SentinelCore
Help & Documentation
Documentation v1

How SentinelCore works

SentinelCore is a lab-management portal that provisions, controls, monitors, documents, and scores isolated cyber-range exercises. This guide explains every module of the portal, defines the security terminology you will encounter, and describes why cyber-range training is valuable at every level of experience.

Why this lab is offered

Cybersecurity is a discipline you cannot master by reading alone. Attackers, defenders, and the systems they use behave in ways that only reveal themselves under real conditions. SentinelCore exists to provide a safe, repeatable, and observable environment where learners and teams can practice the full workflow of modern cyber operations — provisioning vulnerable systems, detecting intrusions, collecting forensic evidence, and writing defensible reports — without any risk to production networks.

Traditional classroom training stops at theory. Public CTF platforms teach puzzle solving but not operational discipline. Enterprise incident-response drills are expensive and infrequent. SentinelCore closes that gap by giving instructors and operators a portal that:

  • Spins up isolated virtual networks on demand, so exercises never touch real infrastructure.
  • Enforces containment automatically — a compromised lab machine cannot escape its network segment.
  • Records every action to an immutable audit trail, so students learn accountable behaviour from day one.
  • Grades performance against measurable objectives instead of subjective impressions.

Target audience

The platform is designed to serve four broad experience levels simultaneously:

Beginner
Curious learners & IT students
Never opened a terminal in anger? Start with guided introductory labs on Linux fundamentals, basic networking, and how attackers think. Every action is explained, every command is scaffolded, and the environment resets if you break it.
Intermediate
Junior analysts & sysadmins
Already comfortable with the shell and a SIEM dashboard? Practice triaging real alerts, pivoting between endpoint and network telemetry, and writing incident reports that hold up to review.
Advanced
Red / blue / purple teams
Rehearse full engagement scenarios — initial access, lateral movement, privilege escalation, detection engineering, and containment — against reproducible target environments with full packet capture and endpoint telemetry.
Educators
Instructors & program leads
Build a curriculum from reusable lab templates, version scenarios like code, publish them to cohorts, and grade student sessions against objective scoring rubrics with an immutable evidence trail.

Roles & permissions

SentinelCore enforces least privilege — every account is granted only the capabilities its role requires. Roles are stored server-side and validated by database row-level security; the browser cannot elevate itself.

Student
Runs assigned lab sessions, uploads evidence, and reads published reports. Cannot see other students' data or organizational configuration.
Instructor
Authors courses, assigns lab templates to cohorts, reviews student work, and publishes reports. Can see alerts and evidence within their organization.
Lab Operator
Provisions and controls the underlying virtual infrastructure, submits allow-listed agent actions (power, snapshot, isolate), and investigates SIEM alerts.
Administrator
Manages users, roles, and organization settings, and reads the immutable audit log. Cannot demote themselves — a safeguard against accidental lock-out.

Architecture & safety model

The single most important architectural rule of SentinelCore is that the browser never talks directly to hypervisors, firewalls, or SIEM administrative APIs. Every privileged operation is routed through authenticated server functions and a central orchestration agent. This means:

  • No credentials for Proxmox, pfSense, or Wazuh ever reach the client.
  • Every action is scoped to an organization and a session before execution.
  • Destructive actions require an explicit confirmation and are logged with the actor's identity.
  • Session state is guarded by a database trigger — the state column cannot be modified directly, only through the state-machine RPC.

Labs & Sessions

A lab template describes an exercise — its virtual machines, network topology, objectives, and scoring rubric. A lab session is a live instance of that template, assigned to specific participants and tracked through an eleven-state lifecycle:

  1. 1scheduled
  2. 2provisioning
  3. 3ready
  4. 4running
  5. 5paused
  6. 6containment_warning
  7. 7containment_breach
  8. 8stopping
  9. 9completed
  10. 10failed
  11. 11archived

Transitions between states are validated server-side against an explicit finite state machine. Stuck transient states (e.g. provisioning that never completed) are swept automatically by a scheduled job so sessions cannot silently hang.

Lab Catalog

The catalog is the library of reusable lab templates. Templates move through a simple lifecycle:

  • Draft — editable, invisible to students. Author the specification and iterate.
  • Published — a specific version is marked as current and becomes available to instructors and students.
  • Archived — retired from new use but preserved for auditability.

Every published version is immutable. If a scenario needs to change, a new version is drafted and republished — this guarantees that any student grade can be reproduced against the exact scenario they experienced.

