Sentinel
Compromised-admin detection that learns how your staff normally behave and steps in when an account starts acting like it's been hijacked.
Sentinel watches your trusted staff for the signs of a takeover. It builds a quiet baseline of how each admin normally acts — the hours they're active, the channels they touch, how fast they hand out roles or delete things — and when an account suddenly breaks that pattern in a dangerous direction, Sentinel reacts before a nuke can finish. It's the layer that assumes even a real admin's account can be stolen.
What it watches
Sudden bursts of role grants, mass deletes, webhook creation, permission changes, and out-of-character activity from someone who has never behaved that way. A hijacked account usually moves fast and from a cold start — that's exactly what Sentinel is tuned to catch.
Commands
These need View Audit Log-tier trust, since Sentinel acts on your most privileged members:
,sentinel on|off enable or disable Sentinel
,sentinel action <mode> alert, quarantine, or restore on a hit
,sentinel channel <#channel> where alerts are posted
,sentinel restore <@user> clear a quarantine and hand roles back
action alert only pings your team; quarantine strips the account's dangerous roles the moment it trips, then waits for a human to confirm or clear it with ,sentinel restore.
Setup
Give Sentinel a few days to learn before you lean on quarantine mode — early on, run it in alert so it can calibrate against real staff behaviour. Point channel at a private, staff-only log.
Tune baselines, review incidents, and lift quarantines from the Sentinel dashboard page.