fixed event_type display (backend alias type now normalized); server-side type filter; free-text search by identity/IP |
| Detection Logic | All 9 detection modules displayed (was showing only 6) |
| Identity Page | Soft-deleted users (is_active = false) now filtered from the list |
| Alerts | Resolution notes displayed after resolve; Dismiss button hidden for already-resolved alerts |
| RBAC | Danger Zone (Delete Org) restricted to org_admin only in UI |
| Single Admin Policy | org_admin role removed from invite and change-role dropdowns |
| Invite Link | Fixed invite email URL from [REDACTED] to [REDACTED] |
Sentinel exposes a REST API secured by dual-layer authentication.
curl -X POST https://your-sentinel-api.com/events/log \
-H "Content-Type: application/json" \
-H "Authorization: Bearer sk_sentinel_YOUR_KEY_HERE" \
-d '{
"event_type": "login_failure",
"payload": {
"ip_address": "203.0.113.42",
"user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
"email": "attacker@evil.com",
"risk_score": 65
}
}'Sentinel is designed to integrate invisibly into any existing application via a lightweight middleware SDK.
// Example: Integration via Middleware
const axios = require('axios');
function sentinelMiddleware(options) {
const { sentinelUrl, apiKey } = options;
return async function (req, res, next) {
next();
const payload = {
event_type: 'http_request',
payload: {
ip_address: req.ip || '0.0.0.0',
user_agent: req.headers['user-agent'] || 'unknown',
path: req.path,
method: req.method,
}
};
axios.post(`${sentinelUrl}/events/log`, payload, {
headers: {
'Authorization': `Bearer ${apiKey}`,
'Content-Type': 'application/json',
},
timeout: 3000,
}).catch(() => {});
};
}| Layer | Technology |
|---|---|
| Backend | Node.js, Fastify, TypeScript |
| Database | Supabase (PostgreSQL) |
| Cache / Broker | Upstash (Redis / BullMQ) |
| Frontend | React 18, Vite, TypeScript, Vanilla CSS |
| Real-Time | WebSockets (Native) |
| Mailing | Brevo Transactional API |
| Deployment | Render (API), Vercel (Web), Supabase (DB) |
MIT License — see LICENSE for details.