Official source code for ZonForge Sentinel — AI-Native Security Operations Platform for threat detection, investigation, risk scoring, and security automation.
Website: zonforge.com · Documentation: zonforge.com/features · Pricing: zonforge.com/pricing
ZonForge Sentinel is a monorepo-based cybersecurity platform for event ingestion, analytics, risk scoring, alerting, and AI-assisted SOC workflows.
Positioning: Production-Oriented Platform Under Active Development — structured for real deployment patterns, with proof-backed local validation and ongoing hardening across optional services and production paths.
This repository contains the core backend services, AI services, shared platform packages, dashboard applications, collectors, and infrastructure definitions used to run ZonForge Sentinel in local and deployment environments.
The current verified local developer path focuses on a required service subset that can be started and validated end-to-end on Windows PowerShell. Not every service, integration, or deployment surface is fully validated yet; see docs/ROADMAP.md and docs/VERIFICATION_INDEX.md for current scope.
- Monorepo consistency for services, shared contracts, and tooling.
- Explicit service boundaries across ingestion, detection, correlation, risk, and alert pipelines.
- AI modules integrated as first-class services instead of ad-hoc scripts.
- Verification-first local workflow with documented health checks and proof artifacts.
- Event ingestion and normalization pipeline.
- Detection and threat intelligence enrichment.
- Correlation and risk scoring engines.
- Alerting and AI-assisted triage/investigation services.
- API gateway and web dashboard for platform access and operations.
The required local path is composed of:
- Shared packages (
packages/*) for config, types, logging, auth, schema, and DB access. - Core runtime services (
apps/*) for ingestion through alert lifecycle. - AI services (
apps/*) for behavioral analytics, triage, and SOC assistance. - UI (
apps/web-dashboard) for operational visibility.
See docs/ARCHITECTURE.md for the full architecture summary and request/data flow.
Architecture diagram assets:
- docs/demo/architecture/zonforge-platform-architecture.md
- docs/demo/architecture/zonforge-platform-architecture.mmd
zonforge-platform/
apps/ # Microservices and apps
collectors/ # External source collectors
packages/ # Shared libraries and contracts
infra/ # IaC, monitoring, deployment assets
security/ # Security hardening, policies, rules
docs/ # Architecture, local dev, demo, troubleshooting
scripts/ # Developer helper scripts
proof/runs/ # Execution and verification reports
Verified required local path:
| Service | Package | Port | Status in verified path |
|---|---|---|---|
| API Gateway | @zonforge/api-gateway |
3000 | Required |
| Ingestion Service | @zonforge/ingestion-service |
3001 | Required |
| Normalization Worker | @zonforge/normalization-worker |
3002 | Required |
| Detection Engine | @zonforge/detection-engine |
3003 | Required |
| Threat Intel Service | @zonforge/threat-intel-service |
3005 | Required |
| Correlation Engine | @zonforge/correlation-engine |
3006 | Required |
| Risk Scoring Engine | @zonforge/risk-scoring-engine |
3007 | Required |
| Alert Service | @zonforge/alert-service |
3008 | Required |
| AI SOC Analyst | @zonforge/ai-soc-analyst |
3015 | Required |
| Behavioral AI | @zonforge/behavioral-ai |
3020 | Required |
| Alert Triage AI | @zonforge/alert-triage-ai |
3021 | Required |
| Security Assistant | @zonforge/security-assistant |
3022 | Required |
| Web Dashboard | @zonforge/web-dashboard |
5173 | Required UI |
Full map: docs/SERVICE_MAP.md
Prerequisites:
- Node.js 20+
- npm 10+
- Docker Desktop (for PostgreSQL, Redis, ClickHouse)
npm install
npm run infra:up
npm run build:required
npm run dev:requiredWindows helper scripts:
./scripts/demo-start-required.ps1
./scripts/demo-health-check.ps1Detailed setup: DEVELOPMENT.md · docs/LOCAL_DEVELOPMENT.md
Demo guide and walkthrough: docs/DEMO.md
Demo assets:
- API examples: docs/demo/api
- Screenshots and capture notes: docs/demo/screenshots/README.md
- Portfolio screenshot placeholders: docs/demo/screenshots/portfolio/README.md
- Architecture visuals: docs/demo/architecture/README.md
Dashboard local surface (real capture):
Gateway health and API visibility (real capture):
Service runtime proof (real capture from live runtime output):
Required-path health proof (real capture from live health command output):
AI module readiness proof (real capture from running AI service endpoint):
Required health endpoints can be validated with:
./scripts/demo-health-check.ps1Reference verification output and reports:
Demo payloads and sample responses:
- docs/demo/api/ingest-event-request.json
- docs/demo/api/ingest-event-response.json
- docs/demo/api/health-check-output.txt
Example ingestion request (demo sample):
curl -X POST "http://localhost:3001/v1/events/ingest" \
-H "Content-Type: application/json" \
-d @docs/demo/api/ingest-event-request.jsonFull index: docs/README.md
| Topic | Document |
|---|---|
| Development | DEVELOPMENT.md |
| Architecture | docs/ARCHITECTURE.md |
| Local setup | docs/LOCAL_DEVELOPMENT.md |
| Demo | docs/DEMO.md |
| Troubleshooting | docs/TROUBLESHOOTING.md |
| Service map | docs/SERVICE_MAP.md |
| Verification | docs/VERIFICATION_INDEX.md |
| Security | docs/SECURITY.md · SECURITY.md |
| Roadmap | docs/ROADMAP.md |
Release notes category mapping for GitHub Releases:
- Do not commit
.env.localor production secrets. - Use dedicated local-only credentials for development infrastructure.
- Treat all demo/sample payloads as synthetic unless explicitly marked as real captures.
- Review docs/SECURITY.md before external deployment.
Security disclosure and response process:
Near-term and medium-term priorities are tracked in docs/ROADMAP.md.
Current repository status:
- Required local platform path is verified and documented.
- Optional services remain intentionally outside minimum local success criteria until individually validated.
Maintenance references:




