sentinel-harness

Production SecOps agents, built as configuration — on Amazon Bedrock AgentCore Harness

你声明 agent(模型·提示·工具·技能·记忆·限额),AWS 跑完整个 agent loop。零编排代码。

M0–M7 delivered1475 offline tests Registry + AgentCore Runtime · live-validatedCI green
Act 1 · 议程

本次讲解的 10 幕Agenda

问题

SecOps agent 为何难落地:编排代码税

命题

agent = 配置,不是代码

架构

两平面 API + 托管 harness + 三层

北极星

agent 造 agent 自迭代闭环

治理

Registry 双闸门 DRAFT→PENDING_APPROVAL

证据

实盘验证,每条挂 evidence

操作

一键拉起 · CLI · Makefile · 无锁定

Demo

16 个可跑 scenario 串联

好处

解决什么问题 × 怎么解决 × 优势

路线图

M0–M7 + 诚实边界

Act 1 · 问题

一个分析师会的,全团队都会——却缺一个流转框架The missing framework

成熟的安全团队通常已经拥有

模型

Bedrock 上的基础模型

MCP server

内部工具与数据接口

分析师技能

一堆 SOP / SKILL.md

缺的不是零件,而是一个让它们流转起来的框架 —— 让「一个分析师会的,全团队都会」。

sentinel-harness 就是这个框架的参考实现:把常见的三层 SecOps agent 架构(Strategy / Simulation / Foundation)逆向工程进 AgentCore 原语
Act 1 · 问题

别再缴「编排代码税」Stop paying the orchestration-code tax

Stop paying the orchestration-code tax DIY agent orchestration is a tangle you build and maintain; AgentCore Harness is one declarative config while AWS runs the loop. Stop paying the orchestration-code tax Who owns the agent loop — you, or AWS? DIY agent you build + maintain agent loop retries memory HITL gate parallelism observability error handling scaling auth / IAM glue code you own forever vs AgentCore Harness AWS runs the loop one declarative config agent.yaml tools · memory · HITL · policy AWS-managed agent loop retries · memory · parallelism · observability · scaling zero orchestration code to maintain
Act 2 · 命题

agent 是配置,不是编排代码Declare the agent. AWS runs the loop.

Declare the agent. AWS runs the loop. A balance scale: the heavy left pan is hundreds of lines of orchestration code (loop, retry, state) sinking red; the light right pan is a small agent.yaml card (model, prompt, tools, skills, memory, limits) rising green. The beam tilts toward config; swapping a model, adding a tool, or replacing a skill is a config change, not a rebuild. Declare the agent. AWS runs the loop. Agent = configuration, not code AWS-managed runtime · it runs the loop HEAVY LIGHT Orchestration code you own it while not done: step = plan(state) act(step) # retry+backoff state = reduce(state, obs) checkpoint(state) + hundreds more lines agent.yaml you declare it model:sonnet-4-5-v1:0 prompt:system.md tools:[search, fetch, sql] skills:[triage, summarize] memory:session + long-term limits:steps 40 · budget apply swap a model · add a tool · replace a skill = a config change, not a rebuild
Act 2 · 平台

Amazon Bedrock AgentCore HarnessThe managed agent runtime

托管 agent loop + 一组原语。你只写声明,平台跑运行

Memory

托管语义/摘要记忆,actorId 多租户

Gateway

内部 MCP 工具,allowedTools 显式白名单

Browser / Code Interpreter

内建浏览器 + 确定性计算沙箱

inline_function(HITL 门)

