Runtime v2.4 | Latest

Welcome to SentinelStack Docs

Everything you need to deploy, configure, and get the most out of SentinelStack. Start with the quick start guide or browse by topic in the sidebar.

Quick Start

Deploy the agent and detect your first threat in under 10 minutes.

~10 min

Write a Policy

Create your first runtime policy using OPA-friendly YAML.

~15 min

Connect Slack

Route threat alerts directly to your team's Slack channels.

~5 min

What is SentinelStack?

SentinelStack is a runtime security platform that uses eBPF technology to observe, detect, and enforce security policies across infrastructure without modifying workloads.

Unlike log-first security tools, SentinelStack operates at the kernel layer and gives teams real-time visibility into process, network, and file activity.

Prerequisites: Linux kernel 5.4+ is required for eBPF support. SentinelStack supports EKS, GKE, AKS, and self-managed Kubernetes 1.24+.

Installation

The fastest way to get started is via the Helm chart. This deploys the SentinelStack agent as a DaemonSet so every node in the cluster is instrumented.

1. Add the Helm Repository

bash
# Add SentinelStack Helm repository
helm repo add sentinel https://charts.sentinelstack.io
helm repo update

2. Create the Namespace

bash
kubectl create namespace sentinel-system

3. Install the Agent

bash
helm install sentinel sentinel/runtime-agent \
  --namespace sentinel-system \
  --set apiKey="YOUR_API_KEY" \
  --set cluster.name="production" \
  --set policy.gitopsEnabled=true

The agent self-configures and begins baselining the environment immediately. Expect the first behavioral baseline within 24 hours.

Writing Your First Policy

Policies in SentinelStack are written in YAML with OPA Rego support for complex logic. Policies are evaluated against every runtime event in the environment.

POLICY STRUCTURE

yaml
apiVersion: sentinel.io/v1
kind: RuntimePolicy
metadata:
  name: block-shell-spawn
  namespace: production
spec:
  description: "Block shell execution inside containers"
  action: BLOCK
  severity: HIGH
  match:
    event: PROCESS_EXEC
    process:
      name: ["sh", "bash", "zsh"]
    container:
      running: true

Always test policies in AUDIT mode before switching to BLOCK. Use sentinel policy test against recorded events before deploying.
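
A dry run of the block-shell-spawn policy in audit mode, as an added example that is not SentinelStack code. The matcher semantics, the event field names and the WOULD_BLOCK label are assumptions modelled on the policy's match block, and the events are constructed.

```python
# Added example, not SentinelStack code. Event field names are assumptions
# modelled on the policy's match block, not the product's event schema.
POLICY = {  # the page's block-shell-spawn policy, as a dict
    "action": "BLOCK",
    "match": {
        "event": "PROCESS_EXEC",
        "process": {"name": ["sh", "bash", "zsh"]},
        "container": {"running": True},
    },
}

def ev(kind, proc, running=True):
    return {"event": kind, "process": {"name": proc}, "container": {"running": running}}

# Constructed sample events standing in for recorded runtime events.
EVENTS = [
    ev("PROCESS_EXEC", "bash"),
    ev("PROCESS_EXEC", "nginx"),
    ev("PROCESS_EXEC", "sh", running=False),
    ev("FILE_OPEN", "bash"),
    ev("PROCESS_EXEC", "ash"),  # name not in the policy's list, so not matched
]

def matches(selector, value):
    """dict: every key must match; list: value is one of the entries; else equality."""
    if isinstance(selector, dict):
        return isinstance(value, dict) and all(
            k in value and matches(v, value[k]) for k, v in selector.items())
    if isinstance(selector, list):
        return value in selector
    return selector == value

def dry_run(policy, events, mode="AUDIT"):
    """One decision per event; AUDIT records a hit but never enforces it."""
    out = []
    for e in events:
        if not matches(policy["match"], e):
            out.append("ALLOW")
        else:
            out.append(policy["action"] if mode == "BLOCK" else "WOULD_" + policy["action"])
    return out

if __name__ == "__main__":
    for e, d in zip(EVENTS, dry_run(POLICY, EVENTS)):
        print(f"{d:12} {e['event']:13} {e['process']['name']}")
```

Reviewing the ALLOW rows of an audit run shows which recorded events the rule leaves untouched, which is the information needed before switching the action to BLOCK.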

API Reference

The SentinelStack REST API lets teams manage policies, retrieve events, and configure integrations programmatically.

AUTHENTICATION

bash
curl https://api.sentinelstack.io/v1/events \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json"

| Method | Endpoint | Description |
| --- | --- | --- |
| GET | /v1/events | List runtime events with filters |
| GET | /v1/threats | List detected threat chains |
| POST | /v1/policies | Create a new runtime policy |
| PUT | /v1/policies/:id | Update an existing policy |
| DELETE | /v1/policies/:id | Delete a policy by ID |
| GET | /v1/agents | List all connected agents |