Security & Compliance
SentienGuard uses least-privilege access, outbound-only communication, and immutable audit logging. Here is exactly how we protect your infrastructure and generate compliance evidence. Complete architecture transparency for security teams who need to verify before trusting.
Zero Trust
Outbound-only agents
No inbound ports required
Immutable Logs
S3 Object Lock
6-year tamper-proof retention
99.5% Reduction
Audit prep time
200 hours → 1 hour (SOC 2)
Five layers of security from data collection to execution.
Agent (Your VPC) --TLS 1.3--> Control Plane
Firewall Policy:
- Outbound 443 only
- No inbound ports required{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["ec2:DescribeInstances", "ec2:StartInstances", "ec2:StopInstances", "cloudwatch:GetMetricStatistics"],
"Resource": "*"
}]
}{
"incident_id": "inc_2026_02_10_1435",
"duration_seconds": 87,
"playbook": "disk_cleanup_prod_db",
"approved_by": "john.chen@company.com",
"verification": "PASS",
"signature": "SHA256:a3f2bc1d...",
"immutable": true
}Outbound-only architecture eliminates the inbound attack surface entirely. No listening ports, no firewall exceptions, no DDoS vectors.
Agent listens on ports 8125/UDP (StatsD), 9090/HTTP (config), 443/HTTPS (control). Control plane pushes config to agents.
–Inbound attack surface (ports exposed to network)
–Service IP allowlist maintenance (IPs change)
–If monitoring service compromised → can push malicious config
–Port scanning vulnerability (8125, 9090 discoverable)
–DDoS vector (flood StatsD port)
# Required firewall rules (traditional):
Allow INBOUND from monitoring-vendor-ip-range
Allow INBOUND port 8125/UDP (StatsD metrics)
Allow INBOUND port 9090/HTTP (config push)
Allow INBOUND port 443/HTTPS (control plane)Agent has NO listening ports. Initiates outbound HTTPS. Pulls config (agent asks). Pushes metrics (agent sends).
+Zero inbound attack surface (no ports listening)
+Simple firewall policy (one outbound destination)
+If control plane compromised → cannot push to agents
+No port scanning vulnerability (nothing to discover)
+Works with strictest firewall policies (egress-only)
# Required firewall rules (SentienGuard):
Allow OUTBOUND to ingest.sentienguard.com:443
# That's it. Zero inbound rules needed.1. Config pull (every 30s)
Agent → HTTPS GET → /api/v1/config
Control plane CANNOT initiate this connection. Agent decides when to pull.
2. Metric push (every 30s)
Agent → HTTPS POST → /api/v1/metrics
Control plane receives data passively. Agent decides what/when to send.
3. Playbook execution (on-demand)
Agent detects anomaly locally → requests playbook → verifies signature → executes locally
Control plane never executes on agent’s behalf. Agent validates signature before execution.
Threat modeling and mitigations for common attack vectors.
An attacker gets host-level access and attempts binary/config tampering.
Mitigations
Detection
An attacker tries to intercept or inject traffic between agent and control plane.
Mitigations
Detection
Cloud or SSH credentials are targeted for unauthorized API calls.
Mitigations
Detection
A privileged actor uploads unsafe playbook actions.
Mitigations
Detection
Authorized user attempts destructive approvals.
Mitigations
Detection
Compromised dependency or build output introduces malicious logic.
Mitigations
Detection
Worst-case scenario: sophisticated attacker gains full access to SentienGuard's control plane infrastructure.
–Infrastructure metadata (hostnames, IP addresses, metrics)
–Playbook library (YAML files, not secrets)
–User email addresses (account info)
–Incident history (which hosts had which incidents)
+Your cloud credentials (IAM roles, not stored by us)
+Your application data (not collected)
+Your database passwords (not in our system)
+Your SSH keys (agents use IAM, not keys)
+Your audit logs (stored in YOUR S3 bucket)
Confirmed losses
Prevented by architecture
Recovery time: <1 hour (rotate tokens, verify logs, resume). Conclusion: Outbound-only architecture reduces breach impact 90% vs traditional monitoring.
From 250 hours of manual evidence gathering to 25 minutes of automated exports. Real numbers from production deployments.
