Risk Sentinel watches the contracts you care about and fires customer-specific alerts for governance, treasury, oracle, bridge, and approval risk. Every alert maps to a named rule and an on-chain event you can read — not a black-box score. Run it yourself, or let us run it.
Ethereum + Arbitrum · governance, treasury, oracle, bridge & approval coverage · signed, replay-protected alerts · open core on GitHub
POST https://hooks.acme.xyz/risk
X-Risk-Sentinel-Signature: sha256=f3a1b2c3…
X-Risk-Sentinel-Timestamp: 1714000000000

{
  "customer_id": 42,
  "rule_type": "governance",
  "message": "Governance action 'Upgraded' detected on 0xfd08…fcbb9",
  "chain_id": 42161,
  "token_address": "0xfd08…fcbb9",
  "timestamp_ms": 1714000000000
}
// HMAC-SHA256 + replay protection · every field traces to a rule and an on-chain event
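A receiver-side check for the signed webhook shown above, added here as an example and not Risk Sentinel's own code. The header names come from the sample request; the signed string (`<timestamp>.<raw body>`, Stripe-style), the hex encoding, the 5-minute window and the secret are assumptions, so confirm the actual scheme before relying on it.

```python
import hashlib
import hmac
import time

# Assumed (not on the page): hex HMAC-SHA256 over b"<ts>.<raw body>", 5-minute window.
TOLERANCE_MS = 5 * 60 * 1000

def sign(secret, timestamp_ms, body):
    """Header value a sender would produce under the assumed scheme."""
    mac = hmac.new(secret, timestamp_ms.encode() + b"." + body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()

class WebhookVerifier:
    def __init__(self, secret, tolerance_ms=TOLERANCE_MS):
        self.secret, self.tolerance_ms = secret, tolerance_ms
        self.seen = {}  # accepted signature -> its timestamp, pruned once stale

    def verify(self, headers, body, now_ms=None):
        """Return "ok", or the reason the delivery is rejected."""
        now_ms = int(time.time() * 1000) if now_ms is None else now_ms
        sig = headers.get("X-Risk-Sentinel-Signature", "")
        ts = headers.get("X-Risk-Sentinel-Timestamp", "")
        if not sig.startswith("sha256=") or not (ts.isascii() and ts.isdigit()):
            return "malformed"
        # MAC first, over the raw bytes as received (never re-serialised JSON).
        if not hmac.compare_digest(sig.encode(), sign(self.secret, ts, body).encode()):
            return "bad-signature"
        # The timestamp is inside the MAC, so a replayer cannot refresh it.
        if abs(now_ms - int(ts)) > self.tolerance_ms:
            return "stale"
        # Inside the window, refuse a signature that was already accepted.
        self.seen = {s: t for s, t in self.seen.items() if abs(now_ms - t) <= self.tolerance_ms}
        if sig in self.seen:
            return "replayed"
        self.seen[sig] = int(ts)
        return "ok"

def demo():
    # Constructed sample delivery: the secret and body are made up for this example.
    secret, ts = b"example-webhook-secret", "1714000000000"
    body = b'{"customer_id": 42, "rule_type": "governance", "chain_id": 42161}'
    headers = {"X-Risk-Sentinel-Signature": sign(secret, ts, body),
               "X-Risk-Sentinel-Timestamp": ts}
    v, now = WebhookVerifier(secret), 1714000001000
    tampered = body.replace(b"42161", b"1")
    return [v.verify(headers, body, now),                   # first delivery
            v.verify(headers, body, now + 1000),            # same bytes resent
            v.verify(headers, tampered, now),               # body changed in transit
            v.verify(headers, body, now + 10 * 60 * 1000)]  # captured, sent later
```

In a real handler, pass the request body exactly as read from the socket and look the headers up case-insensitively; the in-memory `seen` map would need shared storage when more than one receiver instance is running.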
Protocol security teams tell us the same things. Defender-era automation is going away, and the OSS successors hand you parts, not a running stack. Generic threat scores fire often and explain little — and no one wants to defend a black-box alert to auditors or multisig signers.
Defender's hosted platform retires July 1, 2026. The OSS successors ship as Docker images and config — capable, but not a running detection stack you can deploy on Monday.
Global rules and shared thresholds fire on every protocol the same way. On-call drowns in alerts that aren't theirs, and ignores the ones that are.
When the alert fires at 03:00, you need to explain it to your team and your auditors. "The model said so" is not an answer either group accepts.
Generic tools don't know which contracts are your treasury, which roles your governance grants, which feeds your oracles. They watch chains; you need them to watch your protocol.
Each rule is customer-scoped to your contracts and thresholds. Rules are transparent source you can audit — and they surface specific on-chain risk signals, not generic exploit predictions.
Ownership transfers, role grants and revokes, pause and unpause, proxy upgrades on the contracts you watch.
// surfaces: admin takeover, unauthorised upgrades, governance compromise
Token movements above a per-token, per-chain threshold you set.
// surfaces: treasury drains, unexpected outflows
Large transfers directed into known cross-chain bridge contracts.
// surfaces: funds moving off-chain ahead of disclosure
Large ERC-20 approvals and infinite (uint256.max) approvals against your contracts and treasury accounts.
// surfaces: approval-drain setups, dangerous spender grants
Mint and burn events above your per-token limits.
// surfaces: unauthorised supply changes, peg or accounting anomalies
Chainlink price-feed moves beyond a basis-point threshold between updates.
// surfaces: feed deviations relevant to liquidations and oracle-dependent positions
// strongest coverage is on risks that begin with an on-chain administrative action — ownership changes, role grants, upgrades — which leave a detectable signal before funds move. Scope and limits are stated plainly in honest scope.
// chains today: Ethereum + Arbitrum · oracle support: Chainlink (Pyth and others scoped on request).
Each alert names the rule that fired and the on-chain event that triggered it. Open the rule in source, read the predicate, explain it to your auditor.
You list the contracts to watch, the roles that matter, and the thresholds. Multi-tenant Postgres keeps each customer's configuration isolated.
HMAC-SHA256 signatures with replay protection, Stripe/GitHub-style. Webhook secrets are AES-256-GCM encrypted at rest. Telegram and console outputs available alongside.
Open core on GitHub. Run it inside your own infrastructure — your keys, your nodes, your data — or let us host it. Prometheus metrics and a backtest/replay framework either way.
We'd rather lose a deal in week one than lose your trust in week six. Risk Sentinel is a deterministic, explainable engine for customer-scoped on-chain risk — not a black-box exploit predictor, and there are well-known attack classes it cannot see ahead of time.
Risk Sentinel is early-stage: the rules are implemented and tested, but not yet proven in customer production — which is why the first engagement is a scoped pilot.
Where it's strongest
Risks that begin with an on-chain admin action — ownership transfer, role change, proxy upgrade, governance execution — which leave a detectable signal before funds move.
Where it does not help, before the fact
// these classes need audits, formal verification, and key-management controls — not on-chain monitoring
Today
No dashboard or UI yet, and no RBAC — rules are configured via database/CLI rather than a console, and alerts flow through the signed webhook. Worth knowing up front so the pilot fits how your team already works.
Defender's hosted platform retires July 1, 2026; new sign-ups closed in mid-2025. The OSS successors — Monitor and Relayer — ship as Docker images and config: capable, but assembly, not a running detection stack, and no drop-in replacement for Defender's Actions.
Risk Sentinel is a deterministic, self-hostable alternative for scoped alerting. We map your existing Sentinels to our rules and run both in parallel until you're confident to cut over.
// migration pack — typical starting scopes
Typical starting point: core rules, single chain, guided cutover. Sized for a handful of Sentinels.
Typical starting point: full rule set, Ethereum + Arbitrum, signed webhooks, parallel-run validation against your existing Sentinels.
Typical starting point: custom rule mapping, SLA, hands-on migration support. Scoped together before kickoff.
// pricing is a starting point; final scope agreed in writing before any work begins
There's no self-serve plan. The first engagement is a scoped pilot: we configure rules to your contracts, tune thresholds against real traffic, and prove the alerts are useful before you commit to anything ongoing.
We sit down with your team and configure the six rules against your contracts, roles, treasury addresses, and thresholds.
Self-hosted in your infrastructure or managed by us. We do the setup either way.
Signed webhooks to any HTTPS endpoint — your own, or Slack / PagerDuty via their incoming webhooks. Telegram and console available too.
We replay history and tune thresholds together, so alerts are useful from day one rather than after weeks of paging.
A standing weekly review with your security or ops lead: which alerts fired, which were noise, what to tighten, what to add. The pilot ends with a written summary either way.
// engagement
60 days. No long-term commitment. Credited toward an annual engagement if you continue.
// 60-day pilot from $2,500, credited toward an annual engagement. Ongoing managed or self-hosted plans are scoped during the pilot. Open-source core is available on GitHub at no cost.
A 30-minute call to walk through your monitoring setup, the gaps you see, and whether a scoped pilot makes sense. No deck, no pressure.