100% explainable
OMEGA AXIOM

Every block has a reason.
No block without proof.

Deterministic security for systems that must remain explainable over time.

Download v3.9.8

OMEGA Sentinel Documentation


The WHY

Same input. Same logs. Same decision. Every time. Deterministic security you can explain.

Zero Attack Surface

No ports. No API. No remote control. SENTINEL cannot be disabled by an attacker.

Progressive Response

30 min → 6h → 7d → permanent. Behavior, not time, determines consequence.

The WHY

================================================================================
CLI COMMAND
================================================================================
$ omega-sentinel simulate --since 24h
================================================================================
THE WHY
================================================================================
DETERMINISTIC SECURITY — EVERY BLOCK HAS A REASON
================================================================================
Every decision includes:
  • IP address blocked
  • Rule that triggered
  • Evidence count (rationale)
  • Escalation level
  • Cryptographic hash (tamper-proof)

REAL BLOCK DECISION:
────────────────────────────────────────────────────────────────────────────────
{
  "type": "decision",
  "ip": "188.166.58.221",
  "decision": "block",
  "rule": "ssh_invalid_user",
  "ttl": 1800,
  "offense_number": 1,
  "escalation_level": "30 minutes",
  "rationale": "4 events",
  "timestamp": "2025-12-22T15:53:57.468570",
  "host": "axiomrx",
  "hash": "1fc45b532d61c18da4b37451794f3eb5..."
}
────────────────────────────────────────────────────────────────────────────────
THE REASON:
→ IP 188.166.58.221 triggered rule "ssh_invalid_user"
→ 4 failed login attempts with invalid usernames
→ Blocked for 30 minutes (first offense)
→ Decision is cryptographically signed
================================================================================

Audit Trail

================================================================================
CLI COMMAND
================================================================================
$ cat /var/log/omega-sentinel/audit.log | tail -20
================================================================================
AUDIT TRAIL
================================================================================
COMPLETE RECORD — COMPLIANCE READY — TAMPER-EVIDENT
================================================================================
Every event is logged to /var/log/omega-sentinel/audit.log
Format: JSON with hash chain for integrity verification

RECENT AUDIT ENTRIES:
────────────────────────────────────────────────────────────────────────────────
{ "type": "startup", "version": "3.7.4", "mode": "enforce", "rules_loaded": 14, "allowlist_ips": 2, "timestamp": "2025-12-21T03:37:24.473391", "host": "axiomrx" }
{ "type": "decision", "ip": "142.93.138.8", "decision": "block", "rule": "ssh_invalid_user", "rationale": "4 events", "timestamp": "2025-12-21T04:26:50.620760" }
{ "type": "decision", "ip": "134.209.197.94", "decision": "block", "rule": "ssh_invalid_user", "rationale": "4 events", "timestamp": "2025-12-21T14:05:41.034572" }
────────────────────────────────────────────────────────────────────────────────
COMPLIANCE: PCI-DSS 10.2 | SOX Section 404 | HIPAA 164.312
================================================================================

Chain Integrity

================================================================================
CLI COMMAND
================================================================================
$ omega-sentinel verify
[OK] Chain intact (74 entries)
================================================================================
CHAIN INTEGRITY
================================================================================
SHA-256 HASH CHAIN — TAMPER-EVIDENT BY DESIGN
================================================================================
Every log entry contains:
  • hash      → SHA-256 of current entry
  • prev_hash → SHA-256 of previous entry

If anyone modifies a log, the chain breaks.

HASH CHAIN EXAMPLE:
────────────────────────────────────────────────────────────────────────────────
Entry #72:
{
  "type": "decision",
  "ip": "178.62.236.236",
  "decision": "block",
  "prev_hash": "e87d76d4c7fc66a73dfd4d9062a462e21430a504...",
  "hash": "3ac0716ab487aa1f9217090cbca02c8d06c1f5a4..."
}

Entry #73:
{
  "type": "decision",
  "ip": "165.232.82.9",
  "decision": "block",
  "prev_hash": "3ac0716ab487aa1f9217090cbca02c8d06c1f5a4...",   ← matches #72
  "hash": "babd196b101470b5e93dfeb19a4f6f305b240e4c..."
}
================================================================================

Audit Trail

SHA-256 hash chain. Every entry references the previous. Tamper-evident logs.
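The chain integrity mechanism described above can be reproduced in a few dozen lines. The following is an added example written for this page, not OMEGA Sentinel's own code: it builds a small audit log in the shape of the entries shown, links each entry to the previous one through prev_hash, verifies the chain, and shows what verification reports when an entry is altered. The hashing convention (SHA-256 over the canonical JSON of every field except the entry's own hash) and the all-zero prev_hash for the first entry are assumptions; the page only states that hash covers the current entry and prev_hash the previous one. The entry values are constructed.

```python
import hashlib
import json

# Assumption: the first entry links to an all-zero hash; the page does not say
# what prev_hash the very first audit entry carries.
GENESIS = "0" * 64


def canonical(entry):
    """Deterministic serialization (sorted keys, no whitespace) so hashes are reproducible."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(entry):
    """SHA-256 over every field except the entry's own hash (assumed convention)."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


def append_entry(chain, record):
    """Link a new record to the previous entry's hash and compute its own hash."""
    entry = dict(record, prev_hash=chain[-1]["hash"] if chain else GENESIS)
    entry["hash"] = entry_hash(entry)
    chain.append(entry)
    return entry


def verify_chain(chain, expected_head=None):
    """Walk the chain; return (True, None) or (False, index of the first bad entry).

    expected_head is an optional copy of the latest hash kept somewhere the
    host cannot rewrite (off-box). Without it a full re-chaining goes unnoticed.
    """
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("prev_hash") != expected_prev:
            return False, i  # link to the previous entry is broken
        if entry_hash(entry) != entry.get("hash"):
            return False, i  # the entry's own content was altered
        expected_prev = entry["hash"]
    if expected_head is not None and (not chain or chain[-1]["hash"] != expected_head):
        return False, len(chain) - 1  # chain is self-consistent but not the one we anchored
    return True, None


def build_sample_chain():
    """Constructed audit log in the shape of the entries shown on the page."""
    chain = []
    append_entry(chain, {"type": "startup", "version": "3.9.8", "mode": "enforce",
                         "rules_loaded": 14, "timestamp": "2025-12-21T03:37:24",
                         "host": "example-host"})
    append_entry(chain, {"type": "decision", "ip": "203.0.113.7", "decision": "block",
                         "rule": "ssh_invalid_user", "rationale": "4 events",
                         "timestamp": "2025-12-21T04:26:50", "host": "example-host"})
    append_entry(chain, {"type": "decision", "ip": "203.0.113.9", "decision": "block",
                         "rule": "ssh_invalid_user", "rationale": "4 events",
                         "timestamp": "2025-12-21T14:05:41", "host": "example-host"})
    return chain


def tamper_demo():
    """Alter one field of entry #1; verification must stop exactly there."""
    chain = build_sample_chain()
    ok_before, _ = verify_chain(chain)
    chain[1]["decision"] = "allow"  # constructed tampering
    ok_after, bad_index = verify_chain(chain)
    return ok_before, ok_after, bad_index


def rewrite_demo():
    """Alter entry #1 and recompute every later hash: only an anchored head catches it."""
    chain = build_sample_chain()
    head = chain[-1]["hash"]  # copy of the head hash stored off-host beforehand
    chain[1]["decision"] = "allow"
    for i in range(1, len(chain)):
        chain[i]["prev_hash"] = chain[i - 1]["hash"]
        chain[i]["hash"] = entry_hash(chain[i])
    return verify_chain(chain)[0], verify_chain(chain, expected_head=head)[0]


if __name__ == "__main__":
    print("intact:", verify_chain(build_sample_chain()))
    print("tampered:", tamper_demo())
    print("re-chained without/with anchored head:", rewrite_demo())
```

The rewrite_demo function is the caveat worth keeping in mind when reading "tamper-evident": a hash chain detects edits made by someone who cannot recompute the later hashes, so the protection is only as strong as the place where the newest hash (or a periodic snapshot of it) is kept. Shipping the head hash to a remote log collector or SIEM, which the page's SIEM-ready output makes straightforward, closes that gap.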

Hybrid Collection

~10ms auth detection via journald. ~100ms web detection via file. Zero configuration.

YAML-Only Rules

Create custom rules without coding. No Python. No rebuild. Hot reload in seconds.

Zero Attack Surface

================================================================================
CLI COMMAND
================================================================================
$ omega-sentinel status
============================================================
OMEGA Sentinel v3.9.8 - Status
============================================================
[OK] Config: /etc/omega-sentinel/config.yaml
     Mode: enforce
[OK] Host: 127.0.0.1 (secure)
[OK] License: ENTERPRISE
[OK] Allowlist: 2 IPs, 0 nets
[OK] Rules: 14 loaded
[OK] Firewall: nftables/SENTINEL
[OK] Audit: Chain intact (74)
[OK] Egress: 1 baseline, port>=32768
============================================================
[OK] All checks passed!
============================================================
================================================================================
ZERO ATTACK SURFACE
================================================================================
NO PORTS — NO API — CANNOT BE DISABLED REMOTELY
================================================================================
SENTINEL is a guardian, not a service.

NO LISTENING PORTS:
────────────────────────────────────────────────────────────────────────────────
$ ss -tlnp | grep sentinel
(no output - SENTINEL opens no ports)

$ sudo nft list chain inet filter SENTINEL
table inet filter {
        chain SENTINEL {
                type filter hook input priority -100; policy accept;
        }
}
================================================================================

Egress Control

================================================================================
CLI COMMAND
================================================================================
$ omega-sentinel egress --status
============================================================
Egress Monitor Status
============================================================
Deny: 16 | Allow: 19
Baseline: 1 processes, 1 IPs
Alerts: 0 | Ephemeral>=32768
============================================================
================================================================================
EGRESS CONTROL
================================================================================
DETECT REVERSE SHELLS — CATCH DATA EXFILTRATION
================================================================================
Your web server shouldn't make outbound calls. If it does, SENTINEL sees it.

REAL EGRESS ALERT (from audit log):
────────────────────────────────────────────────────────────────────────────────
{
  "type": "egress_alert",
  "severity": "warning",
  "process": "monarx-agent",
  "remote_ip": "52.32.9.48",
  "remote_port": 443,
  "reason": "Process connected to IP not in baseline",
  "timestamp": "2025-12-19T07:19:17.120213",
  "host": "axiomrx"
}
────────────────────────────────────────────────────────────────────────────────
SENTINEL detected an outbound connection from a process that wasn't in the baseline.
Immediate alert generated.
================================================================================

Progressive Response

================================================================================
CLI COMMAND
================================================================================
$ omega-sentinel escalation --status
================================================================================
PROGRESSIVE RESPONSE
================================================================================
REPEAT OFFENDERS FACE ESCALATING CONSEQUENCES
================================================================================
Escalation Levels:
  • 1st offense → 30 minutes
  • 2nd offense → 6 hours
  • 3rd offense → 7 days
  • 4th offense → PERMANENT

REAL ESCALATION DATA:
────────────────────────────────────────────────────────────────────────────────
Tracked IPs: 49

192.0.2.100     Offenses: 2 | Next Level: 7 days     | Last: 2025-12-23
88.88.88.88     Offenses: 1 | Next Level: 30 minutes | Last: 2025-12-21
55.55.55.55     Offenses: 1 | Next Level: 30 minutes | Last: 2025-12-21
────────────────────────────────────────────────────────────────────────────────
→ Decisions escalate deterministically
→ Same behavior produces predictable consequences
→ Full history tracked per IP
================================================================================

Hybrid Collection

================================================================================
STARTUP LOG
================================================================================
$ journalctl -u omega-sentinel | grep -i collector
================================================================================
HYBRID COLLECTION
================================================================================
JOURNALD FOR AUTH — FILES FOR WEB — ZERO CONFIGURATION
================================================================================
SENTINEL automatically detects the best collector for each service:

  Collector(auth):      journald (sshd, sudo)
  Collector(web):       file (/var/log/nginx/access.log)
  Collector(container): journald (docker, podman, containerd)

HOW IT WORKS:
────────────────────────────────────────────────────────────────────────────────
AUTH (sshd, sudo)
  Method:  journald
  Latency: ~10ms
  Why:     Systemd-native, sub-second blocking

WEB (nginx, apache)
  Method:  file
  Latency: ~100ms
  Why:     Most reliable, no hacks required

CONTAINERS (docker, podman)
  Method:  journald
  Latency: ~10ms
  Why:     Systemd-native integration
────────────────────────────────────────────────────────────────────────────────
WHY THIS MATTERS:
→ Fresh system, sudo never used? Still monitored from day one.
→ Journald fails? Automatic fallback to file collector.
→ nginx doesn't use journald? We read files instead.

No hidden dependencies. No "works on my machine" surprises.
================================================================================

YAML-Only Rules

================================================================================
CLI COMMAND
================================================================================
$ cat /etc/omega-sentinel/rules.d/ssh_bruteforce.yaml
================================================================================
YAML-ONLY RULES
================================================================================
CREATE CUSTOM RULES WITHOUT CODING — HOT RELOAD IN SECONDS
================================================================================
REAL RULE FILE:
────────────────────────────────────────────────────────────────────────────────
# SSH Brute Force Detection
rule_id: SSH_BRUTEFORCE
version: "1.0"
priority: 90
enabled: true

when:
  events: [auth_fail, invalid_user]
  match:
    threshold: 8
    window: 120s
    group_by: ip

then:
  action: block
  ttl: 30m
  explain: "{count} auth failures from {ip} in {window}"
────────────────────────────────────────────────────────────────────────────────
AVAILABLE RULES (19 total):
────────────────────────────────────────────────────────────────────────────────
$ omega-sentinel rules --list
ssh_bruteforce.yaml
ssh_invalid_user.yaml
sudo_abuse.yaml
credential_stuffing.yaml
sql_injection.yaml
xss_attempt.yaml
path_traversal.yaml
web_scanner.yaml
api_abuse.yaml
reverse_shell.yaml
egress_violation.yaml
port_scan.yaml
conn_flood.yaml
nginx_block.yaml
ssh_key_theft.yaml
postfix.yaml
dovecot.yaml
proftpd.yaml
vsftpd.yaml
────────────────────────────────────────────────────────────────────────────────
HOT RELOAD (no restart needed):
$ omega-sentinel rules --reload
[OK] 19 rules reloaded

→ Edit YAML → Reload → Active in seconds
→ No Python. No compilation. No downtime.
================================================================================
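To make the semantics of the rule file and the escalation ladder concrete, here is an added example, written for this page and not taken from OMEGA Sentinel: a small engine that evaluates the SSH_BRUTEFORCE rule above (threshold of 8 matching events per IP inside a 120-second sliding window) and, when the threshold is crossed, emits a decision record in the shape of the one shown in "The WHY", with the ttl chosen from the 30m → 6h → 7d → permanent ladder of the Progressive Response section. The rule is embedded as a Python dict rather than loaded from YAML to avoid a parser dependency; that the ladder overrides the rule's own ttl on repeat offenses, that events arriving during an active block are ignored, and that the window is cleared after a block are assumptions about behaviour the page does not spell out. The event stream is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The rule file shown above, as a dict (constructed; keys and values as on the page).
RULE = {
    "rule_id": "SSH_BRUTEFORCE",
    "when": {
        "events": ["auth_fail", "invalid_user"],
        "match": {"threshold": 8, "window": "120s", "group_by": "ip"},
    },
    "then": {"action": "block", "ttl": "30m",
             "explain": "{count} auth failures from {ip} in {window}"},
}

# Escalation ladder from the Progressive Response section. Assumption: it
# overrides the rule's own ttl once an IP has offended more than once.
ESCALATION = ["30m", "6h", "7d", "permanent"]
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    """'120s' -> 120, '30m' -> 1800, '7d' -> 604800; 'permanent' -> None."""
    if text == "permanent":
        return None
    return int(text[:-1]) * UNITS[text[-1]]


class RuleEngine:
    """Sliding-window threshold rule with per-IP offense tracking."""

    def __init__(self, rule):
        self.rule = rule
        self.events = set(rule["when"]["events"])
        match = rule["when"]["match"]
        self.threshold = match["threshold"]
        self.window_text = match["window"]
        self.window = parse_duration(match["window"])
        self.key = match["group_by"]
        self.buckets = defaultdict(deque)  # group value -> timestamps inside the window
        self.offenses = defaultdict(int)   # group value -> blocks issued so far
        self.blocked_until = {}            # group value -> datetime, or None if permanent

    def feed(self, event):
        """Return a decision record when the threshold is crossed, else None."""
        if event["type"] not in self.events:
            return None
        key, ts = event[self.key], event["ts"]
        if key in self.blocked_until:
            until = self.blocked_until[key]
            if until is None or ts < until:
                return None  # already blocked (assumption: nothing more to decide)
        bucket = self.buckets[key]
        bucket.append(ts)
        while bucket and (ts - bucket[0]).total_seconds() > self.window:
            bucket.popleft()  # evict events that fell out of the window
        if len(bucket) < self.threshold:
            return None
        count = len(bucket)
        bucket.clear()
        self.offenses[key] += 1
        offense = self.offenses[key]
        level = ESCALATION[min(offense, len(ESCALATION)) - 1]
        ttl = parse_duration(level)
        self.blocked_until[key] = None if ttl is None else ts + timedelta(seconds=ttl)
        return {
            "type": "decision", "ip": key,
            "decision": self.rule["then"]["action"],
            "rule": self.rule["rule_id"].lower(),
            "ttl": ttl, "offense_number": offense, "escalation_level": level,
            "rationale": self.rule["then"]["explain"].format(
                count=count, ip=key, window=self.window_text),
            "timestamp": ts.isoformat(),
        }


def run_sample():
    """Constructed event stream; returns the decisions the engine emits, in order."""
    engine = RuleEngine(RULE)
    t0 = datetime(2025, 12, 22, 15, 50, 0)
    mk = lambda kind, ip, **delta: {"type": kind, "ip": ip, "ts": t0 + timedelta(**delta)}
    events = []
    # 203.0.113.10: 8 failures in 70 seconds -> first block (30m)
    events += [mk("auth_fail", "203.0.113.10", seconds=10 * i) for i in range(8)]
    # 203.0.113.20: 7 failures in 30 seconds, one more at 200 s -> never 8 inside 120 s
    events += [mk("invalid_user", "203.0.113.20", seconds=5 * i) for i in range(7)]
    events.append(mk("invalid_user", "203.0.113.20", seconds=200))
    # 203.0.113.10 returns after its 30-minute block has expired -> second block (6h)
    events += [mk("auth_fail", "203.0.113.10", minutes=45, seconds=i) for i in range(8)]
    events.sort(key=lambda e: e["ts"])
    return [d for d in (engine.feed(e) for e in events) if d is not None]


if __name__ == "__main__":
    for decision in run_sample():
        print(decision)
```

Running it yields two decisions, both for 203.0.113.10: offense 1 with a 1800-second ttl and the rationale "8 auth failures from 203.0.113.10 in 120s", then offense 2 with a 21600-second ttl. The second IP never triggers, because its eighth event lies outside the 120-second window of the first seven. Everything the decision carries comes from the rule and the counted events, which is what makes the outcome reproducible from the same logs.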

From Events to Decisions

Most tools collect signals. SENTINEL produces decisions.

It does not ask "could this be an attack?"

It answers "this is an attack — and here is the proof."

What SENTINEL Understands

14 detection rules across 100+ attack patterns

SSH Attacks

  • Brute force
  • Credential stuffing
  • Invalid users
  • Max auth exceeded
  • OpenSSH 9.x patterns

Web Attacks

  • SQL injection (45+ patterns)
  • XSS (13 patterns)
  • Path traversal
  • Web scanner detection
  • API abuse/rate limiting
  • URL-encoded payloads

Post-Exploitation

  • Reverse shell detection
  • SSH key theft (correlation)
  • Data exfiltration
  • Privilege escalation
  • Lateral movement

Sudo Abuse

  • Auth failures
  • pam_unix patterns
  • Incorrect passwords

Network Attacks

  • Port scanning
  • SYN floods
  • Connection floods

Anomalies

  • Baseline learning
  • Statistical detection
  • Auto-promote rules

What SENTINEL Sees

Real detection examples from production systems

SSH Brute Force
  Input:    Failed password for root from 192.168.1.100 port 22 ssh2
  Rule:     auth_fail
  Source:   192.168.1.100
  Response: Block 30m after 8 attempts

XSS Attempt
  Input:    GET /search?q=<script>alert(1)</script>
  Rule:     xss_attempt
  Source:   198.51.100.25
  Response: Immediate block 24h

SQL Injection
  Input:    GET /page?id=1' OR '1'='1 HTTP/1.1
  Rule:     sql_injection
  Source:   10.0.0.50
  Response: Immediate block 24h

Path Traversal
  Input:    GET /../../etc/passwd HTTP/1.1
  Rule:     path_traversal
  Source:   203.0.113.50
  Response: Immediate block 24h

Attack Chain Correlation
  Input:    auth_fail(3x) → auth_success → sudo_fail [same IP: 10.99.88.77]
  Rule:     correlation_match
  Source:   10.99.88.77
  Response: Brute force followed by login detected

Why SENTINEL

Most IDS tools see events in isolation. SENTINEL connects the dots. When someone brute-forces, logs in, and tries sudo — we see the attack chain.
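The attack chain in the example above (three authentication failures, a successful login, then a sudo failure, all from the same IP) is a sequence rather than a count, so it calls for a different mechanism than a threshold rule. The following is an added example written for this page, not OMEGA Sentinel's code: a per-IP state machine that advances through the stages of the chain and reports a correlation_match when the last stage completes. The ten-minute window between stages, and the choice that events which do not fit the current stage are ignored rather than resetting it, are assumptions; the page states neither. The events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Chain from the page's example: (event type, how many are needed) per stage.
CHAIN = [("auth_fail", 3), ("auth_success", 1), ("sudo_fail", 1)]

# Assumption: consecutive stages must fall within this window, otherwise the
# partial chain for that IP is discarded. The page does not state a window.
CHAIN_WINDOW = timedelta(minutes=10)


class ChainCorrelator:
    """Advances a per-IP state machine through CHAIN and reports a match."""

    def __init__(self, chain=CHAIN, window=CHAIN_WINDOW):
        self.chain = chain
        self.window = window
        # ip -> [stage index, events seen in the current stage, time of last advance]
        self.progress = defaultdict(lambda: [0, 0, None])

    def feed(self, event):
        """Return a correlation_match record when the final stage completes, else None."""
        ip = event["ip"]
        stage, seen, last_ts = self.progress[ip]
        if last_ts is not None and event["ts"] - last_ts > self.window:
            stage, seen = 0, 0  # too much time has passed: start the chain over
        expected, needed = self.chain[stage]
        if event["type"] != expected:
            # Assumption: an event that does not fit the current stage neither
            # advances nor resets the chain. A stricter engine could reset here.
            self.progress[ip] = [stage, seen, last_ts]
            return None
        seen, last_ts = seen + 1, event["ts"]
        if seen >= needed:
            stage, seen = stage + 1, 0
        if stage == len(self.chain):
            self.progress[ip] = [0, 0, None]
            return {
                "type": "correlation_match",
                "ip": ip,
                "rationale": "Brute force followed by login detected",
                "timestamp": event["ts"].isoformat(),
            }
        self.progress[ip] = [stage, seen, last_ts]
        return None


def run_sample():
    """Constructed events: .77 completes the chain, .78 fails only twice first."""
    t0 = datetime(2025, 12, 22, 16, 0, 0)
    events = [
        ("10.99.88.77", "auth_fail", 0), ("10.99.88.77", "auth_fail", 5),
        ("10.99.88.77", "auth_fail", 9), ("10.99.88.77", "auth_success", 20),
        ("10.99.88.78", "auth_fail", 21), ("10.99.88.78", "auth_fail", 25),
        ("10.99.88.78", "auth_success", 30), ("10.99.88.77", "sudo_fail", 40),
        ("10.99.88.78", "sudo_fail", 45),
    ]
    corr = ChainCorrelator()
    matches = []
    for ip, kind, secs in events:
        hit = corr.feed({"ip": ip, "type": kind, "ts": t0 + timedelta(seconds=secs)})
        if hit is not None:
            matches.append(hit)
    return matches


def window_reset_demo():
    """Three failures, then a login 15 minutes later: the chain must not match."""
    t0 = datetime(2025, 12, 22, 17, 0, 0)
    corr = ChainCorrelator()
    seq = [("auth_fail", 0), ("auth_fail", 1), ("auth_fail", 2),
           ("auth_success", 15 * 60), ("sudo_fail", 16 * 60)]
    hits = [corr.feed({"ip": "10.99.88.79", "type": k, "ts": t0 + timedelta(seconds=s)})
            for k, s in seq]
    return all(h is None for h in hits)


if __name__ == "__main__":
    print(run_sample())
    print("stale chain discarded:", window_reset_demo())
```

Only 10.99.88.77 produces a match; 10.99.88.78 logged in after two failures, which does not satisfy the first stage, and window_reset_demo shows the same IP being forgiven when the login arrives long after the failures. Keying the state on the source IP is what lets the detection say "the same actor did all three", which is the point the comparison with isolated-event tools is making.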

Security systems that cannot explain past decisions become liabilities.
SENTINEL was built to prevent that.

Feature                                    SENTINEL    Fail2Ban    CrowdSec    OSSEC
Attack chain correlation
Tamper-evident audit
Egress monitoring
Zero attack surface (no ports)
SQL injection patterns                     45+
Zero cloud dependency
Single binary
SIEM-ready (structured logs)               ✓ Native    Config      Agent       Server
Flexible response (log/alert/block)
Progressive escalation
Decisions remain explainable months later

SENTINEL is designed to remain correct as systems change — not to chase threats, trends, or training cycles.

Get Started

Up and running in 60 seconds

Recommended: One-command install

curl -fsSL https://omegacortex.ai/install.sh | sudo bash

Or add the repository manually:

APT-based systems: add the repository (one-time setup):

curl -fsSL https://omegacortex.ai/gpg.key | sudo gpg --dearmor -o /usr/share/keyrings/omegacortex.gpg
echo "deb [signed-by=/usr/share/keyrings/omegacortex.gpg] https://omegacortex.ai/apt stable main" \
  | sudo tee /etc/apt/sources.list.d/omegacortex.list
sudo apt update && sudo apt install omega-sentinel

Updates: sudo apt update && sudo apt upgrade

DNF-based systems: add the repository (one-time setup):

sudo tee /etc/yum.repos.d/omegacortex.repo << REPO
[omegacortex]
name=OMEGA Sentinel Repository
baseurl=https://omegacortex.ai/rpm/stable/x86_64
enabled=1
gpgcheck=0
REPO
sudo dnf install omega-sentinel

Updates: sudo dnf upgrade omega-sentinel

That's it. SENTINEL is now protecting your server. All features enabled. Enforce mode active. No configuration needed.

Pricing

Simple pricing. No hidden fees. Start free, upgrade when you need more.

Feature                           Standard   Fail2ban   Professional   Enterprise
SSH brute force detection
Sudo abuse detection
SHA-256 audit chain
nftables support
Single binary (no deps)
Zero configuration
Web attack detection (SQL/XSS)                          45+ patterns   45+ patterns
Attack chain correlation
Progressive escalation                                  30m→6h→7d      30m→6h→7d
Custom rules                                 regex      5 rules        Unlimited
Baseline anomaly learning
Egress monitoring
SIEM integration                                        Config         Native
Price per server/year             Free       Free       $49            $199
$49

Professional

Per server/year • Web detection • Correlation
Buy Now
$199

Enterprise

Per server/year • All features • Priority support
Contact

Download SENTINEL v3.9.8