What you're looking at
SENTINEL blends three kinds of data: live feeds from real security organizations, a simulated attack stream shaped by real-world statistics, and a fictional organization that demonstrates internal security monitoring. Every panel below is labeled with its tier.
Live data
Real feeds from real organizations, refreshed automatically. Nothing here is invented.
KEV Priority List LIVE
The 40 most recently confirmed actively exploited vulnerabilities from CISA's Known Exploited Vulnerabilities catalog, ranked by EPSS — a FIRST.org model estimating each flaw's probability of exploitation in the next 30 days. Red badges mark vulnerabilities used in ransomware campaigns.
KEV Watch Ticker LIVE
The scrolling feed along the bottom edge: each entry is a real vulnerability, in a real product, being exploited right now, with the date CISA added it to the catalog.
Threat Intel — CISA Advisories LIVE
The latest security advisories published by the US Cybersecurity & Infrastructure Security Agency, tagged by type: ICS (industrial control systems), ALERT, or ADVISORY.
Internet Sensors — SANS ISC LIVE
Real telemetry from the SANS Internet Storm Center's global sensor network: the most-attacked ports on the internet over the last complete day, with attacking-source counts. The header shows ISC's "Infocon" threat level (green / yellow / orange / red).
Simulated attack traffic
These panels all read from one simulated event stream. Individual events are generated, but the statistics are modeled on how internet attack traffic actually behaves: source-country weights reflect real threat reporting, the 17 attack types and their ports are genuine techniques (SSH brute force on 22, VPN exploit probes, Log4Shell-style RCE attempts), and the map's country borders are real geographic data. IP addresses are fabricated — no real machine is ever accused.
Global Attack Map SIMULATED
Each arc is one simulated attack: origin country, target country, severity by color. Countries glow red as attack sources and flash when struck.
Event Stream SIMULATED
The raw feed: one line per event with time, severity, type, fabricated source IP, route, port, and firewall verdict.
Threat Condition SIMULATED
A rolling 60-second severity-weighted index of the event stream, mapped to LOW → SEVERE, alongside 12-hour totals for events, block rate, unique sources, and open incidents.
Event Volume SIMULATED
Events per 5 seconds over the last 5 minutes. The y-axis rescales as attack "campaign" bursts come and go.
Attack Vectors / Top Sources / Top Targets / Targeted Ports SIMULATED
Rolling 12-hour leaderboards of the stream by technique, origin country, destination country, and port. Bar colors indicate volume tiers.
Severity Mix SIMULATED
The 12-hour breakdown of critical / high / medium / low events as a stacked bar with counts and percentages.
Incident Queue SIMULATED
About 30% of critical events spawn an incident that a virtual SOC team works through OPEN → TRIAGE → CONTAINED.
Firewall Actions SIMULATED
The blocked / flagged / allowed ratio of the event stream. In a real deployment this maps directly to firewall logs.
Fictional organization
These panels simulate the inside view of a made-up ~800-person company with about 1,240 endpoints, showing what identity, infrastructure, and security-program monitoring look like in practice. Names, hosts, and accounts are invented.
Anomalous Logins FICTIONAL ORG
Flagged sign-ins: "impossible travel" (two logins too far apart to physically travel between — the distances shown are real great-circle calculations), brute-force lockouts, and first logins from new countries.
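The "impossible travel" check described above, as an added example (not SENTINEL's own code): it computes the great-circle distance between consecutive sign-ins of the same account and flags pairs whose implied speed is not physically plausible. The 900 km/h ceiling, the 100 km floor, the account names, and the sample sign-ins are assumptions constructed for illustration.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0088  # mean Earth radius
MAX_SPEED_KMH = 900.0        # assumed ceiling, roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0      # assumed floor, absorbs IP-geolocation jitter

def great_circle_km(lat1, lon1, lat2, lon2):
    """Haversine distance between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def impossible_travel(logins):
    """Flag consecutive sign-ins per user that would need > MAX_SPEED_KMH."""
    findings, last_seen = [], {}
    for ev in sorted(logins, key=lambda e: e["time"]):
        prev = last_seen.get(ev["user"])
        last_seen[ev["user"]] = ev
        if prev is None:
            continue
        km = great_circle_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        if km < MIN_DISTANCE_KM:
            continue  # same metro area: geolocation noise, not travel
        hours = (ev["time"] - prev["time"]).total_seconds() / 3600
        # Simultaneous sign-ins from distant places have no finite speed.
        kmh = km / hours if hours > 0 else math.inf
        if kmh > MAX_SPEED_KMH:
            findings.append({"user": ev["user"], "from": prev["city"],
                             "to": ev["city"], "km": round(km), "kmh": kmh})
    return findings

def _login(user, ts, city, lat, lon):
    return {"user": user, "time": datetime.fromisoformat(ts),
            "city": city, "lat": lat, "lon": lon}

# Constructed sample sign-ins: invented accounts, approximate city coordinates.
SAMPLE = [
    _login("a.rivera", "2024-05-01T09:00:00", "London", 51.5074, -0.1278),
    _login("a.rivera", "2024-05-01T10:30:00", "Singapore", 1.3521, 103.8198),
    _login("j.chen", "2024-05-01T08:00:00", "New York", 40.7128, -74.0060),
    _login("j.chen", "2024-05-01T16:00:00", "London", 51.5074, -0.1278),
    _login("m.okafor", "2024-05-01T12:00:00", "London", 51.5074, -0.1278),
    _login("m.okafor", "2024-05-01T12:05:00", "London", 51.5200, -0.1000),
]

if __name__ == "__main__":
    for f in impossible_travel(SAMPLE):
        print(f"{f['user']}: {f['from']} -> {f['to']}, {f['km']} km")
```

Only the London to Singapore pair is flagged: New York to London in eight hours is a feasible flight, and the two London sign-ins fall under the distance floor.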
Privilege Escalations FICTIONAL ORG
Accounts granted admin, root, or domain rights, reviewed by a virtual security team and either approved or revoked.
MFA Coverage FICTIONAL ORG
Multi-factor authentication enrollment across the workforce, hardware security key adoption, and recent MFA bypasses.
Stale Accounts FICTIONAL ORG
User and service accounts idle for 30+ days, plus accounts pending disablement — the cleanup queue every real IT team knows.
Endpoint Health FICTIONAL ORG
The state of the company's device fleet: fully healthy, patches pending, EDR agents gone stale, or offline entirely.
Container Security FICTIONAL ORG
Running containers, registry image scans over the last day, and any critical vulnerabilities or misconfigurations the scanner surfaced.
Phishing Metrics FICTIONAL ORG
Employee-reported phishing over 30 days, click rate on simulated phishing campaigns, credentials compromised, and awareness-training completion.
Hardware Lifecycle FICTIONAL ORG
Network gear (firewalls, switches, routers) ranked by how close each device is to its vendor support end-of-life — the countdown badges are computed against real calendar dates.
Bandwidth — Egress FICTIONAL ORG
Outbound traffic over the last five minutes. Red markers flag anomalous spikes — the kind of pattern that suggests data exfiltration. Bursts correlate with the attack simulation's campaign activity.
Honeypot Activity FICTIONAL ORG
Interactions with decoy servers planted to attract attackers: port probes, credential-guessing logins, exploit attempts, and payload drops.