IoTSentinel logo

IoTSentinel

Open-source Raspberry Pi security project

Solo open-source project // Raspberry Pi home network security

Autonomous Network Security for Every Home.

IoTSentinel explores a local-first alternative to closed home-network tools, with plain-English AI explanations, guided investigation, and Raspberry Pi deployment that stays inspectable rather than black-boxed.

Solo-builtOpen sourceRuns on Pi 4/5AI-assisted alerts
Current buildSolo project
IoTSentinel dashboard overview
Passive monitoring works todayGateway hardening in progress

Works today

Passive mode

Discovery, CVE-on-join checks, dashboard, and AI alert rewrites are already in the public image.

Runs where

Pi 4 / Pi 5

Built around Raspberry Pi deployment rather than a hosted SaaS control plane.

Privacy path

Local-first

AI falls back from cloud models to on-device and offline-safe explanation modes.

Technical readers usually look for

What can be tested now
What is still maturing
How local-first the AI path really is
Whether the architecture is credible on Pi hardware

Project status

This is a serious build in progress, not a polished commercial appliance

The site is intentionally honest about scope: what exists now, what is credible already, and what still needs hardening.

Project

What this is

A solo open-source project exploring how much useful home-network security can fit onto a Raspberry Pi without turning the system into a black box.

Audience

Who it is for

Curious homeowners, makers, students, and technical evaluators who want to understand their network instead of outsourcing all visibility to a closed vendor.

Working now

What works today

Passive monitoring, device discovery, CVE-on-join checks, AI alert rewrites, dashboard access, and guided setup for the current public image.

In progress

What is still maturing

Gateway-mode hardening, broader hardware validation, documentation depth, and the support/operational polish you would expect from a commercial appliance.

Best way to read the site: as an honest walkthrough of an open-source alternative that adds local-first and AI-assisted ideas to a category commercial tools already validated.

What you can test today

A project visitors can evaluate, not just read about

The site should make it obvious what is already real in the public image, so expectations stay grounded and technical trust stays high.

Open the setup guide
Try now

Flash the image

Use Raspberry Pi Imager, boot the public build, and start evaluating without touching terminal setup.

Try now

Open the dashboard

See the same frosted-glass interface shown throughout the site, with device inventory and posture views.

Try now

Inspect devices and scores

Validate the passive monitoring story by checking discovery, fingerprints, and security posture outputs.

Try now

Read AI alert explanations

Trigger or review alert flows and compare the technical detection with the plain-English layer.

See it in action

Watch the current build

A short walkthrough of the current public build, from sign-in to monitoring views.

What the video is showing

00:00

Sign in and orient yourself

The demo opens on the current auth flow, then moves into the dashboard so new visitors can see the project from first login through active monitoring.

00:03

Inspect devices and score

You can see the network inventory, security posture, and the device-level view that turns a busy LAN into something understandable.

00:06

See plain-English alerts

The AI layer rewrites technical detections into straightforward language and anchors the explanation to the device and event context.

00:09

Follow the project direction

The rest of the flow hints at where the project is going next: deeper investigation, gateway inspection, and more autonomous response paths.

AI in practice

A real example of what the explanation layer adds

The project becomes easier to trust when the site shows exactly how raw detections are translated into something a normal operator can understand.

Raw detection

Anomaly score spike detected for 192.168.1.42. Device initiated repeated outbound DNS requests to an unfamiliar domain pattern after midnight.

Plain-English explanation

Your living-room camera started making unusual late-night DNS requests to a destination it does not normally contact. This may be harmless telemetry, but it is unusual enough to review and block if the device was not recently updated.
Grounded in that device's learned baseline, not just a generic signature
Written for a homeowner first, while still preserving the technical meaning
Available even when cloud models are unreachable because the fallback stack stays local-first

Start here

Choose the path that matches why you arrived

The site needs to explain the idea, support evaluation, and still give technical visitors enough depth to take the project seriously.

Overview

I just want to understand what this project does

Start with the demo and the about page. This path is for curious homeowners or non-specialists trying to understand the value without getting buried in implementation detail.

Read the project note
Hands-on

I want to try the current image on a Pi

Go straight to setup if you want to evaluate the current public build, understand the hardware assumptions, and see how the browser-based flow works today.

Open setup guide
Technical

I want the technical and architectural picture

Use the deeper explainer pages if you are comparing this project to other tools, reviewing the architecture, or deciding whether the AI and gateway ideas are credible.

Read the walkthrough

Metrics and graphs

Numbers that make the project easier to size up

These visuals are not vanity charts. They are here to make the project’s scope, hardware cost, and engineering emphasis easier to assess at a glance.

Cost context

Entry-cost comparison

directional, not a pricing page

IoTSentinel

Pi hardware

$75

Firewalla

Entry hardware price

$179

Fing

Annual subscription

$99

Pi-hole

Software only

$0

At a glance

0

Automated tests

0

Test files

0-tier

AI fallback stack

0

Security scan layers

0%

On-device processing

$0

Hardware cost

Build profile

Project scope bars

Automated tests1272
Test files54
AI fallback stack6-tier
Security scan layers4
On-device processing100%
Hardware cost$75$

Reading the graphs

What these visuals are meant to say

Affordable entry

The site should immediately communicate that trying the project does not require enterprise hardware.

Serious engineering

Tests, scan layers, and the fallback stack help technical visitors distinguish a real project from a concept page.

Honest comparison

The graphs support the “open-source alternative” story without pretending to be a complete pricing or feature matrix.

The problem

Most home networks are invisible to the people who own them.

Smart TVs, thermostats, cameras, and plugs talk to external servers constantly. There is no way to know when something goes wrong until a breach has already happened. The kind of intrusion detection that catches this used to need an enterprise appliance and a security team.

Invisible by default

The average home has dozens of connected devices and no single place to see what they are doing.

Silent until it is too late

Compromised cameras and plugs are quietly recruited into botnets, exfiltrating data with no warning.

Enterprise tools, enterprise prices

Real intrusion detection has historically been locked behind expensive appliances and expert operators.

What it does

One appliance, three layers of defence

From plug-and-play visibility to autonomous response, IoTSentinel scales with how much protection you want.

v1.0.0 // Passive-first

Working now

See every device the moment it joins

Plug-and-play monitoring with no extra hardware. IoTSentinel discovers and fingerprints every device on your network and scores your overall security posture in real time.

  • Discovery via ARP, nmap, mDNS and UPnP
  • CVE scanning on device join, matched against the NVD database with CVSS scores
  • DNS-level threat intelligence and instant new-device alerts
  • A frosted-glass dashboard, dark mode, mobile, installable as a PWA
IoTSentinel dashboard overview with device cards and security score

Flagship // On-device AI

Working now

Threats explained in plain English

A background worker rewrites every alert into language anyone can understand. A per-alert AI analyst answers why it happened, grounded in the specific device and its learned baseline.

  • Proactive plain-English rewrites of every alert
  • An Ask Why analyst grounded in your actual network data
  • Auto-narrated weekly security story and per-device profiles
  • Natural-language questions answered with validated read-only SQL
Plain-English alert with an Ask Why AI analyst card

Advanced // Gateway IDS/IPS

In progress

Autonomous detection and response

In optional Gateway mode, device traffic passes through the Pi for full inspection. Built and selectable today, hardened into a first-class path in v1.1.

  • Real-time unsupervised ML anomaly detection with the River library
  • An autonomous agent with a transparent 5-step investigation
  • Attack paths mapped to the MITRE ATT&CK kill chain
  • Inline firewall blocking with self-lockout guard and circuit breaker
Autonomous 5-step investigation timeline
Global destination map

Global destination map

Every external destination your devices reach, geolocated over the last 24 hours.

