Aegis — Sentel's Autonomous Security Analyst
An AI analyst built into the Sentel Framework. Aegis runs natural-language investigations across your detections and telemetry, and acts as a hands-on investigator on any endpoint where the Sentel IR agent is installed — grounded in real data, never in hallucinations.
Aegis is not a chatbot pointed at your logs. It is a purpose-built security analyst that operates in two distinct modes — environment-wide analysis from the SOC dashboard, and hands-on per-host investigation on any endpoint running the Sentel IR agent.
From the SOC chat, Aegis answers questions like "Which hosts have talked to this IP in the last seven days?" or "Summarize the critical detections from overnight" by querying detection matches, firewall logs, endpoint events, network telemetry, correlated attack chains, and threat-intelligence feeds in parallel. It correlates across sources, presents evidence-backed verdicts, and never invents indicators that aren't in the data.
On the per-host investigation view, Aegis changes posture. It becomes a senior Linux or Windows engineer sitting on a live root or SYSTEM shell: it proposes the next command, the analyst reviews and approves, the IR agent executes it, and Aegis reads the output to decide the next step. Persistence hunts, suspicious-process triage, network-anomaly checks, pre-containment evidence capture — Aegis walks the playbook while the analyst stays in control of every action that touches the endpoint.
Both modes share the same discipline: identify remote infrastructure before labelling it malicious, enumerate persistence surfaces in full rather than age-filtering them, revise the verdict when new evidence contradicts the working hypothesis, and never escalate on a single weak indicator. The result is an analyst you can trust to show its work.
Natural-Language Investigations
Ask in plain English — "any anomalies overnight," "has this IP ever touched our environment," "what is happening on host X" — and Aegis runs the queries, correlates the results, and replies with a structured, analyst-grade summary instead of raw logs or JSON.
Hands-On Endpoint Investigations
On any Linux or Windows host running the Sentel IR agent, Aegis proposes the next shell command, the analyst approves, and the output flows back into the conversation. Persistence sweeps, live process triage, network-anomaly pivots — analyst-led, Aegis-guided, end-to-end.
Grounded, Never Hallucinated
Every IP, hash, count, severity, and timestamp Aegis reports traces back to a real query or command result. If a source returned zero, Aegis says so — it will not invent data to round out a report. Accuracy over completeness, always.
Cross-Source Correlation
Aegis automatically joins detection matches, firewall syslog, endpoint events, network telemetry, correlated attack chains, and third-party threat intelligence. A single question routes to the right data sources and returns one coherent, evidence-backed picture.
Calibrated Confidence
Aegis won't cry wolf. A single weak indicator is flagged as a lead, not an incident. It requires corroboration across independent layers before calling something malicious, and it revises its hypothesis when new evidence contradicts it rather than hedging its way forward.
Environment-Aware by Design
Aegis recognises Sentel's own infrastructure — the IR agent, backend destinations, shell-session markers, re-enrollment workflows — so your own monitoring stack never shows up as a suspected threat. Known-authorized tools and established false-positive patterns are baked into its reasoning.
Audit-Friendly & Safe by Default
Every query, every proposed command, and every returned result is logged. Destructive actions — isolation, process termination, firewall changes — require explicit analyst approval and sufficient corroborating evidence. Aegis proposes containment; a human decides.