Overview
Prevent Unauthorized AI Actions Before They Execute
Sentinel-Ops is the governance layer for AI-enabled applications in production. It intercepts every tool call, API request, and LLM interaction your application makes and enforces a declarative Safe Operating Envelope (SOE) policy - without modifying your application code.
The Problem: Organizations deploying autonomous AI agents, RAG pipelines, and LLM-powered services face a critical gap - these systems can access unauthorized data, execute destructive commands, or drift beyond their intended scope with no deterministic control plane in place. Security and compliance teams need enforceable guardrails, not just monitoring.
Three Constraints, One Policy File
- Identity - Define what role the application can claim, what authority it has, and which environments it can operate in.
- Data Access - Control which files and paths the application can read and write using glob patterns. Deny access to credentials, PII, and production data.
- Tool Actions - Specify which commands, tools, and API calls the application can execute using glob and regex patterns. Block destructive operations like rm -rf, DROP TABLE, or unauthorized API calls.
Example Use Case
A financial services team running 20 autonomous coding agents needs to ensure no agent can access production credentials, customer PII, or execute database mutations outside a sandbox. With Sentinel-Ops, a single .soe.json policy file enforces these boundaries deterministically across all agents - every violation is denied and logged with full audit context for compliance review.
How It Works
- Define your governance policy in a .soe.json file
- Deploy Sentinel-Ops via CloudFormation (5 minutes)
- Point your AI application through the SOE API or transparent sidecar proxy
- Every tool call is evaluated: ALLOW, DENY, or ESCALATE
Key Capabilities
Deterministic Enforcement: 95% of decisions are made via regex/glob matching in under 1ms. No LLM in the critical path. Zero hallucination risk. Fail-closed - unknown actions are denied by default.
AI-Assisted Classification: For the 5% of ambiguous cases, Sentinel AI uses your LLM provider (Groq or Anthropic) to reason about intent. You provide the API key and control this entirely.
Cumulative Risk Scoring: Arbiter tracks risk across sessions. An application that makes 50 borderline calls gets progressively restricted - even if each individual call is allowed.
Cross-Application Anomaly Detection: Beacon monitors patterns across all governed applications. Detects coordinated attacks, unusual trajectories, and behavioral anomalies.
Immutable Audit Trail: Every decision is logged to an append-only event store with SHA-256 hash chain. Export compliance reports in OSCAL and STIX formats. Route events to Amazon EventBridge for your existing alerting stack.
Content Guardrails: Built-in PII detection (SSN, credit card, phone, email), prompt injection defense, and content safety scanning.
Real-Time Dashboard: Live view of allows, denies, risk budgets, and application activity.
Governs Any AI-Enabled Application
Autonomous agents (Claude Code, LangGraph, CrewAI, AutoGen), multi-agent systems, RAG pipelines, chatbots, LLM-powered microservices, and any HTTP-based AI workload.
Two integration modes - zero code changes required:
- Sidecar proxy - transparent network-level interception
- REST API - direct /v1/evaluate calls from any framework
Architecture and Data Privacy
Your data never leaves your AWS account. Sentinel-Ops runs entirely within your infrastructure as an ECS Fargate service. The only data transmitted externally is aggregate usage counts to AWS Marketplace for billing. No telemetry, no phone-home, no data collection by YadriWorks Inc.
Deployment
CloudFormation creates all required resources: ECS Cluster, Task Definition, Application Load Balancer, WAF, Security Groups, DynamoDB, S3, CloudWatch Logs, Secrets Manager, and IAM roles (least privilege). Multi-AZ high availability with auto-scaling included.
Get Started
Review pricing dimensions on the Pricing tab, then deploy via CloudFormation in minutes. For a guided deployment walkthrough or to request a sample SOE policy tailored to your AI stack, contact the YadriWorks team. Visit https://yadriworks.ai/docs for full documentation and policy examples.
Highlights
- Sub-millisecond deterministic enforcement with zero hallucination risk. 95% of policy decisions resolve via glob and regex matching in under 1ms with no LLM in the critical path. Fail-closed by default - any action not explicitly permitted is denied. A single .soe.json policy file governs identity claims, data access paths, and tool-call permissions across all your AI applications including autonomous agents, RAG pipelines, chatbots, and LLM microservices.
- Immutable compliance audit trail with OSCAL and STIX export. Every allow, deny, and escalation decision is cryptographically logged to an append-only event store with SHA-256 hash chain verification. Route real-time governance events to Amazon EventBridge for integration with your existing SIEM and incident response workflows. Cross-application anomaly detection via Beacon identifies coordinated threats and suspicious behavioral patterns.
- Deploy in 5 minutes with zero code changes to your AI applications. Transparent sidecar proxy intercepts tool calls at the network level - no SDK integration, no code modifications, no vendor lock-in. Works with Claude Code, LangChain, CrewAI, AutoGen, and any HTTP-based AI workload. CloudFormation provisions all AWS resources with least-privilege IAM. Your data never leaves your AWS account - no telemetry, no phone-home, no external data collection by YadriWorks.
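The SHA-256 hash chain behind the audit trail described under Key Capabilities and Highlights can be illustrated with a short sketch. This is an added example, not Sentinel-Ops code: the record layout, the all-zero genesis value and the sample events are assumptions made for illustration. It also shows why the current head hash should be anchored somewhere outside the store, since a chain with its tail cut off still verifies on its own.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first record

def _digest(prev_hash, event):
    # Canonical JSON so the same event always hashes to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(chain, event):
    """Append an event linked to the previous record; return the new head hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "prev_hash": prev_hash,
                  "hash": _digest(prev_hash, event)})
    return chain[-1]["hash"]

def verify(chain, expected_head=None):
    """Return the index of the first bad record, len(chain) if the head does
    not match expected_head, or None when the chain is intact."""
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev_hash:
            return i  # record removed, inserted or reordered before this one
        if rec["hash"] != _digest(prev_hash, rec["event"]):
            return i  # event contents changed after logging
        prev_hash = rec["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(chain)  # tail truncated or replaced
    return None

def sample_chain():
    """Constructed sample decisions, not real Sentinel-Ops events."""
    chain, head = [], GENESIS
    for action, decision in [("git status", "ALLOW"),
                             ("rm -rf build", "DENY"),
                             ("docker build .", "ALLOW")]:
        head = append(chain, {"agentId": "my-agent", "action": action,
                              "decision": decision})
    return chain, head
```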
Pricing
| Dimension | Description | Cost/12 months |
|---|---|---|
| Essentials - Up to 10 Agents, 500 k Evaluations per Month | Everything in StarterPack for up to 10 agents, plus AI-assisted classification for ambiguous tool calls (bring your own LLM key: Amazon Bedrock, Groq, or Anthropic). Includes 500,000 evaluations/month. Never interrupted at the cap: additional usage is billed automatically in 100,000-evaluation blocks at $150/block. Standard support, 2-business-day response. | $5,988.00 |
| Professional - Up to 100 Agents, 1.5M Evaluations per Month | Everything in Essentials for up to 100 agents, plus Beacon cross-agent anomaly detection, Access Graph visualization, and EventBridge/SIEM integration. Includes 5,000,000 evaluations/month. Never interrupted at the cap: additional usage is billed automatically in 1,000,000-evaluation blocks at $750/block. Priority support, 1-business-day response. | $29,888.00 |
| Enterprise - Unlimited Agents, Unlimited Evaluations | Custom pricing (contact seller for a private offer). Everything in Professional with unlimited agents and unlimited evaluations (no caps, no overage). Adds 24/7 dedicated support, 4-hour critical-response SLA, a named CSM, dedicated Slack channel, custom integrations, and professional services for SOE policy design. Priced per environment. Request a private offer via AWS Marketplace. | $179,888.00 |
| StarterPack - 1 Agent, 10k evaluations per month | Governance for a single AI agent. Deterministic SOE enforcement (identity, data access, tool actions), cumulative risk scoring, immutable audit trail, real-time Command Center dashboard, and OSCAL/STIX export. Includes 10,000 policy evaluations per month, a true hard cap (evaluations are denied fail-closed once reached; no overage charges, ever). Community support, no SLA. No time limit. | $0.00 |
| StarterPack (Free) | 1 agent, 10,000 evaluations/month (hard cap) | $0.00 |
| Essentials | Up to 10 agents, 500,000 evaluations/month, AI-assisted classification | $5,988.00 |
| Professional | Up to 100 agents, 5,000,000 evaluations/month, Beacon + Access Graph + SIEM | $29,888.00 |
| Enterprise | Unlimited agents, unlimited evaluations, 24/7 SLA + CSM | $179,888.00 |
| Essentials overage block | 100,000 additional evaluations beyond the Essentials monthly cap | $150.00 |
| Professional overage block | 1,000,000 additional evaluations beyond the Professional monthly cap | $750.00 |
Vendor refund policy
30-day money-back guarantee. Contact support@yadriworks.ai within 30 days of subscription for a full refund. After 30 days, subscriptions are non-refundable for the remainder of the contract term.
Delivery details
Sentinel-Ops CloudFormation Stack
- Amazon ECS
Container image
Containers are lightweight, portable execution environments that wrap server application software in a filesystem that includes everything it needs to run. Container applications run on supported container runtimes and orchestration services, such as Amazon Elastic Container Service (Amazon ECS) or Amazon Elastic Kubernetes Service (Amazon EKS). Both eliminate the need for you to install and operate your own container orchestration software by managing and scheduling containers on a scalable cluster of virtual machines.
Version release notes
Sentinel-Ops v1.6.7 - AI agent governance engine
Additional details
Usage instructions
Sentinel-Ops - Usage Instructions
1. Launch the Stack
Open this URL in your browser to deploy:
Fill in the parameters:
- LlmApiKey (required): A credential for one of the supported providers - AWS Bedrock, Anthropic, or Groq (see docs/SUPPORTED_PROVIDERS.md for the authoritative list)
- SoeMode: audit (default) or enforce
- ACMCertificateArn: Required only for enforce mode
Check the IAM capability box and click Create Stack. Deploys in ~15 minutes.
2. Get Your Credentials
Once the stack shows CREATE_COMPLETE, go to the Outputs tab. You will find:
- ApiEndpoint -- your API base URL
- ApiTokenSecretArn -- Secrets Manager ARN for your auth token
- ApiKeySecretArn -- Secrets Manager ARN for your API key
Retrieve them with:
```bash
# Get auth token and keep it in $TOKEN for the API calls in the later steps
TOKEN=$(aws secretsmanager get-secret-value \
  --secret-id "<ApiTokenSecretArn-from-outputs>" \
  --query SecretString --output text | jq -r .token)

# Get API key
aws secretsmanager get-secret-value \
  --secret-id "<ApiKeySecretArn-from-outputs>" \
  --query SecretString --output text | jq -r .key
```
3. Quick Test
4. Deploy Your SOE Policy
Create my-agent.soe.json defining identity, data access, and tool action boundaries:
```json
{
  "agentId": "my-agent",
  "version": "1.0.0",
  "identity": {
    "role": "DevOps",
    "environmentScope": ["development", "uat"]
  },
  "dataAccess": {
    "readAllow": ["deploy/**"],
    "readDeny": ["**/.env", "**/credentials*"],
    "writeAllow": ["deploy/uat/**"],
    "writeDeny": ["production/**"]
  },
  "toolActions": {
    "bash": {
      "allow": ["git *", "docker build *"],
      "deny": ["rm -rf *", "DROP TABLE *"]
    }
  }
}
```
Deploy it:
```bash
curl -X POST "<ApiEndpoint>/v1/deploy" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d @my-agent.soe.json
```
5. Run Your Agent (Zero Code Changes)
Your agent runs unmodified. All outbound HTTP is transparently intercepted by the SOE sidecar and evaluated against your policy.
Deployment Modes
- audit (default) -- Evaluates all policies and logs decisions, but allows all actions through. No TLS required.
- enforce -- Actively blocks denied actions. Requires HTTPS via ACMCertificateArn parameter.
Start with audit to validate your policies, then switch to enforce when ready.
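Before switching from audit to enforce, it helps to know which actions the agent took during the trial run would be denied by the step 4 policy. The sketch below is an added example, not Sentinel-Ops code: it assumes Python `fnmatch` glob semantics, deny-before-allow precedence and fail-closed defaults, and the observed actions are constructed. The product's own matcher may differ, so treat `/v1/simulate` as the authoritative check.

```python
import json
from fnmatch import fnmatchcase

# dataAccess and toolActions copied from the step 4 policy on this page.
POLICY = json.loads("""{
  "dataAccess": {"readAllow": ["deploy/**"],
                 "readDeny": ["**/.env", "**/credentials*"],
                 "writeAllow": ["deploy/uat/**"],
                 "writeDeny": ["production/**"]},
  "toolActions": {"bash": {"allow": ["git *", "docker build *"],
                           "deny": ["rm -rf *", "DROP TABLE *"]}}
}""")

def _decide(value, allow, deny):
    # Assumed semantics: deny wins, then allow, anything else fails closed.
    if any(fnmatchcase(value, p) for p in deny):
        return "DENY"
    if any(fnmatchcase(value, p) for p in allow):
        return "ALLOW"
    return "DENY"

def check_path(policy, op, path):
    # op is "read" or "write"
    rules = policy["dataAccess"]
    return _decide(path, rules.get(op + "Allow", []), rules.get(op + "Deny", []))

def check_tool(policy, tool, command):
    rules = policy["toolActions"].get(tool)
    if rules is None:
        return "DENY"  # tool not named in the policy: fail closed
    return _decide(command, rules.get("allow", []), rules.get("deny", []))

def blocked_in_enforce(policy, observed):
    """Actions seen in audit mode that enforce mode would deny."""
    out = []
    for kind, target, value in observed:
        check = check_tool if kind == "tool" else check_path
        if check(policy, target, value) == "DENY":
            out.append((kind, target, value))
    return out

# Constructed sample of what an agent did during an audit-mode trial run.
OBSERVED = [
    ("tool", "bash", "git status"),
    ("tool", "bash", "rm -rf build"),
    ("tool", "bash", "terraform apply"),
    ("path", "read", "deploy/uat/app.yaml"),
    ("path", "read", "deploy/uat/.env"),
    ("path", "write", "production/db.sql"),
]
```

Calling `blocked_in_enforce(POLICY, OBSERVED)` returns the four actions that would stop working in enforce mode, including `terraform apply`, which no rule mentions and which is denied only because the evaluation fails closed.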
API Reference
- POST /v1/evaluate -- Evaluate a tool call against SOE policy
- POST /v1/simulate -- Test without enforcing
- POST /v1/deploy -- Deploy or update an SOE policy
- POST /v1/validate -- Validate an SOE definition
- GET /v1/health -- Health check
- GET /v1/agents -- List governed agents
- GET /v1/events/stream -- Real-time event stream (SSE)
All endpoints require Authorization: Bearer <token> header.
Troubleshooting
- Stack fails with "enforce mode requires HTTPS": Set SoeMode=audit or provide ACMCertificateArn.
- Stack creation fails: Check the Events tab. The stack needs a default VPC.
- Agent denied unexpectedly: Check your .soe.json policy. Use /v1/simulate to test first.
- Audit mode allows everything: Expected. Check the originalDecision field in responses.
Support
- Docs: https://yadriworks.ai/d
Support
Vendor support
Support Channels
Email: support@yadriworks.ai
All support requests can be submitted via email. The YadriWorks support team provides assistance with deployment, SOE policy configuration, integration guidance, and troubleshooting for Claude Code, LangChain, CrewAI, AutoGen, and other AI frameworks.
Support Tiers
Essentials Tier
- Standard support
- 2 business day response time
- Deployment assistance and SOE policy guidance
Professional Tier
- Priority support
- 1 business day response time
- Deployment assistance and SOE policy guidance
Enterprise Tier
- 24/7 dedicated support
- 4-hour critical issue response time
- Named Customer Success Manager
- Dedicated Slack channel
- Deployment assistance and SOE policy guidance
Included With All Tiers
- Deployment and CloudFormation setup assistance
- SOE policy authoring guidance
- Integration support for all compatible AI frameworks
- Troubleshooting and issue resolution
- Refund requests handled via support@yadriworks.ai
Getting Help
For urgent production issues on Enterprise tier, use your dedicated Slack channel for fastest response. For all other inquiries including billing questions, refund requests, or general product support, email support@yadriworks.ai with your AWS account ID and a description of the issue.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.