Sentinel XAI — Explainable Threat Detection

Security operations overview

Real-time detection with transparent model reasoning. Every alert comes with a human-readable explanation.

Active threats in feed

streaming live

Critical alerts open

3 need triage

Model accuracy

98.0%

+0.17pp · F1 0.968

Events / tick

520

-43 · Σ 16.0K

Traffic vs. detections

Rolling live window · updates as new telemetry arrives.

Events · 520Threats · 1

Attack type distribution

Share of the 9 most recent detections. Updates live.

Brute Force
2 · 22.2%
SQL Injection
1 · 11.1%
DDoS
1 · 11.1%
Data Exfiltration
1 · 11.1%
Port Scan
1 · 11.1%
Malware C2
1 · 11.1%
Phishing
1 · 11.1%
Privilege Escalation
1 · 11.1%

Live threat feed

9 recent events · tap any row to see the model explanation.

streaming

Brute Force185.220.101.42 → :22
critical
15:52:31
97.0%active
SQL Injection92.118.161.18 → :443
critical
15:51:01
94.0%investigating
DDoS203.0.113.88 → :80
high
15:49:31
88.0%contained
Data Exfiltration10.0.3.41 → :8443
critical
15:48:01
91.0%active
Port Scan41.220.77.9 → :0
medium
15:46:31
76.0%contained
Malware C210.0.2.88 → :6667
high
15:45:01
89.0%investigating
Phishing198.51.100.14 → :25
medium
15:43:31
72.0%contained
Privilege Escalation10.0.4.44 → :389
high
15:42:01
84.0%active
Brute Force172.58.12.9 → :443
low
15:40:31
58.0%contained

Time	Event	Source → Dest	Attack	Severity	Confidence	Status
15:52:31	EVT-48291	185.220.101.42→10.0.4.17:22	Brute Force	critical	97.0%	active
15:51:01	EVT-48288	92.118.161.18→10.0.2.105:443	SQL Injection	critical	94.0%	investigating
15:49:31	EVT-48275	203.0.113.88→10.0.1.22:80	DDoS	high	88.0%	contained
15:48:01	EVT-48262	10.0.3.41→45.33.12.209:8443	Data Exfiltration	critical	91.0%	active
15:46:31	EVT-48251	41.220.77.9→10.0.5.200:0	Port Scan	medium	76.0%	contained
15:45:01	EVT-48240	10.0.2.88→178.62.14.33:6667	Malware C2	high	89.0%	investigating
15:43:31	EVT-48229	198.51.100.14→10.0.6.3:25	Phishing	medium	72.0%	contained
15:42:01	EVT-48218	10.0.4.44→10.0.0.1:389	Privilege Escalation	high	84.0%	active
15:40:31	EVT-48204	172.58.12.9→10.0.7.15:443	Brute Force	low	58.0%	contained

Why was this flagged?· EVT-48291

Per-prediction explanation using SHAP and LIME

Brute Force

Prediction

THREAT

threshold 0.50 · TCP

Confidence

97.0%

Origin

185.220.101.42

RU · dest :22

Base value 0.12f(x) = 0.97

pushes toward threatpushes toward benign

Each row shows how much a feature shifted the prediction from the base value. Positive (red) contributions raise the threat score; negative (cyan) contributions lower it.

failed_login_attempts
= 247 in 60s
+0.38
source_ip_reputation
= malicious (Tor exit)
+0.24
auth_protocol
= SSH
+0.11
geo_risk_score
= 0.89
+0.09
user_history
= first contact
−0.06
time_of_day
= 03:12 local
+0.05
tls_fingerprint
= known botnet
+0.04

Global feature importance

Average absolute SHAP value across the model's training distribution.