{"id":50652773,"url":"https://github.com/mohhudib/hybrid-rsentry","last_synced_at":"2026-06-07T22:00:53.887Z","repository":{"id":353850191,"uuid":"1203282558","full_name":"Mohhudib/hybrid-rsentry","owner":"Mohhudib","description":"Real-time ransomware detection and auto-containment system for Linux endpoints — entropy analysis, canary files, process lineage scoring, and AI threat classification.","archived":false,"fork":false,"pushed_at":"2026-06-06T01:11:05.000Z","size":2952,"stargazers_count":6,"open_issues_count":20,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-06-06T02:22:19.722Z","etag":null,"topics":["ai","celery","cybersecurity","docker","endpoint-security","fastapi","kali-linux","linux","postgresql","python","ransomware-detection","react","real-time","redis","threat-detection"],"latest_commit_sha":null,"homepage":"https://github.com/Mohhudib/hybrid-rsentry/wiki","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Mohhudib.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-06T22:40:51.000Z","updated_at":"2026-06-06T01:10:00.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Mohhudib/hybrid-rsentry","commit_stats":null,"previous_names":["mohhudib/hybrid-rsentry"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/Mohhudib/hybrid-rsentry","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mohhudib%2Fhybrid-rsentry","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mohhudib%2Fhybrid-rsentry/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mohhudib%2Fhybrid-rsentry/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mohhudib%2Fhybrid-rsentry/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Mohhudib","download_url":"https://codeload.github.com/Mohhudib/hybrid-rsentry/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mohhudib%2Fhybrid-rsentry/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34039495,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-07T02:00:07.652Z","response_time":124,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai","celery","cybersecurity","docker","endpoint-security","fastapi","kali-linux","linux","postgresql","python","ransomware-detection","react","real-time","redis","threat-detection"],"created_at":"2026-06-07T22:00:24.018Z","updated_at":"2026-06-07T22:00:53.873Z","avatar_url":"https://github.com/Mohhudib.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# 🛡️ Hybrid R-Sentry\n\n\u003cdiv align=\"center\"\u003e\n\n**A real-time ransomware detection and auto-containment system for Linux endpoints**\n\n[![Python](https://img.shields.io/badge/Python-3.13-blue?style=flat-square\u0026logo=python)](https://python.org)\n[![React](https://img.shields.io/badge/React-19-61DAFB?style=flat-square\u0026logo=react)](https://reactjs.org)\n[![Vite](https://img.shields.io/badge/Vite-5-646CFF?style=flat-square\u0026logo=vite)](https://vitejs.dev)\n[![FastAPI](https://img.shields.io/badge/FastAPI-0.110+-009688?style=flat-square\u0026logo=fastapi)](https://fastapi.tiangolo.com)\n[![Celery](https://img.shields.io/badge/Celery-5.x-37814A?style=flat-square)](https://docs.celeryq.dev)\n[![Redis](https://img.shields.io/badge/Redis-7.x-DC382D?style=flat-square\u0026logo=redis)](https://redis.io)\n[![PostgreSQL](https://img.shields.io/badge/PostgreSQL-15-336791?style=flat-square\u0026logo=postgresql)](https://postgresql.org)\n[![Tests](https://img.shields.io/badge/tests-71%20passing-brightgreen?style=flat-square)](#testing)\n[![Coverage](https://img.shields.io/badge/coverage-89%25-brightgreen?style=flat-square)](#testing)\n[![Version](https://img.shields.io/badge/version-v2.1.0-blue?style=flat-square)](CHANGELOG.md)\n[![License](https://img.shields.io/badge/License-MIT-yellow?style=flat-square)](LICENSE)\n\n**[Landing Page](https://mohhudib.github.io/hybrid-rsentry/)**\n\n\u003c/div\u003e\n\n---\n\n## Overview\n\nHybrid R-Sentry is a **hybrid ransomware detection system** that combines multiple detection layers with an AI-powered analyst to identify, classify, and automatically contain ransomware threats on Linux endpoints — in real time.