WinSentinel v1.16.0

A feature-heavy release expanding MITRE ATT&CK coverage and polishing the agentic analysis layer. 25 commits since v1.15.1.

New: ATT&CK Detector Suite

Five new autonomous detectors stitched into the analysis pipeline:

Credential Access Detector (TA0006) — LSASS dumping, Kerberoasting, brute-force, password spraying, keylogging, NTLM relay, and more. Builds harvest chains and recommends containment.
Initial Access Detector (TA0001) — phishing, exploit-public-facing, supply-chain, valid-account abuse.
Discovery Detector (TA0007) — host/network/account reconnaissance signal extraction.
Execution Detector (TA0002) — script interpreter abuse, scheduled-task / WMI execution, LOLBin patterns.
Command & Control Detector (TA0011) — beaconing, encrypted-channel and proxy abuse heuristics.

SecurityNerveCenter now sorts audit history once and threads the result through BuildSignals / BuildAlerts instead of re-sorting per call.
InsiderThreatProfiler.DetectDeviations collapsed 6+ separate Where().Count() passes into a single-pass event bucketing loop.

InsiderThreatProfiler risk-tier classification cleanup: removed an unreachable Critical arm in the first ternary that was immediately shadowed by a corrective if/else ladder; collapsed both into a single highest-first ClassifyInsiderRiskLevel helper with a named CriticalRiskThreshold = 85 constant.
NuGet publish workflow fix.
Preview package CI for pre-release builds.

nuget.yml triggers on published releases and packs both WinSentinel.Core and WinSentinel.Cli against the release tag version.
Version-sync workflow keeps csproj <Version> aligned with MinVer-derived tags.

dotnet tool install --global WinSentinel.Cli --version 1.16.0

Tag-driven release; NuGet publish workflow will run automatically on publish.