SENTINEL CORE · v8.3.1
DOSSIER № 002 / PLATFORM

Built for the adversary that doesn't sleep.

The platform is three things working in concert: an inference engine trained on twelve years of attack telemetry, a four-layer defense architecture deployed at the edge and at the host, and a control plane your engineers will actually want to use.

01 / 05 — Engine

The model is the moat.

Sentinel Core is an ensemble of three specialist models — signature, statistical, and intent — coordinated by a meta-classifier that arbitrates disagreement. Trained on 4.2 petabytes of labeled attack telemetry and retrained continuously against live traffic, it makes a decision on every request before the request finishes arriving.

→ MODEL I

Signature inference

A transformer trained on 18 million attack signatures across CVE-mapped families. Catches the known. Not pattern-matching — semantic understanding of attack shape, so it generalizes to mutations that defeat regex-based WAFs.

  • CVE coverage: 96.4%
  • Mutation tolerance: HIGH
  • Inference latency: 1.8ms p99

→ MODEL II

Statistical anomaly

An unsupervised model that learns each customer's normal traffic distribution within 72 hours of deployment, then flags outliers. Catches the never-before-seen by noticing it's not the always-before-seen.

  • Baseline window: 72 HOURS
  • Drift adjustment: CONTINUOUS
  • Zero-day surface: BROAD

→ MODEL III

Intent classification

A behavioral model that scores the sequence of actions, not just the action itself. A login is not suspicious. A login followed by twenty failed logins followed by a password reset request is the start of an account takeover.

  • Window depth: SESSION + 24H
  • Sequence model: TRANSFORMER
  • False-positive rate: < 0.03%

→ ARBITER

Meta-classifier

When the three models agree, action is automatic. When they disagree, the arbiter weighs the asset's value, the attack's blast radius, and the cost of a false positive — then decides. Human review is reserved for the rare 0.4% that arbitration cannot resolve.

  • Auto-resolution: 99.6%
  • Escalation tier: SOC PARTNER
  • Audit trail: FULL

02 / 05 — Architecture

Four layers. One adversary.

Most defenses fail because they sit in one place. RiseEagle deploys at four — each catching what the layers above missed, each feeding the layers below richer context.

L1 — Edge
Perimeter
Global anycast network with 47 PoPs absorbs volumetric and protocol attacks before they reach your origin. Layer 3/4 DDoS, TLS termination, IP reputation, geo policy. The cheap attacks die here.
14.2B threats / month

L2 — Application
Request plane
Adaptive WAF, bot management, and API protection. Schema-aware inspection of REST, GraphQL, and gRPC. Catches injection, deserialization, business logic abuse, and sophisticated bot fleets that pass standard challenges.
2.1B requests / day

L3 — Runtime
Host & container
eBPF-based sensors at the kernel see what the application can't — process spawning, network egress, file system writes, container escapes, privilege changes. Lateral movement is caught here, even when the front door held.
180K protected hosts

L4 — Data
Sensitive surface
Data loss prevention, query auditing, and exfiltration detection. Tags sensitive fields (PII, PCI, PHI) at rest and watches them in motion. An anomalous SELECT across customer records is treated as the attack it usually is.
0.08% false positive

03 / 05 — Detection

Five lenses. One verdict.

Every event is evaluated through five complementary methods. The percentage shown is the share of confirmed threats each method was first to catch in 2025 — they overlap by design.

Signature matching

31.4%

Known attack families, CVE-mapped exploits, and toolkit fingerprints. Fast, precise, and the floor — every modern defense has this.

  • CVE database — updated hourly
  • Toolkit fingerprints (Sentry MBA, OpenBullet, etc.)
  • Botnet ASN intelligence — 14M+ records

Behavioral baseline

28.7%

Catches what signatures miss: zero-days, custom exploits, and slow-burn attacks. Learns what your traffic looks like, alerts when reality diverges from that.

  • Per-endpoint distribution modeling
  • Diurnal & seasonal drift adjustment
  • 72-hour cold-start, continuous refinement

Intent & sequence

22.1%

Looks at the trajectory of a session, not just the request. The action that triggers the alert is rarely the action that gave the attacker away.

  • Account takeover chains
  • Reconnaissance → exploitation patterns
  • Insider abuse detection

Threat intelligence

12.8%

External signal: leaked credential databases, dark-web chatter, exposed-asset scans, and intelligence shared across the RiseEagle fleet.

  • 15B credential records — checked at every login
  • Threat actor profile graph — 8,400+ profiles
  • Fleet-wide attack-pattern propagation

Deception & traps

5.0%

Honeypot endpoints, decoy credentials, and tarpitted responses. Small in volume, high in signal — a request to a deception endpoint is, by construction, never legitimate. Catches the patient, surgical attacker that everything else misses.

04 / 05 — Response

The verdict has consequences.

Detection without response is theater. Sentinel Core selects from a graded set of actions — proportionate to confidence, asset value, and the cost of being wrong.

→ ACTION I

Challenge

Low-friction proof-of-work or invisible browser check. Used for ambiguous signals where the cost of blocking a real user exceeds the cost of letting a bad one through.

→ ACTION II

Block

HTTP refusal with a clean error. The request never reaches your origin. Logged, attributed, and contributed to the model's continuing education.

→ ACTION III

Sever

TCP reset, ASN-wide soft block, and propagation across the fleet. Reserved for high-confidence malicious sources — botnets, known toolkits, sustained attackers.

→ ACTION IV

Isolate & rollback

For runtime compromise: pause the affected container, snapshot for forensics, route traffic to healthy replicas, and roll back if state was mutated.

05 / 05 — Posture

Different category. Different category of result.

We're often compared to traditional WAF and CDN-based protection. The honest comparison is below. Where they match us, we say so.

| Capability | Legacy WAF | CDN bundles | RiseEagle |
|---|---|---|---|
| OWASP Top 10 — known signatures | ✓ full | ✓ full | ✓ full |
| Zero-day & unknown exploit detection | — signature lag | ~ limited heuristics | ✓ behavioral |
| API schema enforcement (REST/GraphQL/gRPC) | — partial / addon | ~ REST only | ✓ native |
| Sophisticated bot mitigation | ~ rate limits | ✓ headless detection | ✓ behavioral fingerprint |
| Runtime / kernel-level visibility | — none | — none | ✓ eBPF sensors |
| Account takeover & identity defense | — external addon | ~ basic | ✓ integrated |
| Cross-tenant attack propagation defense | — none | ~ partial | ✓ fleet learning |
| False-positive rate on production traffic | — often > 1% | ~ 0.3–0.8% | < 0.03% |
| Median decision latency | ~ 80–200ms | ~ 25–60ms | 38ms |

Inspect the platform against your own traffic.