\n\nUnlike signature-based solutions, Hybrid R-Sentry uses **behavioral analysis** to catch unknown and zero-day ransomware variants before they can cause significant damage.\n\n---\n\n## Features\n\n### Detection Engine\n- **Canary Files** — Strategically placed bait files with 4 naming prefixes (`AAA_`, `aaa_`, `ZZZ_`, `zzz_`) placed at 30 per-directory locations for 4× coverage; any touch or rename triggers CRITICAL alert; in eBPF mode, renames are blocked at the kernel level (`-EPERM`) via BPF LSM before any data is overwritten\n- **Shannon Entropy Analysis** — Monitors file entropy deltas to detect encryption activity in progress; memory-capped at 5 000 files with LRU eviction and 65 KB partial reads to prevent OOM on large watch paths\n- **Process Lineage Scoring** — Scores suspicious process ancestry chains including parent names, spawn location, and binary SHA-256 verified against 416 K dpkg hashes (MATCH / MISMATCH / UNKNOWN verdicts)\n- **Ransomware Extension Detection** — Renames to `.enc`, `.locked`, `.wcry`, `.crypted` etc. trigger CRITICAL (if the source was a document) or HIGH alert\n- **Markov Chain Repositioning** — Adaptively moves canary files to predicted high-risk directories based on observed filesystem access patterns; blocks repositioning into `.git/`, `/proc/`, `/sys/`, `/dev/`, `/run/`\n- **eBPF Kernel Sensor** (`agent/monitor_ebpf.py`) — 5-syscall behavioral detection (`openat`, `vfs_write`, `unlink`, `rename`, `execve`); per-process `proc_profile` BPF map with behavioral scoring (0–100); **BPF LSM canary blocking** (`-EPERM` in nanoseconds, requires `lsm=bpf`); velocity burst, family profiling (LockBit 5.0 / Akira / ESXi); BCC 0.35, kernel ≥ 6.19\n- **Combined Threat Scoring** — Fuses entropy and lineage signals into a weighted threat score for accurate severity classification\n- **False Positive Suppression** — Comprehensive whitelist system (`agent/exceptions.py`) covering browsers, package managers, system paths, archive formats, media files, and smart temp-dir filtering to eliminate noise on live Linux systems\n\n### Auto-Containment Pipeline\nWhen a CRITICAL threat is detected, the system automatically executes a tree-aware multi-stage containment sequence across the entire process tree:\n1. **SIGSTOP** — Immediately freezes the malicious process and all children (two-sweep enumeration catches race conditions)\n2. **Evidence Capture** — Collects process metadata, open files, and network connections (up to 48 files per process tree)\n3. **iptables DROP** — Blocks all outbound network traffic from the process owner UID\n4. **SIGKILL** — Terminates the process tree permanently\n\n### AI Threat Analyst\n- Multi-provider fallback chain: **Cerebras** (fastest, optional) → **NVIDIA API** (key 1) → **NVIDIA/Groq** (key 2)\n- Auto-detects Groq keys by `gsk_` prefix; backward compatible with `NVIDIA_API_KEY` / `NVIDIA_API_KEY_ALERTS`\n- Publishes a PENDING state immediately, then updates with the real result\n- AI results cached in Redis for 24 hours for forensic export\n- Auto-acknowledges alerts classified as Benign or LOW risk\n- System health check: analyzes recent activity patterns and reports overall endpoint status\n\n### SIEM Dashboard\n- Kibana-style 3-column layout: **FacetRail** filter panel, center (MetricsStrip + stacked histogram + sortable AlertsTable), **DetailFlyout** on alert click\n- **TopBar** horizontal navigation with 6 tabs + live alert count badge; **StatusBar** at the bottom with agents/EPS/WS status/cluster\n- **D3 v7 force-directed filesystem graph** — Obsidian-style node graph inside DetailFlyout