Product · Aethon Sentinel

Security you can explain. Evidence you can verify.

Aethon Sentinel correlates activity across your device fleet, reconstructs incidents, verifies security coverage, and produces tamper-evident evidence for operators, auditors, and insurers.

Windows-first·Desktop console·Headless guardian·Pilot release

Ed25519

Signed evidence, verifiable offline

25–200

Windows endpoints per deployment

Pull-only

Signed command channel · no RCE

Cross-host

Incident reconstruction

The problem

Alerts are not enough.

Most security tools produce more alerts than answers. Aethon Sentinel is built to answer the questions that actually matter after something happens — and to leave you with proof.

See how Sentinel answers them

What actually happened?

Which machines were involved?

Was this one incident or unrelated noise?

Did the attack move across the fleet?

Are our controls detecting known attack patterns?

Can we prove the result after the event?

One security picture

One security picture for the whole fleet.

Sentinel combines endpoint collection, cross-host correlation, fleet health, signed commands, incident records, and verification reports in one operational workflow.

Cross-host incident reconstruction

Connects related authentication events across machines into one explainable incident.

Fleet visibility

Shows which machines are reporting, silent, revoked, protected, or missing verification.

Tamper-evident evidence

Exports signed incident records, reports, and evidence packs that can be verified offline.

Resilient collection

Buffers events locally during outages and catches up later without creating duplicate events.

Controlled fleet management

Uses a pull-only command channel with signed, limited actions and no arbitrary code execution.

Security verification

Runs drills, tracers, and health checks to prove that the monitoring pipeline is functioning.

Shared attack intelligence

Replays anonymized confirmed attack patterns against a tenant's own environment to identify coverage gaps.

Verification ledger

Keeps a running record of drills and checks so you can show coverage was tested — not assumed.

Architecture

A security operations system built around proof.

A desktop-first platform with three deployment roles. Leaves collect and buffer, the guardian correlates and serves the console, and the operator works across tenants.

Client machines

WIN-FIN-04
WIN-FIN-07
WIN-DC-01

Leaf · collect · buffer · heartbeat

buffered events →
← pull-only signed cmds

Per-tenant

Guardian

Dedup · correlate · manage enrollment · serve console

incidents · evidence →

Multi-tenant

Operator

Investigate · shared anonymized attack intelligence

Client machines

Leaf

Runs on client machines. Collects events, buffers data, sends heartbeats, and verifies signed commands.

Per tenant

Guardian

Receives data for one tenant, manages enrolled machines, reconstructs incidents, and serves the operator console.

Multi-tenant

Operator

Manages multiple tenants and controls shared anonymized attack-pattern intelligence.

How it works

From install to signed evidence

1

Install Sentinel on the guardian and client machines.

2

Enroll each machine using a one-time code.

3

Each leaf collects approved security events locally.

4

Events are buffered and sent to the guardian.

5

Sentinel deduplicates and correlates activity.

6

Operators investigate incidents and fleet health.

7

Reports and evidence are exported with Ed25519 signatures.

Telemetry

What Sentinel currently collects

Windows authentication events

Windows failed logons

Invalid-account activity

Windows process-creation events

Linux SSH authentication logs

Fleet heartbeat and delivery health

Tracer events proving the collection pipeline

Process telemetry is currently preserved as evidence and intentionally does not drive incident correlation until it has been validated in real customer environments.

Alerts vs. evidence

The difference is proof.

Sentinel is not another alert stream. It reconstructs, verifies, and preserves — so you can explain what happened and prove it later.

CapabilityAlert-only toolingAethon Sentinel
Cross-host correlationPer-machine alerts, no linkageRelated events reconstructed into one incident
After-the-fact proofScreenshots and copied log filesSigned evidence packs, verifiable offline
Coverage confidenceAssumed to be workingVerified with drills, tracers, health checks
Outage handlingGaps left in the timelineLocal buffering + content-based dedup catch-up
Fleet controlBroad remote access to endpointsPull-only, signed, predefined verbs · no RCE
Pilot footprintAgent + cloud SIEM contractWindows-first, Tailscale, local SQLite

Security architecture

Designed to reduce blind spots.

