What Sentinel is
Sentinel is the proprietary Web Application Firewall (WAF) built in-house by Zeli to protect FlowForge, Liara AI chat and every other platform service. It’s not a bought-and-configured firewall: it’s a system built from scratch for the workflow automation use case, runs in the same datacenter as your data and ships nothing to third-party clouds.
What it does, in practice
Layer 1 — Pattern detection
Detects classic attack attempts in milliseconds: SQL injection, XSS, path traversal, command injection, server-side request forgery, prompt injection against AI endpoints. Tens of thousands of requests per second per instance.
Layer 2 — Behavioral analysis
Not just per-request: it tracks identity behavior (IP, fingerprint, session, cookie) over time. Automated scanners, brute force, credential stuffing and bots are identified even when each single request looks innocuous.
Layer 3 — On-prem machine learning
Sentinel integrates dedicated ONNX models for prompt-injection detection, toxicity analysis and encoding attack detection, with a hot-reloadable ML classifier for emerging patterns. All trained and served on our GPU in Germany: no request data is ever sent to OpenAI, Anthropic, Google or other third-party services.
Smart honeypots
Bait paths scattered across our exposed surfaces. Anyone hitting a honeypot is flagged hostile and auto-banned, before they can even attempt a real attack.
Geo + reputation intelligence
MaxMind GeoIP DB updated daily, hot-reload TOR exit-nodes list, allowlist/blocklist for known nation-state ranges. Automatic rejection of non-target countries or IPs already malicious in public feeds.
Instant ban propagation
When Sentinel decides to ban an IP, the block propagates in real time to the edge reverse-proxy. The ban kicks in milliseconds, before the next request is processed by the application.
Honest market comparison
We compare Sentinel not with other DIY WAFs, but with reference enterprise solutions that protect large companies. They’re excellent products, but their cost reflects their target (multinationals, banks, healthcare). Our claim: for the EU-hosted workflow automation use case, Sentinel offers comparable protection on every dimension that matters.
| Dimension | Cloudflare Enterprise | Imperva WAF | AWS WAF + Shield Adv. | Zeli Sentinel |
|---|---|---|---|---|
| OWASP Top 10 patterns | ✔︎ | ✔︎ | ✔︎ (Managed Rules) | ✔︎ |
| Behavioral / bot detection | ✔︎ (Bot Management add-on) | ✔︎ | partial (Bot Control add-on) | ✔︎ built-in |
| ML threat detection | ✔︎ (global cloud, shared data) | ✔︎ (cloud) | limited | ✔︎ dedicated on-prem |
| Hosting | Global edge (US + EU) | Imperva cloud (US + EU) | AWS (EU region) | EU only (DE) |
| Request data sent to third-party clouds | Yes (required for inspection) | Yes | Yes (AWS infrastructure) | No, never |
| Built-in honeypots | No | partial | No | ✔︎ |
| Workflow-aware (context-aware) | No | No | No | ✔︎ (roadmap) |
| Immutable audit log | add-on | add-on | CloudTrail (separate) | ✔︎ DB trigger + hash chain |
| DPO + contextual DPA | Standard cross-border DPA | Standard cross-border DPA | Standard cross-border DPA | EU internal DPO |
| Entry-level cost | "Contact sales" (public estimates ~5k USD/mo) | "Quote on request" (public estimates 15k+ USD/year) | 3,000 USD/mo minimum (Shield Adv., AWS price list) | included on all plans |
Honest price disclaimer: Cloudflare Enterprise and Imperva don’t publish Enterprise-tier prices — their sites point to "Contact Sales". The figures shown are approximations commonly reported on G2, TrustRadius and Gartner Peer Insights from public customer reviews (verified May 2026); actual cost depends on volume, annual contract, support tier and add-ons. AWS Shield Advanced has a public price list instead (aws.amazon.com/shield/pricing) with a 3,000 USD/mo minimum subscription. The table compares observed features, it’s not a criticism of the listed products which remain excellent in their category.
Hard-to-copy differentiators
1. ML in-house, no third-party cloud
Cloud WAFs (Cloudflare, Imperva, AWS) for technical reasons must ship request bodies to their datacenters for inspection. That’s how they work. Sentinel does the opposite: it runs on the same server as your requests, the ML model is in the same physical room. Zero data movement, zero cross-border agreements, zero CLOUD Act risk.
2. Model tuned for European attack patterns
Cloud WAFs use global models trained on aggregate traffic across all customers — useful against known attacks, but optimized for US enterprise workloads. Sentinel has a dedicated classifier that we can retrain on patterns specific to our European perimeter. Specificity helps when the application domain is well-defined (workflow automation, APIs, webhooks).
3. Workflow-aware in roadmap
No generic WAF on the market knows that the request on /webhook/abc belongs to workflow X of tenant Y using HubSpot credentials. Sentinel is learning this context: a request asking for Twilio credentials inside a HubSpot workflow becomes an immediate multi-tenant breakout signal.
4. Immutable audit chain
Every security event flows into our SHA-256 hash-chain audit log, with PostgreSQL triggers preventing DELETE/UPDATE/TRUNCATE even by privileged users. SOC2 Type II pre-ready, ISO 27001 art. 8.15 covered. An enterprise customer doing due diligence finds their due diligence already done here.
Platform defenses
Sentinel defends the perimeter. Beneath it, the whole platform is built on the verifiable enterprise principles below.
Tenant-isolated architecture
Every customer gets a dedicated Docker container — no shared runtime, no noisy neighbors, no cross-tenant risk.
On-premise EU
Hetzner Falkenstein hosting (Germany). No AWS, no extra-EU transfers, no CLOUD Act exposure.