Week 1 (20 hrs): Export CloudTrail logs (847 GB), SSH logs from 500 servers, DB audit logs, K8s audit logs. Total: 1.2 TB raw logs.
Week 2 (20 hrs): Parse logs (grep, awk, scripts). Correlate across systems. Create spreadsheet: 12,847 access events. Format PDF (247 pages).
Remediation (10 hrs): 147 SSH sessions missing approval. 23 DB changes undocumented. 8 servers with no audit logs (logging failed).
Cost: 50 hours \u00D7 $80/hr = $4,000
Assessor finding: "Logging gaps on 8 servers" (minor finding)
Step 1\u20134: Dashboard \u2192 Reports \u2192 Compliance \u2192 SOC 2. Select date range. Select criteria: CC6.1. Click "Generate Evidence Package."
Output (2 min processing): soc2_cc6_1_evidence.pdf (1,247 pages), CSV (12,847 rows), executive summary (4 pages).
Evidence includes: All infrastructure access, complete audit trail, RBAC approvals with timestamps, verification results, 100% coverage.
Cost: 5 min \u00F7 60 \u00D7 $80 = $6.67
Assessor finding: None (zero gaps, 100% logging coverage)
| Task | Manual (Before) | Automated (After) | Savings |
|---|---|---|---|
| Evidence gathering | 40 hours | 5 minutes | 99.8% |
| Remediation | 10 hours | 0 hours | 100% |
| Total time | 50 hours | 5 minutes | 99.8% |
| Cost | $4,000 | $6.67 | 99.8% |
| Audit findings | 1 (logging gaps) | 0 | 100% |
| Assessor review time | 8–12 hours | 2–4 hours | 67% |
| Framework | Before | After | Savings |
|---|---|---|---|
| SOC 2 Type II | $20,000 | $20 | $19,980 |
| HIPAA | $24,000 | $80 | $23,920 |
| PCI-DSS | $16,000 | $40 | $15,960 |
| Total | $60,000 | $140 | $59,860 |
750 hours/year freed (18.75 work weeks of strategic work instead of evidence gathering)
Complete secure installation process with GPG verification, least-privilege execution, systemd hardening, and SELinux confinement.
# Download agent binary and signature
curl -O https://releases.sentienguard.com/agent/v1.4.2/sentienguard-agent-linux-amd64
curl -O https://releases.sentienguard.com/agent/v1.4.2/sentienguard-agent-linux-amd64.sig
curl -O https://releases.sentienguard.com/agent/v1.4.2/SHA256SUMS
# Import GPG public key
curl https://releases.sentienguard.com/gpg-key.asc | gpg --import
# Output: key 1E2F3A4B5C6D7E8F: "SentienGuard Release Signing Key" imported
# Verify key fingerprint (CRITICAL)
gpg --fingerprint releases@sentienguard.com
# Expected: 4F3E 2A8B 9C1D 5E6F 7A8B 9C0D 1E2F 3A4B 5C6D 7E8F
# If fingerprint DOES NOT match → DO NOT PROCEED (MITM attack)/proc/* (system metrics)
/sys/* (hardware info)
/var/log/* (log files)
/etc/sentienguard/* (own config)
/etc/* (ProtectSystem=strict)
/usr/* (system binaries)
/home/* (ProtectHome=true)
/root/* (root home)
Detailed answers to the questions CISOs, security architects, and compliance officers ask during evaluation.
No, by design. Agents execute playbooks (YAML files) that define allowed commands. Playbooks are cryptographically signed (GPG) and validated before execution. Agents reject unsigned playbooks. RBAC controls which playbooks can run in which environments.
# Allowed (in playbook):
- action: sql_query
query: "SELECT pg_terminate_backend(pid) FROM pg_stat_activity..."
# Blocked (not in playbook):
$ sentienguard-agent execute "rm -rf /"
ERROR: Command not in approved playbook. Execution blocked.
Logged: Unauthorized execution attempt by user:admin@company.comCredentials are short-lived (15-minute expiry). Stolen credentials expire before attacker can use them. IP-based anomaly detection flags unusual locations. MFA required for sensitive actions. Admin can revoke all sessions immediately.
