Sentrilite — Real-Time Threat Detection & Response for Cloud Infrastructure

Sentrilite Runtime Security dashboard showing live process, network, and system call events with risk scoring

Attacks While They Are Happening

Sentrilite watches every process execution, network connection, memory operation, and privilege change on your servers — in real time. The moment something suspicious happens, Sentrilite alerts you or blocks it automatically, before damage is done.

Unlike traditional security tools that look for known malware signatures, Sentrilite detects behaviour — so it catches zero-day attacks, living-off-the-land techniques, and insider threats that signature-based tools miss entirely.

Run the full security check suite on demand to verify your runtime protections cover every attack surface.

▶  Get Started in Minutes

Sentrilite Detects in Real Time

Sentrilite monitors your servers at the operating system level — watching the same events that attackers must interact with to do anything on your system. There is no layer below this. Every attack technique, from initial compromise to data exfiltration, leaves traces that Sentrilite captures.

Process Execution & Shell Spawning

Attackers who gain access to your server almost always start by running commands — spawning a shell, downloading tools, or executing scripts. Sentrilite detects every one.

  • Interactive shell spawning from web servers or databases (post-exploit)
  • Network scanners executed on your servers (reconnaissance)
  • Data transfer tools run unexpectedly (curl, wget — possible exfiltration)
  • Destructive commands (shred, wipe, dd — ransomware precursors)
  • Scripting interpreters invoked with inline commands (fileless attacks)
  • Privilege escalation tools (sudo, pkexec) executed by non-admin users

Privilege Escalation Attempts

Attackers who gain initial access as a low-privilege user will immediately try to escalate to root. Sentrilite detects every privilege change, whether it succeeds or not.

  • User identity changes and escalation to root (setuid, setresuid)
  • Linux capability manipulation — targeted privilege acquisition
  • Process injection via ptrace — attackers reading or writing process memory
  • Kernel module loading attempts — the primary rootkit installation vector
  • Anti-forensics techniques (disabling core dumps, process renaming)
  • Seccomp filter installation — sandboxing security tools

Memory & Shellcode Activity

Advanced attacks run entirely in memory to evade file-based detection. Sentrilite detects memory manipulation patterns used in exploitation — even without any files touching disk.

  • Memory regions made simultaneously writable and executable (shellcode staging)
  • Executable memory allocations from anonymous pages
  • Return-oriented programming (ROP) preparation patterns
  • JIT spray indicators in non-JIT processes

Network & Command-and-Control

After gaining access, attackers establish a command-and-control channel to receive instructions and exfiltrate data. Sentrilite tracks connections and correlates them to detect C2 activity.

  • Inbound connections from unrecognised sources — intruder IP registration
  • Outbound callbacks to known-bad IPs (C2 beacon detection)
  • Raw socket creation — used for network scanning and packet injection
  • Large outbound data transfers — possible bulk exfiltration (>4KB, >1MB)
  • Unexpected new listening services opened on high ports
  • Port hijacking via SO_REUSEPORT (traffic interception)

Surveillance & Credential Theft

Attackers spend time inside your network watching and waiting. Sentrilite detects the surveillance and reconnaissance activity that precedes a major attack.

  • Filesystem watches on /etc/shadow, /etc/passwd, ~/.ssh (credential files)
  • Direct reads of credential files via sensitive path arguments
  • SSH key directory monitoring (key theft detection)
  • Process injection into credential-holding processes
  • Intruder IP tracking — all subsequent activity from a suspicious source is escalated

Container & Namespace Escapes

Containerised environments are not immune. Sentrilite watches for the specific system calls that attackers use to break out of containers and reach the host.

  • Namespace creation and joining (unshare, setns — container escape steps)
  • Root filesystem pivoting (pivot_root — escaping container rootfs)
  • Mounting /proc, /sys, /dev from within a container
  • Unexpected mount operations from non-system processes
  • Process lineage tracking — web server spawning unexpected child processes

Check Coverage — 47 Detection Scenarios

Sentrilite's built-in Security Check runs 47 detection scenarios that verify your runtime protection covers every major attack category. Each scenario triggers the actual system behaviour that attackers use — confirming that Sentrilite detects it correctly on your specific server.