GDPR-native by design
Right to erasure with 30-day grace period (Art.17), portability via signed export (Art.20), guaranteed human review (Art.22). Public DPIA.
State-of-the-art cryptography
AES-256-GCM envelope for sensitive data, argon2id (OWASP 2025) for passwords, internal SSO via JWE A256GCM, TOTP RFC 6238 for two-factor verification.
Cloudflare mTLS at the edge
Cloudflare Authenticated Origin Pulls: our server only accepts connections signed by the Cloudflare CA. Bypassing the edge is not possible.
Enterprise HTTP headers
HSTS preload (2 years + includeSubDomains), strict CSP with bound form-action, X-Frame-Options DENY + frame-ancestors anti-clickjacking, locked Permissions-Policy.
Immutable audit log
SHA-256 hash chain with PostgreSQL triggers preventing DELETE/UPDATE/TRUNCATE even for superusers. Every admin action leaves an indestructible trace.
Responsible disclosure
Open disclosure program: security researchers reporting vulnerabilities in good faith are credited, not pursued. Email [email protected] with the finding (steps to reproduce + impact). Reply within 5 business days.
Compliance roadmap
Target SOC2 Type II 2027, target ISO 27001 2027, annual penetration test with external auditor. Targets are indicative; transparency on status is permanent.
User credential management (BYOK API keys)
When a FlowForge user configures their own API keys for external providers (OpenAI, Anthropic, Gemini, Grok, DeepSeek, Mistral, Groq, OpenRouter, Ollama) in Settings → AI Providers, they are protected with enterprise-grade envelope encryption — the same pattern used by AWS KMS, HashiCorp Vault and GCP Secret Manager.
AES-256-GCM envelope encryption
Each API key is encrypted with a unique Data Encryption Key (DEK) generated for that specific key. The DEK is then encrypted with the tenant's Key Encryption Key (KEK). Only ciphertext + nonce + auth-tag land in the database — the plaintext key is never persisted.
KEK derived in memory, never on disk
The KEK is derived in RAM from FLOWFORGE_MASTER_PASSWORD (container env var) + a random salt generated at first boot. Only the salt sits on disk (file permissions 0600). Without the master password, reconstructing the KEK is computationally infeasible (scrypt N=2^15).
Per-tenant isolation by infrastructure
Every FlowForge tenant runs in its own isolated Docker container with its own SQLite DB and its own master.key file. Zero possibility of cross-tenant leak: an attacker who compromises one tenant cannot read another tenant's keys.
Never returned to the browser
The GET /credentials endpoint returns only metadata (id, name, provider, dates) and an opaque hasKey: true flag. The decrypted key lives in memory only for the few milliseconds of the LLM call, then is discarded. No browser JS can ever read the value.
Never logged in plaintext
PSR-3 multi-channel loggers apply automatic masking (sk-***...***xyz). No console.log, no dump leaves the container with the full key. Stack traces on errors never include the encrypted body.
Immutable audit log
Every INSERT/UPDATE/DELETE on user_credentials is written to the SHA-256 audit chain with PostgreSQL triggers that block DELETE/UPDATE/TRUNCATE even from privileged users. If anyone touches your keys, we know, and we can prove it.
Reference pattern implemented per industry standards from AWS KMS, HashiCorp Vault, GCP Secret Manager.
Clean compliance
- GDPR-native: fully on-prem EU, internal DPO, public documented DPIA, soft-exclude for the right to object (art. 21).
- Pre-storage pseudonymization: attack payloads stored for analysis have already had email, IP, JWT, cards, identity redacted. See privacy policy section 8.
- Clear retention: 12 months raw + 7 years anonymized for audit, 24 months max for training datasets, then aggregated distillation.
- Transparency: this page, the privacy policy and the DPIA describe what Sentinel does and why. No magic, no "proprietary AI black box we can’t discuss".
What we DO NOT do (on purpose)
- We do not share intelligence with other customers: your traffic doesn’t end up in a model that protects another company. What Sentinel sees stays in our archives.
- We do not sell security data to others. Never. Period.
- We do not block silently: every automated decision is reviewable by a human administrator. GDPR art. 22 respected by design.
- We publish the limits, not only the success metrics: coverage, false positives and known gaps are documented in the public DPIA and in the repository regression tests. Every alert exposes the signature trigger that fired it, so an analyst can validate the decision. Coverage in roadmap is declared openly as such.
Built for those who want to understand
If you’re an enterprise customer requesting a technical security review before signing, write to [email protected]. Under NDA we provide a detailed technical document and a documented penetration test. For exercising privacy rights (including the right to object to ML training, GDPR art. 21): [email protected].
Transparency note
This page was updated on May 31, 2026. Functional claims (pattern detection, behavioral analysis, on-prem ONNX ML, honeypots, geo intelligence, SHA-256 audit chain — verified under 100k events stress —, nginx ban propagation, per-tenant Docker hardening with cap-drop ALL + read-only rootfs + tmpfs noexec, multi-tenant isolation with volume 0700 UID 65532) are verifiable in code and infrastructure. Enterprise tests executed: 15/15 auth bypass blocked (CSRF, JWT alg=none, session forge, dir traversal, host injection), 21/21 cross-tenant SQL injection blocked, 5/5 container resource bomb contained, WCAG 2.1 AA 5/5 public pages, cross-browser 66/66 (Chrome+Firefox+WebKit + iPhone+Pixel+iPad). Backup restore drill + synthetic monitoring live via systemd timers (weekly cron + 5 min). "Roadmap" items (workflow-aware deep context, dedicated classifier trained on internal patterns) are in development. Quoted competitor prices come from public secondary sources (G2, TrustRadius, Gartner Peer Insights, official AWS price list for Shield Advanced) and are indicative. For a detailed technical document under NDA write to [email protected].