The first time I let an LLM run nmap unsupervised, it found a misconfigured SMB share I’d missed during manual enumeration. It also ran rm -rf /tmp/seval_* to “clean up after itself” without asking. Both of these things happened in the same session.
This is the core tension in agentic offensive tooling: the model is simultaneously better and worse than you at the job. Better because it doesn’t get bored scanning 500 ports. Worse because it has no intuition for when it’s about to do something irreversible.
Most agent frameworks solve this with allowlists. You pre-approve commands, the agent picks from the menu. This is safe and also useless for offensive work — half the value is the model improvising a one-liner you wouldn’t have thought of.
seval takes a different approach: block the shapes of dangerous commands (shell metachar injection, filesystem destruction, shutdown sequences) but leave the offensive surface wide open. If sqlmap wants to dump a database, that’s the point. If it wants to rm -rf /, that’s not.
# blocked patterns (regex)
rm\s+(-[rRf]+\s+)?/
shutdown|reboot|halt|poweroff
;\s*rm|&&\s*rm|\|\|\s*rm
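The three patterns above applied to a handful of constructed commands, as an added example that is not seval's own code. `check_command`, `audit` and the sample commands are hypothetical, and unanchored Python `re.search` matching is an assumption about how the patterns are evaluated; the last two samples show benign commands that the unanchored patterns also block.

```python
import re

# The three blocked patterns, copied verbatim from the list above.
BLOCKED_PATTERNS = [
    r"rm\s+(-[rRf]+\s+)?/",
    r"shutdown|reboot|halt|poweroff",
    r";\s*rm|&&\s*rm|\|\|\s*rm",
]
_COMPILED = [re.compile(p) for p in BLOCKED_PATTERNS]


def check_command(command):
    """Return (allowed, matched_pattern) for one command line.

    Assumption: patterns are searched anywhere in the string (unanchored),
    and the first pattern that matches decides the verdict.
    """
    for pattern in _COMPILED:
        if pattern.search(command):
            return False, pattern.pattern
    return True, None


# Constructed sample commands, not taken from a real session.
SAMPLES = [
    "nmap -sV -p- 10.0.0.5",        # ordinary scan: allowed
    "rm -rf /tmp/seval_*",          # the cleanup from the intro: blocked
    "echo done; rm notes.txt",      # chained rm: blocked
    "shutdown -h now",              # shutdown sequence: blocked
    "grep -i halt scan_notes.txt",  # false positive: 'halt' is only a search term
    "ls platform /srv",             # false positive: 'rm' is the tail of 'platform'
]


def audit(commands):
    """Return (command, allowed, matched_pattern) for each command."""
    return [(cmd, *check_command(cmd)) for cmd in commands]


if __name__ == "__main__":
    for cmd, allowed, pattern in audit(SAMPLES):
        verdict = "ALLOW" if allowed else "BLOCK"
        print(f"{verdict:5}  {cmd!r}  {pattern or ''}")
```

Logging the matched pattern next to each blocked command makes false positives like the last two easy to spot when reviewing a session.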
After a few hundred hours of seval sessions, the patterns that produce good results:
hydra hangs for 60 seconds, kill it and let the model try something else.
eugene takes this further — fully autonomous, no human in the loop at all. Run it on a Pi, point it at a network, come back later. That’s a different post.