Infrastructure & the Agent

The Infrastructure module lists the virtual machines managed by SentinelCore and their current power state, containment level, and owning session. Operators submit agent jobs — small, allow-listed instructions — to the orchestration agent, which is the only component permitted to talk to the hypervisor.

Allow-listed agent actions:

  • Power on / off — start or hard-stop a VM.
  • Reboot — orderly restart.
  • Suspend / resume — freeze VM state to disk.
  • Snapshot — capture a point-in-time image for later revert or forensics.
  • Revert — restore a VM to a prior snapshot.
  • Isolate — cut a VM off from all networks except a management interface. Used to contain suspected breaches.

Any action the agent does not recognise is rejected. Preconditions (for example, you cannot snapshot a powered-off VM) are checked in the database before the agent is invoked.

Alerts & SIEM

A SIEM (Security Information and Event Management) system aggregates logs and telemetry from every host, network device, and application in a monitored environment, then applies detection rules to surface events that may indicate malicious activity. SentinelCore uses Wazuh as its SIEM backend and exposes the resulting alerts in the Alerts module.

Each alert has a severity, a source rule, an affected host, and a status:

  • New — freshly generated, not yet triaged.
  • Investigating — an analyst has claimed it.
  • Resolved — closed with a rationale. Requires explicit confirmation to prevent accidental dismissal.
  • False positive — resolved with a note that the detection rule fired on benign activity.

Evidence & Chain of Custody

Evidence is any artefact a participant collects during a session — a screenshot, a log excerpt, a memory dump, a network capture. When uploaded, every artefact is hashed with SHA-256 and its hash, uploader, timestamp, and originating session are recorded on an append-only timeline called the chain of custody.

Chain of custody is the same principle used in criminal forensics: any handling event — access, transfer, analysis — must be recorded, and the artefact's integrity must be verifiable at every step. If a hash later fails to match, the evidence has been tampered with and is no longer admissible.

Reports

Reports document what happened during a session — what was detected, how it was handled, and what conclusions were reached. Every report is versioned as an append-only sequence of revisions: once written, a revision cannot be edited or deleted. Publishing a report makes it visible to the students associated with the session; archiving retires it without destroying history.

Audit Log

The audit log is an immutable record of every security-relevant action taken in the portal — role changes, session transitions, agent jobs, evidence uploads, report publications. Administrators can search and export it but nobody, including administrators, can modify or delete entries.

Glossary of key terminology

Cyber range
An isolated virtual environment purpose-built for hands-on cybersecurity training, exercises, and tool evaluation. Traffic never leaves the range, so anything can be safely broken.
Containment
The property that a compromised host inside the range cannot reach the outside world or other unrelated sessions. SentinelCore surfaces containment as isolated, warning, or breach.
Hypervisor
Software that runs virtual machines on physical hardware. SentinelCore targets Proxmox; the browser never talks to it directly.
SIEM
Security Information and Event Management. Collects and correlates logs and alerts across an environment.
IDS / IPS
Intrusion Detection / Prevention System — inspects network traffic for known malicious patterns; an IPS also blocks them.
EDR
Endpoint Detection and Response — an agent on each host that records process, file, and network activity, and can respond to threats.
Firewall (pfSense)
A network device that enforces which traffic may cross a boundary. pfSense is the firewall used to segment SentinelCore lab networks.
Row-Level Security (RLS)
A database feature that filters rows visible to each user based on policies evaluated inside the database itself, not the application.
Least privilege
A design principle: every actor is granted the minimum permissions required to perform its function, and nothing more.
Finite State Machine
A model where an entity is always in exactly one of a fixed set of states and may only transition between them along defined edges. Lab sessions use one.
Snapshot / Revert
A snapshot captures a VM's disk and memory at a moment in time. Revert restores that state, discarding everything that happened after. Useful for retries and forensic preservation.
Chain of Custody
The documented, unbroken record of who handled a piece of evidence, when, and how. Required for evidence to be trusted.
Red / Blue / Purple team
Red simulates attackers, blue defends, purple describes the collaboration between them — sharing findings so detections improve.
CTF (Capture the Flag)
A competition style where participants recover hidden tokens by solving security challenges. SentinelCore supports CTF-style scoring inside its labs.
Ready to run your first exercise?
Sign in and open the Dashboard to see labs assigned to you.