and EventDetailModal; zoom, drag, tooltip, selected path pulled to center\n- Clickable TacticalResponseLog events → EventDetailModal with Summary/Entity/MITRE/Filesystem/Raw tabs\n- Live WebSocket feed — MetricsStrip, histogram, and table refresh instantly on new events\n- Host risk panel with radial risk score gauge and alert breakdown by severity\n- AI Analyst page with pending spinners, error cards, and 4-minute analysis persistence\n- **PDF Forensic Export** — date filter, severity filter, host-aware Hosts Overview table, per-alert drill-down with AI analysis; SHA-256 integrity footer on every page\n\n---\n\n## Architecture\n\n```\n┌─────────────────────────────────────────────────────────────┐\n│                        Linux Endpoint                        │\n│                                                             │\n│  ┌─────────────────────────────────────────────────────┐   │\n│  │  Sensor: inotify (watchdog) OR eBPF (kernel 6.19+)  │   │\n│  │   monitor.py                 monitor_ebpf.py         │   │\n│  │   (watchdog, userspace)      (TRACEPOINT_PROBE,      │   │\n│  │                               velocity burst,        │   │\n│  │                               family profiling)      │   │\n│  └───────────────────┬─────────────────────────────────┘   │\n│                      │                                      │\n│  ┌───────────────┐   │   ┌───────────────┐   ┌──────────┐  │\n│  │   Entropy     │◀──┴──▶│    Lineage    │   │Extension │  │\n│  │   Engine      │       │    Scorer     │   │Detection │  │\n│  └───────────────┘       └───────────────┘   └──────────┘  │\n│         │                        │                │         │\n│         ▼                        ▼                ▼         │\n│  ┌──────────────┐       ┌─────────────────────────────┐    │\n│  │    Markov    │       │     Auto-Containment         │    │\n│  │ Repositioner │       │  SIGSTOP→evidence→iptables   │    │\n│  └──────────────┘       │  →SIGKILL (tree-aware)       │    │\n│                         └─────────────────────────────┘    │\n└─────────────────────┬───────────────────────────────────────┘\n                      │ HTTP POST /api/events\n                      ▼\n┌─────────────────────────────────────────────────────────────┐\n│                      FastAPI Backend                         │\n│                                                             │\n│  ┌──────────────┐   ┌──────────────┐   ┌────────────────┐  │\n│  │   Events     │   │   Alerts     │   │     Hosts      │  │\n│  │   Router     │   │   Router     │   │    Router      │  │\n│  └──────┬───────┘   └──────────────┘   └────────────────┘  │\n│         │                                                   │\n│         ▼                                                   │\n│  ┌──────────────┐   ┌──────────────┐   ┌────────────────┐  │\n│  │    Celery    │   │  PostgreSQL  │   │     Redis      │  │\n│  │   Workers    │   │  (Events,    │   │  (Broker +     │  │\n│  │  (AI, ACK,   │   │   Alerts,    │   │   3 WS chans)  │  │\n│  │   WS push)   │   │   Hosts)     │   │                │  │\n│  └──────────────┘   └──────────────┘   └────────┬───────┘  │\n└─────────────────────────────────────────────────┼───────────┘\n                                                  │ WebSocket\n                                                  ▼\n┌─────────────────────────────────────────────────────────────┐\n│              React 19 SIEM Dashboard (Vite 5)                │\n│  TopBar + 6 tabs │ FacetRail │ Histogram │ D3 force graph   │\n│  Alert flyout │ AI analysis │ Host risk │ PDF export        │\n└─────────────────────────────────────────────────────────────┘\n```\n\n---\n\n## Tech Stack\n\n| Layer | Technology |\n|---|---|\n| Agent (inotify) | Python 3.13, watchdog 6, psutil, networkx, scipy, numpy |\n| Agent (eBPF) | Python 3.13, BCC 0.35 (`python3-bpfcc`), Linux kernel ≥ 6.19 |\n| Backend | FastAPI, SQLAlchemy (async), PostgreSQL, asyncpg |\n| Task Queue | Celery, Redis |\n| AI | Cerebras / NVIDIA / Groq (OpenAI-compatible, multi-provider fallback) |\n| Frontend | React 19, Vite 5, Tailwind CSS 3, **D3 v7**, Recharts, jsPDF, IBM Plex Sans/Mono, Font Awesome 6.5.1 |\n| Infrastructure | Docker Compose (PostgreSQL + Redis), Node.js 22 |\n\n---\n\n## Getting Started\n\n### Prerequisites\n- Python 3.13\n- Node.js 22\n- Docker \u0026 Docker Compose\n- **For eBPF sensor (default):** Linux kernel ≥ 6.19 + `sudo apt install python3-bpfcc bpfcc-tools -y`\n  - If kernel is older or BCC unavailable, set `SENSOR_BACKEND=inotify` in `.env`\n\n### Quick Start (recommended)\n\n**Step 1 — Clone and run first-time setup**\n```bash\ngit clone https://github.com/Mohhudib/hybrid-rsentry.git\ncd hybrid-rsentry\n# Install BCC for eBPF sensor (skip if using inotify fallback)\nsudo apt install python3-bpfcc bpfcc-tools -y\nbash setup.sh\n```\n\n`setup.sh` installs system packages (requires sudo), creates the Python venv, installs all Python and Node dependencies, and copies `.env.example` to `.env`.\n\n**Step 2 — Configure your environment**\n```bash\n# Edit .env — you must set these before running:\n#   POSTGRES_PASSWORD   — choose a strong password\n#   DATABASE_URL        — update to match POSTGRES_PASSWORD\n#   NVIDIA_API_KEY      — your AI provider API key\n#   NVIDIA_API_KEY_ALERTS\n#   WATCH_PATH          — a directory OUTSIDE the project folder\nnano .env\n```\n\n**Step 3 — Start everything**\n```bash\nbash start.sh\n```\n\n`start.sh` starts all five processes in the correct order and logs to `/tmp/rsentry-*.log`. Press `Ctrl+C` to stop all services cleanly.\n\nOpen [http://localhost:3000](http://localhost:3000) to access the dashboard.\n\n---\n\n### Subsequent Runs\n\nOnce the venv and node_modules are in place, just:\n```bash\nbash start.sh\n```\n\n---\n\n### Manual Start (for development or debugging)\n\nEach process runs in its own terminal.\n\n**Terminal 1 — Infrastructure**\n```bash\ndocker compose up -d\n```\n\n**Terminal 2 — Backend**\n```bash\nset -a \u0026\u0026 source .env \u0026\u0026 set +a\nsource venv/bin/activate\nuvicorn backend.main:app --reload\n```\n\n**Terminal 3 — Celery workers**\n```bash\nset -a \u0026\u0026 source .env \u0026\u0026 set +a\nsource venv/bin/activate\nPYTHONPATH=. celery -A backend.workers.tasks:celery_app worker --loglevel=info\n```\n\n**Terminal 4 — Agent** (requires root to set iptables rules)\n```bash\nset -a \u0026\u0026 source .env \u0026\u0026 set +a\nsudo -E venv/bin/python -m agent.monitor\n```\n\n\u003e `sudo -E` is mandatory — it preserves `WATCH_PATH` and the AI keys through the privilege boundary. Without it the agent watches the wrong path.\n\n**Terminal 5 — Frontend**\n```bash\ncd frontend\nnpm start\n```\n\nOpen [http://localhost:3000](http://localhost:3000) to access the dashboard.\n\n\u003e **Important:** `WATCH_PATH` must point to a directory **outside** the project folder. Placing canary files inside the repo corrupts `.git/refs`. The agent will refuse to start if this rule is violated.\n\n---\n\n## Environment Variables\n\n| Variable | Required | Description |\n|---|---|---|\n| `POSTGRES_PASSWORD` | Yes | PostgreSQL password — used by Docker Compose and `DATABASE_URL` |\n| `DATABASE_URL` | Yes | PostgreSQL connection string (asyncpg) — no default, backend fails immediately if unset |\n| `REDIS_URL` | Yes | Redis connection string |\n| `SECRET_KEY` | Yes | Secret key (32+ chars for production) |\n| `HOST_ID` | Yes | Identifier for this endpoint (e.g. `kali-endpoint-01`) |\n| `BACKEND_URL` | Yes | Backend URL the agent posts events to |\n| `WATCH_PATH` | Yes | Directory to monitor — **must be outside the project folder** |\n| `CANARY_COUNT` | No | Number of canary files to place (default: `30`, across 4 prefixes) |\n| `NVIDIA_API_KEY` | Yes* | API key for live event AI analysis (also readable as `AI_API_KEY`) |\n| `NVIDIA_API_KEY_ALERTS` | Yes* | API key for on-demand alert AI analysis (also readable as `AI_API_KEY_ALERTS`) |\n| `AI_API_KEY_CEREBRAS` | No | Cerebras API key — if set, becomes the primary AI provider (fastest); NVIDIA/Groq used as fallback |\n\n*Groq keys are also accepted — auto-detected by the `gsk_` prefix.