Attack-path kill chain

Attack-path kill chain

Related events chained and mapped to MITRE ATT&CK stages.

In everyday use

What it looks like on a real home network

IoTSentinel is not a dashboard you check once and forget. Here is how it earns its place day to day.

Catch a compromised camera

A smart camera starts beaconing to an unknown server. IoTSentinel flags it, checks the destination reputation, and tells you in plain English what to do.

Vet every new gadget

The moment a new plug or bulb joins, it is fingerprinted and scanned for known CVEs so you can trust or block it before it does anything.

Read your week at a glance

A narrated weekly story summarises what every device did, what was blocked, and what needs your attention, delivered to your phone.

Ask questions in plain English

Type a question like which devices talked to the internet last night and get an answer built from a validated read-only query on your own data.

Check in from anywhere

Enable remote access and reach the dashboard over a permanent HTTPS link while you travel, with no port forwarding or VPN to configure.

Keep the whole home covered

Role-based access lets you share a read-only view with the household while you keep admin control, all from one appliance.

On-device intelligence

A 6-tier AI engine that never goes dark

Every alert gets a plain-English explanation, online or completely offline. If one provider fails, the next takes over automatically, all the way down to rule-based templates that need no network at all.

  1. 1OpenAIgpt-4o-miniCloud
  2. 2Anthropic Claudeclaude-haiku-4-5Cloud
  3. 3Groqllama-3.1-8b-instantCloud
  4. 4Google Geminigemini-2.5-flashCloud
  5. 5Ollamagemma2:2bLocal
  6. 6Smart templatesrule-basedOffline

System design

How the whole system fits together

A local-first pipeline: collect signals from the network, analyze them on-device, then deliver understandable alerts and dashboards back to the operator.

Network signals
Detection pipeline
Explanation layer
Dashboard delivery

Stage 01

Collect

See everything on the network

collect

Home network

joins as a client

Discovery

ARP, mDNS, nmap

Traffic capture

Zeek, Gateway

Threat intel

NVD, AbuseIPDB

Stage 02

Analyse and explain

Score, investigate, translate

analyse

Feature pipeline

per-flow vectors

Anomaly engine

River online ML

Security agent

5-step probe

AI explainer

6-tier, offline-safe

Stage 03

Store and deliver

Keep it private, put it in your hands

deliver

On-device store

resilient SQLite

Secure dashboard

PWA, WebAuthn

Notifications

email, ntfy, chat

Remote access

Tailscale Funnel

Input

Network discovery, packet telemetry, device fingerprints, and threat intelligence.

Processing

Incremental ML, agent reasoning, and local AI explanation happen on the Pi.

Output

Dashboard views, alerts, and remote access options surface the result back to the user.

Setup

Flashed and protecting in minutes

No terminal, no config files, no networking knowledge required. Everything happens in a browser wizard.

01

Flash the image

Download the .img.xz and write it to an SD card with Raspberry Pi Imager. No terminal, no config files.

02

Connect to the setup hotspot

On first boot the Pi opens an IoTSentinel-Setup Wi-Fi hotspot. Join it from your phone or laptop.

03

Run the browser wizard

A browser opens the setup wizard. Enter your Wi-Fi, create an admin account, and set a strong password.

04

Choose your monitoring mode

Pick Passive for plug-and-play visibility, or Gateway for full IDS/IPS. Toggle optional AI, email and threat-intel features.

05

You are protected

The Pi reboots onto your network and the dashboard comes up. Install it as an app and enable remote access if you want it.

Setup wizard monitoring-mode choice between Passive and Gateway

Known limitations

Honest boundaries that make the project easier to trust

A technical audience expects clarity on what is still rough. This section exists to set those expectations explicitly instead of hiding them.

Gateway mode is still being hardened

In progress

The deeper IDS/IPS path exists, but it still needs broader testing, clearer safety rails, and stronger install guidance before it should be treated as the default path.

This is not a managed appliance

By design

There is no commercial support desk, hosted control plane, or remote operations layer behind the project.

