arc·sentinel
Request access
consent-based · v1.0.0 · operational

Watch the surfaceyou already own.

ArcSentinel is a sealed, consent-first OSINT and diagnostics workspace. Map your perimeter, audit your TLS, watch your DNS, and seal what matters in a vault only you can open.

Request accessSee it in motion
consent verified
100%
scan modules
12
vault encryption
AES-256
median scan p50
<200ms
live feed
> ASN AS13335 :: tls handshake :: ok> vault entry sealed :: aes-256-gcm> scan job 0x9af7 :: completed in 1.42s> consent gate :: triple-verified> intel.shodan :: 12 new banners> dns trail :: ns1 → ns2 → resolve> rate-limit :: 47/100> egress firewall :: rfc1918 blocked> argon2id :: derived> sentinel agent :: heartbeat OK> ASN AS13335 :: tls handshake :: ok> vault entry sealed :: aes-256-gcm> scan job 0x9af7 :: completed in 1.42s> consent gate :: triple-verified> intel.shodan :: 12 new banners> dns trail :: ns1 → ns2 → resolve> rate-limit :: 47/100> egress firewall :: rfc1918 blocked> argon2id :: derived> sentinel agent :: heartbeat OK

// 01 capabilities

Twelve surgical modules.
One sealed pipeline.

Modules ship with hard guardrails: consent gating, SSRF protection, private-IP refusal, rate-limiting, and structured output.

Targeted recon

DNS, TLS, headers, subdomain mapping, ASN lookups. Triple-gated by consent.

01 / 06

Consent-first

Every scan ships with a sealed consent record. UI, API, and worker re-verify.

02 / 06

Sealed vault

AES-GCM in the browser. Argon2id keys at rest. Even we cannot read your notes.

03 / 06

Live globe

Watch your fleet pulse on a 3D sentinel orb. Pings, arcs, scan rings.

04 / 06

API keys & SDK

Mint scoped keys. Rotate on tap. Embed scans into your own pipelines.

05 / 06

Audit trail

Every action is logged. Filter by case, scan, target, or user. Exportable.

06 / 06

// 02 workflow

Four steps. Zero ambiguity.

  1. step 01

    Declare ownership

    Add a target, attest you own it, paste evidence. We refuse to scan otherwise.

  2. step 02

    Compose a scan

    Pick modules. Tune depth. Sign the consent gate. Watch it run live.

  3. step 03

    Review intel

    Findings stream into your case file. Tag, annotate, seal to vault.

  4. step 04

    Act on it

    Export to PDF or JSON. Open a remediation ticket. Re-scan on a cadence.

arcsentinel · cliv1.0.0
$

// 03 security model

Threat-modelled, then audited.

verified

SSRF guard

Outbound requests refuse RFC1918, link-local, and loopback ranges. CIDR-aware.

verified

Argon2id at rest

API keys are hashed with Argon2id. Memory-hard, side-channel resistant.

verified

Browser-side AES-GCM

Vault entries are sealed in the browser. Server only sees ciphertext.

verified

HSTS + CSP + XFO

Edge proxy enforces strict transport, content security, and frame denial.

verified

Rate-limited everywhere

Upstash-backed token-bucket on every API surface. No back doors.

verified

Triple consent

UI, API, and worker independently re-verify the consent record on every scan.

// 04 embed

Drop a live status badge anywhere.

Embed a sealed sentinel widget in your status page, internal wiki, or README. Updates over a signed channel. No tracking.

embed.htmlcopy
<iframe
  src="https://arcsentinel.app/embed/status/yourcase"
  loading="lazy"
  width="100%"
  height="160"
  style="border:0;border-radius:6px"
></iframe>
Operational
all systems green · last scan 3m ago
dns
ok
tls
ok
shodan
ok
Degraded
tls cert renewing · 4 days remaining
dns
ok
tls
warn
shodan
ok

// initialize

Boot the sentinel.

Sign in, declare a target, and scan. Your console runs on encrypted rails by default.

Create accountSign in