Getting started

Quick start

Run individual scanners directly, or let the agent orchestrate them for you.

Run individual scanners (no LLM required)

sentinel scan file ./suspect.exe
sentinel scan yara ./downloads --rules ./rules/sentinel.yar
sentinel scan processes
sentinel scan network --listening-only
sentinel scan persistence
sentinel scan scheduled
sentinel scan hosts
sentinel scan browser
sentinel scan recent --hours 24 --path ~/Downloads --path /tmp
sentinel scan ioc ./quarantine --ioc-file ./feeds/abuse_ch.txt

The tools subcommand lists every registered tool with its description:

sentinel tools

Run the agent one-shot

Run the agent against your local Ollama for a single goal:

sentinel agent \
  --model llama3.2 \
  --goal "Audit my Downloads folder and report anything suspicious."

Interactive chat REPL

Hold a persistent planning conversation in your terminal:

sentinel chat --model llama3.2
# :help     list meta-commands
# :tools    show the scanners the agent can call
# :findings findings accumulated this session
# :reset    start a fresh conversation
# :quit     exit

Local web chat UI

Or chat with it interactively in your browser:

sentinel serve --model llama3.2 --bind 127.0.0.1:7878
# then open http://127.0.0.1:7878

The chat UI keeps a single conversation per browser tab: every user message extends the same ChatSession, so prior tool results and the model’s earlier answers stay in context. Each assistant turn shows the plan, the per-turn reasoning, the tool calls it made, and any structured findings produced.

Machine-readable output for CI

sentinel --format sarif scan persistence > persistence.sarif
sentinel --format json --fail-on high scan processes

--fail-on <severity> exits with status code 2 if any finding meets or exceeds the threshold — suitable as a pre-commit / CI gate. See Output & SARIF for the full format reference.
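A CI wrapper around the two commands above, added here as an example rather than taken from the project: it writes one SARIF file per scanner and keeps the documented status 2 separate from any other failure. `run_gate` is a hypothetical helper name, and treating every status other than 0 or 2 as a scanner error is an assumption.

```bash
#!/usr/bin/env bash
# CI gate around `sentinel --fail-on`: one SARIF report per scanner, and a
# scanner that crashes is never mistaken for a clean result.
# Assumption: any exit status other than 0 or 2 means the scan itself failed.

# run_gate <threshold> <outdir> <scanner>...
# Returns 2 if any scanner met the threshold, 1 if none did but at least one
# scanner failed to run, and 0 if every scanner ran and stayed below it.
run_gate() {
  local threshold="$1" outdir="$2"
  shift 2
  local scanner status hits=0 errors=0

  mkdir -p "$outdir" || return 1
  for scanner in "$@"; do
    # Capture the status explicitly so the loop also survives `set -e`.
    status=0
    sentinel --format sarif --fail-on "$threshold" scan "$scanner" \
      > "$outdir/$scanner.sarif" || status=$?
    case "$status" in
      0) echo "pass   $scanner" ;;
      2) echo "FAIL   $scanner: finding at or above '$threshold'" >&2
         hits=$((hits + 1)) ;;
      *) echo "ERROR  $scanner: sentinel exited with status $status" >&2
         # Drop the partial report so it is not uploaded as if complete.
         rm -f "$outdir/$scanner.sarif"
         errors=$((errors + 1)) ;;
    esac
  done

  if [ "$hits" -gt 0 ]; then return 2; fi
  if [ "$errors" -gt 0 ]; then return 1; fi
  return 0
}

# Usage in a CI step (scanner names as used on this page):
#   run_gate high ./reports persistence processes scheduled hosts
#   exit $?
```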