\n\n---\n\n## Alert Severity Levels\n\n| Severity | Trigger | Auto-Action |\n|---|---|---|\n| CRITICAL | Canary file touched or deleted; ransomware extension rename on a document; combined score ≥ 70 | Immediate tree-aware auto-containment |\n| HIGH | Combined score 40–69 (entropy + lineage); new file with ransomware extension | AI analysis + alert record |\n| MEDIUM | Entropy spike alone | AI analysis + alert record |\n| LOW | Heartbeat / system events | Logged only |\n\n---\n\n## Project Structure\n\n```\nhybrid-rsentry/\n├── agent/                       # Endpoint monitoring agent\n│   ├── monitor.py               # Main watchdog orchestrator (inotify backend)\n│   ├── monitor_ebpf.py          # eBPF kernel sensor (TRACEPOINT_PROBE, BCC 0.35)\n│   ├── graph.py                 # Filesystem graph + BFS canary placement\n│   ├── entropy.py               # Shannon entropy engine (memory-capped)\n│   ├── lineage.py               # Process lineage scorer + dpkg hash verification\n│   ├── adaptive.py              # Markov chain repositioner + _is_safe_target() guard\n│   ├── containment.py           # Tree-aware auto-containment pipeline\n│   ├── exceptions.py            # Whitelist rules + smart /tmp filter\n│   └── client.py                # Backend HTTP client\n├── backend/\n│   ├── main.py                  # FastAPI app entry point\n│   ├── models/                  # SQLAlchemy ORM + Pydantic schemas\n│   ├── routers/                 # events, alerts, hosts, ws\n│   ├── services/                # AI analyst (multi-provider fallback chain)\n│   └── workers/                 # Celery tasks\n├── frontend/\n│   ├── index.html               # Vite root; IBM Plex fonts + Font Awesome 6.5.1\n│   ├── vite.config.js           # Vite: React plugin + proxy + process.env shim\n│   └── src/\n│       ├── App.jsx              # Root — TopBar + StatusBar layout; WS + AI state\n│       ├── index.css            # CSS variable design system + SIEM utility classes\n│       ├── pages/               # Overview, AlertsPage, HostsPage, FilesystemPage,\n│       │                        # AIAnalystPage, ReportsPage\n│       ├── components/          # TopBar, StatusBar, FacetRail, MetricsStrip,\n│       │                        # AlertsHistogram, AlertsTable, DetailFlyout,\n│       │                        # EventDetailModal, FileSystemGraph, FileSystemTree,\n│       │                        # TacticalResponseLog, AIAnalystPanel, ...\n│       ├── hooks/               # useWebSocket\n│       └── api/                 # Axios client\n├── landing/                     # 3D cinematic landing page (React Three Fiber + Framer Motion)\n├── tests/\n│   ├── unit/agent/              # 71 tests — entropy, lineage, adaptive, severity (89% coverage)\n│   └── test_lockbit.py          # LockBit 5.0 4-metric evaluation — all targets met\n├── simulations/                 # Attack simulation scripts\n│   ├── sim_common.py            # Shared engine (profile, corpus, run_attack, backup/restore)\n│   ├── sim_lockbit.py           # LockBit 5.0 two-pass simulation\n│   ├── sim_akira.py             # Akira intermittent encryption simulation\n│   ├── sim_qilin.py             # Qilin percent-encryption simulation\n│   └── sim_depth.py / sim_dfs.py / sim_random.py   # Earlier traversal simulations\n├── docs/\n│   └── CODE_WALKTHROUGH.md      # Full file-by-file code walkthrough\n├── .github/workflows/           # CI lint + Docker build + landing page deploy\n├── start.sh                     # One-command startup script\n├── test_event.sh                # One-command pipeline test (sends CANARY_TOUCHED event)\n└── docker-compose.yml\n```\n\n---\n\n## Testing\n\n```bash\npip install -r requirements-dev.txt\npytest\n```\n\n71 tests covering `entropy.py`, `lineage.py`, `adaptive.py`, severity classification, and simulation safety. All tests are isolated (no live services required).