Technical Details

System requirements, scanning capabilities, architecture, and license details.

What you pay for: SEAMUS is built on world-class open-source security tools that are free to use individually. What you pay for is the evaluation and selection of the best tools, their installation and configuration, the orchestration that makes them work together, the SEAMUS Console, AI-powered analysis, multi-format reporting, multi-channel notifications, compliance tooling, and ongoing updates and support. The underlying tools remain free and open source.

Prerequisites

SEAMUS runs entirely in containers. You need a container runtime — that's it. No Python, Ruby, Go, or other language runtimes to install on the host.

Container Runtime (required)

One of the following:

  • Docker Engine (Docker CE) — Linux
  • Docker Desktop — Windows (WSL2 backend)
  • Podman 4.0+ with podman-compose — Linux (RHEL, Fedora, etc.)

The seamus CLI auto-detects Docker vs Podman.

Hardware

  • CPU: 2+ cores recommended
  • RAM: 4 GB minimum, 8 GB recommended
  • Disk: 10 GB free (images ~2 GB, scan data grows over time)
  • Network: Outbound internet access for scanning targets

No Python required. The SEAMUS Console runs inside a container (Flask + Python are bundled in the image). The host machine only needs Docker or Podman. The seamus CLI is a plain bash script.

Supported Platforms

| Platform | Container Runtime | Status |
|---|---|---|
| Ubuntu 22.04 / 24.04 | Docker CE or Podman | Fully tested |
| RHEL 9 / 10, Fedora, Rocky, Alma | Podman (default) or Docker CE | Fully tested |
| Debian 12 | Docker CE or Podman | Supported |
| Windows 10/11 | Docker Desktop (WSL2 backend) | Supported — see setup guide |

Architecture

SEAMUS deploys as three containers managed by Docker Compose (or podman-compose):

| Container | What It Does | Port |
|---|---|---|
| easm-scanner | Runs all scanning tools (Amass, naabu, Nuclei, ZAP), scheduled scans, notifications, reports, and the seamus CLI | |
| seamus-console | SEAMUS Console web UI — configuration viewer, documentation browser, AI chat assistant, compliance dashboard | 3002 |
| uptime-kuma | Uptime monitoring dashboard with status pages and alerting | 3001 |

All scan data, configuration, reports, and audit logs are stored in a data/ directory on the host, mounted as Docker volumes. Your data stays on your machine.

Scanning Capabilities

Automated Scans

| Scan Type | Tool | Default Schedule | What It Finds |
|---|---|---|---|
| Subdomain discovery | Amass | Daily | New subdomains, DNS records, related infrastructure |
| Port scanning | naabu | Daily | Open ports, running services, version detection |
| Vulnerability scanning | Nuclei | Weekly | CVEs, misconfigurations, exposed panels, default credentials |
| Web app scanning (DAST) | ZAP | Weekly | XSS, SQLi, CSRF, security headers, OWASP Top 10 |
| SSL certificate monitoring | Built-in | Weekly + 7-day alert | Expiring certificates (30-day warning in reports, 7-day standalone alert) |
| Uptime monitoring | Uptime Kuma | Continuous | HTTP/HTTPS/TCP/Ping availability, response time, status pages |

AI Analysis

After each scan cycle, SEAMUS sends scan results to an AI model for analysis. The AI:

AI requires an API key. You provide your own API key during setup. AI features are optional — all scanning, reporting, and notifications work without them. The AI never sees your raw scan data outside of the API call; nothing is stored by the AI provider.
AI analysis is advisory and may contain errors. Always verify critical findings with qualified security professionals. AI-generated explanations, false positive assessments, and remediation suggestions are automated guidance, not professional security assessments.
AI API costs are separate. The AI features use the Anthropic API, which is billed separately by Anthropic to your account. These costs (~$1–2/month for typical usage) are not included in the SEAMUS license fee. See AI Setup for details.

Notifications

SEAMUS supports 7 notification channels, each with topic-tagged alerts:

Channel Topics
Google Chat, Slack, Microsoft Teams, Discord [WEEKLY] [DISCOVERY] [CRITICAL] [CERT-EXPIRY] [DAST]
Email (SMTP)
Generic webhook, Custom script

Reports

Generated automatically after every scan cycle:

The seamus CLI

A single command-line interface manages the entire platform:

seamus setup          # Interactive first-run wizard
seamus up             # Start all containers
seamus down           # Stop all containers
seamus update         # Pull latest images and restart
seamus scan           # Run a scan now
seamus findings       # View latest findings
seamus report         # Generate reports
seamus validate       # Run tool validation tests (auditor-ready)
seamus audit          # View audit log
seamus audit --verify # Verify hash chain integrity
seamus audit export   # Export audit log for auditors
seamus proxy test     # Test proxy configuration
seamus license        # View license status
seamus uninstall      # Remove SEAMUS

Compliance & Audit

SEAMUS is designed to produce evidence that auditors accept:

Windows 10/11 Setup Guide

SEAMUS runs on Windows via WSL2 (Windows Subsystem for Linux) and Docker Desktop. All SEAMUS commands run inside a WSL2 terminal, not in Windows CMD or PowerShell.

Prerequisites

  1. Enable WSL2 — open PowerShell as Administrator:
    wsl --install
    Restart when prompted. This installs Ubuntu by default.
  2. Install Docker Desktop — download from docker.com
    • During install, ensure "Use WSL2 based engine" is checked
    • In Docker Desktop settings → Resources → WSL Integration, enable your Ubuntu distro

Installation

  1. Open a WSL2 terminal (search "Ubuntu" in Start Menu)
  2. From this point, all commands are identical to Linux:
    # Copy the distribution zip into WSL (or download directly)
    cp /mnt/c/Users/YourName/Downloads/seamus-dist-1.0.3.zip ~
    cd ~
    unzip seamus-dist-1.0.3.zip
    cd seamus
    ./seamus setup
    ./seamus up

Accessing the Console

The Console and Uptime Kuma are accessible from your Windows browser at the same URLs shown by ./seamus up. Docker Desktop forwards the ports from WSL2 to Windows automatically.

Setting Up Automated Scanning

SEAMUS detects your platform and guides you to the right scheduling method:

# If cron is available (most WSL2 Ubuntu installs):
./seamus setup-cron

# If cron is not available, use Windows Task Scheduler:
./seamus setup-task

The setup-task command generates a PowerShell command you run in an Administrator PowerShell window. It creates two Windows Scheduled Tasks that call SEAMUS through WSL2 automatically.

To remove scheduled tasks:

./seamus remove-cron    # Linux cron
./seamus remove-task    # Windows Task Scheduler

Important: SEAMUS commands must always be run in a WSL2 terminal (Ubuntu), not in Windows CMD or PowerShell. The seamus CLI is a bash script that requires a Linux environment.

Proxy Support

SEAMUS supports rotating proxy IPs for scanning, useful for avoiding rate limits or IP-based blocking. Configure a proxy provider (e.g., WebShare) in seamus.env and all scan tools route through it automatically. Test with seamus proxy test.

License & What Happens at Expiry

SEAMUS uses a signed license file (HMAC-SHA256). There is no DRM and no kill switch. The Console sends a lightweight, non-blocking telemetry beacon (version, license ID, timestamp) on startup for usage analytics — see the Privacy Policy for details. SEAMUS does not contact our servers to validate your license or restrict functionality.

2-week free trial

Full functionality, no credit card required. A trial license is created automatically on first run.

Active license

Everything works: Console, AI analysis, reports, notifications, compliance tooling, and all scans.

Expired or cancelled

When your license expires or you stop renewing:

| Component | Licensed | Expired |
|---|---|---|
| Subdomain enumeration (Amass) | Runs | Runs |
| Port scanning (naabu) | Runs | Runs |
| Vulnerability scanning (Nuclei) | Runs | Runs |
| Web app scanning (ZAP) | Runs | Runs |
| Uptime Kuma monitoring | Runs | Runs |
| Raw scan data on disk | Yours | Yours |
| Audit log | Records | Records |
| SEAMUS Console | Full access | Disabled |
| AI analysis | Full | Disabled |
| Reports (HTML/PDF/MD/CSV) | Full | Disabled |
| Notifications & alerts | All channels | Disabled |
| Updates | 12 months | None |

You never lose your data. Scans continue running on schedule and writing raw results to disk. You can build your own alerting or reporting on top of the raw scan data. Renew anytime to restore full functionality.

Setting Up AI Features

SEAMUS AI features are optional and require an API key from Anthropic. All scanning, reporting, and notifications work without AI enabled.

Step 1: Create an Anthropic account

  1. Go to console.anthropic.com
  2. Sign up or log in
  3. Navigate to Settings → API Keys
  4. Click Create Key
  5. Copy the key (it starts with sk-ant-)

Step 2: Add the key to SEAMUS

Either re-run the setup wizard:

./seamus setup

Or edit data/config/notify.conf directly:

ANTHROPIC_API_KEY="sk-ant-your-key-here"

No restart is needed. The Console reads the key on each chat request, and scan scripts pick it up on the next run.

Cost

AI features use Anthropic's API with prompt caching enabled (~90% cost reduction on repeat queries). Typical cost:

What the AI can see

The AI receives your scan results, configuration, and documentation as context for each request. Data is sent to Anthropic's API for processing and is not stored by the AI provider beyond the duration of the request. No scan data is shared with other customers or used for training.

Other AI providers: SEAMUS currently supports Anthropic (Claude) for AI features. Support for additional providers (OpenAI, Google Gemini) is on the roadmap for a future release.

TLS Certificates

SEAMUS generates a self-signed TLS certificate on first startup. The Console serves over HTTPS automatically. Your browser will show a certificate warning. This is expected and the connection is still encrypted, although the browser cannot verify the Console's identity from a self-signed certificate.

Using your own certificate

If your organization requires a trusted certificate (e.g., from Let's Encrypt or an internal CA), replace the self-signed files:

data/certs/console.pem       # Your certificate (PEM format)
data/certs/console-key.pem   # Your private key (PEM format)

Then restart the Console:

./seamus down && ./seamus up

The certificate files must be readable by the Console container. No other configuration is needed — the Console automatically uses whatever certificate is at that path.

Tip: If you use Let's Encrypt with certbot, you can symlink or copy the fullchain.pem and privkey.pem files into data/certs/ and set up a cron job to restart the Console after renewal.

Updating SEAMUS

To update SEAMUS to the latest version:

./seamus update

This pulls the latest container images and restarts services. Your data, configuration, and license are preserved — they live in data/ and are not part of the container images.

You can also update manually:

./seamus down
docker compose pull    # or: podman-compose pull
./seamus up

Exporting Data

All SEAMUS data lives in the data/ directory on your host. You own it and can export it at any time:

| What | Location | Format |
|---|---|---|
| Scan results | data/scans/ | JSON, XML |
| Vulnerability findings | data/scans/*_nuclei_*.json | JSON Lines (one finding per line) |
| Subdomain inventory | data/inventory/known_subdomains.txt | Plain text (one per line) |
| Audit log | data/audit/audit.jsonl | Hash-chained JSON Lines |
| Scan logs | data/logs/ | Plain text logs |
| Reports | data/scans/*_report.* | HTML, PDF, Markdown, CSV |
| Configuration | data/config/ | Text files |
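
The export table above and the license expiry section both point to the raw Nuclei findings files as the basis for your own alerting. The following is an added example, not part of SEAMUS: a Python triage script that assumes the standard Nuclei JSON Lines fields (template-id, info.severity, info.name, matched-at, host). The function names, the default severity threshold and the sample records are constructed for illustration.

```python
import glob
import json
from collections import Counter

RANK = {"unknown": 0, "info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def parse_findings(lines):
    """Yield ((template, target), finding) per Nuclei JSONL record; skip bad lines."""
    for line in lines:
        try:
            rec = json.loads(line)
            info = rec["info"]
            sev = str(info.get("severity", "unknown")).lower()
        except (ValueError, TypeError, KeyError, AttributeError):
            continue  # blank line, non-finding record, or partial write by a running scan
        finding = {
            "template": rec.get("template-id", "unknown"),
            "target": rec.get("matched-at") or rec.get("host", "unknown"),
            "severity": sev,
            "name": info.get("name", ""),
        }
        yield (finding["template"], finding["target"]), finding

def triage(lines, seen=frozenset(), min_severity="high"):
    """Return (unseen findings at or above min_severity, worst first; severity counts)."""
    unique = dict(parse_findings(lines))  # repeated hits collapse to one entry
    counts = Counter(f["severity"] for f in unique.values())
    alerts = [f for key, f in unique.items()
              if key not in seen and RANK.get(f["severity"], 0) >= RANK[min_severity]]
    alerts.sort(key=lambda f: (-RANK.get(f["severity"], 0), f["template"], f["target"]))
    return alerts, counts

def read_scan_lines(pattern="data/scans/*_nuclei_*.json"):
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8", errors="replace") as fh:
            yield from fh

# Constructed sample records (not real scan output); the last one is truncated.
SAMPLE = [
    '{"template-id":"exposed-panel","info":{"name":"Admin panel exposed","severity":"medium"},"host":"https://app.example.com","matched-at":"https://app.example.com/admin"}',
    '{"template-id":"default-login","info":{"name":"Default credentials","severity":"critical"},"host":"https://vpn.example.com","matched-at":"https://vpn.example.com/login"}',
    '{"template-id":"default-login","info":{"name":"Default credentials","severity":"critical"},"host":"https://vpn.example.com","matched-at":"https://vpn.example.com/login"}',
    '{"template-id":"tls-weak-cipher","info":{"name":"Weak cipher","severity":"high"},"host":"mail.example.com:443","matched-at":"mail.example.com:443"}',
    '{"template-id":"missing-hsts","info":{"name":"HSTS missing","severity":"info"},"host":"https://app.exa',
]

if __name__ == "__main__":
    alerts, counts = triage(list(read_scan_lines()) or SAMPLE)
    print(dict(counts), *alerts, sep="\n")
```

Run it from the directory that contains data/. Persisting the (template, target) keys of alerts already sent and passing them back as `seen` keeps each scheduled run from re-alerting on the same finding.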

To export the audit log for auditors:

./seamus audit export

To back up everything:

tar czf seamus-backup-$(date +%Y%m%d).tar.gz data/