高风险动作暂停等人批准

egress 控制

默认拒绝出网

多 harness + supervisor

并行与角色分解的官方形态

每个会话跑在独立的 Firecracker microVM —— 隔离、用完即弃。

Act 3 · 架构

全景架构The whole picture

sentinel-harness — architecture on Amazon Bedrock AgentCore sentinel-harness Production SecOps agents, built as configuration — on Amazon Bedrock AgentCore Harness M0–M7 delivered · 1475 offline tests · CI green Registry + AgentCore Runtime live-validated on a non-prod account CALLERS Humans OAuth / JWT (aud claim) Services (M2M) SigV4 / client_credentials TWO-PLANE API bedrock-agentcore-control lifecycle · create / update / delete bedrock-agentcore data · invoke / stream / HITL resume MANAGED HARNESS · per-session Firecracker microVM agent loop Memory Gateway Browser Code Intp inline_function — HITL gate egress control (default-deny) multi-harness + supervisor · ≈2.6× parallel speedup supervisor IDENTITY & SECRETS Cognito CUSTOM_JWT human aud · M2M client_id token vault (no raw creds) THREE SECOPS LAYERS L1 · Strategy CVE triage · detection-gen alert triage · feedback loop L2 · Simulation Play Mode · BAS replay detonation (simulated no-op) L3 · Foundation registry · sandbox · factory IaC: CDK (9) + Terraform Guardrail · Identity · Obs NORTH STAR · agent-builds-agents self-iteration loop natural language / alerts / errors → auto-build → test → evaluate → iterate → promote — HITL-gated, evidence-backed meta-agentemits harness spec harness_opscreate → READY → invoke llm-judgescore answer self-improvingupdate → v2 promoteCreateHarnessEndpoint REGISTRY DUAL-GATE GOVERNANCE (live-verified) create recordAGENT_SKILLS / MCP DRAFTnot live PENDING_APPROVALsubmit_for_approval approved ∧ code-mapped ⇒ live · autoApproval=false = the on-account gate · offline mirror in registry.py LIVE A2A ON AGENTCORE RUNTIME (end-to-end, real model) ECR imagearm64 · scan-on-push CreateAgentRuntimemicroVM · PUBLIC · A2A A2A message/send → HTTP 200real Bedrock Haiku → CVETriage proven on a non-prod test account, then torn down (billing stopped) · evidence/live_a2a_runtime_result.json
Act 3 · 架构

两平面 API —— 生命周期 + 调用,HITL 恢复内建Two-plane API

Two-plane API — lifecycle + invoke, HITL resume built in Two-plane API · lifecycle + invoke, HITL resume built in control plane provisions and gates state · data plane invokes and streams · human approval is a first-class pause/resume Caller human / service control plane bedrock-agentcore-control data plane bedrock-agentcore microVM per-session Firecracker CreateHarness(config) wait READY · status CREATING → READY InvokeHarness(sessionId, input) · stream start session + run stream: response chunks (SSE) HITL · human-in-the-loop stop_reason = tool_use → execution pauses human approves invoke_with_tool_result(sessionId) two messages: {role:assistant, toolUse} + {role:user, toolResult} resume session stream: final response → end_turn dashed = async return / stream solid = request
Act 3 · 架构

三层 SecOps 架构Strategy · Simulation · Foundation

Three SecOps layers, reverse-engineered into AgentCore primitives L3 · Foundation registry · sandbox · Agent Factory · IaC (CDK 9 stacks + Terraform) Guardrail / Identity / Observability L2 · Simulation Play Mode · BAS detection-replay · detonation (simulated no-op) L1 · Strategy CVE triage · detection-gen · alert triage · feedback loop signal rises: foundation → strategy feedback loop Foundation primitives compose upward; strategy learnings loop back down.
Act 4 · 北极星

agent 造 agent 的自迭代闭环Agent builds agents

Agent builds agents — self-iteration loop (north star) Agent builds agents · build → test → evaluate → iterate → promote the self-iteration loop — HITL-gated, evidence-backed north star closed self-improving ring HITL gate meta-agent emits harness spec harness_ops create → READY → invoke llm-judge score answer self-improving update → v2 promote CreateHarnessEndpoint
Act 4 · 治理

Registry 双闸门 —— 未经人工批准,永不 liveDual-gate governance

Registry dual-gate · nothing is live until a human approves Governance modeled as a state machine — create → DRAFT → PENDING_APPROVAL → LIVE create record submit_for_approval human approve create record DRAFT exists, NOT live record written to registry; no traffic, no serving PENDING_APPROVAL awaiting a human decision submitted; still NOT live — blocked on approver current state LIVE serving traffic reachable only after approve + code-map not yet reached The gate is AND, not OR A record goes LIVE only if approved AND code-mapped. autoApproval=false is the on-account gate — approval can never be self-granted. registry_governance — evidence closed:true · final_status PENDING_APPROVAL (verified, never advanced to LIVE) Solid nodes are reached states; the dashed LIVE node stays unreachable until a human clears the gate. DRAFT PENDING_APPROVAL LIVE (unreached)
Act 5 · 证据

