Penetration Testing Regulatory Intelligence System
RegIntel is an AI-powered CLI tool that automatically researches, stores, and manages a global inventory of penetration testing regulations for financial services. It uses agentic LLM workflows to discover regulations, validate findings through reflection loops, and maintain an always-current regulatory landscape across 20+ jurisdictions.
RegIntel scanning jurisdictions and discovering pentest regulations
![]() Batch scan isolating each jurisdiction with per-region error handling |
![]() Local Qwen 3.5 122B (MLX) running the reflection quality gate |
![]() Semantic duplicate detection across the regulation database |
![]() Populating ChromaDB vector store with regulation embeddings |
![]() Coverage across 20 jurisdictions grouped by research priority |
![]() Distribution of pentest requirement types (TLPT, vulnerability scan, red team, etc.) |
RegIntel has three layers: a CLI built with Click + Rich, a LangGraph agent pipeline for research, and a dual storage backend (SQLite for structured data, ChromaDB for semantic search).
flowchart TB
CLI["CLI<br/>(Click + Rich)"] --> Orchestrator["Batch Orchestrator<br/>(LangGraph)"]
Orchestrator --> Pipeline["Research Pipeline<br/>(LangGraph)"]
Pipeline --> Cloud["Cloud LLM<br/>(OpenAI GPT-5.4-mini)"]
Pipeline --> Local["Local LLM<br/>(MLX Qwen 3.5 122B)"]
Pipeline --> Tavily["Tavily Web Search"]
Pipeline --> SQLite[("SQLite")]
Pipeline --> ChromaDB[("ChromaDB")]
CLI --> SQLite
CLI --> ChromaDB
The Batch Orchestrator iterates through jurisdictions with full isolation — each jurisdiction gets its own pipeline invocation, so failures in one region never contaminate another. The Research Pipeline runs a multi-step workflow with a mandatory reflection quality gate on all new discoveries.
The core research workflow is a LangGraph StateGraph with four agents. Every new regulation must pass through reflection before reaching the database, even if validation succeeds on the first pass.
stateDiagram-v2
[*] --> Plan: jurisdiction + seed profiles
Plan --> Research: 6-10 search queries
Research --> Validate: structured findings
Validate --> Reflect: new findings (quality gate)
Validate --> Reflect: validation failed
Validate --> Persist: validated + already reflected
Reflect --> Research: new search queries
Reflect --> Validate: corrections only
Persist --> [*]: DB upsert + changelog
Agents and their models:
| Agent | Model | Role |
|---|---|---|
| Research | Cloud (GPT-5.4-mini) | Web search + LLM extraction |
| Validator | Cloud (GPT-5.4-mini) | Rule-based pre-checks + LLM validation |
| Reflection | Local (Qwen 3.5 122B) | Quality gate, grounding checks, hallucination detection |
| Persister | Local (Qwen 3.5 122B) | DB writes + change-detection diffing |
Each agent's model can be independently configured in regitel.yaml under agent_models.
RegIntel stores regulations, pentest requirements, TLPT frameworks, source documents, and change history across 6 related tables.
erDiagram
JURISDICTION ||--o{ REGULATION : contains
REGULATION ||--o{ PENTEST_REQUIREMENT : mandates
REGULATION ||--o{ TLPT_FRAMEWORK : implements
REGULATION ||--o{ SOURCE_DOCUMENT : documented_by
REGULATION ||--o{ CHANGE_LOG : tracked_by
Key entities: Jurisdiction (region, regulatory bodies, research priority), Regulation (name, issuing body, status, effective date, confidence score), Pentest Requirement (type, frequency, scope, mandatory flag, certifications), TLPT Framework (phases, duration, provider requirements), Source Document (URL, file hash, vector collection), Change Log (change type, summary, detection timestamp).
RegIntel tracks 20 jurisdictions across 5 regions, organized by research priority. Jurisdictions are defined in jurisdictions.yaml (user-editable) with a built-in Python fallback.
| Priority | Jurisdictions |
|---|---|
| 1 (Critical) | EU, UK, USA, Singapore, Hong Kong, PCI DSS |
| 3 (Important) | Australia, Switzerland, Brazil, India, UAE |
| 4 (Monitoring) | WEF |
| 5 (Secondary) | Austria, Luxembourg |
| 6 (Low) | Cayman Islands, Jersey, Taiwan, South Korea |
| 7 (Minimal) | Monaco, Bahamas |
To add or modify jurisdictions, edit jurisdictions.yaml in the project root and run regitel db init --seed.