\n\n---\n\n## Detection Flow\n\n```\nFile system event\n      │\n      ▼\nIs it a canary file? ──YES──▶ CRITICAL alert → Auto-containment\n      │\n      NO\n      ▼\nRansomware extension rename? ──YES──▶ CRITICAL (doc) or HIGH alert\n      │\n      NO\n      ▼\nIs path/process whitelisted? ──YES──▶ Skip (suppress false positive)\n      │\n      NO\n      ▼\nEntropy delta \u003e threshold?\n      │\n      ├──YES──▶ Lineage score \u003e= 40? ──YES──▶ COMBINED_ALERT (CRITICAL/HIGH)\n      │                               └──NO───▶ ENTROPY_SPIKE (MEDIUM)\n      │\n      └──NO───▶ Lineage score \u003e= 40? ──YES──▶ PROCESS_ANOMALY (CRITICAL/HIGH)\n                                     └──NO───▶ Skip (low signal)\n      │\n      ▼\nAI analyst classifies threat → publishes result to dashboard\n```\n\n---\n\n## Security\n\nA security audit of this repository was conducted in May 2026. The following issues were identified and fixed:\n\n| Fix | Detail |\n|---|---|\n| Removed `python-jose` dependency | Had CVE-2024-33664 and CVE-2024-33663; was never imported |\n| Removed hardcoded DB password fallback | `database.py` now raises a clear `RuntimeError` if `DATABASE_URL` is unset |\n| Parameterised Docker Compose credentials | `docker-compose.yml` reads `${POSTGRES_PASSWORD}` from the environment |\n| Canary file git corruption prevented | `.gitignore` excludes `AAA_*.txt`; agent validates `WATCH_PATH` at startup; Markov repositioner blocks `.git/` targets |\n\n**Dependabot:** The frontend has been migrated from Create React App to Vite, which resolved all 26 npm security alerts that were embedded in the `react-scripts` build toolchain.\n\nFor reporting vulnerabilities, see [SECURITY.md](SECURITY.md).\n\n---\n\n## Roadmap \u0026 Issue Tracking\n\nDevelopment is tracked in the **[R-Sentry Roadmap GitHub Project](https://github.com/users/Mohhudib/projects/1)**.\n\n| Milestone | Scope | Target |\n|---|---|---|\n| [v2.1.0](https://github.com/Mohhudib/hybrid-rsentry/milestone/1) | CI hardening, Dependabot security fixes, eBPF Kali validation | 2026-06-15 |\n| [v2.2.0](https://github.com/Mohhudib/hybrid-rsentry/milestone/2) | Integration tests, Exception Management UI, Alembic migrations | 2026-07-31 |\n\nSee the [Roadmap wiki page](https://github.com/Mohhudib/hybrid-rsentry/wiki/Roadmap) for the full list of completed and planned items.\n\n---\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for the full guide. In brief:\n\n1. Fork the repository\n2. Create a feature branch off `main` (`git checkout -b feature/your-feature`)\n3. Commit your changes using the `feat:` / `fix:` / `docs:` prefix style\n4. Push and open a Pull Request against **`main`**\n\nPRs that introduce new false positives on a live Kali system will not be merged.\n\n---\n\n## License\n\nThis project is licensed under the MIT License — see [LICENSE](LICENSE).\n\n---\n\n\u003cdiv align=\"center\"\u003e\nBuilt as a cybersecurity capstone project — combining behavioral detection, adaptive defense, and AI-assisted threat analysis.\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmohhudib%2Fhybrid-rsentry","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmohhudib%2Fhybrid-rsentry","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmohhudib%2Fhybrid-rsentry/lists"}