SentinelFlow Security Layer

❌ Hard-coded credentials

Problem: Passwords stored in scripts or configuration files.

Impact: Security audit failures and breach risk if files leak.

❌ Cloud-based vaults

Problem: Sensitive credentials sent to third-party SaaS platforms.

Impact: Data sovereignty concerns and compliance headaches.

❌ No audit trail

Problem: No reliable record of who accessed what, and when.

Impact: Difficult investigations and regulatory non-compliance.

❌ Token sprawl

Problem: OAuth tokens stored insecurely or never rotated.

Impact: Long-lived, “zombie” access with no clear owner.

🔐 Step 1: Vault retrieval

Credentials stay in your vault.

SentinelFlow retrieves credentials from:

• CyberArk Application Access Manager (AAM)
• 1Password CLI
• Windows Credential Manager
• Azure Key Vault (coming soon)

Credentials are never stored in Flow configuration files or logs.

🏠 Step 2: Local authentication

OAuth tokens, API keys or username/password pairs are used to authenticate directly from your infrastructure to the target systems.

There is no cloud proxy, no third-party middleman, and no data exfiltration risk.

✅ Step 3: Execution and logging

Every credential retrieval and API call is logged with:

• Timestamp
• User or service account
• Target system and endpoint
• Success / failure status
• Optional email alerts

Ideal for SOC 2, ISO 27001 and internal audit evidence.

🗑️ Step 4: Token lifecycle

OAuth tokens are refreshed automatically and expired tokens are purged. No stale credentials lingering in memory or on disk.

CyberArk AAM

Application Access Manager integration with support for Central Credential Provider and credential rotation.

Best for enterprises with existing CyberArk deployments.

1Password Business

Uses the 1Password CLI for secret access by vault or item ID, with team-managed policies.

Ideal for teams already standardised on 1Password.

Windows Credential Manager

Uses built-in Windows encryption with no additional licensing or external services.

Well suited to sandbox, test or single-server environments.

Azure Key Vault (coming soon)

Microsoft Azure–native credential store with managed identities and RBAC.

Available: Q2 2026.

🔐 Vault-native architecture

Integrates with CyberArk, 1Password or Windows Credential Manager – no proprietary sentinel vault to manage.

🏠 Local execution only

Runs inside your infrastructure, with no cloud SaaS and no persistence of customer data outside your network.

✅ Complete audit trail

Every credential access and API call is logged – timestamp, identity, system and status – ready for compliance reviews.

🔄 OAuth lifecycle management

Automated token refresh, expiry handling and cleanup – no stale credentials or manual rotation scripts.

🌍 Export-compliant design

EAR99 classification – suitable for international deployments without complex export licensing in most cases.

🔒 Zero Trust compatible

Designed to work with Zero Trust network architectures, enforcing least-privilege access on every flow.

SOC 2 Type II ready

• Detailed event logging of access and execution.
• Documented controls for credential access.
• Change tracking for flows and policies.

ISO 27001 alignment

• A.9.4.1 – Information access restriction.
• A.9.4.2 – Secure log-on procedures.
• A.12.4.1 – Event logging and monitoring.

GDPR & NIST support

• Article 32 encryption and logging support.
• NIST CSF: PR.AC-1, PR.AC-4, DE.AE-3 alignment.
• Evidence trail for breach detection processes.

Financial services

Scenario: Bank automates Planview user provisioning from HR.

Challenge: PCI-DSS requires vault-secured credentials and no cloud storage.

Solution: SentinelFlow + CyberArk AAM + FoliosFlow.
Result: Zero audit findings and 100% credential security.

Healthcare

Scenario: Hospital automates ServiceNow ITSM workflows.

Challenge: HIPAA requires encryption and full audit trail for access.

Solution: SentinelFlow + 1Password + ServiceFlow.
Result: Detailed logs and credentials never exposed in plaintext.

Energy and utilities

Scenario: Utility automates governance across multiple systems.

Challenge: NERC CIP standards require strict privileged access management.

Solution: SentinelFlow + CyberArk + FlowBridge.
Result: Centralised credential management across three systems.

Government contractor

Scenario: Defence contractor automates Planview reporting.

Challenge: ITAR/EAR export controls and FedRAMP alignment.

Solution: SentinelFlow (EAR99) with on-prem execution.
Result: Approved for use in controlled environments.

Foundation – from £10,000/year

Core SentinelFlow capabilities for a single environment.

• Windows Credential Manager support.
• Basic audit logging and email alerts.
• Ideal for initial deployments or non-production estates.

Professional – from £17,500/year

Multi-environment coverage with richer logging and integrations.

• Multiple environments (for example sandbox, test and production).
• 1Password CLI integration.
• Enhanced logging with report-ready exports.
• Priority support for security teams.

Enterprise – from £35,000/year

Designed for complex estates and high-assurance environments.

• CyberArk AAM / CCP integration and support.
• Custom vault integrations where required.
• Architectural advisory for security and governance.