CASE STUDY

Sentrii

Threat Hunter AI

A threat-hunting agent for suspicious links, files, and wallet interactions. Sentrii investigates targets in layers—security-vendor intelligence, local URL analysis, isolated browser observation, wallet-transaction forensics, and file malware enrichment—then returns a plain-English verdict backed by evidence, before you risk your real browser, device, or wallet.

🛡️ Threat Hunter AI — LIVE

🌐 Visit sentrii.io

🚀 Colosseum Cypherpunk Hackathon Participant
Sentrii Threat Hunter AI — Verdict Receipt

ROLE

Founder & Lead Engineer

TIMELINE

2025

PLATFORM

Threat Hunting AI

The Problem

Most users cannot safely judge a suspicious crypto link by looking at it. A scam page can copy a real brand. A fake airdrop can look legitimate. A wallet prompt can hide dangerous transaction behavior. Traditional checks often stop at one question: "Is this link already on a blocklist?" That is useful, but it is not enough.

🔗 Links That Look Safe

New attacks appear before blocklists catch up. Some malicious sites behave differently after a wallet connects. Risks often appear only after the page loads, redirects, or requests a signature.

🎭 Social Engineering at Scale

Modern attacks look like partnerships, integrations, security prompts, and normal wallet workflows until value moves. Fake wallet checks and seed phrase recovery pages are everywhere.

⚡ Transaction Substitution

What you sign and what lands on-chain can differ. Drainers, approval traps, authority hijacks, and TOCTOU-style execution hide behind polished frontends users cannot inspect manually.

Sentrii solves this by running a full investigation—not relying on one signal—at the moment before trust becomes loss.

How Sentrii Works

🌐 Vendor Intelligence

Sentrii queries configured security vendors—VirusTotal, Google Web Risk, PhishTank, urlscan.io, AbuseIPDB, URLhaus, ThreatFox, Hybrid Analysis, MalwareBazaar, and more—then compares global intelligence with its own local heuristics.

🖥️ Isolated Browser Investigation

For deep scans, Sentrii opens the target in a controlled browser—not yours—and records redirects, forms, network calls, downloads, screenshots, and wallet prompts as the page actually behaves.

👛 Wallet & File Forensics

Wallet scans use a scout wallet to observe drains, approval traps, authority changes, and bit-flip evidence. Files are hashed and enriched with malware vendors and sandbox detonation when configured.

📋 Verdict Receipt

Every investigation ends in a receipt: SAFE, SUSPICIOUS, MALICIOUS, or CRITICAL—with risk score, confidence, top signals, and a plain-English narrative. Hard evidence sets a deterministic risk floor the AI cannot undercall.

Paste a link. Attach a file. Get a receipt.

Submit any suspicious target through Threat Hunter AI at sentrii.io. Sentrii investigates before you put your real browser, device, or wallet at risk.

The Verdict Receipt

When an investigation completes, Sentrii delivers a Verdict Receipt—verdict tier, risk score, confidence, subject, recommendation, and a plain-English explanation of what was observed. Receipts are backed by evidence from vendors, browser observation, and wallet forensics—not a black-box AI guess.

Wallet forensics — transaction substitution

Sentrii CRITICAL verdict — transaction substitution detected

CRITICAL: what landed on-chain was not what the wallet approved—a transaction substitution attack.

Link investigation — how this scan ran

Sentrii Threat Hunter AI — verdict receipt and scan methodology

CRITICAL link scan with full methodology: forms detected, network events, reputation signals, and brand-authority mismatch explained in plain English.

Threat Hunter Workspace

The Threat Hunter workspace is where investigations start. Paste a link, ask a question, or attach a file—Sentrii runs the investigation and returns an evidence-backed receipt you can act on.

Sentrii Threat Hunter workspace — scan queue, verdict receipt, and investigation methodology

📊 Verdict Receipts

Every scan returns tier, risk score, confidence, and evidence

🤖 Conversational Investigation

Paste links, ask questions, or attach files to start a hunt

Critical Signals

Transaction substitution, credential theft, drains, and vendor hits

When Threats Are Confirmed

Sentrii escalates when observed behavior is hostile—not when a page merely looks odd. These are the signals that drive CRITICAL and MALICIOUS verdicts.

Sentrii critical threat detection

🔐 Transaction Substitution

The signed transaction and confirmed transaction do not match—what landed on-chain was not what the wallet approved. Sentrii flags this as a siren-level integrity failure.

🛡️ Credential Harvesting

Canary credentials observed leaving the page in outbound traffic, as well as seed-phrase or private-key prompts, are treated as major theft surfaces.

⏱️ Wallet Drain Execution

Confirmed SOL outflow beyond fees, drain logs, unlimited delegate approvals, and authority-change instructions observed during investigation.

🔄 Vendor-Confirmed Malware

When VirusTotal, URLhaus, PhishTank, MalwareBazaar, or similar vendors already know a target is bad, Sentrii brings that evidence into the receipt.

Investigation at a Glance

15+ vendor integrations

4 verdict tiers

100% evidence-controlled floor

The Investigation Pipeline

Step 1: Submit & Normalize

Paste a link, attach a file, or ask a question. Sentrii validates and normalizes the target, selects the scan mode (normal, deep, browser step, or deep wallet interaction), and queues or runs the investigation.

Step 2: Intelligence & Heuristics

The Omni provider layer queries configured vendors while local heuristics check URL structure, brand lookalikes, lure language, domain age, and known malicious patterns—establishing a baseline before any page is opened.

Step 3: Live Browser Observation

In an isolated browser, Sentrii records redirects, forms, network calls, downloads, screenshots, console output, and wallet prompts—answering what the target actually does, not just what the URL looks like.

Step 4: Wallet & File Forensics

Wallet-interaction scans use a scout wallet to detect drains, approvals, authority changes, TOCTOU behavior, and bit-flip mismatches. Captured files are hashed and enriched through malware vendors and sandboxes.

Step 5: Verdict & Receipt

A deterministic risk floor is computed from all evidence. The AI judge explains findings in plain English—but cannot soften concrete hostile behavior into a safe result. You receive a full security receipt with verdict, scores, signals, and recommendation.
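The evidence-controlled floor described in Step 5 (and earlier under the Verdict Receipt) can be shown in a few dozen lines. The block below is an added illustration, not Sentrii's code: the signal names, thresholds, and tier rules are assumptions chosen to mirror the signals this page lists (signed-versus-confirmed mismatch, SOL outflow beyond fees, canary credentials, vendor hits, brand lookalikes).

```typescript
// Added illustration (not Sentrii's code): an evidence-controlled risk floor
// that the AI judge may raise but can never lower. Rules and names are assumed.
type Tier = "SAFE" | "SUSPICIOUS" | "MALICIOUS" | "CRITICAL";
const RANK: Record<Tier, number> = { SAFE: 0, SUSPICIOUS: 1, MALICIOUS: 2, CRITICAL: 3 };

interface ScanSignals {
  signedTxHash?: string;           // what the scout wallet approved
  confirmedTxHash?: string;        // what actually landed on-chain
  solOutflowLamports: number;      // scout-wallet balance drop during the scan
  feeLamports: number;             // network fee expected for the signed tx
  canaryCredentialLeaked: boolean; // canary value seen in outbound traffic
  vendorMaliciousHits: number;     // vendors that already flag the target
  brandLookalike: boolean;         // local heuristic: brand/authority mismatch
}

interface Evidence { signal: string; floor: Tier; score: number }

// Turn hard observations into evidence; each item carries the minimum tier it forces.
function collectEvidence(s: ScanSignals): Evidence[] {
  const ev: Evidence[] = [];
  if (s.signedTxHash && s.confirmedTxHash && s.signedTxHash !== s.confirmedTxHash)
    ev.push({ signal: "transaction_substitution", floor: "CRITICAL", score: 100 });
  if (s.solOutflowLamports > s.feeLamports)
    ev.push({ signal: "wallet_drain", floor: "CRITICAL", score: 95 });
  if (s.canaryCredentialLeaked)
    ev.push({ signal: "credential_harvest", floor: "CRITICAL", score: 90 });
  if (s.vendorMaliciousHits >= 2)
    ev.push({ signal: "vendor_confirmed", floor: "MALICIOUS", score: 80 });
  else if (s.vendorMaliciousHits === 1)
    ev.push({ signal: "vendor_single_hit", floor: "SUSPICIOUS", score: 50 });
  if (s.brandLookalike)
    ev.push({ signal: "brand_lookalike", floor: "SUSPICIOUS", score: 40 });
  return ev;
}

interface Receipt { tier: Tier; risk: number; floor: Tier; signals: string[] }

// The AI judge proposes a tier and score; the deterministic floor wins on any conflict.
function verdict(ev: Evidence[], aiTier: Tier, aiRisk: number): Receipt {
  const floor = ev.reduce<Tier>((t, e) => (RANK[e.floor] > RANK[t] ? e.floor : t), "SAFE");
  const floorRisk = ev.reduce((m, e) => Math.max(m, e.score), 0);
  const tier = RANK[aiTier] > RANK[floor] ? aiTier : floor;
  return { tier, risk: Math.max(aiRisk, floorRisk), floor, signals: ev.map((e) => e.signal) };
}
```

With a signed/confirmed hash mismatch the receipt is CRITICAL even if the judge proposed SAFE; with only soft signals the judge is free to go above the floor but not below it.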

Technology Stack

Next.js

Playwright

OpenAI

Rust

PostgreSQL

VirusTotal

Fastify

Solana

System Impact

Sentrii is an automated threat analyst for the moment before someone clicks, downloads, connects, or signs. It turns uncertainty into an investigation—and investigations into explainable receipts, not black-box AI guesses.

For Users

Paste a suspicious link or file and get a clear verdict with evidence. Understand risk before exposing your real browser, device, or wallet—no security expertise required.

For the Ecosystem

Teams get one evidence receipt instead of fragmented screenshots. Support, partnerships, and community channels can triage suspicious links and signing flows before trust becomes execution.