Sentinel. Real-world attacker behavior
A production-grade system for capturing, structuring, and exploring live security telemetry from real attacker activity.
Technical Thesis.
Sentinel treats security telemetry as structured data rather than raw logs. Its architecture is built to capture real attacker behavior, transform it into meaningful signals, and support scalable analysis over time.
Visual_Manifest // Technical_Snapshots
Capturing real attacker behavior in production
Sentinel is powered by a live SSH honeypot deployed in production, capturing real attacker traffic instead of simulated events. This grounding in real behavior shaped both the data model and the UI, ensuring the system reflects how attacks actually unfold.
Modeling security data for analysis, not raw logs
Attacker activity is modeled as structured sessions, events, and commands rather than flat log lines. This enables the frontend to present timelines, summaries, and comparisons without reprocessing raw data on every interaction.

Turning telemetry into readable frontend signals
Backend aggregation transforms noisy telemetry into clear signals such as session duration, command frequency, and geographic distribution. These signals drive calm, readable UI views instead of overwhelming dashboards.

Built for exploration and evolution over time
Sentinel was designed to evolve as data volume and analysis needs grow. Normalized storage, incremental ingestion, and clear system boundaries allow new views and analytics to be added without breaking existing behavior.
Functional Proof.
Detailed logic applied to real-world production needs.
Capturing real-world attacker behavior through live network deception
Tools built on abstract threat feeds or synthetic data make it hard to reason about how real attackers behave. Sentinel deploys a live SSH honeypot to capture authentic attacker interactions, grounding the system in real-world activity rather than simulations.
Technical_Focus
- Live SSH honeypot deployment
- Session-oriented event capture
- Long-running collection of real attacker traffic
Outcome
Built a realistic dataset of attacker behavior that could be explored visually and analyzed over time instead of relying on theoretical threat models.
Transforming raw events into security signals with a real-time ingestion pipeline
Raw honeypot logs are noisy and difficult to interpret directly. Sentinel introduces a real-time ingestion and aggregation layer that transforms low-level events into structured sessions and metrics that frontend views can rely on without reprocessing raw logs.
Technical_Focus
- Event normalization and aggregation
- Session correlation across events
- Derived metrics for frontend consumption
Outcome
Enabled timelines, summaries, and comparisons in the UI without overwhelming users with raw log data.
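As an added, self-contained example (not Sentinel's own code; the event format, field names and risk rule are assumptions, and the input is a constructed sample), this is the shape of the correlation and aggregation step described above: raw JSON-lines events are grouped into sessions, ordered by timestamp so out-of-order delivery cannot corrupt durations, and reduced to the session duration, command frequency, geographic distribution and high-risk source signals the frontend views consume. Sessions that have not closed get no duration rather than a misleading one, and a truncated line is counted and dropped instead of aborting the batch.

```python
"""Added example: correlate raw SSH-honeypot events into sessions and derive
the signals a frontend can render directly. Stdlib only."""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in a generic JSON-lines shape; this is an assumed format,
# not Sentinel's real log schema. It deliberately contains an out-of-order
# event (s2's login is written after its disconnect), a session that never
# closes (s3), and a truncated final line.
RAW_EVENTS = """
{"ts":"2024-05-01T10:00:00Z","session":"s1","type":"connect","src_ip":"203.0.113.5","country":"NL"}
{"ts":"2024-05-01T10:00:02Z","session":"s1","type":"login","src_ip":"203.0.113.5","username":"root","password":"123456","success":true}
{"ts":"2024-05-01T10:00:05Z","session":"s1","type":"command","src_ip":"203.0.113.5","input":"uname -a"}
{"ts":"2024-05-01T10:00:09Z","session":"s1","type":"command","src_ip":"203.0.113.5","input":"cat /proc/cpuinfo"}
{"ts":"2024-05-01T10:00:40Z","session":"s1","type":"disconnect","src_ip":"203.0.113.5"}
{"ts":"2024-05-01T10:01:00Z","session":"s2","type":"connect","src_ip":"198.51.100.7","country":"US"}
{"ts":"2024-05-01T10:01:04Z","session":"s2","type":"disconnect","src_ip":"198.51.100.7"}
{"ts":"2024-05-01T10:01:02Z","session":"s2","type":"login","src_ip":"198.51.100.7","username":"pi","password":"raspberry","success":false}
{"ts":"2024-05-01T10:02:00Z","session":"s3","type":"connect","src_ip":"203.0.113.5","country":"NL"}
{"ts":"2024-05-01T10:02:01Z","session":"s3","type":"login","src_ip":"203.0.113.5","username":"admin","password":"admin","success":true}
{"ts":"2024-05-01T10:02:03Z","session":"s3","type":"command","src_ip":"203.0.113.5","input":"uname -a"}
{"ts":"2024-05-01T10:03:00Z","session":"s4","type":"connect"
"""


def parse_events(raw):
    """Parse JSON lines. Malformed lines are counted and dropped, not fatal:
    a noisy honeypot log must never take the whole batch down with it."""
    events, dropped = [], 0
    for line in raw.strip().splitlines():
        try:
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
        except (ValueError, KeyError):
            dropped += 1
    return events, dropped


def correlate_sessions(events):
    """Group events by session id and order them by timestamp, so out-of-order
    delivery cannot produce negative durations or misplaced commands."""
    grouped = defaultdict(list)
    for e in events:
        grouped[e["session"]].append(e)
    sessions = {}
    for sid, evs in grouped.items():
        evs.sort(key=lambda e: e["ts"])
        closed = any(e["type"] == "disconnect" for e in evs)
        sessions[sid] = {
            "session_id": sid,
            "src_ip": next((e["src_ip"] for e in evs if "src_ip" in e), "unknown"),
            "country": next((e["country"] for e in evs if "country" in e), "unknown"),
            "started": evs[0]["ts"],
            # A duration is only meaningful once the session has actually closed.
            "duration_s": (evs[-1]["ts"] - evs[0]["ts"]).total_seconds() if closed else None,
            "login_success": any(e["type"] == "login" and e.get("success") for e in evs),
            "commands": [e["input"] for e in evs if e["type"] == "command"],
        }
    return sessions


def derive_metrics(sessions):
    """Reduce per-session records to the signals the UI renders; this step
    never looks at raw lines again."""
    vals = list(sessions.values())
    closed = [s["duration_s"] for s in vals if s["duration_s"] is not None]
    per_ip = defaultdict(lambda: {"sessions": 0, "logins": 0, "commands": 0})
    for s in vals:
        p = per_ip[s["src_ip"]]
        p["sessions"] += 1
        p["logins"] += int(s["login_success"])
        p["commands"] += len(s["commands"])
    # Assumed risk rule: a source that authenticated and ran commands, or that
    # keeps coming back, is worth highlighting on the map.
    high_risk = sorted(ip for ip, p in per_ip.items()
                       if (p["logins"] and p["commands"]) or p["sessions"] >= 2)
    return {
        "session_count": len(vals),
        "open_sessions": sum(1 for s in vals if s["duration_s"] is None),
        "avg_duration_s": sum(closed) / len(closed) if closed else 0.0,
        "command_frequency": Counter(c for s in vals for c in s["commands"]),
        "geo_distribution": Counter(s["country"] for s in vals),
        "high_risk_sources": high_risk,
    }


def run(raw=RAW_EVENTS):
    """Full pipeline over one batch: parse, correlate, aggregate."""
    events, dropped = parse_events(raw)
    metrics = derive_metrics(correlate_sessions(events))
    metrics["dropped_lines"] = dropped
    return metrics


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

Run it as a script to print the derived metrics for the sample. The structural point is the boundary between correlate_sessions and derive_metrics: once sessions are materialized, every timeline, summary or comparison can be computed from them, and the raw log is never reprocessed per view.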
Visualizing attack patterns spatially and temporally for rapid threat understanding
Understanding attack behavior requires both spatial and temporal context. Sentinel surfaces this information through interactive visualizations that help users quickly see where attacks originate and how sessions evolve over time.
Technical_Focus
- Geospatial visualization with Mapbox
- Session-based timelines
- High-risk source highlighting
Outcome
Made complex attack patterns readable at a glance, allowing users to spot trends and anomalies without manual log inspection.
Designing for long-term analysis and scale beyond ad-hoc log inspection
Sentinel was designed as a foundation for ongoing analysis rather than a one-off experiment. The system emphasizes durable storage, clear data boundaries, and extensibility so new views and analytics can be added as data volume grows.
Technical_Focus
- Normalized PostgreSQL-backed SIEM schema
- Clear separation between ingestion and presentation
- Forward-compatible data modeling
Outcome
Created a stable base for long-term security analysis while keeping frontend behavior predictable as the system evolves.
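An added example of the storage side (not Sentinel's schema, which the page does not show; written against sqlite3 so it runs offline, with the one PostgreSQL-specific difference noted in a comment): ingestion writes to normalized sessions, events and commands tables keyed on stable ids so that replaying a batch is a no-op, and the frontend reads only views. Keeping the original record in a raw column is what makes the model forward-compatible: a field nobody modeled on day one can still be surfaced later without re-ingesting.

```python
"""Added example: a normalized sessions/events/commands schema with
idempotent incremental ingestion and a separate read-only presentation layer.
The page says Sentinel is PostgreSQL-backed; its actual schema is not shown,
so this layout and the record shape are assumptions."""
import json
import sqlite3

SCHEMA = """
CREATE TABLE sessions (
    id         TEXT PRIMARY KEY,
    src_ip     TEXT NOT NULL,
    country    TEXT,                 -- may be filled in by a later event
    started_at TEXT NOT NULL,        -- earliest event seen for the session
    ended_at   TEXT                  -- NULL while the session is still open
);
CREATE TABLE events (
    id         TEXT PRIMARY KEY,     -- stable event id makes re-ingestion a no-op
    session_id TEXT NOT NULL REFERENCES sessions(id),
    ts         TEXT NOT NULL,
    type       TEXT NOT NULL,
    raw        TEXT NOT NULL         -- original record, so unmodeled fields survive
);
CREATE TABLE commands (
    event_id   TEXT PRIMARY KEY REFERENCES events(id),
    session_id TEXT NOT NULL REFERENCES sessions(id),
    input      TEXT NOT NULL
);
-- Presentation layer: the frontend queries these views, never the raw tables.
-- On PostgreSQL the duration would be EXTRACT(EPOCH FROM ended_at - started_at).
CREATE VIEW session_summary AS
SELECT s.id, s.src_ip, s.country, s.started_at,
       CASE WHEN s.ended_at IS NULL THEN NULL
            ELSE CAST(strftime('%s', s.ended_at) AS INTEGER)
               - CAST(strftime('%s', s.started_at) AS INTEGER) END AS duration_s,
       (SELECT COUNT(*) FROM commands c WHERE c.session_id = s.id) AS command_count
FROM sessions s;
CREATE VIEW command_frequency AS
SELECT input, COUNT(*) AS n FROM commands GROUP BY input ORDER BY n DESC, input;
"""

# Constructed batch (assumed shape). e6 is listed before e5 on purpose, so s2's
# session row is first created from a command event, and s2 never disconnects.
SAMPLE_EVENTS = [
    {"id": "e1", "ts": "2024-05-01T10:00:00Z", "session": "s1", "type": "connect", "src_ip": "203.0.113.5", "country": "NL"},
    {"id": "e2", "ts": "2024-05-01T10:00:02Z", "session": "s1", "type": "login", "src_ip": "203.0.113.5", "username": "root", "password": "123456", "success": True},
    {"id": "e3", "ts": "2024-05-01T10:00:05Z", "session": "s1", "type": "command", "src_ip": "203.0.113.5", "input": "uname -a"},
    {"id": "e4", "ts": "2024-05-01T10:00:40Z", "session": "s1", "type": "disconnect", "src_ip": "203.0.113.5"},
    {"id": "e6", "ts": "2024-05-01T10:02:03Z", "session": "s2", "type": "command", "src_ip": "198.51.100.7", "input": "uname -a"},
    {"id": "e5", "ts": "2024-05-01T10:02:00Z", "session": "s2", "type": "connect", "src_ip": "198.51.100.7", "country": "US"},
]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def ingest(conn, events):
    """Upsert one batch. Ingesting the same batch twice leaves the tables
    unchanged, which is what makes incremental, restartable ingestion safe."""
    for e in events:
        conn.execute(
            "INSERT INTO sessions (id, src_ip, country, started_at) VALUES (?, ?, ?, ?) "
            "ON CONFLICT(id) DO UPDATE SET "
            "started_at = MIN(started_at, excluded.started_at), "
            "country = COALESCE(country, excluded.country)",
            (e["session"], e["src_ip"], e.get("country"), e["ts"]),
        )
        if e["type"] == "disconnect":
            conn.execute("UPDATE sessions SET ended_at = ? WHERE id = ?", (e["ts"], e["session"]))
        conn.execute(
            "INSERT OR IGNORE INTO events (id, session_id, ts, type, raw) VALUES (?, ?, ?, ?, ?)",
            (e["id"], e["session"], e["ts"], e["type"], json.dumps(e)),
        )
        if e["type"] == "command":
            conn.execute(
                "INSERT OR IGNORE INTO commands (event_id, session_id, input) VALUES (?, ?, ?)",
                (e["id"], e["session"], e["input"]),
            )
    conn.commit()


def session_summary(conn):
    cols = ("id", "src_ip", "country", "started_at", "duration_s", "command_count")
    rows = conn.execute(f"SELECT {', '.join(cols)} FROM session_summary ORDER BY id")
    return [dict(zip(cols, r)) for r in rows]


def command_frequency(conn):
    return dict(conn.execute("SELECT input, n FROM command_frequency").fetchall())


def credentials_tried(conn):
    """Forward compatibility in practice: credentials were never given columns,
    yet they can still be surfaced later from the retained raw record."""
    out = []
    for (raw,) in conn.execute("SELECT raw FROM events WHERE type = 'login' ORDER BY ts"):
        rec = json.loads(raw)
        out.append((rec["username"], rec["password"]))
    return out


if __name__ == "__main__":
    db = open_db()
    ingest(db, SAMPLE_EVENTS)
    ingest(db, SAMPLE_EVENTS)  # replaying the batch changes nothing
    for row in session_summary(db):
        print(row)
    print(command_frequency(db), credentials_tried(db))
```

The separation is enforced by convention here (views are the only thing the presentation code names); on PostgreSQL the same boundary can be made a hard one by granting the frontend role SELECT on the views and nothing on the base tables.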
Explicit tradeoff
"Rather than optimizing for real-time alerting or SOC-style dashboards, Sentinel prioritizes accurate session modeling and signal correctness so attacker behavior can be analyzed reliably over time instead of reacting to noisy, short-lived events."