Product · Aethon Sentinel
Security you can explain. Evidence you can verify.
Aethon Sentinel correlates activity across your device fleet, reconstructs incidents, verifies security coverage, and produces tamper-evident evidence for operators, auditors, and insurers.
42
3
1
44
Incident #2291
CROSS-HOSTCredential spray reconstructed across 3 machines
Ed25519
Signed evidence, verifiable offline
25–200
Windows endpoints per deployment
Pull-only
Signed command channel · no RCE
Cross-host
Incident reconstruction
The problem
Alerts are not enough.
Most security tools produce more alerts than answers. Aethon Sentinel is built to answer the questions that actually matter after something happens — and to leave you with proof.
See how Sentinel answers themWhat actually happened?
Which machines were involved?
Was this one incident or unrelated noise?
Did the attack move across the fleet?
Are our controls detecting known attack patterns?
Can we prove the result after the event?
One security picture
One security picture for the whole fleet.
Sentinel combines endpoint collection, cross-host correlation, fleet health, signed commands, incident records, and verification reports in one operational workflow.
Cross-host incident reconstruction
Connects related authentication events across machines into one explainable incident.
Fleet visibility
Shows which machines are reporting, silent, revoked, protected, or missing verification.
Tamper-evident evidence
Exports signed incident records, reports, and evidence packs that can be verified offline.
Resilient collection
Buffers events locally during outages and catches up later without creating duplicate events.
Controlled fleet management
Uses a pull-only command channel with signed, limited actions and no arbitrary code execution.
Security verification
Runs drills, tracers, and health checks to prove that the monitoring pipeline is functioning.
Shared attack intelligence
Replays anonymized confirmed attack patterns against a tenant's own environment to identify coverage gaps.
Verification ledger
Keeps a running record of drills and checks so you can show coverage was tested — not assumed.
Architecture
A security operations system built around proof.
A desktop-first platform with three deployment roles. Leaves collect and buffer, the guardian correlates and serves the console, and the operator works across tenants.
Client machines
Leaf · collect · buffer · heartbeat
Per-tenant
Guardian
Dedup · correlate · manage enrollment · serve console
Multi-tenant
Operator
Investigate · shared anonymized attack intelligence
Leaf
Runs on client machines. Collects events, buffers data, sends heartbeats, and verifies signed commands.
Guardian
Receives data for one tenant, manages enrolled machines, reconstructs incidents, and serves the operator console.
Operator
Manages multiple tenants and controls shared anonymized attack-pattern intelligence.
How it works
From install to signed evidence
Install Sentinel on the guardian and client machines.
Enroll each machine using a one-time code.
Each leaf collects approved security events locally.
Events are buffered and sent to the guardian.
Sentinel deduplicates and correlates activity.
Operators investigate incidents and fleet health.
Reports and evidence are exported with Ed25519 signatures.
Telemetry
What Sentinel currently collects
Windows authentication events
Windows failed logons
Invalid-account activity
Windows process-creation events
Linux SSH authentication logs
Fleet heartbeat and delivery health
Tracer events proving the collection pipeline
Process telemetry is currently preserved as evidence and intentionally does not drive incident correlation until it has been validated in real customer environments.
Alerts vs. evidence
The difference is proof.
Sentinel is not another alert stream. It reconstructs, verifies, and preserves — so you can explain what happened and prove it later.
| Capability | Alert-only tooling | Aethon Sentinel |
|---|---|---|
| Cross-host correlation | Per-machine alerts, no linkage | Related events reconstructed into one incident |
| After-the-fact proof | Screenshots and copied log files | Signed evidence packs, verifiable offline |
| Coverage confidence | Assumed to be working | Verified with drills, tracers, health checks |
| Outage handling | Gaps left in the timeline | Local buffering + content-based dedup catch-up |
| Fleet control | Broad remote access to endpoints | Pull-only, signed, predefined verbs · no RCE |
| Pilot footprint | Agent + cloud SIEM contract | Windows-first, Tailscale, local SQLite |
Security architecture
Designed to reduce blind spots.
