SIFT SENTINEL · BUILT BY SRICHARAN SUNKARA
Catches attackers who are using AI themselves.
Runs nightly at 22:30 UTC, autonomously.
WHAT IT DOES
Reads a Windows machine and tells you who broke in.
Sift Sentinel takes a forensic image of a compromised Windows computer and works through it the way a human investigator would. It looks at the registry, scheduled tasks, services, and memory. It writes down what it found, with the exact file or registry key as proof. Every claim is cited. Then it grades itself: did it find the real attacker, or did it miss?
AI-USING ATTACKERS DETECTED
On 2026-04-30 the nightly loop caught an attacker planting llama-server.exe with a .gguf model file via a registry Run-key. The agent named the persistence mechanism, the binary, and the model file. AI-using attackers leave concrete forensic evidence (inference-server binaries, model weights in unexpected locations, prompt-injection in registry values); we hunt for those anchors directly.
EXAMPLE FROM A REAL RUN
A registry key on a workstation pointed to c:\windows\system32\dllhost\svchost.exe. There is no real folder by that name; the attacker hid a fake svchost there.
SAME PATTERN, THREE HOSTS
Sentinel found the same key on three different Windows machines in the same network. That is independent corroboration of one intrusion.
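The two anchors described above (a system-binary name living outside the real system directories, and inference-server binaries or model weights referenced from a Run key) can be checked mechanically. The following is an added illustration, not Sift Sentinel's own code; the Run-key values, the list of inference-server names and the model-file extensions are constructed assumptions.

```python
import ntpath

# Directories where the genuine svchost.exe / dllhost.exe live (lower-case, no trailing slash).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Well-known Windows binary names that attackers like to impersonate.
SYSTEM_BINARIES = {"svchost.exe", "dllhost.exe", "lsass.exe", "csrss.exe"}
# Assumed anchors for AI-using attackers: local inference servers and model weights.
INFERENCE_BINARIES = {"llama-server.exe", "ollama.exe"}
MODEL_EXTENSIONS = {".gguf", ".safetensors"}

def first_path(value):
    """Return the executable path at the start of a Run-key command line (quoted or bare)."""
    v = value.strip()
    if v.startswith('"'):
        return v[1:v.find('"', 1)]
    return v.split(" ")[0]  # bare path: stops at the first argument

def analyze_run_value(name, value):
    """Findings for one Run-key value as (kind, value_name, path) tuples."""
    findings = []
    exe = first_path(value)
    directory = ntpath.dirname(exe).lower().rstrip("\\")  # Windows paths are case-insensitive
    leaf = ntpath.basename(exe).lower()
    if leaf in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
        findings.append(("masquerade", name, exe))
    if leaf in INFERENCE_BINARIES:
        findings.append(("inference-server", name, exe))
    # Model files usually appear as arguments, so scan every token of the command line.
    for tok in value.replace('"', " ").split():
        if ntpath.splitext(tok)[1].lower() in MODEL_EXTENSIONS:
            findings.append(("model-file", name, tok))
    return findings

def hunt_run_keys(run_values):
    """Run the checks over a {value_name: command_line} mapping of a Run key."""
    findings = []
    for name, value in run_values.items():
        findings.extend(analyze_run_value(name, value))
    return findings

# Constructed sample Run-key values (not taken from any real image).
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "svchost": r"c:\windows\system32\dllhost\svchost.exe",
    "Updater": r'"C:\ProgramData\llm\llama-server.exe" -m C:\ProgramData\llm\q4.gguf --port 8080',
}

if __name__ == "__main__":
    for kind, name, path in hunt_run_keys(SAMPLE_RUN_VALUES):
        print(f"{kind:16} value={name!r} path={path}")
```

Each finding carries the value name and path so the result can be cited back to the exact registry location, which is the evidence standard the page describes.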
HOW IT WORKS
A learning loop, run nightly.
1. READ: fresh threat-intel from the public web
2. PLANT: synthetic copies of new attacker tradecraft
3. HUNT: run the agent against the prepared image
4. SCORE: what did it catch, what did it miss
5. LEARN: draft a new rule from each miss; ship it tomorrow
The agent is not a static demo. Every night it reads new attacker tradecraft from public sources, plants synthetic copies on a fresh test machine, runs against them, and writes down a candidate rule for every miss. A human reviewer approves the rules. Tomorrow's run picks them up automatically. The system improves while I sleep.
PROOF
Real numbers from real runs.
32 audited runs
0 factual hallucinations
15+ Windows hosts covered
2 rules promoted into live agent
CONCRETE FIND
On a 2026 Windows Server image, Sentinel surfaced a scheduled task using PsExec to push a payload called rename.exe to six other workstations with the password letmein. A real attacker artifact, with a real citation, on a real disk image. Backed by a 24-line citation chain to the source disk evidence record.