regitel scan --all # Scan ALL jurisdictions (isolated per-region)
regitel scan --all --dry-run # Test run with mock search (no API calls)
regitel scan -p 1 # Priority-1 jurisdictions only
regitel scan -p 3 # Priority 1-3
regitel scan -j eu,uk,singapore # Specific jurisdictionsregitel research -j singapore # Scan one jurisdiction
regitel research --full # Legacy: all jurisdictions in one graph run
regitel research --dry-run # Mock search (no API calls)regitel query search -t "DORA" # Free-text search
regitel query search -j eu --mandatory --tlpt # Structured filters
regitel query compare singapore hong_kong eu # Side-by-side comparison
regitel query tlpt # All TLPT frameworks
regitel query frequency --region apac # Frequency matrix
regitel query semantic "red team testing for banks" # Natural language (ChromaDB)regitel export --format json -o landscape.json # Full JSON export
regitel export --format csv --mandatory -o reqs.csv # CSV of mandatory requirements
regitel export --format summary -j uk # Human-readable summaryregitel db init --seed # Initialize DB + seed jurisdictions from YAML
regitel db stats # Show entity counts + vector store stats
regitel db dedup # Detect duplicate regulations (dry run)
regitel db dedup --apply # Merge and remove duplicates
regitel db embed # Populate ChromaDB with embeddings
regitel db embed --force # Re-embed all (refresh)
regitel db rescore # Re-calibrate low-confidence scores (dry run)
regitel db rescore --apply # Apply re-scored confidence valuesregitel gaps # Coverage gap analysis across jurisdictions
regitel gaps --region eu # Gap analysis for a specific region
regitel doctor # System health checks (DB, APIs, dupes, coverage)
regitel status # Regulatory landscape overview
regitel status --stale # Show only unscanned jurisdictions
regitel changelog --since 2026-01-01 # Recent changesregitel monitor run # Scan due jurisdictions, email digest
regitel monitor run --dry-run --no-email # Test cycle (mock search)
regitel monitor run -j eu,uk # Force-check specific jurisdictions
regitel monitor run --watchlist-only # Deadline/draft check, no scanning
regitel monitor status # Re-scan schedule: who is due, when
regitel monitor watchlist # Draft/proposed regs + upcoming effective dates
regitel monitor history # Past monitor cyclesThe monitor re-scans jurisdictions on a priority-weighted staleness policy
(P1 weekly, P3 biweekly, low priority monthly+), tracks draft/proposed
regulations through their lifecycle (draft → active = "came into force"
alert), raises deadline alerts for effective dates within 90 days, and
delivers an SMTP digest. Designed to run from cron/launchd — see
docs/DESIGN-regulation-monitoring.md for the schedule templates and
architecture.
regitel orphans # Regs with no source document on file
regitel orphans -j eu # EU orphans only
regitel orphans --pentest-only # Only regs that have pentest requirements
regitel orphans --against-kb /path/to/KB # Regs with no matching PDF in your library
regitel orphans -o orphans.json # Export orphan list as JSONregitel validate --against-kb /path/to/KB # Full benchmark against existing PDF libraryregitel/
agents/
research.py # Plan + web search + LLM extraction
validator.py # Rule-based pre-checks + LLM validation
reflection.py # Quality gate + failure analysis + re-research
persister.py # DB writes + change-detection diffing
graphs/
research_graph.py # LangGraph StateGraph: research pipeline
batch_orchestrator.py # LangGraph StateGraph: per-jurisdiction batch scan
monitor/
policy.py # Staleness policy: which jurisdictions are due
watchlist.py # Draft tracking, status transitions, deadline alerts
digest.py # Digest assembly + text/HTML rendering
notifier.py # SMTP delivery
runner.py # One full monitor cycle
models/
state.py # TypedDict state definitions
domain.py # Domain enums and types
storage/
database.py # SQLAlchemy ORM (8 tables)
vectorstore.py # ChromaDB wrapper (3 collections)
embeddings.py # Embedding pipeline (SQLite -> ChromaDB)
dedup.py # Duplicate detection + merge
query/
engine.py # Structured search, compare, frequency matrix
export.py # JSON, CSV, summary exporters
validate/
benchmark.py # PDF knowledge base comparison
pdf_extract.py # PyMuPDF text extraction
tools/
search.py # Tavily + Mock search tools
utils/
prompts.py # All agent prompt templates
llm.py # LLM factory (cloud/local routing)
logging.py # Rich console setup
mock_llm.py # Mock LLM for dry-run testing
cli/
main.py # Root Click group + command registration
context.py # Shared AppContext (config, db, vectorstore)
db_cmds.py # db init/stats/seed/dedup/embed/rescore
research_cmds.py # research, scan
query_cmds.py # query search/compare/tlpt/frequency/semantic
export_cmds.py # export
analysis_cmds.py # status, changelog, gaps, doctor, orphans, validate
monitor_cmds.py # monitor run/status/watchlist/history
config.py # YAML config loader
seeds.py # Jurisdiction loader (YAML with Python fallback)
docs/
DESIGN-document-acquisition.md # Phase 7 architecture: download + ingest pipeline
DESIGN-regulation-monitoring.md # Periodic monitoring: policy, watchlist, alerts
tests/
test_models.py # Domain model tests
test_storage.py # DB + dedup tests
test_query.py # Query engine + export tests
test_config.py # Configuration tests
test_monitor.py # Staleness policy, watchlist, digest, notifier, runner
test_cli/ # CLI package structure tests
regitel.yaml # System configuration
jurisdictions.yaml # Jurisdiction seed data (user-editable)
pyproject.toml # Dependencies + build config
- Python 3.10+
- OpenAI API key (for research + validation agents)
- Tavily API key (for web search)
- Optional: local MLX vLLM server (for reflection/persister/query agents)
Licensed under the Apache License, Version 2.0. Copyright 2026 Nicolas Cravino.






