SentinelClaw is our self-hosted pentest platform. This post explains the two building blocks that set SentinelClaw apart from tools like Nessus, OpenVAS, or commercial SaaS alternatives: NemoClaw as the AI planning engine and Landlock LSM as a kernel-level sandbox.
Why another pentest tool?
The commercial pentest landscape has fragmented since 2020: SaaS platforms like Intruder.io or Pentera that store scan results on third-party servers — and legacy tools like OpenVAS whose vulnerability databases have barely been maintained. For GDPR-critical environments (healthcare, government, fintech), a tool that is modern, self-hosted, and isolated has been missing.
SentinelClaw closes that gap.
NemoClaw — the AI planning engine
NemoClaw is SentinelClaw's AI core. Instead of rigid scan profiles, NemoClaw plans a pentest step by step: reconnaissance (what services are running, which versions?), hypothesis (which vulnerabilities are plausible for this service combination?), prioritization (which tests give the best signal-to-noise ratio?), and execution (only validated tests, every step logged).
The critical difference from OpenClaw and other AI pentest tools: NemoClaw uses local LLMs by default (via Ollama or vLLM). No data leakage to OpenAI, Anthropic, or Azure. Cloud LLMs can be explicitly enabled per scan — default-off, not default-on.
Why local LLMs?
Raw pentest data contains server names, subdomain structures, internal IP ranges, software versions, and sometimes sensitive paths. Sending that data to a cloud API means: an attacker who compromises OpenAI logs has complete reconnaissance for the next real attack.
Our default configuration runs llama-3.1-70b or mistral-small
locally. That's plenty for the planning phase — we're reasoning about known CVEs, not
doing creative generation.
Landlock LSM — the kernel-level cage
NemoClaw generates plan steps, but actual execution happens in subprocesses (nmap, nuclei, custom scripts). The problem: if one of these subprocesses escapes or an exploit chain goes too far, it could attack the host system.
Enter Landlock — a Linux Security Module (LSM) since kernel 5.13 (2021). Landlock lets a process voluntarily reduce its own permissions before spawning child processes. For SentinelClaw, that means: even if an exploit script escapes or gets manipulated, it can at most operate within the scan working directory. The rest of the system is unreachable — enforced by the Linux kernel itself, not user-space code.
Why not just Docker?
Docker containers are a good first line of defense, but container escapes exist (CVE-2019-5736, CVE-2022-0185, CVE-2024-21626 "leaky vessels"), every container needs root-equivalent privileges for netcap operations, and Landlock runs inside the container as a second line of defense. We use both: Docker for resource isolation and Landlock for filesystem access. Defense in depth.
Audit trail
Every action — from the first NemoClaw hypothesis to the last executed subprocess — lands in a structured JSON log. This matters for compliance (ISO 27001 Annex A.12.4.1 requires event logging; our JSON format is directly SIEM-compatible) and for traceability (when NemoClaw makes a surprising recommendation, operators can trace the reasoning chain step by step).
Status
Currently in closed beta, MIT-licensed release planned for Q3 2026. Code lives on GitHub. Early-access requests welcome at kontakt@techlogia.de.