The most-starred open-source pentester on GitHub.
Shannon is an open-source whitebox pentester for web applications and APIs. It reads your source code, identifies attack vectors, and runs working exploits to prove vulnerabilities before they reach production.
Docker, Node 18+, and an Anthropic API key. No signup, no account. Shannon runs locally on your machine.
# 1. Configure credentials (interactive wizard, one-time setup) $ npx @keygraph/shannon setup # Or export env vars directly $ export ANTHROPIC_API_KEY=your-api-key # 2. Run a pentest $ npx @keygraph/shannon start -u https://your-app.com -r /path/to/your-repo
Prerequisites: Docker · Node.js 18+ · Anthropic API key (or Bedrock / Vertex AI)
OWASP-class vulnerabilities validated with working exploits, not theoretical warnings.
Traces input from sources to dangerous sinks and fires real payloads.
Finds sanitization gaps and validates with real browser payloads.
Targets internal endpoints, cloud metadata APIs, and private services.
Tests auth bypass, session handling, and object-level authorization.
Authentication bypass, database exfiltration, and broken access controls, all with working proof-of-concept exploits.
See the full report →Four stages, from recon to report.
Nmap, Subfinder, WhatWeb, and Schemathesis map hosts, endpoints, and the stack.
Traces candidate attack vectors across five vulnerability domains.
Parallel agents fire working PoCs via browser and CLI.
Only exploitable vulnerabilities. Reproducible PoCs, source paths included.
Full architecture: Code Property Graph, multi-agent orchestration, static-dynamic correlation. See the Whitebox Pentester page →
Shannon is free to self-host. Your first pentest is one command away.