SentinelClaw is our self-hosted pentest platform. This post explains the two building blocks that set SentinelClaw apart from tools like Nessus, OpenVAS, or commercial SaaS alternatives: NemoClaw as the AI planning engine and Landlock LSM as a kernel-level sandbox.

Why another pentest tool?

The commercial pentest landscape has fragmented since 2020 into SaaS platforms like Intruder.io or Pentera that store scan results on third-party servers, and legacy tools like OpenVAS whose vulnerability databases have barely been maintained. For GDPR-critical environments (healthcare, government, fintech), a tool that is modern, self-hosted, and isolated has been missing. SentinelClaw closes that gap.

NemoClaw — the AI planning engine

NemoClaw is SentinelClaw's AI core. Instead of rigid scan profiles, NemoClaw plans a pentest step by step: reconnaissance (what services are running, which versions?), hypothesis (which vulnerabilities are plausible for this service combination?), prioritization (which tests give the best signal-to-noise ratio?), and execution (only validated tests, every step logged).

The critical difference from OpenClaw and other AI pentest tools: NemoClaw uses local LLMs by default (via Ollama or vLLM). No data leakage to OpenAI, Anthropic, or Azure. Cloud LLMs can be explicitly enabled per scan: default-off, not default-on.

Why local LLMs?

Raw pentest data contains server names, subdomain structures, internal IP ranges, software versions, and sometimes sensitive paths. Sending that data to a cloud API means that an attacker who compromises OpenAI logs has complete reconnaissance for the next real attack.

Our default configuration runs llama-3.1-70b or mistral-small locally. That's plenty for the planning phase — we're reasoning about known CVEs, not doing creative generation.

Landlock LSM — the kernel-level cage

NemoClaw generates plan steps, but actual execution happens in subprocesses (nmap, nuclei, custom scripts). The problem: if one of these subprocesses escapes or an exploit chain goes too far, it could attack the host system.

Enter Landlock, a Linux Security Module (LSM) available since kernel 5.13 (2021). Landlock lets a process voluntarily reduce its own permissions before spawning child processes. For SentinelClaw, that means: even if an exploit script escapes or gets manipulated, it can at most operate within the scan working directory. The rest of the system is unreachable, and that is enforced by the Linux kernel itself, not by user-space code.

Why not just Docker?

Docker containers are a good first line of defense, but container escapes exist (CVE-2019-5736, CVE-2022-0185, CVE-2024-21626 "leaky vessels"), every container needs root-equivalent privileges for netcap operations, and Landlock runs inside the container as a second line of defense.

We use both: Docker for resource isolation and Landlock for filesystem access. Defense in depth.

Audit trail

Every action, from the first NemoClaw hypothesis to the last executed subprocess, lands in a structured JSON log. This matters for compliance (ISO 27001 Annex A.12.4.1 requires event logging; our JSON format is directly SIEM-compatible) and for traceability (when NemoClaw makes a surprising recommendation, operators can trace the reasoning chain step by step).

Status

Currently in closed beta, MIT-licensed release planned for Q3 2026. Code lives on GitHub. Early-access requests welcome at kontakt@techlogia.de.
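
The Landlock self-restriction described in the section on the kernel-level cage, as an added example that is not SentinelClaw's own code: a Python launcher applies a Landlock ruleset in the child between fork and exec, so the scan tool starts already confined. The function names and the read/execute path list (`/usr`, `/bin`, `/lib`, `/lib64`, `/etc`, assumed necessary so the tool binary and its shared libraries can load) are assumptions, and the rights mask covers Landlock ABI 1 to 3 only.

```python
import ctypes, os, struct, subprocess, sys

_libc = ctypes.CDLL(None, use_errno=True)
# Landlock syscall numbers (x86-64 and arm64) and uapi constants from linux/landlock.h
SYS_CREATE_RULESET, SYS_ADD_RULE, SYS_RESTRICT_SELF = 444, 445, 446
CREATE_RULESET_VERSION, RULE_PATH_BENEATH, PR_SET_NO_NEW_PRIVS = 1, 1, 38
RO = (1 << 0) | (1 << 2) | (1 << 3)      # EXECUTE | READ_FILE | READ_DIR

def _syscall(nr, *args):
    # syscall(2) takes longs; wrap ints so ctypes does not pass them as 32-bit
    conv = [ctypes.c_long(a) if isinstance(a, int) else a for a in args]
    res = _libc.syscall(ctypes.c_long(nr), *conv)
    if res < 0:
        raise OSError(ctypes.get_errno(), os.strerror(ctypes.get_errno()))
    return res

def landlock_abi():
    """Landlock ABI version of the running kernel, or 0 if unavailable."""
    try:  # ENOSYS: kernel older than 5.13; EOPNOTSUPP: LSM disabled at boot
        linux = sys.platform.startswith("linux")
        return _syscall(SYS_CREATE_RULESET, None, 0, CREATE_RULESET_VERSION) if linux else 0
    except OSError:
        return 0

def handled_fs_mask(abi):
    # ABI 1: EXECUTE..MAKE_SYM (bits 0-12); ABI 2 adds REFER (13); ABI 3 TRUNCATE (14)
    return ((1 << 13) - 1) | ((abi >= 2) << 13) | ((abi >= 3) << 14)

def confine(workdir, ro_paths=("/usr", "/bin", "/lib", "/lib64", "/etc")):
    """Irreversibly restrict this process: full access under workdir, read/exec on ro_paths."""
    abi = landlock_abi()
    if abi == 0:                          # fail closed rather than run unconfined
        raise RuntimeError("Landlock unavailable")
    full = handled_fs_mask(abi)           # landlock_ruleset_attr.handled_access_fs
    ruleset = _syscall(SYS_CREATE_RULESET, struct.pack("=Q", full), 8, 0)
    rules = [(workdir, full)] + [(p, RO) for p in ro_paths if os.path.isdir(p)]
    for path, access in rules:
        fd = os.open(path, os.O_PATH | os.O_CLOEXEC)
        # packed struct landlock_path_beneath_attr: u64 allowed_access, s32 parent_fd
        _syscall(SYS_ADD_RULE, ruleset, RULE_PATH_BENEATH, struct.pack("=Qi", access, fd), 0)
        os.close(fd)
    _libc.prctl(PR_SET_NO_NEW_PRIVS, *(ctypes.c_ulong(v) for v in (1, 0, 0, 0)))
    _syscall(SYS_RESTRICT_SELF, ruleset, 0)   # fails with EPERM without no_new_privs
    os.close(ruleset)

def run_confined(workdir, argv):
    """Run argv with the ruleset applied in the child, between fork and exec."""
    return subprocess.run(argv, cwd=workdir, preexec_fn=lambda: confine(workdir))
```

Because `confine` raises when Landlock is unavailable, `subprocess.run` fails instead of starting the tool unconfined.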