How It's Built

Designed for Modern Infrastructure Stacks.

A deep dive into how SentinelStack is architected: layered, composable, and built from the ground up for runtime environments.

System Layers

Five-layer runtime security model.

Layer 1 / Ingestion

Application Layer

Your existing infrastructure with no workload modifications required.

  • Containers
  • Kubernetes Pods
  • VMs
  • Serverless Functions
  • Bare Metal
  • Service Mesh

Layer 2 / Observation

Runtime Telemetry Layer

eBPF probes capture kernel events with minimal CPU overhead and no kernel modules.

  • eBPF Probes
  • Syscall Tracing
  • Network Flows
  • File I/O Events
  • Process Trees

Layer 3 / Intelligence

Detection Engine

Behavioral analysis runs against a continuously updated baseline and detects anomalies in real time.

  • Behavioral ML
  • Anomaly Detection
  • Threat Chain Assembly
  • MITRE Mapping
  • Signal Correlation

Layer 4 / Enforcement

Policy Engine

OPA-native policy evaluation with low latency and Git-backed policy synchronization.

  • OPA Runtime
  • Policy Bundles
  • Auto-remediation
  • Admission Control
  • Drift Detection

Layer 5 / Persistence

Audit and Integration Layer

Tamper-evident audit logs stream to SIEM, ticketing, alerting, and archival systems.

  • Immutable Audit Log
  • SIEM Export
  • Slack / PagerDuty
  • S3 / GCS Archival
  • Compliance Reports

Under the Hood

Built on battle-tested open technologies.

CORE TECH

eBPF Runtime Probes

Extended Berkeley Packet Filter lets SentinelStack instrument the kernel safely with no reboots or workload changes.

  • Overhead: <0.5% CPU
  • Events/sec: 500K+ per node
  • Kernel: Linux 5.4+

POLICY ENGINE

Open Policy Agent

OPA provides a declarative, general-purpose policy language that can be enforced across Kubernetes, APIs, and runtime events.

  • Eval latency: <2ms p99
  • Rules: Unlimited
  • Format: Rego / YAML

STREAM PROCESSING
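To show what OPA-native evaluation of both an admission request and a runtime event can look like, here is an added Rego example; it is not SentinelStack's own policy, and the `input` fields, the `data.baseline` allowlist document and the event shape are assumptions, since the page does not publish its schema. It covers two of the capabilities listed above, admission control and drift detection against the learned baseline, and fails closed for a workload that has no baseline yet.

```rego
package sentinelstack.policy

# Assumed input shape (a placeholder, not SentinelStack's real schema):
#   input.kind    "admission" (Kubernetes AdmissionReview) or "runtime_event"
#   input.request the AdmissionReview request, for admission decisions
#   input.event   {"type": "process_exec", "workload": "...", "binary": "..."}
# Assumed data document, shipped alongside the policy bundle:
#   data.baseline {"<workload>": ["/usr/bin/node", ...]}  learned allowlist

default allow = false

# The request is allowed only when no deny rule produced a reason.
allow {
    count(deny) == 0
}

# Admission control: refuse Pods that ask for a privileged container.
deny[msg] {
    input.kind == "admission"
    input.request.kind.kind == "Pod"
    container := input.request.object.spec.containers[_]
    container.securityContext.privileged == true
    msg := sprintf("container %q requests privileged mode", [container.name])
}

# Drift detection: a process the workload's learned baseline has never seen.
deny[msg] {
    input.kind == "runtime_event"
    input.event.type == "process_exec"
    data.baseline[input.event.workload]
    not baseline_contains(input.event.workload, input.event.binary)
    msg := sprintf("workload %q executed %q, not in its baseline", [input.event.workload, input.event.binary])
}

# A workload with no baseline cannot be judged; fail closed instead of
# silently allowing it.
deny[msg] {
    input.kind == "runtime_event"
    not data.baseline[input.event.workload]
    msg := sprintf("workload %q has no learned baseline", [input.event.workload])
}

# Helper: true when the binary appears in the workload's allowlist.
baseline_contains(workload, binary) {
    data.baseline[workload][_] == binary
}
```

Evaluated locally with `opa eval -d policy.rego -d baseline.json -i event.json 'data.sentinelstack.policy.deny'`, the output is the set of reasons the engine would attach to the audit record.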

Real-time Event Pipeline

The event pipeline processes telemetry at 500K events/sec per node using a custom streaming engine optimized for security signal correlation.

  • Throughput: 10B events/day
  • Latency: <10ms end-to-end
  • Storage: Columnar + TS

Performance

Numbers that matter.

<0.5% CPU overhead

eBPF probe impact per node at 500K events/sec

<2ms policy eval latency

P99 policy evaluation at full load

500K events/sec/node

Sustained telemetry throughput per agent

99.99% uptime SLA

Control plane availability

Deployment Options

Deploy your way.

Docker / Compose

For teams not yet on Kubernetes. Run the agent as a privileged sidecar alongside your Docker workloads.

```bash
# Pull and run the agent
docker pull sentinelstack/agent:latest

docker run --privileged -v /sys:/sys:ro sentinelstack/agent
```

Cloud-managed

Fully managed deployment with zero operational overhead. SentinelStack handles scaling, upgrades, and HA.

```hcl
# Terraform module
module "sentinel" {
  source     = "sentinelstack/aws"
  region     = var.aws_region
  cluster_id = var.cluster
}
```