Production-grade AI cybersecurity backend detecting phishing, scams, and social engineering in real-time.
API Docs β’ Architecture β’ Setup β’ Docker
SentinelX is a modular, AI-ready backend platform that continuously monitors communication streams β email, SMS, messaging, and phone calls β to detect malicious intent before credential theft or system compromise occurs.
| Feature | Technology |
|---|---|
| NLP Phishing Detection | HuggingFace DistilBERT / Zero-Shot Classification |
| Behavioral Analysis | Rule-based social engineering pattern engine |
| URL Threat Scoring | Regex heuristics + optional VirusTotal API |
| Speech-to-Text | OpenAI Whisper (tiny β large models) |
| Risk Scoring | Weighted multi-signal composite engine |
| Async Processing | Celery + Redis task queues |
| Authentication | JWT + bcrypt + RBAC |
| Database | PostgreSQL + SQLAlchemy + Alembic |
| Containerization | Docker + Docker Compose |
SentinelX Backend
β
βββ app/
β βββ api/
β β βββ routes/ # FastAPI route handlers
β β β βββ auth.py # POST /auth/register, /login, GET /me
β β β βββ analyze.py # POST /analyze/{email,sms,call}, /transcribe/audio
β β β βββ alerts.py # GET /alerts, POST /alerts/{id}/acknowledge
β β β βββ dashboard.py # GET /dashboard/{stats,threats,trends}
β β βββ dependencies/ # Auth dependency injectors
β β βββ middleware/ # Request logging, tracing
β β
β βββ core/
β β βββ config.py # Pydantic Settings (env vars)
β β βββ security.py # JWT + bcrypt
β β βββ logging.py # Structured JSON logging
β β
β βββ database/
β β βββ base.py # SQLAlchemy DeclarativeBase
β β βββ session.py # Engine + session factory
β β βββ models/ # User, Threat, Alert, AuditLog
β β
β βββ schemas/ # Pydantic request/response models
β β
β βββ services/ # Business logic orchestration
β β βββ email_service.py
β β βββ sms_service.py
β β βββ call_service.py
β β βββ alert_service.py
β β βββ risk_service.py
β β βββ dashboard_service.py
β β
β βββ ml/ # AI/ML inference layer
β β βββ phishing_model.py # HuggingFace zero-shot classifier
β β βββ sms_model.py # SMS-specific scam detector
β β βββ url_detector.py # URL threat analysis
β β βββ behavior_model.py # Social engineering pattern engine
β β βββ whisper_service.py # Speech-to-text
β β βββ risk_engine.py # Composite risk scorer
β β
β βββ workers/
β β βββ celery_worker.py # Async task definitions
β β
β βββ main.py # FastAPI app entry point
β
βββ alembic/ # Database migrations
βββ Dockerfile
βββ requirements.txt
βββ .env.example
RiskScore = 0.35 Γ NLPScore
+ 0.25 Γ BehaviorScore
+ 0.20 Γ URLScore
+ 0.20 Γ ReputationScore
| Score Range | Threat Level |
|---|---|
| 0 β 30 | π’ LOW |
| 31 β 60 | π‘ MEDIUM |
| 61 β 85 | π HIGH |
| 86 β 100 | π΄ CRITICAL |
- Docker β₯ 24.0 + Docker Compose β₯ 2.0
- OR: Python 3.11+, PostgreSQL 16, Redis 7
git clone https://github.com/your-org/SentinelX.git
cd SentinelX
# Create environment file
cp backend/.env.example backend/.env
# IMPORTANT: Generate a secure JWT secret key
python -c "import secrets; print(secrets.token_hex(32))"
# Paste the output as SECRET_KEY in backend/.envSECRET_KEY=your-generated-256-bit-key-here
DATABASE_URL=postgresql://sentinelx:sentinelx_pass@postgres:5432/sentinelx_db
REDIS_URL=redis://redis:6379/0docker-compose up --buildThis starts:
- PostgreSQL on port 5432
- Redis on port 6379
- FastAPI backend on port 8000
- Celery worker (email, sms, call queues)
| Interface | URL |
|---|---|
| Swagger UI | http://localhost:8000/docs |
| ReDoc | http://localhost:8000/redoc |
| Health Check | http://localhost:8000/health |
docker-compose --profile monitoring up --build
# Flower dashboard at http://localhost:5555# View backend logs
docker-compose logs -f backend
# View Celery worker logs
docker-compose logs -f celery_worker
# Run database migrations
docker-compose exec backend alembic upgrade head
# Stop all services
docker-compose down
# Stop and remove volumes (clean slate)
docker-compose down -v# 1. Create virtual environment
cd backend
python -m venv .venv
source .venv/bin/activate
# 2. Install dependencies
pip install -r requirements.txt
# 3. Set environment variables
cp .env.example .env
# Edit .env with local DATABASE_URL and REDIS_URL
# 4. Run database migrations
alembic upgrade head
# 5. Start the API server
uvicorn app.main:app --reload --host 0.0.0.0 --port 8000
# 6. In a separate terminal, start Celery worker
celery -A app.workers.celery_worker.celery_app worker --loglevel=infoAll endpoints are prefixed with /api/v1.
| Method | Endpoint | Description | Auth Required |
|---|---|---|---|
POST |
/api/v1/auth/register |
Create a new user | No |
POST |
/api/v1/auth/login |
Get JWT access token | No |
GET |
/api/v1/auth/me |
Get current user profile | Yes |
curl -X POST http://localhost:8000/api/v1/auth/register \
-H "Content-Type: application/json" \
-d '{
"name": "John Doe",
"email": "john@example.com",
"password": "SecurePass123",
"role": "operator"
}'curl -X POST http://localhost:8000/api/v1/auth/login \
-H "Content-Type: application/json" \
-d '{"email": "john@example.com", "password": "SecurePass123"}'Response:
{
"access_token": "eyJhbGci...",
"token_type": "bearer",
"expires_in": 3600
}All analysis endpoints require Authorization: Bearer <token>.
curl -X POST http://localhost:8000/api/v1/analyze/email \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"sender": "security@paypa1-alert.xyz",
"subject": "URGENT: Your account has been suspended",
"body": "Click here immediately to verify your account and avoid permanent suspension."
}'Response:
{
"threat_id": "550e8400-e29b-41d4-a716-446655440000",
"threat_detected": true,
"risk_score": 87.4,
"threat_level": "CRITICAL",
"confidence": 0.92,
"classification_label": "phishing",
"reasons": [
"NLP classified as 'phishing' (score: 91.0)",
"Urgency manipulation tactics detected (2 indicators)",
"Authority or brand impersonation detected (1 indicator)",
"Suspicious TLD (.xyz)"
],
"extracted_urls": [],
"nlp_score": 91.0,
"behavior_score": 78.5,
"url_score": 25.0,
"reputation_score": 60.0,
"processing_mode": "sync"
}curl -X POST http://localhost:8000/api/v1/analyze/sms \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"sender": "+91XXXXXXXXXX",
"message": "Congratulations! You won a free iPhone. Claim now: https://bit.ly/abc123"
}'curl -X POST http://localhost:8000/api/v1/analyze/call \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"transcript": "Hello this is IRS. You owe taxes. Pay now or you will be arrested.",
"caller_id": "+18005551234",
"duration_seconds": 120
}'curl -X POST http://localhost:8000/api/v1/transcribe/audio \
-H "Authorization: Bearer <token>" \
-F "file=@/path/to/call_recording.mp3"Pass "async_processing": true to any analysis endpoint to queue via Celery:
{
"sender": "...",
"subject": "...",
"body": "...",
"async_processing": true
}Response includes task_id for polling via Celery result backend.
| Method | Endpoint | Description |
|---|---|---|
GET |
/api/v1/alerts |
List alerts (paginated) |
POST |
/api/v1/alerts/{id}/acknowledge |
Acknowledge an alert |
# Get unacknowledged alerts
curl http://localhost:8000/api/v1/alerts?unacknowledged_only=true \
-H "Authorization: Bearer <token>"
# Acknowledge an alert
curl -X POST http://localhost:8000/api/v1/alerts/550e8400.../acknowledge \
-H "Authorization: Bearer <token>"| Method | Endpoint | Description |
|---|---|---|
GET |
/api/v1/dashboard/stats |
KPI statistics |
GET |
/api/v1/dashboard/threats |
Recent threats list |
GET |
/api/v1/dashboard/trends |
Daily trends (past N days) |
# Get KPI stats
curl http://localhost:8000/api/v1/dashboard/stats \
-H "Authorization: Bearer <token>"
# Get 14-day trends
curl "http://localhost:8000/api/v1/dashboard/trends?days=14" \
-H "Authorization: Bearer <token>"# Generate a new migration after model changes
alembic revision --autogenerate -m "add_new_field"
# Apply all pending migrations
alembic upgrade head
# Roll back one migration
alembic downgrade -1
# View current migration status
alembic currentThe system uses DistilBERT in zero-shot classification mode by default.
Classification labels:
safeβ No threat detectedphishingβ Phishing attemptscamβ General scamcredential_theftβ Targeting credentialsmalicious_linkβ Contains malicious URLsimpersonationβ Identity spoofing
Fallback: If HuggingFace is unavailable, the system automatically falls back to regex keyword heuristics.
Configure model size in .env:
| Model | VRAM | Speed | Accuracy |
|---|---|---|---|
tiny |
~1 GB | ~32x | Good |
base |
~1 GB | ~16x | Better |
small |
~2 GB | ~6x | Great |
medium |
~5 GB | ~2x | Excellent |
large |
~10 GB | 1x | Best |
| Variable | Default | Description |
|---|---|---|
SECRET_KEY |
β | Required. 256-bit JWT signing key |
DATABASE_URL |
β | PostgreSQL connection string |
REDIS_URL |
β | Redis connection string |
NLP_MODEL_NAME |
distilbert-base-uncased |
HuggingFace model name |
WHISPER_MODEL_SIZE |
base |
Whisper model variant |
ALERT_TRIGGER_THRESHOLD |
61 |
Min risk score to generate alert |
VIRUSTOTAL_API_KEY |
β | Optional VirusTotal API key |
LOG_LEVEL |
INFO |
Logging verbosity |
- JWT Keys: Always generate a unique
SECRET_KEYper environment - Password Hashing: bcrypt with 12 rounds
- Rate Limiting: 100 requests/minute per IP (configurable)
- CORS: Restricted to configured origins
- Non-root Docker: Container runs as
sentinelxuser (UID 1001) - Input Sanitization: Pydantic v2 strict validation on all inputs
- Content Truncation: Email/SMS body stored as 2000-char excerpts
- Kafka integration for real-time stream processing
- WebSocket push notifications for live alerts
- Multilingual support (Whisper multi-language + multilingual NLP)
- Deepfake voice detection pipeline
- MITRE ATT&CK framework mapping
- SOC integration (Splunk, Elastic SIEM)
- AI voice agent detection
- Live telecom integrations (Twilio, Vonage)
MIT License β See LICENSE for details.
Built with β€οΈ for cybersecurity operators worldwide.