Skip to content

sw30labs/pentest-regulatory-intel

Repository files navigation

RegIntel

Built with Claude LangGraph LangChain OpenAI MLX ChromaDB SQLite Tavily Python Tests License

Penetration Testing Regulatory Intelligence System

RegIntel is an AI-powered CLI tool that automatically researches, stores, and manages a global inventory of penetration testing regulations for financial services. It uses agentic LLM workflows to discover regulations, validate findings through reflection loops, and maintain an always-current regulatory landscape across 20+ jurisdictions.

RegIntel CLI output

RegIntel scanning jurisdictions and discovering pentest regulations

Screenshots

Batch scan across jurisdictions
Batch scan isolating each jurisdiction with per-region error handling
Local MLX model running reflection
Local Qwen 3.5 122B (MLX) running the reflection quality gate
Duplicate detection results
Semantic duplicate detection across the regulation database
ChromaDB embedding pipeline
Populating ChromaDB vector store with regulation embeddings
Jurisdiction coverage chart
Coverage across 20 jurisdictions grouped by research priority
Requirement types breakdown
Distribution of pentest requirement types (TLPT, vulnerability scan, red team, etc.)

Architecture

RegIntel has three layers: a CLI built with Click + Rich, a LangGraph agent pipeline for research, and a dual storage backend (SQLite for structured data, ChromaDB for semantic search).

flowchart TB
    CLI["CLI<br/>(Click + Rich)"] --> Orchestrator["Batch Orchestrator<br/>(LangGraph)"]
    Orchestrator --> Pipeline["Research Pipeline<br/>(LangGraph)"]

    Pipeline --> Cloud["Cloud LLM<br/>(OpenAI GPT-5.4-mini)"]
    Pipeline --> Local["Local LLM<br/>(MLX Qwen 3.5 122B)"]
    Pipeline --> Tavily["Tavily Web Search"]

    Pipeline --> SQLite[("SQLite")]
    Pipeline --> ChromaDB[("ChromaDB")]

    CLI --> SQLite
    CLI --> ChromaDB
Loading

The Batch Orchestrator iterates through jurisdictions with full isolation — each jurisdiction gets its own pipeline invocation, so failures in one region never contaminate another. The Research Pipeline runs a multi-step workflow with a mandatory reflection quality gate on all new discoveries.

Research Pipeline

The core research workflow is a LangGraph StateGraph with four agents. Every new regulation must pass through reflection before reaching the database, even if validation succeeds on the first pass.

stateDiagram-v2
    [*] --> Plan: jurisdiction + seed profiles

    Plan --> Research: 6-10 search queries
    Research --> Validate: structured findings

    Validate --> Reflect: new findings (quality gate)
    Validate --> Reflect: validation failed
    Validate --> Persist: validated + already reflected

    Reflect --> Research: new search queries
    Reflect --> Validate: corrections only

    Persist --> [*]: DB upsert + changelog
Loading

Agents and their models:

Agent Model Role
Research Cloud (GPT-5.4-mini) Web search + LLM extraction
Validator Cloud (GPT-5.4-mini) Rule-based pre-checks + LLM validation
Reflection Local (Qwen 3.5 122B) Quality gate, grounding checks, hallucination detection
Persister Local (Qwen 3.5 122B) DB writes + change-detection diffing

Each agent's model can be independently configured in regitel.yaml under agent_models.

Data Model

RegIntel stores regulations, pentest requirements, TLPT frameworks, source documents, and change history across 6 related tables.

erDiagram
    JURISDICTION ||--o{ REGULATION : contains
    REGULATION ||--o{ PENTEST_REQUIREMENT : mandates
    REGULATION ||--o{ TLPT_FRAMEWORK : implements
    REGULATION ||--o{ SOURCE_DOCUMENT : documented_by
    REGULATION ||--o{ CHANGE_LOG : tracked_by
Loading

Key entities: Jurisdiction (region, regulatory bodies, research priority), Regulation (name, issuing body, status, effective date, confidence score), Pentest Requirement (type, frequency, scope, mandatory flag, certifications), TLPT Framework (phases, duration, provider requirements), Source Document (URL, file hash, vector collection), Change Log (change type, summary, detection timestamp).