这不是 PPT 工程,是实盘Proof, not slides

23 份 evidence,M0–M7,Registry + Runtime 实盘验证。每一条能力都能对上一个 evidence/*.json

CVE 分诊

零编排代码:确定性计算 + HITL 门 + 记忆

多 harness 并行

2.64× 实测加速

HITL 全闭环

closed_hitl_loop: true

Guardrail 实盘

GUARDRAIL_INTERVENED 遮蔽假 key

隔离 VPC

default-deny,无 IGW/NAT

live A2A on Runtime

HTTP 200 · 真 Bedrock 模型 · CVSS 10.0

账号 id 在所有 evidence 中脱敏为 000000000000。

Act 5 · 证据

多 harness 并行 + supervisor —— 2.64× 加速Parallelism, measured

One harness is single-agent; parallelism = many harnesses + a supervisor One harness is single-agent · parallelism = many harnesses + a supervisor Same 4 tasks, two execution models — wall-clock measured end to end START SERIAL · ONE HARNESS 4 tasks run end-to-end on a single long bar task 1 task 2 task 3 task 4 serial finish (1.00x) PARALLEL · MANY HARNESSES + SUPERVISOR 4 harnesses run at once, then a supervisor synthesizes harness A task 1 harness B task 2 harness C task 3 harness D task 4 parallel finish — much sooner supervisor synthesizes 4 results into one answer reconciles · dedupes 2.64x wall-clock speedup measured: same 4 tasks, serial vs 4 harnesses + supervisor synthesis LEGEND serial bar = one harness, tasks back-to-back short bars = harnesses running concurrently supervisor = single-agent that fans in + synthesizes traveling dot = fan-out request · ants = live flow
Act 5 · 证据

HITL 全闭环 —— pause → approve → resumeThe loop actually closes

High-stakes actions pause for a human, then the loop resumes High-stakes actions pause for a human · then the loop resumes Full-pause HITL — the loop stops at an inline_function gate AGENT LOOP TIMELINE agent runs reasoning loop tools in-VM request_containment_ approval inline_function emits tool_use LOOP PAUSES stop_reason = tool_use no auto-run amber gate held human approves out-of-band review grant / deny decision invoke_with_tool_result two messages · same toolUseId assistant · toolUse id: tu_01 user · toolResult id: tu_01 agent resumes continues from gate runs to completion closed_hitl_loop: true real · pause + resume verified end-to-end Gate cannot self-clear — resume requires the two-message assistant.toolUse + user.toolResult pair (same toolUseId). LEGEND agent invoke flow pause · approval request resume · tool_result path blinking gate = loop held traveling dot = resumed run inline_function HITL gate
Act 5 · 证据

L3 安全实盘 —— 密钥遮蔽 + 默认拒绝出网Secure by default, deployed

Secrets masked, egress default-deny — deployed and validated on AWS Left: Guardrail intercepts a tool response containing a fake AWS key and masks it. Right: an isolated VPC with no internet gateway, no NAT, no default route, reachable only via PrivateLink interface endpoints. Secrets masked, egress default-deny — deployed and validated on AWS L3 security, proven live: Guardrail redaction + an isolated VPC with default-deny egress L3 · live-validated GUARDRAIL — SECRET MASKING tool response (in) aws-access-key-id: AKIAIOSFODNN7EXAMPLE Guardrail GUARDRAIL_INTERVENED sensitiveInformationPolicy masked output (out) "aws-access-key-id": AKIA…EXAMPLE {aws-access-key-id} secret removed before it reaches the model or logs ISOLATED VPC — DEFAULT-DENY EGRESS VPC · private subnet private subnet AgentCore Runtime workload ENI no public IP · no route to internet RFC-5737 test range 198.51.100.0/24 BLOCKED EGRESS PATHS Internet Gateway NAT Gateway 0.0.0.0/0 route PrivateLink interface endpoints bedrock-agentcore ecr.api ecr.dkr logs sts AWS services inbound/egress denied default-deny egress · live-validated Guardrail masks secrets before they reach the model or logs; the workload can only reach AWS over PrivateLink. No IGW, no NAT, no 0.0.0.0/0 route — proven on AWS with a non-prod account. GUARDRAIL_INTERVENED PrivateLink-only
Act 5 · 证据