We do not currently operate a bug bounty program. To report vulnerabilities, email security@sentienguard.com. We acknowledge reports within 48 hours, provide status updates every 7 days, and target coordinated disclosure 90 days after fix. We credit researchers in security advisories if desired.
No security breaches to date (as of February 2026). Quarterly transparency reports published. Q2 2025: 1 vulnerability disclosed (XSS in dashboard, patched in 8 days). All other quarters: 0 incidents. If breach occurs: public disclosure within 72 hours, customer notification within 24 hours.
Network monitoring + payload inspection. Capture all agent traffic with tcpdump, analyze in Wireshark. We provide automated analysis tool (verify_agent_traffic.py). Contract includes data minimization clause—collecting data outside documented scope is breach of contract.
# Capture all SentienGuard traffic
sudo tcpdump -i any -w sg-traffic.pcap host ingest.sentienguard.com
# Automated analysis
python verify_agent_traffic.py sg-traffic.pcap
# Output:
[PASS] Direction: 100% outbound-initiated
[PASS] Encryption: TLS 1.3 (A+ rating)
[PASS] Destinations: ingest.sentienguard.com only
[PASS] Payload pattern: Metrics (30s interval, ~4KB)
[PASS] VERDICT: Compliant (no data exfiltration)Yes, Enterprise plan includes on-premise control plane. Options: AWS (CloudFormation in air-gapped VPC, ~$2K/mo), on-premise (Kubernetes Helm chart, 16 CPU/64GB RAM), or AWS GovCloud (FedRAMP Moderate, Q4 2026).
No, but it complements. SIEM handles security event correlation and threat hunting. SentienGuard handles infrastructure incident response and compliance logging. Integration: SentienGuard exports audit logs to your S3, SIEM ingests for unified view.
Yes, with read-only access. Create auditor user with "Auditor" role (read-only, no execution). Grant 30-day access (expires automatically). Auditors can review audit logs, compliance reports, RBAC policies, and playbook library.
Customer-configurable: 2–7 years (default 6 years for HIPAA). Stored in YOUR S3 bucket with Object Lock (COMPLIANCE mode). Cost: ~$0.023/GB/mo standard, ~$0.004/GB/mo after 2 years (Glacier Deep Archive).
Generate evidence auditors need. We do not certify you, we help make compliance easier.
What SentienGuard Provides
What You Still Need
What SentienGuard Provides
What You Still Need
What SentienGuard Provides
What SentienGuard Provides
What SentienGuard Provides
What SentienGuard Provides
Incident response phases and communication commitments.
Phase 1
Phase 2
Phase 3
Phase 4
Hypothetical dependency CVE case: detected at 08:15 UTC, patched by 10:00 UTC, affected customers notified and agent updates verified by 11:00 UTC.
Email: security@sentienguard.com
We appreciate responsible disclosure and commit to:
We do not currently operate a bug bounty program.
Coordinated disclosure target: 90 days after fix.
Documented controls, recurring review cadence, and measurable outputs for audit readiness.
Documented controls, recurring review cadence, and measurable outputs for audit readiness.
Documented controls, recurring review cadence, and measurable outputs for audit readiness.
Documented controls, recurring review cadence, and measurable outputs for audit readiness.
Documented controls, recurring review cadence, and measurable outputs for audit readiness.
Documented controls, recurring review cadence, and measurable outputs for audit readiness.
What We Collect
Why: Detect anomalies and target remediation correctly.
Retention: Metrics 90 days, logs 2 years default.
Access: Your team; limited support access by approval.
What We Collect
Why: Provide immutable accountability and access-control evidence.
Retention: 2 years default, extendable.
Access: Your admins and audit exports.
What We Collect
Why: Data minimization lowers privacy and breach risk.
Retention: Not collected.
Access: Not applicable.
Zero-trust architecture with outbound-only agents, immutable audit logs, and defense-in-depth security controls. Download our security whitepaper for complete threat modeling, or schedule a call with our security team.
Outbound-only (zero inbound attack surface)
Non-root execution (SELinux, Seccomp)
Immutable logs (S3 Object Lock, 6-year)
Compliance automation (99.5% reduction)
No security breaches to date (Feb 2026). Quarterly transparency reports published. Responsible disclosure: security@sentienguard.com.
Last updated: February 12, 2026 • Questions: security@sentienguard.com