Sentinel uses several security boundaries so that evidence stays trustworthy and the fleet stays under control.
Leaves initiate communication; they do not accept inbound connections.
Each machine has its own enrollment identity and bearer token.
Tokens are stored hashed on the guardian.
Guardian identity is pinned during enrollment.
Commands are signed with Ed25519.
Commands are limited to predefined operations.
Unknown, expired, replayed, or altered commands are rejected.
Reports and evidence packs include their public key and fingerprint.
Evidence can be verified without contacting Aethon Core.
Event delivery uses buffering and content-based deduplication.
Guardian traffic is currently designed for Tailscale-first deployment.
Honesty statement
Sentinel does not claim to provide absolute security. It provides detection, correlation, verification, and evidence that help organizations reduce risk and respond with greater confidence.
Deployment
Deploy for a pilot. Grow into an operational system.
Sentinel currently supports
- Desktop operator console
- Packaged Windows leaf runner
- Packaged headless guardian
- Local SQLite operational storage
- Tailscale-first fleet communication
- Offline-signed reports and incident records
- Windows Security event collection
Recommended initial pilot
- One guardian machine
- Five to ten client machines
- One controlled attack simulation
- One outage and recovery test
- One revocation and re-enrollment test
- One signed evidence export
- Weekly operator review
Current product boundary
The current release is best described as a strong pilot and controlled-fleet security platform, moving toward production readiness. It is not yet equivalent to Microsoft Defender, CrowdStrike, or a fully managed enterprise SIEM.
Who it's for
Built for organizations where security must be defensible.
Sentinel is designed for teams that need more than a stream of alerts.
For security teams
Understand how activity moves across machines and which incidents deserve attention.
For executives
See whether the organization's security pipeline is operating and where blind spots remain.
For auditors and insurers
Export signed records that can be verified independently after the event.
For regulated businesses
Keep monitoring, evidence, and operational history in a controlled environment.
Trust & roadmap
Honest boundaries increase buyer trust.
What ships today, and what is being hardened for production.
Available now
- Cross-host authentication correlation
- Windows and Linux event normalization
- Fleet enrollment and revocation
- Signed command channel
- Outage buffering and deduplication
- Ed25519 evidence signing
- Guardian runtime
- Headless guardian package
- Verification ledger
- Incident and evidence exports
Production hardening in progress
- Public TLS and mTLS
- Windows Service installation and recovery
- Enterprise RBAC
- SSO and MFA
- High availability
- Remote backup and disaster recovery
- 200-device scale validation
- Broader endpoint and cloud telemetry
- Automated incident response
- Enterprise update management
Common questions
What buyers ask before a pilot
Is Sentinel an EDR replacement?
Not currently. Sentinel is an explainable security correlation, verification, and evidence platform. It can complement Microsoft Defender, CrowdStrike, or other endpoint controls.
Does Sentinel use AI?
The current shipped product primarily uses deterministic, explainable correlation and verification logic. Experimental statistical detectors exist separately and are not the core packaged product.
Can Sentinel guarantee absolute security?
No security product can guarantee absolute security. Sentinel helps reduce blind spots, improve detection confidence, and preserve verifiable evidence.
Where is data stored?
The current architecture stores operational data on the guardian using SQLite and local event files. Fleet communication is designed around a controlled Tailscale network.
Can the system work during an outage?
Yes. Leaves buffer events locally and retry delivery. The guardian deduplicates catch-up traffic.
Can a compromised guardian execute commands on leaves?
The command system is pull-only and limited to predefined signed verbs. It does not provide arbitrary code execution.
How are reports verified?
Reports and evidence packs contain an Ed25519 signature, public key, fingerprint, and digest. They can be checked offline.
Start with a controlled pilot.
Deploy Sentinel to a small group of machines, validate the event pipeline, simulate an attack chain, and measure whether your organization can detect and explain it.