live A2A on AgentCore Runtime —— 端到端,真模型The crown jewel

Live A2A on AgentCore Runtime — a real specialist, a real model, end-to-end Live A2A on AgentCore Runtime · a real specialist, a real model, end-to-end ECR image → CreateAgentRuntime → real Firecracker microVM (A2A) → JSON-RPC message/send → HTTP 200 → real Bedrock Haiku → structured CVETriage → teardown HTTP 200 · the crown jewel STEP 1 ECR image arm64 scan-on-push STEP 2 Create AgentRuntime control-plane call STEP 3 Firecracker microVM PUBLIC net · A2A READY STEP 4 A2A message/send JSON-RPC 200 HTTP OK STEP 5 cve-intel specialist real A2A agent STEP 6 CVETriage Log4Shell CVSS 10.0 STEP 7 teardown delete_runtime billing stopped Bedrock Haiku REAL model · Converse API invoke JSON Proven on a non-prod test account, then torn down. Log4Shell CVE-2021-44228 · a real specialist reached READY over PUBLIC A2A, called a real Bedrock Haiku, returned structured CVETriage (CVSS 10.0) — then deleted, billing stopped.
Act 6 · 操作

一键拉起 —— free-tier 默认几乎零成本One command to lift off

One command to stand up the foundation — free-tier by default make deploy → human gate → cdk deploy → four stacks power on → seed · create · smoke make deploy or ./deploy.sh confirm account + region HUMAN GATE · type to approve acct 000000000000 · us-east-1 cdk deploy provision stacks 4 free-tier stacks · sequential power-on guardrail SCPs · policy baseline identity roles · least-privilege observability logs · metrics · traces network VPC · subnets · routing lift-off optional make deploy-endpoints adds PrivateLink endpoints ≈ $30 / mo 9 CDK stacks total free-tier default ≈ $0 · endpoints opt-in once foundation is up make seed-registry populate the registry baseline entries make create-harnesses generate agent harnesses DRY_RUN default make smoke verify end-to-end smoke tests pass
Act 6 · 操作

日常操作 —— CLI + Makefile + harness.yamlDay-to-day

sentinel CLI

sentinel create <harness.yaml>
sentinel invoke / list / delete
sentinel cleanup   # 拆掉本 repo 建的所有 harness
sentinel run-scenario <name>

Makefile

make test          # 1475 离线测试
make deploy        # free-tier 4 栈
make seed-registry # 双闸门治理检查
make create-harnesses  # DRY_RUN 默认
make smoke         # 验收

harness.yaml(声明式)

name: alert-triage
model: ${SENTINEL_MODEL}
systemPrompt: system_prompt.md
allowedTools: [siem_query, enrich_ioc, create_ticket]
memory: [SEMANTIC, SUMMARIZATION]
inlineGates: [request_containment_approval]

${ENV} 展开、system_prompt.md 解析、inline HITL 门自动注入。改一行 = 换模型/加工具/换技能。

Act 6 · 操作

无锁定 & 一键拆No lock-in

sentinel export

把 harness 配置导出成可编辑的 Strands agent 代码 —— 迁到 Runtime / 自托管,随时带走

make destroy

一键拆掉全部 CDK 栈(确认账号+region)

