WASViking Docs
⌘K
Sentinel agent

Sentinel architecture

How the agent dials outbound mTLS to open a tunnel, and why no inbound port is ever required.

WASViking® Sentinel is a Go binary you install on a host inside your network. The agent dials outbound to WASViking over mutual TLS and opens a bidirectional gRPC tunnel. Every dynamic analyzer routes its HTTP probes through that tunnel transparently, with no analyzer-specific code.

Transport

  • Outbound only. No inbound ports, no static IP allow-listing, no VPN. The agent initiates.
  • Mutual TLS. The client certificate is provisioned during wasviking-sentinel register and rotates on schedule.
  • gRPC over HTTP/2. Long-lived stream, server-side flow control.
  • Standard load-balancer compatible. Works behind common managed load balancers that terminate mTLS and forward the verified client certificate.
  • Org binding. The certificate's CN/O identifies the organization. Cross-tenant requests are refused at the gRPC service layer.

Hardening on the host

The Sentinel package ships a systemd unit with:

  • NoNewPrivileges=true
  • ProtectSystem=strict
  • MemoryDenyWriteExecute=true
  • Restricted system calls
  • Cosign-signed releases (verifiable with the published public key)

An obfuscated enterprise build is available for environments that require it.

Operator privacy

The gRPC service redacts secrets at the boundary. The server never logs full proto, job, or response payloads. Cookies, CSRF tokens, and internal target bodies do not appear in operator logs.

This is enforced in code at the service layer, not in policy. Every new gRPC method has redaction baked in by design.

Tunneled analyzers

The tunnel is a property of the platform, not a feature of one scanner. The same DAST analyzers that run against external targets run against internal targets through the tunnel:

  • SQL Injection, XSS, JWT, and the injection-class checks.
  • GraphQL, SOAP/WSDL, and WebSocket.
  • Component detection, sensitive file and path exposure, and security headers.

No analyzer carries tunnel-specific code. The HTTP layer routes transparently.

What the agent can do beyond DAST

The Sentinel CLI also exposes:

  • wasviking-sentinel sbom: premise-side SBOM generation, OSV + KEV enrichment, REST submission.
  • wasviking-sentinel secrets: filesystem and git history secrets scan, optional live verification, hash + masked preview transit only.
  • wasviking-sentinel ci: CI/CD gate for SCA, secrets, and template-driven scans, with deterministic exit codes.

See the next pages in this section for each subcommand.

Job dispatch

Internal scans are queued on the WASViking side. The gRPC server hands a job to the connected agent for the right organization, the agent runs it locally, and streams results back. Heartbeats keep the connection healthy and detect zombie agents.

Failure modes

Symptom Likely cause
Agent fails to register Token expired or rotated. Reissue via the portal.
Tunnel drops every few minutes Network proxy enforces idle timeout. Configure keep-alive.
403 on submit endpoints Org binding mismatch. Re-register or check certificate CN.
Scans queued but not running Agent disconnected. Check systemctl status wasviking-sentinel.

The Sentinel Agents page in the portal shows agent state, last heartbeat, and provisioning history.