SYNTREX
Book a Demo
HomeOverviewGuidesAPI Reference
Changelog
Architecture Reference

Data Flow Diagrams

End-to-end data flows through the Sentinel AI SOC platform, from input to operator response.

1. Standard Detection Flow

The primary flow for processing an AI request through the full security pipeline:

┌──────────────┐ │ AI Request │ │ (user/API) │ └──────┬───────┘ │ ┌────────▼────────┐ │ Shield (C11) │ │ │ │ 1. Protocol ID │ │ 2. Rate check │ │ 3. Guard check │ │ 4. Charset OK? │ └───┬─────────┬───┘ │ │ ┌────▼──┐ ┌──▼─────┐ │ BLOCK │ │ PASS │ │(logged)│ │ │ └───────┘ └──┬─────┘ │ ┌────────────▼────────────┐ │ sentinel-core (Rust) │ │ │ │ 66 engines parallel: │ │ ├── Core (12 engines) │ │ ├── Lattice (8) │ │ ├── Domain (17) │ │ ├── Math (5) │ │ ├── ML (3) │ │ └── Other (22) │ │ │ │ Result: AnalysisResult │ └─────────┬──────────────┘ │ ┌──────────────▼──────────────┐ │ Event Bus (10-step pipeline)│ │ │ │ Step 0: Secret Scanner ✓ │ │ Step 1: Sensor Auth ✓ │ │ Step 2: Rate Limit ✓ │ │ Step 3: Dedup ✓ │ │ Step 4: Schema ✓ │ │ Step 5: Decision Log ✓ │ │ Step 6: Persist (SQLite) ✓ │ │ Step 7: Correlate │──── Match against 15 rules │ Step 8: Playbook │──── Auto-respond or Zero-G │ Step 9: Push (SSE) │──── Dashboard + webhooks └──────────────────────────────┘

2. Multi-Stage Attack Correlation

How the Correlation Engine links three events into one incident:

T+0s: injection detected │ Source: sentinel-core │ Severity: MEDIUM │ ┌─────────────────────────────────┐ │ │ Event Bus → Persist → Correlate │ │ │ Rule check: no match (solo) │ │ └─────────────────────────────────┘ │ T+30s: tool_abuse detected │ Source: sentinel-core │ Severity: HIGH │ ┌─────────────────────────────────┐ │ │ Event Bus → Persist → Correlate │ │ │ Rule: INJECTION_TO_EXEC │ │ │ Match: injection(T+0) → │ │ │ tool_abuse(T+30) < 3m ✓ │ │ │ Action: Create Incident INC-001 │ │ │ Severity: HIGH │ │ └─────────────────────────────────┘ │ T+60s: exfiltration detected │ Source: sentinel-core │ Severity: CRITICAL │ ┌─────────────────────────────────┐ │ │ Event Bus → Persist → Correlate │ │ │ Rule: EXFILTRATION_CHAIN │ │ │ Match: injection + tool_abuse + │ │ │ exfiltration < 5m ✓ │ │ │ Action: Update INC-001 │ │ │ Severity: CRITICAL ↑↑ │ │ │ Playbook: BLOCKED (Zero-G req.) │ │ │ SSE: Push to dashboard │ │ └─────────────────────────────────┘ │ T+60s: Dashboard shows: ╔══════════════════════════════════════╗ ║ INCIDENT INC-001 ■ CRITICAL ║ ║ ║ ║ Kill Chain: ║ ║ [Recon] → [Exploit] → [Exfil] ║ ║ T+0s T+30s T+60s ║ ║ ║ ║ Events: 3 linked ║ ║ Requires: Operator approval ⚠️ ║ ╚══════════════════════════════════════╝

3. Cross-Sensor Correlation (Shield + Core)

When Shield blocks an attack but something gets through:

┌──────────────┐ │ Attacker │ └──────┬───────┘ │ ┌────────────▼────────────┐ │ Shield (C11 DMZ) │ │ │ │ Request 1: BLOCKED │──── Event: shield_block │ Request 2: PASSED │ (rate limit trigger) │ (evasion via │ │ unicode obfuscation) │ └────────────┬────────────┘ │ Request 2 passes ┌────────────▼────────────┐ │ sentinel-core (Rust) │ │ │ │ Evasion engine: DETECT │──── Event: evasion_detected │ (unicode normalization │ Source: sentinel-core │ catches obfuscation) │ └─────────────────────────┘ Event Bus Correlation: Event 1 (T+0s): shield_block [source: shield] Event 2 (T+12s): evasion_detected [source: sentinel-core] Rule: BYPASS_SHIELD_THEN_INJECT Condition: shield_block → core_detect within 30s Match: ✓ (12s < 30s) Action: → Create INCIDENT: "Shield Evasion Attempt" → Severity: HIGH → Block source IP in Shield → Alert operator

4. Playbook Execution Flow

Incident Created (INC-042) │ ├── Severity = MEDIUM │ │ │ └── Auto-response allowed ✓ │ │ │ ├── Playbook: auto_block_jailbreak │ │ │ │ │ ├── Step 1: Block IP in Shield │ │ ├── Step 2: Update incident status │ │ ├── Step 3: Log action in Decision Logger │ │ └── Step 4: Notify via webhook │ │ │ └── Execution: Wasm Sandbox (SEC-009) │ ├── Memory limit: 64MB │ ├── Timeout: 30s │ └── No network access (sandboxed) │ ├── Severity = CRITICAL │ │ │ └── Auto-response BLOCKED ✘ │ │ │ └── Zero-G Mode activated │ │ │ ├── Dashboard: "⚠️ Operator Approval Required" │ ├── SSE push: Real-time notification │ │ │ └── Operator reviews: │ ├── [Approve] → Playbook executes │ └── [Deny] → Manual response

5. Watchdog Mesh (immune Integration)

┌──────────────────────────────────────────────────────┐ │ Watchdog Mesh │ │ │ │ immune ◄──── Heartbeat (5s) ────► Shield │ │ │ │ │ │ │ ┌───────────┐ │ │ │ └────────►│ GoMCP │◄────────────┘ │ │ │ (SOC) │ │ │ └───────────┘ │ │ │ │ Failure detection: │ │ • Shield heartbeat missed (>15s) → immune restarts │ │ • GoMCP heartbeat missed → immune alerts + restart │ │ • immune crash → GoMCP detects, spawns replacement │ │ │ │ MTTD: <60 seconds │ │ MTTR: <30 seconds │ └──────────────────────────────────────────────────────┘

6. P2P Resonance Mesh (Multi-Node)

┌──────────────┐ ┌──────────────┐ │ Node A │ │ Node B │ │ (GoMCP) │ │ (GoMCP) │ │ │ │ │ │ Genome: │◄──UDP──►│ Genome: │ │ hash=a3b8.. │ │ hash=a3b8.. │ │ │ │ (matching!) │ │ Facts: L0-L1 │◄─WS+TLS─►│ Facts: L0-L1│ │ (sync) │ │ (sync) │ └──────────────┘ └──────────────┘ │ │ │ Genome mismatch? │ │ → REJECT peer │ │ → No fact sync │ │ → Alert operator │

Handshake Protocol:

  1. Exchange genome Merkle hashes (UDP)
  2. Verify hash match (identical genes = trusted peer)
  3. Establish encrypted channel (WebSocket + TLS)
  4. Sync L0/L1 facts bidirectionally
  5. Periodic heartbeat (detect peer death)

7. Compliance Report Generation

Operator clicks "Generate Report" │ ├── Framework: EU AI Act Article 15 │ ├── Collect data: │ ├── Decision Logger entries (hash chain verified) │ ├── Incident history (severity, resolution times) │ ├── Sensor status (uptime, availability) │ ├── Correlation metrics (MTTD, MTTR) │ └── Hardening status (28/28 tasks) │ ├── Generate report: │ ├── Article 15.1: Technical documentation ✅ │ ├── Article 15.2: Quality management ✅ │ ├── Article 15.3: Risk assessment ✅ │ ├── Article 15.4: Monitoring data ✅ │ └── Article 15.5: Accessibility ⚠️ PARTIAL │ └── Output: ├── PDF report (timestamped, signed) ├── Machine-readable JSON └── Dashboard page update

Next Steps