非 CDK 资源 teardown

Registry / ECR / role / Runtime 的完整清单在 deploy/README

配置不够用时,导出代码;用完,一键清干净。不锁定、可复现。

Act 7 · Demo

16 个可跑 scenario —— 每次运行都写 evidenceRunnable, offline, deterministic

16 runnable scenarios · every run drops evidence 16 runnable scenarios · every run drops evidence 01 cve_triage 02 multi_harness 03 detection_gen 04 hitl_resume 05 play_mode 06 bas_replay 07 egress_control 08 agent_factory_loop 09 self_improve_loop 10 alert_triage_poc 11 feedback_loop 12 cve_asset_triage 13 detonation 14 registry_governance 15 named_supervisor 16 live_a2a_runtime offline & deterministic · each writes evidence/*.json · run: python scenarios/scenario_<name>.py
Act 7 · Demo

现场脚本 A · CVE-asset triageLive demo A

python scenarios/scenario_cve_asset_triage.py —— 离线、秒级、确定性。

① 取 CVE

CVE-2021-44228 (Log4Shell)

② 富化

nvd_lookup + epss_kev / KEV

③ 资产关联

asset_lookup → 谁暴露了该服务

④ 爆炸半径

reachable hosts + internet-exposed

⑤ CVETriage

结构化裁决:CVSS / KEV / affected

⑥ HITL 门

分析师签核后才可行动

结果落 evidence/cve_asset_triage_result.json(closed:true)。

Act 7 · Demo

现场脚本 B · feedback loop(正循环)Live demo B

python scenarios/scenario_feedback_loop.py —— 处置结果自动反哺策略。

一批误报 (FP)

噪声规则积累 4 条 FP 处置

自动触发

detect_triggers 按 fp_rate 触发 whitelist 优化

保住真阳 (TP)

whitelist_optimizer 可证明不误杀 Log4Shell TP

规则再生

生成 rule_regeneration 任务交回 M1/M2 引擎

HITL 门控

只有经 request_publish_approval 才发布

闭环

closed:true —— 处置 → 策略改进

Act 8 · 价值

解决什么问题 × 怎么解决 × 证据What it solves · how · proven by

What it solves · how · proven by PROBLEM → MECHANISM → EVIDENCE Problem Mechanism Evidence Rebuild the agent loop for every use case declarative harness config cve_triage zero orchestration code One harness is single-agent multi-harness + supervisor 2.64x speedup LLM hallucinates high-stakes actions inline_function HITL gate closed_hitl_loop:true Ungoverned tools/agents sprawl Registry dual-gate DRAFT → PENDING_APPROVAL Secrets / egress risk Guardrail + default-deny VPC GUARDRAIL_INTERVENED no IGW / NAT
Act 8 · 价值

为什么团队选 sentinel-harnessWhy teams pick it

Why teams pick sentinel-harness Why teams pick sentinel-harness Config-first SecOps agents on Amazon Bedrock AgentCore — seven reasons Faster delivery Config, not code — one YAML ships an agent. No orchestration code Runtime wires tools, memory and model for you. Governance built-in Dual-gate approval required before deploy. Secure by default Guardrail plus default-deny tool policy. Observable CloudWatch metrics and Budgets alarms. No lock-in sentinel export builds a portable Strands agent. Reproducible 1475 offline tests, all green in CI. M0–M7 delivered · config-first · portable
Act 9 · 路线图

M0–M7 已交付 · 诚实的剩余边界Delivered, and honestly what's next

已交付并验证

M0–M7 全交付

策略/模拟/基础三层 + 自迭代 + 交付形态

Registry + Runtime

控制面 + microVM live A2A 实盘验证

三个 L3 栈

Guardrail / Identity / Observability 实盘部署

诚实剩余(不夸大)

full cdk deploy

Registry/runtime 原生 CFN 类型 GA 前会失败

*_LIVE 接真实后端

接客户 SIEM/asset/工单需客户账号

detonation

诚实的模拟 no-op(无真实恶意软件/VM)

三步上手,几分钟见效

1 git clone → make test1475 离线测试,零 AWS
2 make demo平台叙事巡演,看 evidence
3 make deployfree-tier 上 AWS,一键拆

agent = 配置,不是代码 · 治理与安全默认内建 · 无锁定 · 可复现

github.com/neosun100/sentinel-harnessRelease v0.2.0docs/ · evidence/