Jurisdiction Coverage

RegIntel tracks 20 jurisdictions across 5 regions, organized by research priority. Jurisdictions are defined in jurisdictions.yaml (user-editable) with a built-in Python fallback.

Priority Jurisdictions
1 (Critical) EU, UK, USA, Singapore, Hong Kong, PCI DSS
3 (Important) Australia, Switzerland, Brazil, India, UAE
4 (Monitoring) WEF
5 (Secondary) Austria, Luxembourg
6 (Low) Cayman Islands, Jersey, Taiwan, South Korea
7 (Minimal) Monaco, Bahamas

To add or modify jurisdictions, edit jurisdictions.yaml in the project root and run regitel db init --seed.

CLI Commands

Batch Scan (recommended)

regitel scan --all                       # Scan ALL jurisdictions (isolated per-region)
regitel scan --all --dry-run             # Test run with mock search (no API calls)
regitel scan -p 1                        # Priority-1 jurisdictions only
regitel scan -p 3                        # Priority 1-3
regitel scan -j eu,uk,singapore          # Specific jurisdictions

Single-Jurisdiction Research

regitel research -j singapore            # Scan one jurisdiction
regitel research --full                  # Legacy: all jurisdictions in one graph run
regitel research --dry-run               # Mock search (no API calls)

Query

regitel query search -t "DORA"                          # Free-text search
regitel query search -j eu --mandatory --tlpt           # Structured filters
regitel query compare singapore hong_kong eu            # Side-by-side comparison
regitel query tlpt                                      # All TLPT frameworks
regitel query frequency --region apac                   # Frequency matrix
regitel query semantic "red team testing for banks"     # Natural language (ChromaDB)

Export

regitel export --format json -o landscape.json          # Full JSON export
regitel export --format csv --mandatory -o reqs.csv     # CSV of mandatory requirements
regitel export --format summary -j uk                   # Human-readable summary

Database Management

regitel db init --seed           # Initialize DB + seed jurisdictions from YAML
regitel db stats                 # Show entity counts + vector store stats
regitel db dedup                 # Detect duplicate regulations (dry run)
regitel db dedup --apply         # Merge and remove duplicates
regitel db embed                 # Populate ChromaDB with embeddings
regitel db embed --force         # Re-embed all (refresh)
regitel db rescore               # Re-calibrate low-confidence scores (dry run)
regitel db rescore --apply       # Apply re-scored confidence values

Analysis & Health

regitel gaps                     # Coverage gap analysis across jurisdictions
regitel gaps --region eu         # Gap analysis for a specific region
regitel doctor                   # System health checks (DB, APIs, dupes, coverage)
regitel status                   # Regulatory landscape overview
regitel status --stale           # Show only unscanned jurisdictions
regitel changelog --since 2026-01-01   # Recent changes

Periodic Monitoring

regitel monitor run                       # Scan due jurisdictions, email digest
regitel monitor run --dry-run --no-email  # Test cycle (mock search)
regitel monitor run -j eu,uk              # Force-check specific jurisdictions
regitel monitor run --watchlist-only      # Deadline/draft check, no scanning
regitel monitor status                    # Re-scan schedule: who is due, when
regitel monitor watchlist                 # Draft/proposed regs + upcoming effective dates
regitel monitor history                   # Past monitor cycles

The monitor re-scans jurisdictions on a priority-weighted staleness policy (P1 weekly, P3 biweekly, low priority monthly+), tracks draft/proposed regulations through their lifecycle (draft → active = "came into force" alert), raises deadline alerts for effective dates within 90 days, and delivers an SMTP digest. Designed to run from cron/launchd — see docs/DESIGN-regulation-monitoring.md for the schedule templates and architecture.

