Open-source autonomous AI pentester for web apps and APIs, analyzes your source code and runs real exploits, for developers and security engineers.
What it does
Shannon is an autonomous, open-source AI pentester for web applications and APIs, built by Keygraph. It analyzes source code, plans attack paths, and executes real exploits, reporting only vulnerabilities it can prove with a working proof-of-concept.
Your pen test runs once a year. Your team ships code every day. Shannon closes that 364-day gap by running autonomous, proof-by-exploitation security tests on demand, against every build if you want.
Shannon is the open-source agent at the center of Keygraph's AppSec platform. Per the README, it combines source-code analysis with live browser automation and CLI tooling to find and confirm real vulnerabilities, not just flag theoretical ones. Only a finding with a working proof-of-concept makes it into the report.
Shannon runs a multi-agent pipeline: pre-reconnaissance reads your repo to map frameworks and entry points, reconnaissance explores the live app, then specialized agents for Injection, XSS, SSRF, Authentication, and Authorization run in parallel. Each exploit agent either proves the vulnerability or discards the hypothesis. A reporting agent compiles the validated set into a Markdown report with reproduction steps.
The open-source edition runs locally via npx @keygraph/shannon setup then npx @keygraph/shannon start. Docker handles the ephemeral worker container; Anthropic is the recommended AI provider, but AWS Bedrock, Google Vertex AI, and compatible proxy setups are documented.
Shannon supports authenticated testing out of the box: you describe login flows, test credentials, TOTP, and rules of engagement in a config file. The docs also cover custom tool extensibility via MCP endpoints, OpenAPI specs, or built-in Python tools, with dynamic registration, rate limiting, domain allowlisting, and per-tool cost tracking.
Shannon Open Source is white-box only and runs on demand. The commercial Keygraph platform adds continuous black-box and grey-box modes, Code Property Graph SAST, SCA with reachability, secrets and container scanning, a canonical findings system with Jira sync, automated patch PRs, and self-hosted/air-gapped deployment. If you need the full AppSec lifecycle rather than just the exploit engine, the platform is the right tool.
Shannon gives any developer team a self-hosted, proof-driven pentester they can wire into their release pipeline today. The AGPL-3.0 license means the full agent is free to run; the Keygraph platform wraps it for enterprises that need continuous scanning and managed remediation.
Features
Field notes
Reviewed Jun 26, 2026
Best for
Builder outcomes
Watch out
Tested with
Cost
Shannon Open Source is free to run under AGPL-3.0, but AI provider inference costs apply. The commercial Keygraph platform is required for continuous scanning, SAST, SCA, secrets scanning, and enterprise features; pricing is not detailed in the entry.
Go deeper
HN thread directly on Shannon's #1 GitHub debut as a Claude-powered AI pentester, with practitioner debate on abuse potential, white-hat scope, and script-kiddie democratisation.
Independent technical analysis of Shannon's proof-by-exploitation methodology—how it differs from SAST by only surfacing vulnerabilities with working PoC exploits.
Candid independent blog post clarifying Shannon's architecture at the intersection of AI, security, and CI/CD, with honest corrections of common misunderstandings about the tool.
Shannon is an autonomous AI pentester that combines source-code analysis with live exploit execution against web applications and APIs. Unlike static scanners that flag potential issues, Shannon only reports a finding when it can produce a working proof-of-concept, making every item in the report a confirmed, exploitable vulnerability. It covers OWASP-focused classes including SQL injection, XSS, SSRF, broken authentication, IDOR, and authorization bypasses.
Shannon runs via npx on Node.js 18+ with Docker providing the ephemeral worker container. Start with `npx @keygraph/shannon setup` to configure your AI provider credentials through an interactive wizard, then run `npx @keygraph/shannon start -u https://your-app.com -r /path/to/your-repo` to kick off a pentest. Anthropic is the recommended AI provider, but AWS Bedrock and Google Vertex AI are also documented. Never run Shannon against a system you don't own or have explicit written authorization to test.
Shannon Open Source is released under the AGPL-3.0 license and is free to run yourself. You will incur AI provider costs (Anthropic, AWS Bedrock, or Google Vertex AI) per scan, as Shannon does not include an LLM. The commercial Keygraph platform, which wraps Shannon with continuous scanning, managed findings, and automated remediation, has separate enterprise pricing; the Keygraph site notes that early-stage startups and non-profits get free access to the full platform.
Shannon is best for development teams that ship code continuously and want more than an annual pen test. It is particularly strong for white-box, source-aware testing where having the repository enables Shannon to plan realistic attack paths rather than blind fuzzing. Teams validating OWASP vuln classes (injection, XSS, SSRF, auth, authorization) with reproducible PoCs, before a release or as part of a CI pipeline, get the most value from it.
Shannon Open Source is white-box only and runs on demand from the CLI, producing a local Markdown report. The Keygraph platform adds continuous black-box and grey-box pentest modes, Code Property Graph SAST, SCA with reachability analysis, secrets and container scanning, a canonical findings system with deduplication across sources, SLA tracking, Jira sync, automated fix PRs verified by point re-test, and self-hosted or air-gapped deployment. Per the README comparison table, the open-source edition is complete for proof-by-exploitation testing; the platform closes the full AppSec lifecycle around that engine.
Shannon executes real exploits, so it must only be run against applications and environments you own or have explicit written authorization to test; the README warns explicitly against running it against production systems. The open-source edition supports white-box mode only, black-box and grey-box require the Keygraph platform. Automated remediation (an auto-opened PR with a fix) is also a platform-only feature; in the open-source edition you fix manually from the report. Docker and Node.js 18+ are hard requirements.
Crashland@crashlandenx
“Security testing that's actually auditable. Shannon changes the game: • White-box AI pentesting—you see the reasoning, not just results • Hunts vulnerabilities across code and infrastructure • Transparent threat detection beats black-box co…”
AI's Nest@ainesthub1
“1/ Developed by Keygraph, Shannon is an open-source AI pentester for web apps and APIs. It analyzes your source code, maps attack paths, and executes real exploits—not just alerts. Unlike traditional scanners, Shannon follows a simple rule:…”
NVIDIA's open-source security scanner for AI agent skills, detects prompt injection, supply chain attacks, and 66 other vulnerability patterns before you install.
Best for Teams auditing AI agent skills before installation in Claude Code, Codex CLI, or Gemini CLI environmentsAnatomia, CLI harness that gives AI coding agents a verifiable pipeline and proof chain, not just prompts. MIT-licensed, works with Claude Code, Codex, and more.
Free repo scanner that checks GitHub and Bitbucket projects for malware, credential stealers, and crypto scams before you run their code.
Best for Developers vetting unfamiliar GitHub or Bitbucket repos before cloning or running them locallyOpenAI's open-source agent orchestrator that converts project tasks into autonomous, isolated coding runs, so teams manage work, not coding agents.
Best for Engineering teams with mature test and lint harnesses who want autonomous task-to-PR pipelinesOpen-source AI code reviewer with bring-your-own-model, custom rule enforcement, and zero LLM markup for engineering teams.
Best for Teams with custom coding standards, domain rules, or naming conventions that generic AI reviewers missOpen-source toolkit for Spec-Driven Development with AI coding agents, structured specs, plans, and tasks instead of vibe coding.
Best for Teams using AI coding agents on projects where correctness and reliability matter more than speed of first output