
SentinelPrime

An AI-driven Security Control Plane unifying Zero Trust Access (ZTNA), Endpoint Detection (EDR), and Network Detection (NDR) into a single automated enforcement loop.


🎯 What is SentinelPrime?

This is not another XDR platform. SentinelPrime answers a harder question that traditional security tools avoid:

"Why does this access, host, or network flow exist — and what is safe to block right now without breaking production?"

Most security platforms excel at detection but fail at decisive, contextual enforcement. SentinelPrime introduces a control-plane-first architecture where:

  • ZTNA is the primary enforcement surface
  • EDR and NDR provide deep runtime context
  • An AI correlation engine reconstructs intent and attack chains
  • Decisions are enforced automatically across identity, endpoint, and network layers

This creates a closed-loop security system instead of alert sprawl.

🏗️ Architecture

        ┌──────────────┐
        │   Identity   │  (Keycloak)
        └──────┬───────┘
               │
        ┌──────▼───────┐
        │     ZTNA     │  (OpenZiti / Pomerium)
        │ Enforcement  │
        └──────┬───────┘
               │
 ┌─────────────▼──────────────┐
 │     AI Control Plane       │
 │  (Correlation + Decisions) │
 └──────┬───────────┬─────────┘
        │           │
 ┌──────▼──────┐ ┌──▼─────────┐
 │     EDR     │ │    NDR     │
 │ (Wazuh /    │ │ (Zeek /    │
 │  osquery)   │ │ Suricata)  │
 └─────────────┘ └────────────┘

🔐 Design Principles

  1. Control Plane > Tool Sprawl – Centralized decisions, distributed enforcement
  2. Intent-Aware Security – Evaluate resources based on why they exist, not just activity
  3. Pre-Access + Post-Access – Combine Zero Trust access control with continuous runtime evaluation
  4. Vendor-Agnostic – Every component is replaceable
  5. Research-First – A reference architecture, not a commercial product

🛠️ Technology Stack

Layer                Component            Technology
Identity & ZTNA      Identity Provider    Keycloak (OIDC, SAML)
                     ZTNA Enforcement     OpenZiti or Pomerium
Endpoint Detection   EDR Framework        Wazuh + osquery
Network Detection    NDR Framework        Zeek + Suricata
AI Control Plane     API Framework        FastAPI (Python)
                     Event Streaming      Kafka / Redpanda
                     Graph Database       Neo4j
                     ML Models            scikit-learn, PyTorch
Observability        Logs & Metrics       Elasticsearch, Prometheus, Grafana

🔁 Closed-Loop Enforcement Flow

  1. Access Request: User/service requests access via ZTNA
  2. Telemetry Collection: Runtime data streams from EDR and NDR
  3. Context Correlation: AI engine correlates identity + host + network context
  4. Risk Assessment: Risk score and intent computed in real-time
  5. Automated Enforcement: Decision enforced automatically:
    • Revoke access via ZTNA API
    • Isolate host via EDR API
    • Block network flow via NDR/firewall
  6. Dynamic Policy Update: Policies adapt based on threat intelligence
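As an added illustration (not SentinelPrime's own code), steps 3 to 5 of this loop in Python: telemetry from the three layers is joined on the host key, a 0-1 risk score is derived from it, and the score is mapped to one concrete action per layer. The event fields, the 0.8 threshold and the protected-host list are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed telemetry from the ZTNA, EDR and NDR layers (not real project output).
EVENTS = [
    {"source": "ztna", "host": "ws-17", "identity": "alice", "resource": "payroll-db"},
    {"source": "edr", "host": "ws-17", "indicator": "credential_dump", "severity": 0.9},
    {"source": "ndr", "host": "ws-17", "dst": "10.0.5.20", "indicator": "smb_lateral", "severity": 0.7},
    {"source": "edr", "host": "ws-02", "indicator": "unsigned_binary", "severity": 0.4},
]

# Assumed operator list: hosts whose isolation would break production get only the
# network-flow block and session revocation, never EDR isolation.
PROTECTED_HOSTS = {"db-01"}

def correlate(events):
    """Step 3: join identity, endpoint and network telemetry on the host key."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    return dict(by_host)

def risk_score(host_events):
    """Step 4: 0-1 score = strongest single detection, plus 0.1 for every extra
    layer that independently corroborates it (EDR and NDR agreeing counts more)."""
    detecting = {ev["source"] for ev in host_events if "severity" in ev}
    base = max((ev["severity"] for ev in host_events if "severity" in ev), default=0.0)
    bonus = 0.1 * max(0, len(detecting) - 1)
    return round(min(1.0, base + bonus), 2)

def decide(host, host_events, threshold=0.8):
    """Step 5: map the score to enforcement actions; below threshold, only monitor."""
    score = risk_score(host_events)
    if score < threshold:
        return score, []
    actions = []
    for ev in host_events:
        if ev["source"] == "ztna":
            actions.append(("ztna", "revoke_session", ev["identity"], ev["resource"]))
        if ev["source"] == "ndr":
            actions.append(("ndr", "block_flow", host, ev["dst"]))
    if host not in PROTECTED_HOSTS:
        actions.append(("edr", "isolate_host", host))
    return score, actions

def run_loop(events=EVENTS):
    """Run steps 3-5 for every host present in the telemetry."""
    return {h: decide(h, evs) for h, evs in correlate(events).items()}
```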

📊 Key Metrics

  • Detection → Enforcement Latency: Time from threat detection to automated response
  • Blast Radius: Number of systems affected before containment
  • Alert Accuracy: Real incidents vs. false positives
  • Policy Effectiveness: Successful access revocations without business impact

🚀 Quick Start

Prerequisites

  • Docker & Docker Compose v2.0+
  • Python 3.11+ (for local development)
  • 8GB+ RAM recommended
  • macOS/Linux (Windows WSL2 supported)

Deploy (5 Minutes)

# Clone the repository
git clone https://github.com/Manoj-engineer/SentinelPrime.git
cd SentinelPrime

# Make scripts executable
chmod +x scripts/*.sh deploy.sh

# Deploy all core services
./deploy.sh

# Check service health
./scripts/status.sh

# Send test events
./scripts/quick-test.sh

Access Dashboards

Service              URL                          Credentials
Control Plane API    http://localhost:8000/docs   No auth (dev mode)
Grafana              http://localhost:3001        admin / sentinelprime
Neo4j Browser        http://localhost:7474        neo4j / sentinelprime
Prometheus           http://localhost:9090        No auth
Kibana               http://localhost:5601        No auth

✅ Implementation Status

🟢 Completed (Core Infrastructure)

  • Control Plane API - FastAPI service with health checks, metrics endpoints
  • Event Ingestion - REST API endpoints for EDR/NDR/ZTNA telemetry
  • Event Streaming - Kafka/Redpanda for real-time event processing
  • Graph Database - Neo4j for attack chain visualization and queries
  • ML Anomaly Detection - Isolation Forest with 10-feature behavioral analysis
  • Risk Scoring Engine - Multi-factor risk calculation (0-1 scale)
  • Correlation Engine - 3 pre-configured rules
  • Metrics Collection - Prometheus with Grafana dashboards
  • Event Storage - Elasticsearch for historical analysis
  • Docker Deployment - Needs to be tested

🟡 Framework Ready (Not Deployed)

EDR Layer

  • ✅ Wazuh adapter code complete
  • ✅ osquery adapter code complete
  • ✅ Installation guides
  • No actual agents deployed

NDR Layer

  • ✅ Zeek scripts complete
  • ✅ Suricata rules complete
  • ✅ Adapter code for event normalization
  • No actual sensors deployed

ZTNA Layer

  • ✅ OpenZiti adapter complete
  • ✅ Pomerium adapter complete
  • ✅ Policy templates
  • No ZTNA service running

🔴 Pending Work

  • Deploy EDR Agents
  • Deploy NDR Sensors
  • Deploy ZTNA Service
  • ML Model Training
  • Enforcement Integration

📁 Repository Structure

SentinelPrime/
├── control-plane/          # AI correlation & decision engine
├── edr/                    # Endpoint Detection & Response
├── ndr/                    # Network Detection & Response
├── ztna/                   # Zero Trust Network Access
├── orchestration/          # Enforcement engine and playbooks
├── experiments/            # Attack simulations
├── scripts/                # Deployment and testing utilities
├── monitoring/             # Prometheus and Grafana configs
├── docs/                   # Architecture and research notes
├── docker-compose.yml      # Full stack deployment
└── deploy.sh               # One-command deployment

🧪 Testing

Run Integration Tests

# Test all layers (EDR, NDR, ZTNA event ingestion)
./scripts/test-all-layers.sh

# Send sample events and verify processing
./scripts/quick-test.sh

# Check Neo4j graph data
docker exec -it sentinel-neo4j cypher-shell -u neo4j -p sentinelprime
> MATCH (n)-[r]->(m) RETURN n, r, m LIMIT 25;

Example Attack Simulation

# Run lateral movement simulation
cd experiments
python lateral_movement.py

# View detected attack chain in Neo4j Browser
# http://localhost:7474

🔬 Research Scope

This project is an academic/research proof-of-concept that:

✅ Demonstrates

  • Feasibility of AI-driven security control planes
  • Cross-domain correlation (identity + endpoint + network)
  • Automated enforcement without human approval
  • Vendor-agnostic architecture patterns
  • Reproducible experiments and datasets

❌ Does NOT

  • Replace enterprise XDR/SIEM products
  • Provide production-ready security agents
  • Include proprietary threat intelligence
  • Offer commercial support or SLAs
  • Guarantee security effectiveness

Use for research, experimentation, and learning only.

📖 Documentation

🤝 Contributing

Contributions are welcome! See CONTRIBUTING.md for guidelines.

Areas of Interest:

  • New correlation rules and ML models
  • Additional EDR/NDR/ZTNA integrations
  • Attack simulations and test datasets
  • Performance optimizations
  • Documentation improvements

📜 License

Apache License 2.0 - See LICENSE for details.

🙏 Acknowledgments

SentinelPrime builds upon excellent open-source projects:

  • Wazuh - HIDS/SIEM platform
  • osquery - SQL-based endpoint visibility
  • Zeek - Network security monitoring
  • Suricata - IDS/IPS engine
  • OpenZiti - Zero Trust networking
  • Neo4j - Graph database
  • FastAPI - Modern Python web framework

📧 Contact

For questions, feedback, or collaboration:


SentinelPrime: An experiment in what security looks like when decisions matter more than dashboards.
