SZLHOLDINGS · Security Layer
sentra
Security gates that emit DSSE receipts.
6 parallel checks. One signed envelope per scan. OTel spans to Jaeger, Tempo, or Honeycomb.
Security gates that emit DSSE receipts.
6 parallel checks. One signed envelope per scan. OTel spans to Jaeger, Tempo, or Honeycomb.
sentra is the anomaly detection and observability substrate of the SZL Holdings governed platform. It applies Kitaev-surface posture drift detection to AI agent telemetry — flagging 6 attack categories per prompt, then emitting a DSSE-signed receipt for every scan. Not a firewall. Not a SIEM. A typed, proof-sealed security gate layer.
Taps SZL audit fiber events and raw agent payloads. Every packet passes through
sentra_immune — the canonical heuristic scanner — before downstream processing.
Security posture is modeled as a topological surface. Drift from the ground-state triggers a classified drift event, ranked by CVSS-weighted severity and fed to the operator surface.
Every gate run produces a DSSE envelope (application/vnd.szl.sentra.security-gate-receipt+json)
HMAC-signed with the SZL dev key. Receipts are proof-chain ready for the audit fiber.
Sentra emits OpenTelemetry spans to Jaeger, Tempo, or Honeycomb. Gate results appear as span attributes — no vendor lock-in on the telemetry backend.
All incident remediation passes through the Covenant Policy engine before execution. No automated response without human confirmation — every action is audit-sealed.
Heuristic patterns drawn from arXiv:2403.04957, arXiv:2302.12173, and SZL-original classifications. All 6 gates run in parallel per prompt. Source: szl-holdings/sentra.
Each gate runs independently on every prompt. A PASS/FAIL verdict and reason string are written
into the DSSE receipt payload. Gate IDs use the FG-S prefix (Frontier Gate, Sentra domain).
| Gate ID | Name | Description | Authority |
|---|---|---|---|
| FG-S1 | Prompt Injection | Keyword scan + direct injection markers. Detects ignore previous instructions,
role-override, XML-tag injection, and canonical threat signatures from
sentra_immune.py. |
arXiv:2403.04957
Liu et al. 2024 — Prompt Injection Attacks and Defenses |
| FG-S2 | Exfiltration Signals | URL-based exfiltration patterns, system-prompt extraction attempts, encoding-evasion
techniques (base64), and sensitive URL parameter extraction. |
SZL Holdings classification OWASP LLM Top 10: LLM01 |
| FG-S3 | Jailbreak Markers | DAN-style bypass, fiction/roleplay exploits, grandma-exploit patterns, safety-filter circumvention phrases, encoding obfuscation (rot13/hex/morse). |
arXiv:2302.12173
Liu et al. 2023 — Jailbreaking ChatGPT via Prompt Engineering |
| FG-S4 | Unicode Smuggling | Zero-width character injection (U+200B–200F), bidirectional-override abuse (U+202A–202E), specials-block characters (U+FFF0–FFFF), and tag-block homoglyphs (U+E0000–E007F). |
SZL Holdings classification Unicode Security Considerations |
| FG-S5 | Receipt-Chain Tampering | Checks DSSE envelope integrity in the SZL audit chain. Detects attempts to forge, replay, or corrupt receipt payloads before downstream proof-chain consumption. SZL ORIGINAL |
SZL Holdings original DOI 10.5281/zenodo.20434276 |
| FG-S6 | Governance-Gate Bypass | Detects attempts to circumvent the Covenant Policy engine — crafted payloads designed to trigger automated remediation without human confirmation. SZL ORIGINAL |
SZL Holdings original Ouroboros Thesis v18 §Λ-axis |
Every AI agent payload enters the sensor adapter, fans out to all 6 gates simultaneously, and the combined verdict is wrapped in a DSSE envelope. Spans flow to the OTel backend of your choice — Jaeger, Tempo, or Honeycomb.
The sentra-security-gates Space runs the full 6-gate heuristic scanner and returns a DSSE receipt for every prompt. Try injecting a jailbreak, a unicode zero-width character, or a system-prompt extraction attempt to see which gates trip.
sentra is not a SIEM. The table below is honest: Y/N only, no marketing claims. Each cell reflects public documentation as of May 2026.
| Capability | Splunk ES | CrowdStrike Falcon | Palo Alto Cortex XSIAM | Datadog Security | sentra |
|---|---|---|---|---|---|
| AI-prompt-injection detection | N | N | N | N | Y — FG-S1, arXiv:2403.04957 |
| Jailbreak detection | N | N | N | N | Y — FG-S3, arXiv:2302.12173 |
| DSSE receipt per scan | N | N | N | N | Y — signed HMAC envelope |
| Governance-gate bypass detection | N | N | N | N | Y — FG-S6, Covenant policy gate |
| Unicode smuggling detection | N | N | N | N | Y — FG-S4, bidi/zero-width/tag-block |
| OTel-native telemetry | N — proprietary ingest | N — vendor-locked | N — Cortex-only pipeline | Y — OTLP supported | Y — OTLP, Jaeger, Tempo, Honeycomb |
| Open source | N | N | N | N | Partial — BSL-1.1 source available |
| Endpoint / EDR | Y | Y — primary use case | Y | Y | N — not an EDR |
| SIEM / log aggregation | Y — primary use case | Partial | Y | Y | N — not a SIEM |
| SOC2 compliance tooling | Y | Y | Y | Y | N — Phase 2 roadmap |
| Runtime enforcement engine | Partial | Y | Y | Partial | N — Phase 2 roadmap |
| Formal Lean-verified invariants | N | N | N | N | Y — Lutar/QEC/KitaevSurface basis |
Vendor capabilities are derived from public documentation: Splunk ES, CrowdStrike Falcon, Palo Alto Cortex XSIAM, Datadog Security Monitoring. "N" means no public documentation for that capability. Claims may change as vendor products evolve. sentra's "N" entries are honest — it does not claim capabilities it does not have.
Honesty about scope prevents misuse. sentra has a narrow, well-defined job.
sentra does not provide SOC2 audit tooling, compliance dashboards, or certification evidence. SOC2 integration is Phase 2 — not available today.
sentra does not aggregate logs, correlate events across network infrastructure, or replace Splunk / Elastic / Datadog for enterprise log management.
sentra does not monitor processes, file systems, or network connections on host machines. Use CrowdStrike, SentinelOne, or similar for endpoint coverage.
sentra detects and receipts — it does not block, quarantine, or kill processes. Runtime enforcement is Phase 2. Today, gates report; humans decide.
sentra operates at the AI-agent payload layer, not the network layer. It does not inspect TCP/IP traffic, DNS, or TLS sessions.
sentra is one layer — the AI-agent observation layer — in a defense-in-depth posture. It complements, does not replace, existing security tooling.
All arXiv URLs verified HTTP 200 before embedding. All vendor URLs verified HTTP 200.