Skip to content

Editions

Shannon ships in two ways: Shannon Open Source, the pentester you run yourself, and the Keygraph platform, the commercial pentesting product that runs Shannon continuously and covers the full AppSec lifecycle around it.

Shannon Open Source is the standalone pentester: a CLI agent for white-box, proof-by-exploitation testing of web applications and APIs you own or are authorized to test. It reads your source, plans attacks, executes real exploits, and reports only what it can prove. It runs on demand and does that one job end to end. You point it at a target, it pentests, it reports.

The Keygraph platform is the enterprise-ready, continuous pentesting product powered by Shannon. An enhanced build of Shannon runs continuously, fed by Keygraph’s code-analysis stack. Around that engine, the platform closes the entire vulnerability lifecycle, from analysis to a verified fix:

  • Analyze: Code Property Graph SAST, SCA with reachability, secrets, IaC, and container scanning. First-class detections in their own right, and context that sharpens Shannon’s attacks.
  • Prove: autonomous black-box and source-aware white-box pentests turn candidate findings into proven, exploited vulnerabilities rather than speculative alerts.
  • Manage: one canonical record per vulnerability per repository, deduplicated across every source, with ownership, status, SLA tracking, dashboards, and bidirectional Jira sync.
  • Remediate and verify: patches written automatically and re-tested against the patched code before delivery, landing in your existing review workflow rather than auto-applied.
  • Deploy: self-hosted and air-gapped environments, strict bring-your-own-key model access, and customer-controlled LLM gateway patterns, so source, results, and model traffic stay inside your perimeter.
AppSec lifecycle stageShannon Open SourceKeygraph platform
AnalyzeBasic LLM pass-through of source to plan attacksFull code parsing, plus Code Property Graph, SAST, SCA with reachability, secrets, IaC, and containers
Pentest and proveWhite-box only, proof by exploitationEnhanced white-box, plus black-box and grey-box modes, run continuously
Manage findingsLocal Markdown reportCanonical findings system: deduplication across sources, ownership, SLA, dashboards, Jira sync, and professional pentest-grade PDF reports
Remediate and verifyFix manually from the report, then re-run the full scan to verifyAutomated remediation: opens a PR with the fix, verified by point re-test without re-running the full scan
Deploy and operateLocal CLI and Docker workerSelf-hosted, air-gapped, BYOK, continuous, enterprise integrations
License and supportAGPL-3.0, communityCommercial, supported

Shannon is the proof engine at the center of the Keygraph platform. Shannon Open Source gives you that engine to run yourself. The Keygraph platform surrounds Shannon with continuous analysis, finding management, remediation, verification, and enterprise deployment.

Read the Keygraph platform overview, visit the Keygraph website, book a demo, or contact shannon@keygraph.io.