Built for kernel-speed
deterministic security.
Aeon8 Sentinel is a five-layer security platform — from eBPF/XDP packet capture at the kernel path to cryptographically signed audit trails — designed for connected and fully air-gapped production environments.
System Overview
Five-layer detection and response pipeline.
Every layer is independently deployable, auditable, and replaceable — designed around operator control with automation where it helps and human gates where it matters.
L1 · Ingestion Layer
Telemetry Ingestion & Normalization
L2 · Detection Layer
ML Anomaly Detection & Signature Engine
L3 · Correlation Layer
SIEM Correlation & Incident Enrichment
L4 · Response Layer
Autonomous Response & Swarm Propagation
L5 · Observability Layer
Telemetry Export & Audit Trail
Swarm Mesh
QUIC gossip · Sub-ms propagation
Policy sync · Signed evidence
Layer Reference
Architecture layers in depth.
Each layer exposes well-defined interfaces for integration, replacement, and independent scaling.
Ingestion Layer
Telemetry Ingestion & Normalization
All data sources — endpoints, network flows, threat feeds, and cloud telemetry — are normalized and ingested via a structured pipeline before processing.
XDP / eBPF Capture
Kernel-path packet inspection at line rate, zero copy
Endpoint Agent
Rust-native agent with minimal syscall footprint
Network Tap
Passive SPAN port and inline TAP modes
Threat Feed Ingestor
MISP, CSV IOC feeds — fully offline capable
Detection Layer
ML Anomaly Detection & Signature Engine
Dual-path detection: fast-path signature matching runs in sub-microsecond time while the ML pipeline performs deeper behavioral analysis.
ONNX Runtime Inference
Optimized ML models exported to ONNX for CPU-efficient inference
RandomForest Classifier
Behavior-drift scoring tuned on MAWI / CICIDS2017 datasets
JA3/TLS Fingerprinter
Encrypted session classification against C2 pattern library
Signature Engine
Rule-based fast path for known IOCs and YARA patterns
Correlation Layer
SIEM Correlation & Incident Enrichment
Raw detections are collapsed into incidents through MITRE ATT&CK–aligned correlation rules, enriched with GeoIP and threat intelligence context.
Event Correlation Engine
Temporal and causal correlation across signal sources
MITRE ATT&CK Mapper
Technique and tactic mapping for every incident
Offline GeoIP Enrichment
MaxMind-compatible dataset — no SaaS dependency
IOC Cross-Reference
Hash, IP, domain matching against loaded feeds
Response Layer
Autonomous Response & Swarm Propagation
Validated incidents trigger deterministic enforcement actions locally and propagate decisions to peer nodes via encrypted QUIC gossip.
eBPF Policy Enforcer
Inline drop, rate-limit, or redirect without iptables overhead
SOAR Playbook Engine
Declarative playbooks with operator-approval gates
Swarm QUIC Gossip
Sub-millisecond peer propagation across node mesh
Quarantine Orchestrator
Network segmentation and host isolation actions
Observability Layer
Telemetry Export & Audit Trail
Every detection, decision, and enforcement action is recorded with cryptographic signatures to a tamper-evident audit log and exported to your existing stack.
Signed Audit Log
Ed25519-signed action records — chain-of-custody ready
Prometheus / OpenTelemetry
Structured metrics and traces for all pipeline stages
Splunk / Zeek Export
Native adapters for common SOC telemetry pipelines
PostgreSQL Persistence
Structured incident storage with full query capability
Technology Stack
Chosen for performance, auditability, and longevity.
No bloated runtimes. Every dependency is justified by a production requirement.
Kernel Path
Detection Engine
Coordination
Storage
Observability
Delivery
Deployment
Three deployment patterns. One codebase.
Evaluated on a laptop. Deployed in air-gapped critical infrastructure. Same platform.
Docker Compose
Single-host deployment. Ideal for evaluation, staging, and small production environments.
docker pull try2hk/aeon8sentineldocker compose up -dAccess dashboard on :8080Kubernetes / Helm
Multi-node, highly available deployment with horizontal scaling and rolling updates.
helm repo add aeon8 https://charts.aeon8.inhelm install sentinel aeon8/aeon-sentinelkubectl get pods -n sentinelAir-Gapped / Sovereign
Fully disconnected deployment. No mandatory cloud egress. Offline intel feeds, offline GeoIP, and local OCI registry support.
Load OCI image to private registryConfigure offline intel feed pathsDeploy — zero external calls requiredSecurity Design
Security properties of the platform itself.
Designed to be trusted in adversarial environments — including when a node is compromised.
No LLVM Dependency
Rust aya-rs eBPF loader path eliminates the LLVM toolchain from production nodes — reducing attack surface.
Signed Telemetry
Every action record is signed with Ed25519. Chain-of-custody preserved for forensic and compliance workflows.
Zero External Egress
Runs fully disconnected. No mandatory cloud calls, no telemetry callbacks, no license server dependencies.
Least Privilege
Each component runs with minimal Linux capabilities. eBPF programs are verified before loading.
OWASP Top-10 Clean
All API paths are Bandit-audited. Input validation, parameterized queries, and rate limiting on every endpoint.
Operator-Gated Actions
High-impact actions (host isolation, network block) require explicit operator approval when configured.
Get the Platform
Ready to deploy Aeon8 Sentinel?
30-day free trial with architecture onboarding. No credit card required.