Autonomous cloud security posture remediation with reinforcement learning.
PPO-trained agent learns optimal remediation strategies.
GNN blast radius prediction prevents cascading failures.
SENTINEL — Real-time security posture monitoring and autonomous remediation dashboard
- Overview
- Features
- Architecture
- RL Pipeline
- Quick Start
- Project Structure
- Tech Stack
- Contributing
- License
SENTINEL is a next-generation cloud security posture management (CSPM) system that uses reinforcement learning to autonomously detect, prioritize, and remediate cloud misconfigurations -- while predicting blast radius with graph neural networks to prevent cascading failures.
- 50+ CIS Benchmark Rules -- S3, IAM, EC2, RDS, CloudTrail, VPC, Lambda, KMS
- PPO Reinforcement Learning -- learns optimal remediation strategies via Stable Baselines3
- GNN Blast Radius Prediction -- Graph Attention Networks predict cascading failure risk
- LocalStack Digital Twin -- safely simulate remediations before production changes
- Real-time Compliance Scoring -- CIS, SOC 2, HIPAA framework tracking
- CloudTrail Temporal Analysis -- detect configuration drift and anomalous changes
- React Security Dashboard -- live compliance gauges, RL training curves, D3 dependency graphs
```
SENTINEL — System Architecture
============================================================================
+------------------+     +---------------------+     +-------------------+
|   AWS Account    |     |   CIS Benchmark     |     |   CloudTrail      |
|   (Production)   |---->|   Scanner Engine    |---->|   Temporal        |
|                  |     |   (50+ Rules)       |     |   Analysis        |
+--------+---------+     +---------+-----------+     +---------+---------+
         |                         |                           |
         v                         v                           v
+--------+---------+     +---------+-----------+     +---------+---------+
|   LocalStack     |     | Finding Aggregator  |     |  Drift Detection  |
|   Digital Twin   |<----| & Severity Scorer   |---->|  & Trend Engine   |
|   (Mirror Env)   |     +----------+----------+     +-------------------+
+--------+---------+                |
         |                          v
         |               +----------+----------+
         |               |  Gymnasium RL Env   |
         |               |                     |
         |               | State: resource cfg |
         |               |   + dependencies    |
         |               | Action: remediation |
         |               | Reward: fix/break   |
         +-------------->|   penalties         |
         |               +----------+----------+
         |                          |
         |                          v
         |               +----------+----------+
         |               |   PPO Agent (SB3)   |     +-------------------+
         |               |                     |     | GNN Blast Radius  |
         |               |  Policy Network     |<--->|   Predictor       |
         |               |  Value Network      |     |  (PyG / GAT)      |
         |               +----------+----------+     +--------+----------+
         |                          |                         |
         v                          v                         v
+--------+---------+     +----------+----------+     +---------+---------+
|  Health Check    |     | Safe Remediation    |     | Dependency Graph  |
|  Validation      |<----| Executor            |---->| Builder           |
+------------------+     +----------+----------+     +-------------------+
                                    |
                                    v
                         +----------+----------+
                         |    Compliance       |
                         |    Scoreboard       |
                         | (CIS / SOC2 / HIPAA)|
                         +----------+----------+
                                    |
                                    v
                  +-----------------+------------------+
                  |          FastAPI Server            |
                  |  /scan  /train  /remediate  /score |
                  +----------------+-------------------+
                                   |
                                   v
                  +----------------+-------------------+
                  |       React Dashboard (Vite)       |
                  |                                    |
                  |  [Compliance Gauges]  [RL Curves]  |
                  |  [Blast Radius D3]    [Timeline]   |
                  +------------------------------------+
```
```
Reinforcement Learning Loop
============================================================================
+------------+       +-----------+       +-------------+       +----------+
|  Observe   |       |  Select   |       | Execute in  |       | Compute  |
|  Cloud     |------>|  Action   |------>| Digital     |------>| Reward   |
|  State     |       |  (PPO)    |       | Twin        |       | Signal   |
+-----+------+       +-----------+       +------+------+       +-----+----+
      ^                                         |                    |
      |                                         v                    |
      |                                  +------+------+             |
      |                                  |   Health    |             |
      |                                  |   Check     |             |
      |                                  +------+------+             |
      |                                         |                    |
      +-------------------<---------------------+----------<----------+
                                Update Policy

Rewards:
  +1    per finding fixed
  -10   per healthcheck failure (service degradation)
  -100  per outage (critical service down)
  +0.5  compliance score improvement bonus
  -0.1  per step (encourage efficiency)
```
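The reward values above, worked through on one toy episode to show why a fix-everything policy scores far worse than one that skips remediations with predicted breakage. This is an added example, not SENTINEL's own code: `ToyTwin`, the sample findings and both hand-written policies are constructed stand-ins (no PPO or GNN involved), and the compliance bonus is assumed to be a flat +0.5 on any step that raises the score.

```python
from dataclasses import dataclass, field

# Reward constants copied from the README's "Rewards" list.
R_FIXED, R_HEALTH_FAIL, R_OUTAGE, R_COMPLIANCE, R_STEP = 1.0, -10.0, -100.0, 0.5, -0.1

@dataclass
class ToyTwin:
    """Constructed stand-in for the digital twin (not SENTINEL's environment)."""
    breaks: dict    # finding id -> services whose health check fails after the fix
    critical: set   # services whose failure counts as an outage
    fixed: set = field(default_factory=set)

    def compliance(self):
        return len(self.fixed) / len(self.breaks)

    def step(self, finding):
        """Execute one remediation, run the health check, return (reward, info)."""
        if finding in self.fixed:            # repeated action: only the step cost
            return R_STEP, {"degraded": [], "outages": []}
        before = self.compliance()
        self.fixed.add(finding)
        failed = self.breaks[finding]        # health check result in the twin
        outages = [s for s in failed if s in self.critical]
        degraded = [s for s in failed if s not in self.critical]
        reward = R_STEP + R_FIXED
        reward += R_HEALTH_FAIL * len(degraded) + R_OUTAGE * len(outages)
        if self.compliance() > before:       # assumption: flat bonus per improving step
            reward += R_COMPLIANCE
        return reward, {"degraded": degraded, "outages": outages}

# Constructed sample findings; names and dependencies are illustrative only.
SAMPLE = {
    "s3-public-acl": [],
    "sg-open-ssh": ["bastion"],
    "iam-wildcard-policy": ["payments-api"],
    "rds-no-encryption": [],
}

def run_episode(policy):
    """Return the total episode reward for a policy(finding, twin) -> bool."""
    twin = ToyTwin(breaks=dict(SAMPLE), critical={"payments-api"})
    total = 0.0
    for finding in SAMPLE:
        if policy(finding, twin):
            total += twin.step(finding)[0]
    return round(total, 1)

fix_everything = lambda finding, twin: True
# Stand-in for a blast-radius predictor: skip fixes with any predicted breakage.
blast_aware = lambda finding, twin: not twin.breaks[finding]
```

With these values a single outage outweighs every finding the episode could fix, so an agent trained on this signal is pushed to leave risky remediations alone rather than maximise the fix count.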
```bash
# Install
pip install -e ".[dev]"

# Start LocalStack digital twin
make twin-up

# Run CIS benchmark scan
sentinel scan --profile default --output json

# Train the PPO agent
sentinel train --episodes 1000 --env cloud-security-v1

# Start the API server (0.0.0.0 listens on all network interfaces)
sentinel serve --host 0.0.0.0 --port 8000

# Launch the dashboard
make dashboard
```

```
sentinel/
  src/sentinel/
    scanner/       # CIS benchmark scanning engine
    agent/         # RL agent (Gymnasium env, PPO, rewards)
    twin/          # LocalStack digital twin
    blast/         # GNN blast radius prediction
    compliance/    # Framework-specific scoring
    api/           # FastAPI server
  dashboard/       # React + Vite frontend
  ml/              # Training scripts
  deploy/          # Docker, CI/CD
  tests/           # Test suite
```
| Layer | Technology |
|---|---|
| RL Agent | Stable Baselines3, Gymnasium, PyTorch |
| GNN | PyTorch Geometric (GAT) |
| Cloud | boto3, LocalStack |
| API | FastAPI, Uvicorn |
| Dashboard | React, Vite, Recharts, D3.js |
| Compliance | CIS AWS Benchmark v3.0, SOC 2, HIPAA |
Contributions are welcome! Please read the Contributing Guide for details on our development workflow, coding standards, and how to submit pull requests.
Please review our Code of Conduct before participating.
This project is licensed under the MIT License -- see the LICENSE file for details.