JD
Apr 21, 2026

Sentinel: Cyber Security Co-Pilot

A human-in-the-loop incident response system for cloud security that makes incomplete reasoning visible so non-expert operators can make safer decisions.

CybersecurityFastAPINext.jsPythonMachine LearningPostgreSQLMCPMITRE ATT&CKCloud Security
Visit projectView code
Sentinel: Cyber Security Co-Pilot cover image

Overview

Sentinel is a human-in-the-loop incident response system for cloud security.

Most security copilots focus on giving a better answer. Sentinel focuses on making incomplete reasoning visible. For each incident, the system summarizes what happened in plain language, recommends an action, shows alternatives with tradeoffs, and exposes blind spots — evidence that was not checked or could not be checked — so a non-expert operator can make a safer decision.

The product is successful when a non-expert can answer four questions from the UI:

  • What happened?
  • What should I do?
  • What else could I do?
  • Did we check everything?

Built in two days at the National Security Hackathon with a team of non-engineers.

What I worked on

  • Architected the full end-to-end system across five major components: ingestion pipeline, FastAPI backend, Next.js operator frontend, a separate agent service, and a decision-support engine.
  • Built an end-to-end CloudTrail pipeline from raw logs to scored, explainable incidents.
  • Designed a coverage and blind-spot tracking system that flags which evidence categories were checked and which were not, surfaced directly in the operator UI.
  • Implemented a decision-support engine that generates a recommended action, two to three alternatives with tradeoffs, and an incomplete-reasoning warning when key evidence is missing.
  • Built a grounded ReAct-style agent loop that requires the model to load incident context, pull additional evidence, and use structured tools before answering — preventing black-box responses.
  • Integrated an MCP-backed cyber knowledge path that retrieves MITRE ATT&CK tactics, techniques, and mitigations for expert-mode context.
  • Designed an operator UI with two views: a Simple view for non-expert operators and an Expert view exposing raw logs, model evidence, and the full agent reasoning trace.
  • Built a human decision audit trail and automated incident report generation, including PDF export.

Outcome

  • Delivered a working demo within two days at a national security hackathon alongside a team with no prior engineering background.
  • Demonstrated a complete operator workflow from incident ingestion to human decision to audit report.
  • The blind-spot visibility layer is the core differentiator: Sentinel does not just surface a recommendation, it tells the operator what the system does not know.
  • Expert workflow exposes the full ReAct reasoning trace and MCP-backed MITRE context, making the system auditable in a way that generic chatbot layers are not.