Sentinel uses several security boundaries so that evidence stays trustworthy and the fleet stays under control.

Leaves initiate communication; they do not accept inbound connections.

Each machine has its own enrollment identity and bearer token.

Tokens are stored hashed on the guardian.

Guardian identity is pinned during enrollment.

Commands are signed with Ed25519.

Commands are limited to predefined operations.

Unknown, expired, replayed, or altered commands are rejected.

Reports and evidence packs include their public key and fingerprint.

Evidence can be verified without contacting Aethon Core.

Event delivery uses buffering and content-based deduplication.

Guardian traffic is currently designed for Tailscale-first deployment.

Honesty statement

Sentinel does not claim to provide absolute security. It provides detection, correlation, verification, and evidence that help organizations reduce risk and respond with greater confidence.

Deployment

Deploy for a pilot. Grow into an operational system.

Sentinel currently supports

  • Desktop operator console
  • Packaged Windows leaf runner
  • Packaged headless guardian
  • Local SQLite operational storage
  • Tailscale-first fleet communication
  • Offline-signed reports and incident records
  • Windows Security event collection

Recommended initial pilot

  • One guardian machine
  • Five to ten client machines
  • One controlled attack simulation
  • One outage and recovery test
  • One revocation and re-enrollment test
  • One signed evidence export
  • Weekly operator review

Current product boundary

The current release is best described as a strong pilot and controlled-fleet security platform, moving toward production readiness. It is not yet equivalent to Microsoft Defender, CrowdStrike, or a fully managed enterprise SIEM.

Who it's for

Built for organizations where security must be defensible.

Sentinel is designed for teams that need more than a stream of alerts.

For security teams

Understand how activity moves across machines and which incidents deserve attention.

For executives

See whether the organization's security pipeline is operating and where blind spots remain.

For auditors and insurers

Export signed records that can be verified independently after the event.

For regulated businesses

Keep monitoring, evidence, and operational history in a controlled environment.

Trust & roadmap

Honest boundaries increase buyer trust.

What ships today, and what is being hardened for production.

Available now

  • Cross-host authentication correlation
  • Windows and Linux event normalization
  • Fleet enrollment and revocation
  • Signed command channel
  • Outage buffering and deduplication
  • Ed25519 evidence signing
  • Guardian runtime
  • Headless guardian package
  • Verification ledger
  • Incident and evidence exports

Production hardening in progress

  • Public TLS and mTLS
  • Windows Service installation and recovery
  • Enterprise RBAC
  • SSO and MFA
  • High availability
  • Remote backup and disaster recovery
  • 200-device scale validation
  • Broader endpoint and cloud telemetry
  • Automated incident response
  • Enterprise update management

Common questions

What buyers ask before a pilot

Is Sentinel an EDR replacement?

Not currently. Sentinel is an explainable security correlation, verification, and evidence platform. It can complement Microsoft Defender, CrowdStrike, or other endpoint controls.

Does Sentinel use AI?

The current shipped product primarily uses deterministic, explainable correlation and verification logic. Experimental statistical detectors exist separately and are not the core packaged product.

Can Sentinel guarantee absolute security?

No security product can guarantee absolute security. Sentinel helps reduce blind spots, improve detection confidence, and preserve verifiable evidence.

Where is data stored?

The current architecture stores operational data on the guardian using SQLite and local event files. Fleet communication is designed around a controlled Tailscale network.

Can the system work during an outage?

Yes. Leaves buffer events locally and retry delivery. The guardian deduplicates catch-up traffic.

Can a compromised guardian execute commands on leaves?

The command system is pull-only and limited to predefined signed verbs. It does not provide arbitrary code execution.

How are reports verified?

Reports and evidence packs contain an Ed25519 signature, public key, fingerprint, and digest. They can be checked offline.

Start with a controlled pilot.

Deploy Sentinel to a small group of machines, validate the event pipeline, simulate an attack chain, and measure whether your organization can detect and explain it.