# Shannon

By **keygraphhq** · Software & Tools

Open-source autonomous AI pentester for web apps and APIs, analyzes your source code and runs real exploits, for developers and security engineers.

- Source: https://keygraph.io/
- Repository: https://github.com/KeygraphHQ/shannon
- Install: `npm i shannon`
- Tags: open-source, security, pentesting, cli, agent, docker, appsec, self-hosted
- Pricing: free
- Upvotes: 0

## Features

- Autonomous multi-agent pentest pipeline: recon, vuln analysis, exploitation, reporting
- White-box attack planning using source-code analysis to guide live exploit attempts
- Proof-by-exploitation: only confirmed, working PoCs appear in the final report
- Covers SQL injection, XSS, SSRF, broken auth, IDOR, and authorization bypass classes
- Authenticated testing with configurable login flows, TOTP, and rules of engagement
- Resumable workspaces so interrupted scans can continue without restarting from scratch
- Custom tool extensibility via MCP endpoints, OpenAPI specs, or built-in Python tools
- Ephemeral Docker worker container with isolated per-scan workspace

---

## Why it matters

Your pen test runs once a year. Your team ships code every day. Shannon closes that 364-day gap by running autonomous, proof-by-exploitation security tests on demand, against every build if you want.

## The big picture

Shannon is the open-source agent at the center of Keygraph's AppSec platform. Per the README, it combines source-code analysis with live browser automation and CLI tooling to find and confirm real vulnerabilities, not just flag theoretical ones. Only a finding with a working proof-of-concept makes it into the report.

## How it works

Shannon runs a multi-agent pipeline: pre-reconnaissance reads your repo to map frameworks and entry points, reconnaissance explores the live app, then specialized agents for Injection, XSS, SSRF, Authentication, and Authorization run in parallel. Each exploit agent either proves the vulnerability or discards the hypothesis. A reporting agent compiles the validated set into a Markdown report with reproduction steps.

The open-source edition runs locally via `npx @keygraph/shannon setup` then `npx @keygraph/shannon start`. Docker handles the ephemeral worker container; Anthropic is the recommended AI provider, but AWS Bedrock, Google Vertex AI, and compatible proxy setups are documented.

## Zoom in

Shannon supports authenticated testing out of the box: you describe login flows, test credentials, TOTP, and rules of engagement in a config file. The docs also cover custom tool extensibility via MCP endpoints, OpenAPI specs, or built-in Python tools, with dynamic registration, rate limiting, domain allowlisting, and per-tool cost tracking.

## Yes, but

Shannon Open Source is white-box only and runs on demand. The commercial Keygraph platform adds continuous black-box and grey-box modes, Code Property Graph SAST, SCA with reachability, secrets and container scanning, a canonical findings system with Jira sync, automated patch PRs, and self-hosted/air-gapped deployment. If you need the full AppSec lifecycle rather than just the exploit engine, the platform is the right tool.

## The bottom line

Shannon gives any developer team a self-hosted, proof-driven pentester they can wire into their release pipeline today. The AGPL-3.0 license means the full agent is free to run; the Keygraph platform wraps it for enterprises that need continuous scanning and managed remediation.

## FAQ

### What is Shannon and how is it different from a regular vulnerability scanner?

Shannon is an autonomous AI pentester that combines source-code analysis with live exploit execution against web applications and APIs. Unlike static scanners that flag potential issues, Shannon only reports a finding when it can produce a working proof-of-concept, making every item in the report a confirmed, exploitable vulnerability. It covers OWASP-focused classes including SQL injection, XSS, SSRF, broken authentication, IDOR, and authorization bypasses.

### How do I install and run Shannon?

Shannon runs via npx on Node.js 18+ with Docker providing the ephemeral worker container. Start with `npx @keygraph/shannon setup` to configure your AI provider credentials through an interactive wizard, then run `npx @keygraph/shannon start -u https://your-app.com -r /path/to/your-repo` to kick off a pentest. Anthropic is the recommended AI provider, but AWS Bedrock and Google Vertex AI are also documented. Never run Shannon against a system you don't own or have explicit written authorization to test.

### Is Shannon free and open source?

Shannon Open Source is released under the AGPL-3.0 license and is free to run yourself. You will incur AI provider costs (Anthropic, AWS Bedrock, or Google Vertex AI) per scan, as Shannon does not include an LLM. The commercial Keygraph platform, which wraps Shannon with continuous scanning, managed findings, and automated remediation, has separate enterprise pricing; the Keygraph site notes that early-stage startups and non-profits get free access to the full platform.

### What is Shannon best for?

Shannon is best for development teams that ship code continuously and want more than an annual pen test. It is particularly strong for white-box, source-aware testing where having the repository enables Shannon to plan realistic attack paths rather than blind fuzzing. Teams validating OWASP vuln classes (injection, XSS, SSRF, auth, authorization) with reproducible PoCs, before a release or as part of a CI pipeline, get the most value from it.

### How does the open-source edition compare to the Keygraph platform?

Shannon Open Source is white-box only and runs on demand from the CLI, producing a local Markdown report. The Keygraph platform adds continuous black-box and grey-box pentest modes, Code Property Graph SAST, SCA with reachability analysis, secrets and container scanning, a canonical findings system with deduplication across sources, SLA tracking, Jira sync, automated fix PRs verified by point re-test, and self-hosted or air-gapped deployment. Per the README comparison table, the open-source edition is complete for proof-by-exploitation testing; the platform closes the full AppSec lifecycle around that engine.

### What are Shannon's key limitations and safety requirements?

Shannon executes real exploits, so it must only be run against applications and environments you own or have explicit written authorization to test; the README warns explicitly against running it against production systems. The open-source edition supports white-box mode only, black-box and grey-box require the Keygraph platform. Automated remediation (an auto-opened PR with a fix) is also a platform-only feature; in the open-source edition you fix manually from the report. Docker and Node.js 18+ are hard requirements.

---
[View on Analog](https://analoghq.ai/keygraphhq/software-tools/shannon)