SentinelIQ: Why I Built a SOC That Reconstructs Attacks Instead of Just Alerting on Them

Source: HackerNoon · Field: Technology & Digital — Cybersecurity & Data Privacy, Software Development & Engineering, Cloud Computing & IT Infrastructure · Depth: Intermediate, medium

Summary

SentinelIQ is a self-hostable FastAPI service designed to transform fragmented security logs into a continuously evolving attack narrative, departing from traditional SIEM systems that treat events as isolated alerts. Built for the Decentralized Compute Track and deployed on Nosana's network, SentinelIQ ingests real-time security events through a pipeline that includes UEBA risk scoring, a correlation engine, MITRE ATT&CK mapping, and an attack graph builder. Unlike log-native SIEMs, it constructs an actual graph where entities are nodes and events are weighted edges, visually representing attack progression. This streaming system updates state immediately, recognizing multi-step attack patterns like brute-force-then-escalation. It runs on a single GPU/CPU node, offering a lightweight, on-demand compute solution, with future plans for ML-based anomaly detection leveraging decentralized GPU power.

Key takeaway

MLOps engineers and security analysts building next-generation SOC tools should consider graph-native, streaming architectures for security event correlation. Such a system stitches fragmented alerts into coherent attack narratives automatically, cutting manual analysis time and improving detection of complex, multi-stage threats. Decentralized compute options such as Nosana offer elastic, cost-effective deployment, especially once ML-based anomaly detection is integrated.

Key insights

SentinelIQ reconstructs attack narratives from security events by treating them as a continuously evolving graph, not isolated alerts.

Method

Ingest security events via FastAPI, apply UEBA risk scoring, correlate events by entity/time, map to MITRE ATT&CK, then build and update a persistent attack graph.
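The pipeline sketched above, as an added illustration that is not SentinelIQ's own code: entities become nodes, each streamed event adds weight to edges and to a UEBA-style entity score, and a brute-force-then-escalation chain is recognised as soon as the escalation event arrives. The event schema, the risk weights, the ATT&CK mapping (T1110 Brute Force, T1548 Abuse Elevation Control Mechanism) and the sample events are all assumptions made for the example.

```python
from collections import defaultdict, deque
# Constructed sample stream (not from the article): five failed logins, a success, then an escalation.
EVENTS = [
    {"t": 100 + 5 * i, "type": "auth_fail", "src": "10.0.0.5", "user": "alice", "host": "web01"}
    for i in range(5)
] + [
    {"t": 140, "type": "auth_ok", "src": "10.0.0.5", "user": "alice", "host": "web01"},
    {"t": 170, "type": "sudo_root", "src": "10.0.0.5", "user": "alice", "host": "web01"},
]
# Assumed per-event risk weights and ATT&CK mapping; the article gives neither.
RISK = {"auth_fail": 1.0, "auth_ok": 0.5, "sudo_root": 5.0}
TECHNIQUE = {"auth_fail": "T1110", "sudo_root": "T1548"}

class AttackGraph:  # entities (IPs, users, hosts) are nodes; events accumulate as weighted edges
    def __init__(self, window=120, threshold=5):
        self.window, self.threshold = window, threshold
        self.edges = defaultdict(float)   # (src_node, dst_node, type) -> weight
        self.risk = defaultdict(float)    # entity -> cumulative UEBA-style score
        self.fails = defaultdict(deque)   # (src, user) -> recent failure times
        self.narratives = []              # recognised multi-step chains

    def ingest(self, ev):  # update graph state immediately for one streamed event
        w = RISK.get(ev["type"], 1.0)
        self.edges[(ev["src"], ev["user"], ev["type"])] += w
        self.edges[(ev["user"], ev["host"], ev["type"])] += w
        for entity in (ev["src"], ev["user"], ev["host"]):
            self.risk[entity] += w
        if ev["type"] == "auth_fail":
            q = self.fails[(ev["src"], ev["user"])]
            q.append(ev["t"])
            while ev["t"] - q[0] > self.window:   # slide the window forward
                q.popleft()
        elif ev["type"] == "sudo_root":
            self._correlate_escalation(ev)

    def _correlate_escalation(self, ev):
        # Brute-force-then-escalation: enough failures against this user from one source in the window.
        for (src, user), q in self.fails.items():
            recent = [t for t in q if ev["t"] - t <= self.window]
            if user == ev["user"] and len(recent) >= self.threshold:
                self.narratives.append({"chain": [TECHNIQUE["auth_fail"], TECHNIQUE["sudo_root"]],
                                        "src": src, "user": user, "host": ev["host"],
                                        "span": (recent[0], ev["t"])})

def replay(events):  # feed events in time order and return the resulting graph
    g = AttackGraph()
    for ev in sorted(events, key=lambda e: e["t"]):
        g.ingest(ev)
    return g
```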

Best for: CTO, VP of Engineering/Data, Entrepreneur, AI Security Engineer, Software Engineer, MLOps Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by HackerNoon.