Skip to content

Introduction to Shannon

Shannon is an autonomous AI pentester developed by Keygraph. It performs white-box security testing of web applications and their underlying APIs by combining source-code analysis with live exploitation.

Shannon analyzes your web application’s source code to identify potential attack vectors, then uses browser automation and command-line tools to execute real exploits against the running application and its APIs. Only vulnerabilities with a working proof-of-concept are included in the final report.

One name covers two things: Shannon Open Source, documented here, is the standalone pentester you run yourself; the same agent also powers the Keygraph platform, Keygraph’s commercial pentesting product. See Editions for how the two compare.

Thanks to tools like Claude Code and Cursor, your team ships code non-stop. Most teams still pentest once a year. Between tests, vulnerabilities can ship to production and sit there unnoticed.

Shannon closes that gap by providing on-demand, automated penetration testing that can run against every build or release.

Shannon uses a multi-agent workflow that combines source-code analysis with live exploitation. Each scan flows through five phases:

  1. Pre-reconnaissance identifies frameworks, entry points, data flows, and likely attack surfaces from the repository.
  2. Reconnaissance explores the live application and correlates runtime behavior with code-level context.
  3. Vulnerability analysis runs specialized agents for Injection, XSS, SSRF, Authentication, and Authorization.
  4. Exploitation attempts real proof-of-concept attacks and discards hypotheses that cannot be proven.
  5. Reporting compiles validated findings, evidence, and remediation guidance into a final Markdown report.
flowchart TD
A["1 · Pre-Reconnaissance<br/><small>source-code scan</small>"] --> B["2 · Reconnaissance<br/><small>attack-surface mapping</small>"]

B --> V1["Analysis · Injection"]
B --> V2["Analysis · XSS"]
B --> V3["Analysis · SSRF"]
B --> V4["Analysis · Auth"]

V1 --> X1["Exploit · Injection"]
V2 --> X2["Exploit · XSS"]
V3 --> X3["Exploit · SSRF"]
V4 --> X4["Exploit · Auth"]

X1 --> R["5 · Reporting<br/><small>validated findings</small>"]
X2 --> R
X3 --> R
X4 --> R

subgraph P3 ["3 · Vulnerability analysis"]
  V1
  V2
  V3
  V4
end
subgraph P4 ["4 · Exploitation"]
  X1
  X2
  X3
  X4
end
Shannon's five-phase scan workflow

Each scan runs in an ephemeral Docker container with its own isolated workspace, so runs never share state.

  • Proof-by-exploitation reports: validated findings with reproducible proof-of-concept steps instead of speculative warnings.
  • White-box attack planning: source-code analysis guides dynamic testing toward realistic attack paths.
  • Autonomous execution: reconnaissance, vulnerability analysis, exploitation, and report generation launch from a single command.
  • Authenticated testing: configuration files can describe login flows (including TOTP and email-based login), test credentials, focus areas, and rules of engagement.
  • OWASP-focused coverage: targets exploitable Injection, XSS, SSRF, Broken Authentication, and Broken Authorization issues.
  • Resumable workspaces: resume interrupted runs without re-running completed agents.

These sample penetration test reports were produced by Shannon Open Source against intentionally vulnerable applications:

TargetSummary
OWASP Juice Shop20+ vulnerabilities, including authentication bypass, SQL injection, IDOR, and SSRF.
c{api}tal API~15 critical and high-severity API findings, including command injection, auth bypass, and mass assignment.
OWASP crAPI15+ critical and high-severity findings across JWT, injection, SSRF, and API authorization paths.

Shannon actively executes exploits. Run it only against applications and environments you own or have explicit written authorization to test, and never against production systems. Read Safety & Limitations before your first run.

Continue to the Quick Start to run your first pentest.