Network Attacks

  • Raw socket / packet crafting (IP_HDRINCL)
  • Port hijacking via SO_REUSEPORT
  • Inbound connection from unknown source
  • Outbound C2 callback to attacker IP
  • Large data transfer (>4KB and >1MB)
  • Unexpected listening service

Process & Execution

  • Interactive shell spawning
  • Network scanner execution (nmap, masscan)
  • Data exfiltration tool execution (curl, wget)
  • Scripting interpreter one-liner (Python -c)
  • Sensitive credential file access (cat /etc/shadow)
  • Destructive command execution (shred)
  • Privilege escalation tool (sudo)

Privilege Escalation

  • ptrace process injection
  • setuid / setgid / setresuid / setresgid
  • Linux capability set manipulation (capset)
  • prctl anti-forensics (core dump disable)
  • prctl process masquerading (rename to [kworker])
  • prctl seccomp filter installation
  • Capability bounding set modification

Memory

  • PROT_WRITE + PROT_EXEC page (shellcode staging)
  • PROT_EXEC anonymous memory (code injection)

Kernel

  • init_module (rootkit load attempt)
  • finit_module (rootkit via file descriptor)
  • delete_module (security module removal)
  • inotify watch on /etc/passwd
  • inotify watch on /etc/shadow
  • inotify watch on ~/.ssh

Container Escape

  • unshare — new UTS/user namespace
  • setns — joining existing namespace
  • pivot_root — root filesystem escape
  • tmpfs mount from container
  • procfs mount (/proc inside container)

Attack Chain Simulation

  • Full intruder lifecycle: accept → C2 callback → shell spawn
  • Correlated multi-event attack session detection
  • Process lineage tracking (parent–child propagation)

Custom Rules — Your Last Line of Defense Against Unpatched CVEs

Not every vulnerability can be patched the same day it is disclosed. Sentrilite's custom rules let you define precise detection and blocking behaviour for specific attack patterns — providing protection even before a patch is available.

Rules are plain JSON, take effect in seconds, and require no server restart or redeployment. Examples of what you can do right now:

  • BLOCK All kernel module load attempts — prevents rootkit installation on any server, regardless of CVE
  • BLOCK Memory pages marked write+execute — stops shellcode injection from any memory corruption exploit
  • BLOCK Namespace operations — container escape prevention independent of Kubernetes version
  • ALERT Shell spawning from web server processes — immediate notification of web application exploitation
  • ALERT Outbound connections to known-bad IPs — C2 detection for malware that has already bypassed perimeter defences
  • ALERT Destructive command execution — ransomware precursor detection
  • ALERT Credential file access — early warning of attacker reconnaissance activity

The Security Check report includes a Suggested Rules section that generates ready-to-use rules based on what was detected in your environment — so you get personalised protection recommendations, not generic advice.

It Works

Sentrilite sits at the operating system level, watching system events as they happen. There is no agent running inside your applications, no network tap, and nothing to configure per-service.

System-Level Monitoring

Sentrilite intercepts process executions, network connections, file accesses, memory changes, and privilege operations at the OS level — giving it visibility that application-level tools cannot match.

Behavioural Risk Scoring

Every event is automatically scored by risk level based on what it does, who is doing it, and in what context. High-risk events trigger immediate alerts. Correlated events build an attack picture in real time.

Automated Response

For confirmed high-risk activity — kernel module loads, shellcode injection, container escapes — Sentrilite can block the action immediately, before it completes. No human-in-the-loop required.

Live Dashboard & Alerts

Every event streams to a live dashboard with full context — process name, PID, user, IP, command arguments, and tags. Filter by severity, type, or any field. One-click PDF reports for compliance and incident review.

Security Check Report

Run the full 47-scenario Security Check on demand to get a comprehensive PDF showing every detection category covered, which fired, and suggested rules to strengthen your posture — all with a Detection Glossary explaining each threat.

Deploy in Minutes

One Docker command on any Linux server and Sentrilite is running. No kernel patches, no reboots, no per-service configuration. Kubernetes DaemonSet deployment available for cluster-wide coverage.