Sentinel Stack (DevSecOps)

Recently, I came across an article (https://www.garudax.id/pulse/security-gate-devsecops-cicd-anton-murashko-theqe/?trackingId=4ljbk11kQSW6FWjJkmSPgg%3D%3D) about DevSecOps and realized it was missing something important — the second part: how to protect what is already running in production.

This led me to build my own monitoring and response subsystem — Sentinel Stack.

The article focused on Security Gate, which is usually built around:

  • code analysis (SAST),
  • dependency analysis (SCA),
  • application testing (DAST),
  • container scanning.

But once the application is deployed, new questions arise:

  • Who monitors suspicious activity in the system?
  • How quickly can incidents be handled?
  • What can be automated so the response doesn’t rely on manual work?


Sentinel Stack: the production security layer

All tools in this stack are open-source, because let’s be honest — security budgets are often the last to get approved:

  • Wazuh (SIEM) — log collection, event correlation, and alerting.
  • TheHive (Incident Response) — a central hub for incident management.
  • StackStorm (SOAR) — automated playbooks for:
  • Prowler (Cloud Security Benchmark) — auditing AWS (also supports GCP, Azure, and Kubernetes) against best practices.


How it all works together

  1. Suspicious activity is detected in the logs → Wazuh raises an alert.
  2. The alert is automatically turned into an incident in TheHive, and the team gets notified via Slack or email.
  3. StackStorm executes a playbook: check with VirusTotal, notify the team, and if needed — take action (e.g., isolate a node or service).
  4. Prowler runs independently, auditing the cloud environment to reduce risks even before incidents occur.
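An added illustration of steps 1 to 3 of this flow, not code from the post or from the Wazuh, TheHive or StackStorm projects: it converts one constructed Wazuh alert line (the shape Wazuh writes to alerts.json) into a TheHive-style alert payload and decides whether the SOAR step should fire. The TheHive field names, the rule-level-to-severity thresholds and the sample alert are my assumptions.

```python
"""Glue for the Sentinel Stack flow: Wazuh alert -> TheHive alert -> SOAR trigger (hypothetical)."""
import json

# Constructed sample alert, trimmed to the fields used here (203.0.113.45 is a documentation address)
SAMPLE_ALERT = json.dumps({
    "timestamp": "2024-05-01T10:15:02.000+0000",
    "rule": {"level": 12, "id": "100200", "description": "Multiple failed SSH logins followed by success"},
    "agent": {"id": "007", "name": "web-01"},
    "data": {"srcip": "203.0.113.45", "dstuser": "deploy"},
})

def severity_from_level(level: int) -> int:
    """Assumed mapping of Wazuh rule levels (0-15) onto TheHive severity (1 low .. 4 critical)."""
    if level >= 12:
        return 4
    if level >= 7:
        return 3
    return 2 if level >= 4 else 1

def extract_observables(alert: dict) -> list:
    """Pull IOC-like fields out of alert['data'] so a playbook (e.g. a VirusTotal lookup) can enrich them."""
    data = alert.get("data", {})
    observables = []
    if "srcip" in data:
        observables.append({"dataType": "ip", "data": data["srcip"]})
    if "dstuser" in data:
        observables.append({"dataType": "other", "data": f"user:{data['dstuser']}"})
    return observables

def wazuh_to_thehive(raw_line: str) -> dict:
    """Build a TheHive-style alert payload (field names assumed from TheHive's alert model)."""
    alert = json.loads(raw_line)
    rule, agent = alert["rule"], alert["agent"]
    return {
        "type": "wazuh",
        "source": f"wazuh-agent-{agent['id']}",
        "sourceRef": f"{rule['id']}-{alert['timestamp']}",  # stable reference, de-duplicates replays
        "title": f"[{agent['name']}] {rule['description']}",
        "description": f"Wazuh rule {rule['id']} level {rule['level']} on agent {agent['name']}",
        "severity": severity_from_level(int(rule["level"])),
        "tags": ["wazuh", f"rule:{rule['id']}", f"agent:{agent['name']}"],
        "observables": extract_observables(alert),
    }

def should_run_playbook(thehive_alert: dict, min_severity: int = 3) -> bool:
    """Gate for the SOAR step: only high/critical alerts that carry an IP to enrich trigger automation."""
    has_ip = any(o["dataType"] == "ip" for o in thehive_alert["observables"])
    return thehive_alert["severity"] >= min_severity and has_ip
```

Low-level alerts still land in TheHive for the analyst; only the gated ones reach the playbook, which keeps noisy rules from driving automated isolation.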


Results

  • Faster reaction: from detection to response in minutes.
  • Centralization: all incidents visible in one place.
  • Scalability: the stack can be easily extended with new modules and integrations.


In short, Security Gate ensures what we deploy is safe, while Sentinel Stack protects what’s already running. Together, they close the DevSecOps loop.

#DevSecOps #Security #SIEM #SOAR #Wazuh #TheHive #StackStorm #CloudSecurity