Hardware validation is still expanding

In progress

The public image is credible on current target hardware, but compatibility breadth still trails commercial competitors.

Documentation depth is improving

Ongoing

Core setup and architecture paths are covered, but contributor and edge-case docs still need more breadth.

Deployment footprint

What the current evaluation path actually needs

Recommended hardware

Raspberry Pi 4 or 5, 4 GB RAM

Storage

32 GB microSD minimum

Passive mode

No extra network hardware required

Gateway mode

AP-capable USB Wi-Fi adapter needed

Optional AI providers

OpenAI, Anthropic, Groq, Gemini, Ollama

Remote access

Optional via Tailscale Funnel

Engineering quality

Evidence from the build so far

These numbers are here to show seriousness and scope, not to pretend the project is already finished.

0

Automated tests

0

Test files

0-tier

AI fallback stack

0

Security scan layers

0%

On-device processing

$0

Hardware cost

Continuous integration on every change

  • Headless-Chrome render gate (Selenium)
  • Live app-boot smoke test
  • Python 3.11 and 3.12 CI matrix
  • Emulated ARM64 dependency check
  • Gated Raspberry Pi image build
  • Bandit, pip-audit, Dependabot, detect-secrets

Where it fits

An open-source alternative in progress

IoTSentinel is aimed at people who want more transparency, local-first behavior, and extra AI-assisted explanation than most closed consumer tools provide.

Commercial tools still win on hardware integration, support, and maturity. This table is here to show where the project already differs and where it is still catching up.

Comparison group

Visibility and ownership

What you can actually inspect and keep under your control.

CapabilityIoTSentinelFirewallaFingPi-hole
Price~$75$179-$349$99/yrFree
100% on-device / privatePartial
Open source
Runs on your own Pi

Comparison group

Detection and explanation

Where IoTSentinel tries to add technical depth plus readable output.

CapabilityIoTSentinelFirewallaFingPi-hole
CVE scan on device join
Plain-English AI alerts
On-device ML anomaly detectionCloud
Choose your AI provider

Comparison group

Response and deployment

What happens once something suspicious is found.

CapabilityIoTSentinelFirewallaFingPi-hole
Blocks threats (IDS/IPS)GatewayDNS only
Remote dashboard accessManual
Browser-first setup flow
Managed support surface

Directional comparison only. Prices and competitor capabilities change over time. Firewalla, Fing, and Pi-hole remain the source of truth for their own products.

Where it is going

A clear path from solo project to stronger open-source appliance

The current public image is passive-first today. More advanced gateway behavior exists, but the next job is hardening and documenting it honestly.

v1.0.0Shipped

Passive-first public release

Discovery, CVE-on-join scanning, the full on-device AI layer, multi-channel notifications, remote access and PWA install. Validated on real hardware.

v1.1Next

Gateway hardened

Turn Gateway mode into a better-tested, better-documented path. Lights up the River ML anomaly detection, autonomous IDS/IPS blocking and MITRE kill-chain dashboards with clearer installation and safety guidance.

v1.2Planned

Appliance and whole-network

A pre-built, pre-flashed unit and whole-network gateway mode so full protection reaches every device with no re-pairing.

AIRoadmap

Correlated intelligence

Incident stories that narrate an attack chain, one-tap AI action plans, and predictive deviation alerts that learn each device's daily rhythm.

Questions

Frequently asked

Why this exists

Why this project exists

IoTSentinel exists because home-network security tools are either too opaque, too limited, or too commercial to inspect properly. The goal here is not to pretend a solo open-source build has already matched appliance vendors on polish. The goal is to prove that a transparent, local-first alternative with useful AI explanation can be real, testable, and worth contributing to.

Open source // Solo-built

Follow the project, try the image, or inspect the code.

IoTSentinel is a solo open-source attempt to make home network security more understandable, more local-first, and more transparent, while using AI only where it genuinely helps.