Orphan Detection

regitel orphans                              # Regs with no source document on file
regitel orphans -j eu                        # EU orphans only
regitel orphans --pentest-only               # Only regs that have pentest requirements
regitel orphans --against-kb /path/to/KB     # Regs with no matching PDF in your library
regitel orphans -o orphans.json              # Export orphan list as JSON

Validation

regitel validate --against-kb /path/to/KB    # Full benchmark against existing PDF library

Project Structure

regitel/
  agents/
    research.py          # Plan + web search + LLM extraction
    validator.py         # Rule-based pre-checks + LLM validation
    reflection.py        # Quality gate + failure analysis + re-research
    persister.py         # DB writes + change-detection diffing
  graphs/
    research_graph.py    # LangGraph StateGraph: research pipeline
    batch_orchestrator.py # LangGraph StateGraph: per-jurisdiction batch scan
  monitor/
    policy.py            # Staleness policy: which jurisdictions are due
    watchlist.py         # Draft tracking, status transitions, deadline alerts
    digest.py            # Digest assembly + text/HTML rendering
    notifier.py          # SMTP delivery
    runner.py            # One full monitor cycle
  models/
    state.py             # TypedDict state definitions
    domain.py            # Domain enums and types
  storage/
    database.py          # SQLAlchemy ORM (8 tables)
    vectorstore.py       # ChromaDB wrapper (3 collections)
    embeddings.py        # Embedding pipeline (SQLite -> ChromaDB)
    dedup.py             # Duplicate detection + merge
  query/
    engine.py            # Structured search, compare, frequency matrix
    export.py            # JSON, CSV, summary exporters
  validate/
    benchmark.py         # PDF knowledge base comparison
    pdf_extract.py       # PyMuPDF text extraction
  tools/
    search.py            # Tavily + Mock search tools
  utils/
    prompts.py           # All agent prompt templates
    llm.py               # LLM factory (cloud/local routing)
    logging.py           # Rich console setup
    mock_llm.py          # Mock LLM for dry-run testing
  cli/
    main.py              # Root Click group + command registration
    context.py           # Shared AppContext (config, db, vectorstore)
    db_cmds.py           # db init/stats/seed/dedup/embed/rescore
    research_cmds.py     # research, scan
    query_cmds.py        # query search/compare/tlpt/frequency/semantic
    export_cmds.py       # export
    analysis_cmds.py     # status, changelog, gaps, doctor, orphans, validate
    monitor_cmds.py      # monitor run/status/watchlist/history
  config.py              # YAML config loader
  seeds.py               # Jurisdiction loader (YAML with Python fallback)
docs/
  DESIGN-document-acquisition.md   # Phase 7 architecture: download + ingest pipeline
  DESIGN-regulation-monitoring.md  # Periodic monitoring: policy, watchlist, alerts
tests/
  test_models.py         # Domain model tests
  test_storage.py        # DB + dedup tests
  test_query.py          # Query engine + export tests
  test_config.py         # Configuration tests
  test_monitor.py        # Staleness policy, watchlist, digest, notifier, runner
  test_cli/              # CLI package structure tests
regitel.yaml             # System configuration
jurisdictions.yaml       # Jurisdiction seed data (user-editable)
pyproject.toml           # Dependencies + build config

Requirements

  • Python 3.10+
  • OpenAI API key (for research + validation agents)
  • Tavily API key (for web search)
  • Optional: local MLX vLLM server (for reflection/persister/query agents)

License

Licensed under the Apache License, Version 2.0. Copyright 2026 Nicolas Cravino.

About

AI-powered penetration testing regulatory intelligence system — LangGraph agents, dual LLM (OpenAI + local MLX), 20+ financial services jurisdictions

Topics

Resources

License

Stars

7 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors

Languages