The Linux agent that turns every host into an early-warning trap
Sentinel plants tripwires on every Linux host — canary files, fake credentials, and protocol facades on unused ports. When something touches a tripwire, Sentinel reasons over context and responds with bounded, reversible actions. Every verdict ships with a signed proof pack.
Other tools match signatures after compromise. Sentinel creates deliberate attacker contact points, reasons over the signal, and responds with governed actions you can reverse. The only open-source agent with built-in deception and signed proof packs.
What Sentinel Does
Sentinel keeps the deterministic filter thin, then sends the ambiguous cases into a governed reasoning path with audit-ready evidence.
Host Canaries & Facades
Fake credentials, SSH keys, and lightweight services on unused ports. Any contact is a confirmed hostile indicator — high-signal deception events with near-zero noise.
Governed Reasoning
Suspicious events go to a frontier AI model that reasons about context, process lineage, and network behavior — not just pattern matching. Actions are bounded by policy.
Multi-Model Council
Destructive actions escalate to a consensus council of independent frontier AI models. No single model decides alone on critical actions. Council votes and rationale are recorded in every proof pack.
Proof Packs + Reversible Actions
Every verdict is Ed25519 signed with a hash-chained audit journal. Destructive actions can be reversed with one click. Compliance-ready evidence for every decision.
How It Works
Install the agent once, then let Sentinel handle certain cases instantly and reason about everything that needs judgment.
Install in one command
Run a single curl command as root. The agent enrolls with the BlackDome control plane and starts collecting events.
Events flow through a thin filter
Known malware hashes are killed instantly. Known-good processes are logged. Everything else goes to the LLM for reasoning.
The LLM reasons with memory
A frontier AI model analyzes micro-batched incident packets with context from past incidents stored in vector memory. High-severity or ambiguous findings escalate to a 5-model AI council for consensus-driven verdicts.
Actions are governed and signed
Every remediation action (kill, quarantine, block) is signed with Ed25519 and recorded in a tamper-evident journal.
Built For
Teams that need host protection, explainable decisions, and a clear audit trail.
Simple, Transparent Pricing
Start with the open-source agent, then move into managed detection, deception, and enterprise governance when you need it.
Community
Open-source agent with deterministic detection. Self-hosted, no managed control plane.
- Open-source agent
- Three-rule detection filter
- Host canaries & facades
- Event-driven architecture
- Community support
Team
Full governed detection with managed control plane, proof packs, and vector memory. ~$29/host/mo~ $24/host/mo annual. Launch discount from $29.
- Everything in Community
- Governed reasoning with multi-model council escalation
- Vector memory (learns over time)
- Full proof packs & governance
- API access & webhooks
- Email + SMS alerts
- 90-day incident history
- Priority support
Shield
Everything in Pro plus a dedicated network honeypot per subnet with real-time threat correlation. Launch discount — normally $1,250/subnet/mo.
- Everything in Pro
- Network honeypot (13 protocol facades)
- Real-time honeypot -> Sentinel correlation
- Insider threat detection
- Unknown threat behavioral analysis
- 15-second attacker-to-protection
- 180-day incident history
Enterprise
Unlimited hosts, local LLM option, multi-subnet, compliance reporting, and dedicated support.
- Everything in Shield
- Local LLM option (air-gapped)
- Custom security policies
- Voice escalation
- Compliance audit packs
- Dedicated support
- 365-day retention
Protect your servers in under two minutes
Start with the free open-source agent or upgrade to Team for governed reasoning with managed intelligence. One command to install, nothing to configure.