Event-driven Linux host security with governed AI reasoning
Sentinel watches process launches, sensitive file changes, network context, and scheduled safety-net audits. Deterministic cases are handled instantly. Everything else becomes an incident packet that goes to LLM reasoning, comes back as one of a fixed set of verdicts, and drives signed response actions.
Install Command
Run the installer as root on a Linux host after generating an API key from the customer portal.
```bash
curl -sSL -H "Authorization: Bearer YOUR_API_KEY" https://blackdome.ai/api/blackdome/install/sentinel | bash
```

Requirements: Linux host, root access, outbound HTTPS, and a BlackDome API key. Because this pipes a remote script into a root shell, you can also fetch the script to a file with the same header, review it, and run it from there.
After install, open /dashboard/sentinel to review agents, incidents, and approval requests.
Thin deterministic filter, then bounded reasoning
Sentinel is event-driven first. It uses a very small hard-rule layer for the cases it can decide with certainty, and promotes the uncertain cases into the reasoning path.
Immediate event capture
Sentinel watches new processes, sensitive file paths, and audit events instead of waiting for timer-based scans.
Three-rule promotion filter
Processes whose hash is on the known-good list are logged, processes whose hash matches known malware are killed, and connections to hostile IPs are blocked. Everything else is promoted to the reasoning path.
Micro-batched incidents
Related events are grouped into one packet so the model sees a coherent attack story rather than isolated fragments.
Safety-net cadences
Reconciliation and deep audit cycles feed the same incident pipeline for drift, persistence, and package-integrity findings.
Five fixed verdicts
The hot path, cold path, and enterprise submission path all normalize into the same verdict taxonomy so response behavior stays predictable.
| Verdict | Meaning | Typical behavior |
|---|---|---|
| ALLOW | Activity looks benign. | Logged with no actuator action. |
| ALLOW_AND_BASELINE | Legitimate activity that should become future context. | No destructive action, baseline is enriched. |
| HOLD_FOR_ANALYSIS | Sentinel needs more context before it acts. | Continue monitoring and evidence collection. |
| DENY_AND_QUARANTINE | High-confidence malicious behavior. | Bounded response actions such as kill, quarantine, or block. |
| ESCALATE | A human decision is preferred over autonomous action. | Approval or review workflow in the portal. |
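The three-rule filter, the micro-batching of promoted events, and the normalization of every path's output into the five fixed verdicts, written out as an added Python example. This is not BlackDome's agent code: the hash lists, IP list, event shape, the `session` correlation key, and the fail-closed choice of mapping unrecognized model output to ESCALATE are assumptions made for the illustration.

```python
"""Added example: promote-or-decide filter and fixed verdict taxonomy.
Not Sentinel's own code; lists and events below are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Verdict(Enum):
    ALLOW = "ALLOW"
    ALLOW_AND_BASELINE = "ALLOW_AND_BASELINE"
    HOLD_FOR_ANALYSIS = "HOLD_FOR_ANALYSIS"
    DENY_AND_QUARANTINE = "DENY_AND_QUARANTINE"
    ESCALATE = "ESCALATE"


@dataclass(frozen=True)
class Event:
    kind: str                 # "process", "file" or "network"
    host: str
    session: str              # assumed correlation key, e.g. root of the process tree
    pid: int
    sha256: Optional[str] = None
    remote_ip: Optional[str] = None
    path: Optional[str] = None


@dataclass
class Decision:
    verdict: Optional[Verdict]   # None: not decided by the hard rules, promoted instead
    action: Optional[str]        # bounded actuator action, None when only logged
    promoted: bool


# Constructed lists; a real deployment feeds these from the baseline and threat intel.
KNOWN_GOOD = {"3b1f" * 16}
MALWARE = {"dead" * 16}
HOSTILE_IPS = {"203.0.113.7"}   # TEST-NET-3 address, constructed


def hard_rules(ev: Event) -> Decision:
    """Rule 1: known-good hash -> log. Rule 2: malware hash -> kill.
    Rule 3: hostile IP -> block. Everything else is promoted, never silently allowed."""
    if ev.sha256 in KNOWN_GOOD:
        return Decision(Verdict.ALLOW, None, promoted=False)
    if ev.sha256 in MALWARE:
        return Decision(Verdict.DENY_AND_QUARANTINE, f"kill pid {ev.pid}", promoted=False)
    if ev.remote_ip in HOSTILE_IPS:
        return Decision(Verdict.DENY_AND_QUARANTINE, f"block {ev.remote_ip}", promoted=False)
    return Decision(None, None, promoted=True)


def micro_batch(events: List[Event]) -> Dict[Tuple[str, str], List[Event]]:
    """Group promoted events into one packet per (host, session) so the reasoning
    path sees the whole story instead of isolated fragments."""
    packets: Dict[Tuple[str, str], List[Event]] = {}
    for ev in events:
        if hard_rules(ev).promoted:
            packets.setdefault((ev.host, ev.session), []).append(ev)
    return packets


def normalize_verdict(raw: str) -> Verdict:
    """Force any reasoning-path output into the fixed taxonomy. Unrecognized text
    maps to ESCALATE (assumed fail-closed choice) so a malformed reply never
    turns into ALLOW."""
    try:
        return Verdict[raw.strip().upper()]
    except KeyError:
        return Verdict.ESCALATE


def response_action(verdict: Verdict, packet: List[Event]) -> Optional[str]:
    """Map a verdict to the bounded behaviour in the verdict table."""
    if verdict is Verdict.DENY_AND_QUARANTINE:
        pids = sorted({e.pid for e in packet if e.kind == "process"})
        return "kill " + ",".join(map(str, pids)) + "; quarantine files"
    if verdict is Verdict.ESCALATE:
        return "open approval request"
    return None   # ALLOW, ALLOW_AND_BASELINE, HOLD_FOR_ANALYSIS: no actuator action


# Constructed sample events from one host.
SAMPLE = [
    Event("process", "web-1", "s1", 4101, sha256="3b1f" * 16),          # known-good: logged
    Event("process", "web-1", "s2", 4205, sha256="dead" * 16),          # malware hash: killed
    Event("process", "web-1", "s3", 4301, sha256="0c0c" * 16),          # unknown hash: promoted
    Event("file", "web-1", "s3", 4301, path="/etc/cron.d/update"),      # same session: promoted
    Event("network", "web-1", "s3", 4302, remote_ip="198.51.100.9"),    # unknown IP: promoted
    Event("network", "web-1", "s4", 4400, remote_ip="203.0.113.7"),     # hostile IP: blocked
]

if __name__ == "__main__":
    for key, packet in micro_batch(SAMPLE).items():
        verdict = normalize_verdict("deny_and_quarantine")   # stands in for the model reply
        print(key, verdict.value, response_action(verdict, packet))
```

Note what the filter does not do: an unknown hash or an unlisted IP is never treated as safe by the hard rules; it is promoted, and only the reasoning path or a human can turn it into ALLOW.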
Proof packs, approvals, and portal workflow
Sentinel is designed to be aggressive on known-bad cases while staying auditable whenever a destructive action needs traceability or customer approval.
What you see in the portal
1. Enrolled agents with status, health, and recent scan activity.
2. Incident summaries with severity, classification, title, status, and MITRE tags.
3. Pending approvals for actions that need explicit customer confirmation.
What gets signed
1. Verdict submissions can carry proof-pack identifiers into governance records.
2. Executable response envelopes can be signed before the host applies them.
3. The agent journals intent and completion so every action has an audit trail.
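What "signed before the host applies them" and "journals intent and completion" look like in practice, as an added Python example. It is not Sentinel's code and the page does not say which key type or signature algorithm the product uses; the HMAC-SHA256 shared key, the envelope fields (`id`, `host`, `action`, `target`, `expires`, `proof_pack`), the replay set, and the allowed-action list are all assumptions chosen to show the verify-then-apply checks a host-side actuator should make.

```python
"""Added example: verify a response envelope before applying it, with an intent/completion journal.
Not Sentinel's code; key, fields and checks are assumptions."""
import hashlib
import hmac
import json

# Bounded actuator actions from the verdict table; anything else is refused even if signed.
ALLOWED_ACTIONS = {"kill", "quarantine", "block"}

# Constructed shared secret. HMAC-SHA256 stands in for whatever the control plane really uses.
CONTROL_PLANE_KEY = b"constructed-demo-key-not-for-production"


def canonical(envelope: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def sign_envelope(envelope: dict, key: bytes = CONTROL_PLANE_KEY) -> dict:
    """Control-plane side: attach a MAC over the canonical envelope."""
    sig = hmac.new(key, canonical(envelope), hashlib.sha256).hexdigest()
    return {"envelope": envelope, "sig": sig}


def verify_and_apply(signed: dict, host: str, now: float, journal: list,
                     applied: set, key: bytes = CONTROL_PLANE_KEY) -> bool:
    """Host side: verify before acting, journal intent and completion, and refuse
    anything unsigned, mis-addressed, stale, replayed, or outside the bounded set."""
    env = signed.get("envelope", {})
    env_id = env.get("id")
    expected = hmac.new(key, canonical(env), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(signed.get("sig", ""))):
        journal.append(("rejected", "bad signature", env_id))
        return False
    if env.get("host") != host:
        journal.append(("rejected", "wrong host", env_id))
        return False
    if now > env.get("expires", 0):
        journal.append(("rejected", "expired", env_id))
        return False
    if env_id in applied:
        journal.append(("rejected", "replay", env_id))
        return False
    if env.get("action") not in ALLOWED_ACTIONS:
        journal.append(("rejected", "unbounded action", env_id))
        return False
    journal.append(("intent", env["action"], env_id))
    applied.add(env_id)
    # The real agent would drive the actuator here (kill, quarantine or block the target).
    journal.append(("done", env["action"], env_id))
    return True


if __name__ == "__main__":
    journal, applied = [], set()
    env = {"id": "env-1", "host": "web-1", "action": "kill", "target": "pid:4301",
           "expires": 1000.0, "proof_pack": "pp-7"}   # constructed envelope
    good = sign_envelope(env)
    verify_and_apply(good, "web-1", 900.0, journal, applied)            # applied
    verify_and_apply(good, "web-1", 900.0, journal, applied)            # replay, rejected
    tampered = {"envelope": dict(env, action="exec"), "sig": good["sig"]}
    verify_and_apply(tampered, "web-1", 900.0, journal, applied)        # bad signature
    for entry in journal:
        print(entry)
```

The order of checks matters: integrity first, because every later field is only trustworthy once the signature holds; then addressing, freshness and replay; and finally the action allowlist, so that even a validly signed envelope cannot ask the host for something outside the bounded response set. The `proof_pack` field rides along unverified here; in the page's model it is the identifier that ties the action back to the governance record.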
Start with the open-source agent, then add managed intelligence
Install Sentinel on a host in minutes, review detections in the customer portal, and upgrade when you want vector memory, proof packs, and managed control-plane reasoning.