SENTINEL Data & Panel Guide

What you're looking at

SENTINEL blends three kinds of data: live feeds from real security organizations, a simulated attack stream shaped by real-world statistics, and a fictional organization that demonstrates internal security monitoring. Every panel below is labeled with its tier.

No real attack victims or attackers are depicted. Simulated IP addresses are fabricated and imply no attribution. Live vulnerability and sensor data comes from CISA, FIRST.org, and the SANS Internet Storm Center. Panels showing live feeds say LIVE in their header; if a feed is unreachable they fall back to a labeled STATIC SNAPSHOT. CVE entries, advisories, and sensor ports are clickable — each opens its original source record (nvd.nist.gov, cisa.gov, isc.sans.edu) in a new tab. In kiosk mode these links are intentionally disabled so a wall display can't be navigated away by a stray click or touch.

Live data

Real feeds from real organizations, refreshed automatically. Nothing here is invented.

KEV Priority List LIVE

The 40 most recently confirmed actively-exploited vulnerabilities from CISA's Known Exploited Vulnerabilities catalog, ranked by EPSS — a FIRST.org model estimating each flaw's probability of exploitation in the next 30 days. Red badges mark vulnerabilities used in ransomware campaigns.

Source: CISA KEV + FIRST.org EPSS · refreshed every 6h
Click any CVE ↗ Opens its official record on nvd.nist.gov: full technical description, CVSS severity scores, affected products and versions, and links to vendor patches.
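
An added example, not SENTINEL's own code: the selection and ranking described for the KEV Priority List, run over constructed records shaped like CISA's KEV JSON and the FIRST.org EPSS API response. The CVE IDs are placeholders and `kev_priority` is a hypothetical name.

```python
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON ("vulnerabilities" array).
# The CVE IDs are placeholders, not real records.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "dateAdded": "2024-05-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2024-05-03", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "dateAdded": "2024-04-20", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0004", "dateAdded": "2024-05-02", "knownRansomwareCampaignUse": "Known"},
]}
# Constructed sample in the shape of the EPSS API "data" array (scores arrive
# as strings). CVE-0000-0004 is deliberately left unscored.
EPSS_SAMPLE = {"data": [
    {"cve": "CVE-0000-0001", "epss": "0.12000"},
    {"cve": "CVE-0000-0002", "epss": "0.94000"},
    {"cve": "CVE-0000-0003", "epss": "0.99000"},
]}

def kev_priority(kev, epss, limit=40):
    """Take the `limit` newest KEV entries by dateAdded, then rank them by EPSS."""
    scores = {}
    for row in epss.get("data", []):
        try:
            scores[row["cve"]] = float(row["epss"])
        except (KeyError, ValueError):
            continue  # skip malformed rows rather than failing the whole panel
    recent = sorted(kev["vulnerabilities"],
                    key=lambda v: date.fromisoformat(v["dateAdded"]),
                    reverse=True)[:limit]
    ranked = [{
        "cve": v["cveID"],
        "added": v["dateAdded"],
        "epss": scores.get(v["cveID"]),  # None means "not scored yet"
        "ransomware": v.get("knownRansomwareCampaignUse") == "Known",  # red badge
    } for v in recent]
    # Unscored entries sort last instead of being dropped or treated as 0.0.
    ranked.sort(key=lambda r: (r["epss"] is None, -(r["epss"] or 0.0)))
    return ranked

if __name__ == "__main__":
    for row in kev_priority(KEV_SAMPLE, EPSS_SAMPLE, limit=3):
        print(row)
```

Recency is applied before ranking, so an older entry with a higher EPSS score can be absent from the list.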

KEV Watch Ticker LIVE

The scrolling feed along the bottom edge: each entry is a real vulnerability, in a real product, being exploited right now, with the date CISA added it to the catalog.

Source: CISA KEV · refreshed every 6h
Click any CVE ↗ Hover to pause the scroll, then click through to the vulnerability's record on nvd.nist.gov.

Threat Intel — CISA Advisories LIVE

The latest security advisories published by the US Cybersecurity & Infrastructure Security Agency, tagged by type: ICS (industrial control systems), ALERT, or ADVISORY.

Source: CISA advisories feed · refreshed every 3h
Click any advisory ↗ Opens the full advisory on cisa.gov: affected products and versions, exploitation details, recommended mitigations, and indicators of compromise where published.

Internet Sensors — SANS ISC LIVE

Real telemetry from the SANS Internet Storm Center's global sensor network: the most-attacked ports on the internet over the last complete day, with attacking-source counts. The header shows ISC's "Infocon" threat level (green / yellow / orange / red).

Source: SANS Internet Storm Center · daily
Click any port ↗ Opens that port's page on isc.sans.edu: historical attack activity graphs, source and target trends, and which services commonly run on it.

Simulated attack traffic

These panels all read from one simulated event stream. Individual events are generated, but the statistics are modeled on how internet attack traffic actually behaves: source-country weights reflect real threat reporting, the 17 attack types and their ports are genuine techniques (SSH brute force on 22, VPN exploit probes, Log4Shell-style RCE attempts), and the map's country borders are real geographic data. IP addresses are fabricated — no real machine is ever accused.

Global Attack Map SIMULATED

Each arc is one simulated attack: origin country, target country, severity by color. Countries glow red as attack sources and flash when struck.

Realness: simulated events over real geography

Event Stream SIMULATED

The raw feed: one line per event with time, severity, type, fabricated source IP, route, port, and firewall verdict.

Realness: simulated; realistic format and rates

Threat Condition SIMULATED

A rolling 60-second severity-weighted index of the event stream, mapped to LOW → SEVERE, alongside 12-hour totals for events, block rate, unique sources, and open incidents.

Realness: honest computation, simulated input
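
An added example, not SENTINEL's own code: one way to compute a rolling 60-second severity-weighted index and map it to a condition level. The weights, the thresholds and the intermediate level names are assumptions (the guide names only LOW and SEVERE), and `ThreatCondition` is a hypothetical class.

```python
from collections import deque

# Assumed severity weights and level thresholds, chosen for illustration.
WEIGHTS = {"low": 1, "medium": 3, "high": 7, "critical": 15}
LEVELS = [(0, "LOW"), (50, "GUARDED"), (150, "ELEVATED"), (300, "HIGH"), (600, "SEVERE")]

class ThreatCondition:
    """Sliding-window index; events must be added in timestamp order."""

    def __init__(self, window_s=60):
        self.window_s = window_s
        self.events = deque()  # (timestamp_seconds, weight), oldest first
        self.score = 0

    def _evict(self, now):
        # Drop events that have aged out of the window and subtract their weight.
        while self.events and self.events[0][0] <= now - self.window_s:
            _, weight = self.events.popleft()
            self.score -= weight

    def add(self, ts, severity):
        weight = WEIGHTS[severity]
        self.events.append((ts, weight))
        self.score += weight
        self._evict(ts)

    def level(self, now):
        """Return (index, label) as of `now`, after ageing out old events."""
        self._evict(now)
        label = LEVELS[0][1]
        for threshold, name in LEVELS:
            if self.score >= threshold:
                label = name
        return self.score, label

if __name__ == "__main__":
    tc = ThreatCondition()
    for t in range(25):          # constructed burst: one critical event per second
        tc.add(t, "critical")
    for now in (24, 70, 200):    # the index decays as the burst leaves the window
        print(now, tc.level(now))
```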

Event Volume SIMULATED

Events per 5 seconds over the last 5 minutes. The y-axis rescales as attack "campaign" bursts come and go.

Realness: simulated

Attack Vectors / Top Sources / Top Targets / Targeted Ports SIMULATED

Rolling 12-hour leaderboards of the stream by technique, origin country, destination country, and port. Bar colors indicate volume tiers.

Realness: simulated events; realistic proportions

Severity Mix SIMULATED

The 12-hour breakdown of critical / high / medium / low events as a stacked bar with counts and percentages.

Realness: simulated

Incident Queue SIMULATED

About 30% of critical events spawn an incident that a virtual SOC team works through OPEN → TRIAGE → CONTAINED.

Realness: fully simulated workflow

Firewall Actions SIMULATED

The blocked / flagged / allowed ratio of the event stream. In a real deployment this maps directly to firewall logs.

Realness: derived from the simulated stream

Fictional organization

These panels simulate the inside view of a made-up ~800-person company with about 1,240 endpoints, showing what identity, infrastructure, and security-program monitoring look like in practice. Names, hosts, and accounts are invented.

Anomalous Logins FICTIONAL ORG

Flagged sign-ins: "impossible travel" (two logins too far apart to physically travel between — the distances shown are real great-circle calculations), brute-force lockouts, and first logins from new countries.

Realness: fictional users; real math
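
An added example, not SENTINEL's own code: an impossible-travel check that uses the haversine great-circle distance and flags consecutive sign-ins whose implied speed exceeds a threshold. The 900 km/h limit, the 100 km noise floor, the function names and the sign-in records are assumptions constructed for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0088  # mean Earth radius
MAX_SPEED_KMH = 900.0        # assumed threshold, roughly airliner cruise speed

def great_circle_km(lat1, lon1, lat2, lon2):
    """Haversine distance between two latitude/longitude points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(min(1.0, sqrt(a)))

def impossible_travel(logins, max_kmh=MAX_SPEED_KMH, min_km=100.0):
    """Flag consecutive logins per user whose implied speed exceeds max_kmh."""
    flagged, last = [], {}
    for ev in sorted(logins, key=lambda e: e["ts"]):
        prev = last.get(ev["user"])
        last[ev["user"]] = ev
        if prev is None:
            continue
        km = great_circle_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        if km < min_km:  # GeoIP jitter inside one metro area is not travel
            continue
        hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
        speed = float("inf") if hours == 0 else km / hours
        if speed > max_kmh:
            flagged.append((ev["user"], round(km), prev["city"], ev["city"]))
    return flagged

# Constructed sign-ins for fictional users; coordinates are city centres.
LOGINS = [
    {"user": "a.rivera", "ts": datetime(2024, 5, 1, 9, 0), "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "a.rivera", "ts": datetime(2024, 5, 1, 10, 30), "city": "New York", "lat": 40.7128, "lon": -74.0060},
    {"user": "m.chen", "ts": datetime(2024, 5, 1, 8, 0), "city": "London", "lat": 51.5074, "lon": -0.1278},
    {"user": "m.chen", "ts": datetime(2024, 5, 1, 11, 0), "city": "Paris", "lat": 48.8566, "lon": 2.3522},
]

if __name__ == "__main__":
    print(impossible_travel(LOGINS))
```

In practice the coordinates come from GeoIP lookups, so VPN and mobile-carrier egress points are a common source of false positives for this rule.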

Privilege Escalations FICTIONAL ORG

Accounts granted admin, root, or domain rights, reviewed by a virtual security team and either approved or revoked.

Realness: fictional

MFA Coverage FICTIONAL ORG

Multi-factor authentication enrollment across the workforce, hardware security key adoption, and recent MFA bypasses.

Realness: fictional

Stale Accounts FICTIONAL ORG

User and service accounts idle for 30+ days, plus accounts pending disablement — the cleanup queue every real IT team knows.

Realness: fictional

Endpoint Health FICTIONAL ORG

The state of the company's device fleet: fully healthy, patches pending, EDR agents gone stale, or offline entirely.

Realness: fictional fleet; realistic proportions

Container Security FICTIONAL ORG

Running containers, registry image scans over the last day, and any critical vulnerabilities or misconfigurations the scanner surfaced.

Realness: fictional

Phishing Metrics FICTIONAL ORG

Employee-reported phishing over 30 days, click rate on simulated phishing campaigns, credentials compromised, and awareness-training completion.

Realness: fictional

Hardware Lifecycle FICTIONAL ORG

Network gear (firewalls, switches, routers) ranked by how close each device is to its vendor support end-of-life — the countdown badges are computed against real calendar dates.

Realness: fictional inventory; real date math

Bandwidth — Egress FICTIONAL ORG

Outbound traffic over the last five minutes. Red markers flag anomalous spikes — the kind of pattern that suggests data exfiltration. Bursts correlate with the attack simulation's campaign activity.

Realness: fictional traffic model

Honeypot Activity FICTIONAL ORG

Interactions with decoy servers planted to attract attackers: port probes, credential-guessing logins, exploit attempts, and payload drops.

Realness: fictional decoys; built to swap to a real honeypot feed later