Streaming anomaly detection and incident investigation for federal zero trust architectures.
Three-model ensemble scoring, transparent per-model contributions, investigation-first analyst workflow, and OSCAL 1.1.3 continuous monitoring evidence emitted on demand. Built for FedRAMP Moderate and CMMC Level 2.
Six-tier architecture, end-to-end
Vector edge collectors normalize syslog, OTLP, and HEC payloads into ECS, route through Kafka, and land in a Postgres feature store with TimescaleDB hypertables. A three-model ONNX ensemble scores every event on the hot path. Analysts open every anomaly directly into an investigation panel with pgvectorscale similarity over 100M+ rows and a hash-chained audit log on every action. The reference deployment runs in AWS GovCloud or Azure Government; every tier scales to the platform’s 50,000 events-per-second target.
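The Tier 2 shape described above (rolling z-score, an unsupervised model, a supervised model, and a combiner that keeps each model's contribution next to the ensemble score) as an added example. This is not SentryGrid code and not its ONNX models: the Isolation Forest and XGBoost stages are replaced by two small stand-ins so the block runs with no ML dependency, the combiner is a normalised weighted mean rather than a fitted calibrator, and the baseline traffic and labels are constructed for the example.

```python
"""Added example, not SentryGrid code: a three-model ensemble with per-model
contributions. The Isolation Forest and XGBoost stages are stand-ins."""
import math
from collections import deque
from dataclasses import dataclass


@dataclass
class EnsembleResult:
    score: float          # combined score in [0, 1]
    raw: dict             # each model's own score, before weighting
    contributions: dict   # each model's share of the combined score (sums to 1)
    is_anomaly: bool


class RollingZScore:
    """Statistical baseline: |z| of the newest value against a rolling window,
    squashed into [0, 1) so it is comparable with the other models' outputs."""

    def __init__(self, window: int = 50):
        self.values = deque(maxlen=window)

    def score(self, x: float) -> float:
        if len(self.values) < 2:           # not enough history: neutral score
            self.values.append(x)
            return 0.0
        n = len(self.values)
        mean = sum(self.values) / n
        std = math.sqrt(sum((v - mean) ** 2 for v in self.values) / (n - 1))
        z = 0.0 if std == 0 else abs(x - mean) / std
        self.values.append(x)              # the window only grows after scoring
        return 1 - math.exp(-z)            # z = 3 gives roughly 0.95


class RangeScorer:
    """Stand-in for the unsupervised Isolation Forest: 0 inside the range seen
    at fit time, rising towards 1 the further a value sits outside it."""

    def __init__(self, training: list):
        self.lo, self.hi = min(training), max(training)
        self.span = max(self.hi - self.lo, 1e-9)

    def score(self, x: float) -> float:
        if self.lo <= x <= self.hi:
            return 0.0
        dist = self.lo - x if x < self.lo else x - self.hi
        return 1 - math.exp(-dist / self.span)


class LabelledCut:
    """Stand-in for the supervised XGBoost classifier: a single cut-point learned
    from labelled examples, returned through a sigmoid as a crude probability."""

    def __init__(self, examples: list):
        pos = [x for x, y in examples if y == 1]
        neg = [x for x, y in examples if y == 0]
        self.cut = (min(pos) + max(neg)) / 2
        self.scale = max(min(pos) - max(neg), 1e-9)

    def score(self, x: float) -> float:
        return 1 / (1 + math.exp(-(x - self.cut) / self.scale))


class Ensemble:
    """Combiner: weighted mean of the model scores plus each model's share of it.
    This is a normalised weighted mean, not a fitted calibrator; Platt or
    isotonic calibration would replace the final division."""

    def __init__(self, models: dict, threshold: float = 0.5):
        self.models = models               # name -> (scorer, weight)
        self.threshold = threshold

    def score(self, x: float) -> EnsembleResult:
        raw = {name: m.score(x) for name, (m, _w) in self.models.items()}
        weighted = {name: raw[name] * w for name, (_m, w) in self.models.items()}
        total_weight = sum(w for _m, w in self.models.values())
        combined = sum(weighted.values()) / total_weight
        mass = sum(weighted.values())
        contributions = {n: (v / mass if mass else 0.0) for n, v in weighted.items()}
        return EnsembleResult(combined, raw, contributions, combined >= self.threshold)


def score_stream(events: list) -> list:
    """Fit the stand-ins on constructed baseline traffic and score new events."""
    baseline = [100.0 + (i % 7) for i in range(50)]                    # constructed: 100..106
    labelled = [(v, 0) for v in baseline] + [(500.0, 1), (800.0, 1)]  # constructed labels
    z = RollingZScore(window=50)
    for v in baseline:                                                 # warm the window
        z.score(v)
    ensemble = Ensemble({
        "zscore": (z, 1.0),
        "unsupervised": (RangeScorer(baseline), 1.0),
        "supervised": (LabelledCut(labelled), 1.0),
    })
    return [ensemble.score(e) for e in events]


if __name__ == "__main__":
    for r in score_stream([103.0, 900.0]):
        print(f"anomaly={r.is_anomaly} score={r.score:.3f} contributions={r.contributions}")
```

The `contributions` dictionary is what an investigation panel would render beside the score: a value of 900 against a 100..106 baseline is driven mostly by the baseline and unsupervised stages, and an analyst can see that the supervised stage agreed but was less certain.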
- Tier 1 · Ingestion
  Vector edge collectors normalize syslog, OTLP, and HEC payloads into ECS, then route through Kafka with backpressure.
  - Vector aggregator + enricher
  - Kafka / Redpanda topics events.raw, events.enriched
  - Postgres feature store with TimescaleDB hypertables
- Tier 2 · Detection
  Three-model ONNX ensemble scores every event on the hot path. Per-model contributions are surfaced to analysts.
  - Statistical baseline (rolling z-score)
  - Isolation Forest (unsupervised)
  - XGBoost supervised classifier
  - Ensemble combiner with calibrated confidence
- Tier 3 · Investigation
  Analysts open every anomaly into an investigation panel with vector similarity over 100M+ rows and a hash-chained audit log on every action.
  - pgvectorscale similarity search
  - Hash-chained audit log (AU-9)
  - Annotation, escalation, and runbook surfaces
- Tier 4 · Alerting
  Five notification providers with secret redaction at the boundary and end-to-end audit envelopes.
  - Slack
  - PagerDuty
  - Microsoft Teams
  - Webhook
- Tier 5 · Compliance
  OSCAL 1.1.3 SSP, component definition, and POA&M emitted continuously. 61 FedRAMP Moderate KSIs Cosign-signed.
  - OSCAL emission with NIST schema validation
  - KSI catalog + signed JSONL emissions
  - AU-9 hash-chained audit with S3 Object Lock retention
- Tier 6 · Supply chain
  SLSA Level 3 build provenance, Cosign image signatures, CycloneDX SBOM for every release.
  - Reproducible builds with pinned digests
  - Cosign keyless attestation
  - CycloneDX 1.5 SBOM ingested by GUAC
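Tier 4's "secret redaction at the boundary and end-to-end audit envelopes" as an added example, not SentryGrid's alerting code. It assumes a JSON-like alert payload, a small constructed set of secret-bearing key names and value shapes, and an envelope that hashes the redacted body so an audit record can later prove which bytes went to the provider; the sample alert is constructed for this example.

```python
"""Added example, not SentryGrid code: secret redaction at the notification
boundary, plus an audit envelope recording what was actually sent."""
import hashlib
import json
import re
from datetime import datetime, timezone
from typing import Optional

REDACTED = "[REDACTED]"
# Keys whose values are never forwarded to a notification provider (assumed set).
SECRET_KEY = re.compile(r"(password|passwd|secret|token|api[_-]?key|authorization|cookie)", re.I)
# Value shapes redacted wherever they appear inside free text (assumed set).
SECRET_VALUE = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                                   # AWS access key id shape
    re.compile(r"(?i)bearer\s+[A-Za-z0-9._\-]+"),                      # bearer header value
    re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),   # JWT shape
]


def redact(obj):
    """Recursively redact a JSON-like alert payload; returns a new object."""
    if isinstance(obj, dict):
        return {k: (REDACTED if SECRET_KEY.search(k) else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        for pat in SECRET_VALUE:
            obj = pat.sub(REDACTED, obj)
        return obj
    return obj


def build_envelope(alert: dict, provider: str, sent_at: Optional[str] = None) -> dict:
    """Redact first, then wrap the outgoing body with a digest of the exact bytes
    sent so the audit chain can reference what left the boundary."""
    payload = redact(alert)
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return {
        "provider": provider,
        "alert_id": alert.get("alert_id"),
        "sent_at": sent_at or datetime.now(timezone.utc).isoformat(),
        "payload": payload,
        "payload_sha256": hashlib.sha256(body.encode()).hexdigest(),
        "redactions": body.count(REDACTED),
    }


# Constructed sample alert; the key id is the AWS documentation example value.
SAMPLE_ALERT = {
    "alert_id": "alrt-0001",
    "summary": "Unusual egress volume from build-runner-7",
    "context": {
        "user": "svc-deploy",
        "password": "hunter2",
        "headers": {"Authorization": "Bearer abc.def.ghi"},
    },
    "message": "request used key AKIAIOSFODNN7EXAMPLE and token "
               "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2ln",
}

if __name__ == "__main__":
    print(json.dumps(build_envelope(SAMPLE_ALERT, "slack"), indent=2))
```

Redacting by key name catches the common case, while the value patterns catch secrets pasted into free-text fields such as `message`; the digest is computed over the redacted body, so it attests to what the provider received, not to the unredacted alert.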
FedRAMP Moderate baseline, CMMC Level 2 aligned
The platform produces an OSCAL 1.1.3 SSP, component definition, and POA&M that validate against the NIST schema. 61 FedRAMP Moderate Key Security Indicators emit continuously and are Cosign-signed with 10-year retention. Audit logs are hash-chained for AU-9, written in a canonical form keyed on their occurred-at timestamp, and shipped to S3 with Object Lock in COMPLIANCE mode for production deployments.
| Control family | Controls | How SentryGrid implements it |
|---|---|---|
| Audit and accountability | AU-2, AU-3, AU-6, AU-9, AU-12 | Forward-only hash-chained audit log; AU-9 row recompute on verifyChain; S3 Object Lock in COMPLIANCE mode for 10-year retention. |
| Continuous monitoring | CA-7, SI-4, SI-4(2), SI-4(11), SI-4(13), SI-4(24) | OSCAL 1.1.3 evidence emitted continuously; 61 FedRAMP Moderate KSIs Cosign-signed; ensemble traffic-anomaly analysis on the hot path. |
| Identification and authentication | IA-2, AC-2, AC-3, AC-6 | Keycloak OIDC against the agency IdP; Casbin RBAC + ABAC at the API gateway; default-deny on every resource type. |
| System and communications protection | SC-7, SC-8, SC-13 | mTLS between services; default-deny egress; FIPS 140-3 validated cryptographic modules in the production overlay. |
| Configuration management | CM-3 | Two-party approval queue on rule promotion, model promotion, and retention changes. Enforced at the API layer, not the UI. |
| Incident response | IR-4, IR-5 | Investigation-first workflow with annotation, escalation chains, and runbook attachment. Every state transition lands in the audit chain. |
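The forward-only hash-chained audit log and the "row recompute on verifyChain" check from the table above, as an added example. This is not SentryGrid's implementation: it assumes SHA-256 over a canonical JSON serialisation of each row (sorted keys, compact separators), a genesis value of all zeros for the first row's `prev_hash`, and a `verify_chain` function that recomputes every row; the audit rows are constructed for the example. The last case in `tamper_demo` shows the caveat a practitioner should know: the chain detects edits and rehashing, but silently dropping the newest rows passes verification, which is why the chain head also has to land somewhere immutable such as the S3 Object Lock retention the page describes.

```python
"""Added example, not SentryGrid code: a forward-only, hash-chained audit log
with full recompute on verification."""
import hashlib
import json
from dataclasses import dataclass
from typing import Optional, Tuple

GENESIS = "0" * 64   # assumed prev_hash of the first row


def canonical(row: dict) -> bytes:
    """Deterministic serialisation: the same row always hashes the same way."""
    return json.dumps(row, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class AuditRow:
    seq: int
    occurred_at: str
    actor: str
    action: str
    detail: dict
    prev_hash: str
    row_hash: str = ""

    def body(self) -> dict:
        # Everything covered by the hash; row_hash itself is excluded.
        return {"seq": self.seq, "occurred_at": self.occurred_at, "actor": self.actor,
                "action": self.action, "detail": self.detail, "prev_hash": self.prev_hash}


def compute_hash(row: AuditRow) -> str:
    return hashlib.sha256(canonical(row.body())).hexdigest()


class AuditChain:
    """Append-only: there is deliberately no update or delete method."""

    def __init__(self):
        self.rows = []

    def append(self, occurred_at: str, actor: str, action: str, detail: dict) -> AuditRow:
        prev = self.rows[-1].row_hash if self.rows else GENESIS
        row = AuditRow(len(self.rows), occurred_at, actor, action, detail, prev)
        row.row_hash = compute_hash(row)
        self.rows.append(row)
        return row

    def head(self) -> str:
        """Hash of the newest row: the value to anchor in immutable storage."""
        return self.rows[-1].row_hash if self.rows else GENESIS

    def verify_chain(self) -> Tuple[bool, Optional[int]]:
        """Recompute every row; return (ok, index of first bad row)."""
        prev = GENESIS
        for i, row in enumerate(self.rows):
            if row.seq != i or row.prev_hash != prev or compute_hash(row) != row.row_hash:
                return False, i
            prev = row.row_hash
        return True, None


def tamper_demo() -> dict:
    """Constructed rows, then three tampering attempts against them."""
    chain = AuditChain()
    chain.append("2024-01-01T00:00:00Z", "analyst@example.gov", "annotate",
                 {"anomaly": "an-1", "note": "benign"})
    chain.append("2024-01-01T00:01:00Z", "analyst@example.gov", "escalate",
                 {"anomaly": "an-1", "to": "tier2"})
    chain.append("2024-01-01T00:02:00Z", "approver@example.gov", "approve",
                 {"queue": "rule-promotion"})
    anchored_head = chain.head()
    results = {"clean": chain.verify_chain()}
    # 1. Edit a row in place: its stored hash no longer matches the recompute.
    chain.rows[1].detail["to"] = "closed"
    results["edited"] = chain.verify_chain()
    # 2. Re-hash the edited row: the next row's prev_hash no longer links to it.
    chain.rows[1].row_hash = compute_hash(chain.rows[1])
    results["rehashed"] = chain.verify_chain()
    # 3. Drop the newest row as well: the shortened chain is self-consistent
    #    and passes; only the externally anchored head exposes the truncation.
    chain.rows.pop()
    results["truncated"] = chain.verify_chain()
    results["head_matches_anchor"] = chain.head() == anchored_head
    return results


if __name__ == "__main__":
    for case, outcome in tamper_demo().items():
        print(f"{case}: {outcome}")
```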
Built for the FY26 cybersecurity priorities
Aligned to OMB / ONCD FY2026 cybersecurity investment priorities and CISA’s Continuous Diagnostics and Mitigation program data quality plan. Independently developed under FedRAMP Moderate baseline controls; FY26 readiness lives in the trust center.