Common questions about SentinelAI, agents, the dashboard, and security monitoring.
SentinelAI is an autonomous AI-powered threat detection and prevention system. It provides real-time endpoint protection through native agents on Windows, Linux, and macOS, all managed from a central Docker-based dashboard. It uses machine learning, heuristic analysis, and optional Bygheart AI integration to detect and respond to threats.
The dashboard runs in Docker (any OS). Native agents are available for Windows (25+ monitors), Linux (16 monitors), and macOS (10 monitors). Each agent is purpose-built for its platform with OS-specific monitoring capabilities.
Yes. The Free tier includes 1 agent, 1,000 events per day, full AI-powered analysis, all 25+ security monitors, the real-time dashboard, and auto-response capabilities. Pro and Enterprise tiers are available for teams managing multiple endpoints.
No. The local ML engine (Stage 1) runs entirely offline and handles the vast majority of detections at 96.5% accuracy. Bygheart AI analysis (Stage 3) is optional and only used for uncertain cases. You can run with --no-ai to disable the Bygheart AI escalation entirely.
No. All data stays between your agents and your self-hosted dashboard. The only external calls are optional integrations you explicitly enable (VirusTotal lookups, Bygheart AI analysis, threat feed checks). You control every integration.
No. Each user account is isolated. When you log in, you only see agents registered with your API key. Other users with their own accounts and API keys see only their own agents and threat data. There is no cross-account visibility.
After starting the Docker stack with docker-compose up -d, open your browser to the dashboard URL (default: http://localhost:8015/dashboard/). Log in with your credentials to view agents, threats, and settings.
Admin users can create new accounts from the Admin Panel in the dashboard. Each user gets their own login, role (Admin, User), and can generate their own API keys for agent registration.
Admin has full access including user management, settings, and all agent data. User can view their own agents, threats, and manage their API keys. Role-based access control ensures proper separation of privileges.
API keys authenticate agents to the dashboard. Go to Settings → API Keys → Create to generate a key. Copy it immediately; it will not be shown again. Set it as the SENTINEL_API_KEY environment variable on the machine running the agent.
The Windows agent runs 25+ concurrent monitors including: process monitoring (mimikatz, encoded PowerShell, reverse shells), network monitoring (port scans, brute force, DDoS), Windows Event Logs, registry persistence, scheduled tasks, USB devices, hosts file, browser extensions, clipboard, DNS queries, PowerShell logging, WMI, DLL injection, named pipes, services, drivers, firewall rules, certificates, Windows Defender, AMSI, ETW, Sysmon, ransomware canary files, and data exfiltration detection.
For full capabilities (firewall control, event log access, service monitoring), yes. The agent works without admin rights but some monitors will have limited functionality. We recommend running as Administrator for complete protection.
The agent is designed to be lightweight. Typical usage is under 2% CPU and 50-100MB RAM. The ML model runs locally and is optimized for minimal resource consumption. Monitoring intervals are configurable if you need to reduce overhead further.
Yes. Each machine runs its own agent instance with the same or different API keys. All agents report to the central dashboard where you can view them in the fleet overview. The Free tier supports 1 agent; Pro supports 5; Enterprise supports 100.
Agents continue monitoring and protecting the endpoint locally. Events are queued and sent to the dashboard when connectivity is restored. The local ML engine and heuristic detection work independently of the dashboard.
Download the latest agent files and replace the existing ones. The agent's learned ML data (ml/models/) persists between updates. Configuration and training data are preserved automatically.
Stage 1 (ML): The local ensemble model (LightGBM + XGBoost + Random Forest) extracts 150+ features and classifies the event. This handles ~95% of detections. Stage 2 (Heuristics): Fallback pattern matching against known malware signatures and suspicious command patterns. Stage 3 (Bygheart AI): For uncertain cases (40-70% confidence), the event is escalated to Bygheart AI for deep analysis and remediation recommendations.
The ML model achieves a 0.2% false positive rate in benchmarks. The autonomous learning system further reduces false positives over time by learning from high-confidence predictions and user feedback.
When enabled, SentinelAI automatically takes action on high-severity threats: blocking malicious IPs via the OS firewall, killing dangerous processes, and quarantining suspicious files. You can configure the severity threshold, enable cooldowns, and maintain an IP whitelist to prevent blocking trusted addresses.
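The three safeguards mentioned above (severity threshold, cooldown, IP whitelist) are easy to get wrong in the order they are checked. This added example, not SentinelAI's own implementation, shows one gate that applies all three before any block_ip / kill_process / quarantine_file action fires; the threat dictionary keys and the policy field names are assumptions.

```python
import ipaddress
import time
from dataclasses import dataclass, field

SEVERITY_ORDER = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class AutoResponsePolicy:
    min_severity: str = "high"          # severity threshold configured in the dashboard
    cooldown_seconds: float = 300.0     # same action on the same target is not repeated within this window
    ip_whitelist: list = field(default_factory=list)   # CIDRs that must never be blocked
    last_action: dict = field(default_factory=dict)    # (action, target) -> monotonic timestamp

    def is_whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(net, strict=False) for net in self.ip_whitelist)

    def decide(self, threat, now=None):
        """Return (action, reason); action is None when no automatic response should fire."""
        now = time.monotonic() if now is None else now
        sev = SEVERITY_ORDER.get(threat["severity"], 0)
        if sev < SEVERITY_ORDER[self.min_severity]:
            return None, "below severity threshold"
        action, target = threat["action"], threat["target"]
        # Whitelist is checked before the cooldown so a trusted address is never blocked
        if action == "block_ip" and self.is_whitelisted(target):
            return None, "target is whitelisted"
        key = (action, target)
        last = self.last_action.get(key)
        if last is not None and now - last < self.cooldown_seconds:
            return None, "in cooldown"
        self.last_action[key] = now
        return action, "auto-response"
```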
The agent deploys hidden honeypot files across the filesystem. If ransomware attempts to encrypt these files, the agent detects it instantly and triggers an immediate alert. This provides early warning before critical files are affected.
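As an added illustration of the canary technique (not the agent's own code), the following deploys decoy files, records a content fingerprint for each, and reports any canary that is overwritten, deleted or renamed; the file names, marker content and scratch-directory demo are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CANARY_CONTENT = b"canary placeholder - never legitimately modified\n"  # constructed marker
DEFAULT_NAMES = ("~$budget.xlsx", ".sync_state.db", "invoice_0001.pdf")  # decoy-looking names

def _fingerprint(path):
    """sha256 + size of a file, or None when it no longer exists under that name."""
    p = Path(path)
    if not p.exists():
        return None
    return {"sha256": hashlib.sha256(p.read_bytes()).hexdigest(), "size": p.stat().st_size}

def deploy_canaries(root, names=DEFAULT_NAMES):
    """Write decoy files under root and return path -> baseline fingerprint."""
    baseline = {}
    for name in names:
        path = Path(root) / name
        path.write_bytes(CANARY_CONTENT)
        baseline[str(path)] = _fingerprint(path)
    return baseline

def check_canaries(baseline):
    """Return [(path, event)] for every canary that was altered since the baseline."""
    alerts = []
    for path, expected in baseline.items():
        current = _fingerprint(path)
        if current is None:
            alerts.append((path, "missing"))    # deleted or renamed (e.g. a .locked suffix)
        elif current != expected:
            alerts.append((path, "modified"))   # content rewritten, as an encryptor would do
    return alerts

def run_demo():
    """Deploy canaries in a scratch directory, simulate tampering, return the alerts."""
    root = tempfile.mkdtemp(prefix="canary-demo-")
    baseline = deploy_canaries(root)
    first, second = list(baseline)[:2]
    Path(first).write_bytes(b"\x00" * 64)       # simulated overwrite with ciphertext
    os.replace(second, second + ".locked")       # simulated rename by an encryptor
    return check_canaries(baseline)

if __name__ == "__main__":
    print(run_demo())
```

A real agent would run check_canaries on a short interval and raise an alert on the first non-empty result, since a single touched canary is enough evidence to act on.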
Every detection is mapped to one or more of 45+ MITRE ATT&CK techniques with confidence scores. This helps security teams understand the full attack chain — from initial access and persistence to lateral movement and exfiltration — using industry-standard terminology.
Yes. From the dashboard, you can queue commands for any connected agent: block_ip, kill_process, quarantine_file, unblock_ip, scan_path, get_system_info, list_connections, and list_processes. Agents poll for commands every 30 seconds.
SentinelAI integrates with VirusTotal (hash, URL, IP, domain lookups), AlienVault OTX, and Abuse.ch feeds (URLhaus, FeodoTracker, ThreatFox, MalwareBazaar). AbuseIPDB is available for IP reputation checking. All integrations are optional and configured via API keys in the dashboard settings.
In the dashboard Settings, enter your Discord webhook URL. SentinelAI sends rich embed messages with threat details, severity, and recommended actions. You can configure the minimum severity level for notifications.
Yes. SentinelAI provides a full REST API. Any application can send threat data to the /api/v1/threats/analyze endpoint. Docker containers can connect via host.docker.internal. Generic webhooks with HMAC signatures are available for outbound notifications.
Yes. The Docker stack includes a Snort connector that ingests Snort IDS alerts and feeds them into the SentinelAI threat analysis pipeline. Snort alerts appear in the dashboard alongside agent-detected threats.
Dashboard: Docker Desktop, 2GB RAM minimum, 1GB disk space. Agents: Python 3.10+, 100MB RAM, administrator/root access recommended. The dashboard runs FastAPI + PostgreSQL + Redis in Docker containers.
The dashboard is designed for Docker deployment for simplicity and isolation. You would need to manually set up FastAPI, PostgreSQL, and Redis if running without Docker. We recommend Docker for the easiest setup experience.
By default, the dashboard listens on the configured port (default 8015). For remote access, you can expose it through a reverse proxy (like ProxyStack) with TLS termination. We strongly recommend HTTPS for any remote access.
The PostgreSQL database stores all threat data, user accounts, and agent registrations. Back up the database using standard PostgreSQL tools (pg_dump). Agent ML models are stored locally in ml/models/ on each endpoint.