KeygraphHQ/shannon
Shannon
Shannon is an autonomous, white-box AI penetration tester for web applications and APIs, developed by Keygraph. Given a GitHub repository and a target URL, it analyzes the source code to map the attack surface, then dispatches 13 specialized agents across five sequential and parallel phases — pre-reconnaissance, reconnaissance, vulnerability analysis, exploitation, and reporting — to confirm vulnerabilities with live proof-of-concept attacks. Shannon's "no exploit, no report" policy means the final deliverable contains only proven findings with copy-and-paste PoCs, not a list of theoretical alerts.
The open-source edition (Shannon Lite, AGPL-3.0) covers SQL injection, command injection, XSS, SSRF, and broken authentication / authorization. Shannon scored 96.15% (100/104 exploits) on a hint-free, source-aware variant of the XBOW security benchmark. The commercial Shannon Pro edition adds Code Property Graph-based SAST, SCA with reachability analysis, secrets detection, business logic security testing, and a black-box pentesting mode that requires no source code access.
Features
- Fully autonomous operation — A single `npx @keygraph/shannon start` command launches the full pentest; Shannon handles 2FA/TOTP logins (including SSO), browser navigation, exploitation, and report generation.
- Reproducible PoC exploits — Only vulnerabilities with a working proof-of-concept reach the final report; unconfirmed hypotheses are discarded.
- OWASP vulnerability coverage — Broken Authentication & Authorization, SQL injection, command injection, XSS, and SSRF; additional categories in development.
- Parallel execution — Vulnerability analysis and exploitation phases run concurrently across five OWASP attack domains.
- Code-aware dynamic testing — Source code analysis guides which attack paths to prioritize before live exploitation begins.
- Integrated security tooling — Leverages Nmap, Subfinder, WhatWeb, and Schemathesis during reconnaissance phases.
- Workspace checkpointing — Runs are checkpointed via git commits; interrupted scans resume from the last completed agent without re-running earlier phases.
- Multi-provider AI backend — Supports Anthropic direct API, AWS Bedrock, and Google Vertex AI; three model tiers (Haiku / Sonnet / Opus) configurable per stage.
- Configuration file — Optional YAML config sets credentials, TOTP secrets, focus paths, avoid paths, and pipeline concurrency limits.
- Shannon Pro: agentic SAST — Transforms codebase into a Code Property Graph; traces data flow from sources to sinks with LLM reasoning at every node.
- Shannon Pro: SCA with reachability — Checks whether vulnerable library functions are actually reachable via the CPG, eliminating 70–90% of conventional SCA noise.
- Shannon Pro: business logic testing — Discovers application-specific invariants, generates targeted fuzzers, and synthesizes PoC exploits for logic errors no pattern scanner can detect.
- Shannon Pro: secrets detection — Regex tier plus LLM tier for non-obvious exposures (string concatenation, environment indirection, serialized data structures).
- Shannon Pro: black-box mode — Agents navigate via a real browser with no source code access; accepts up to four login credential sets for IDOR and privilege-escalation cross-role testing.
- Self-hosted deployment — Data plane (code access, LLM API calls) runs entirely within customer infrastructure; source code never leaves the customer's network.
Documentation
- README — setup, commands, and architecture
- Coverage and roadmap — OWASP WST checklist
- Shannon Pro technical overview
- Product page — keygraph.io/shannon
Quick start
# One-time credential setup (interactive wizard)
npx @keygraph/shannon setup
# Run a pentest
npx @keygraph/shannon start -u https://your-app.com -r /path/to/your-repo
# Monitor progress
npx @keygraph/shannon logs <workspace>
open http://localhost:8233 # Temporal Web UI
Tags
- Maturity
  - Beta: Actively developed but pre-1.0 — no stable release tagged yet.
- Release pattern
  - Tight: Frequent releases with short gaps — max release gap under 30 days.
- Persona
  - DevOps Engineer: Engineers deploying containerized services and managing infrastructure.
  - Backend Engineer: Engineers building server-side services, APIs, and infrastructure components.
  - Security Researcher: Security engineers, penetration testers, and AppSec practitioners validating vulnerabilities.
- License Category
  - Copyleft: Copyleft license requiring source sharing when the software is offered as a service.
- Built With
  - Temporal: Durable workflow orchestration engine used to manage and checkpoint multi-agent scan pipelines.
  - Claude Agent SDK: Anthropic's Claude Agent SDK provides the AI reasoning engine powering all 13 Shannon agents.
- Security Posture
  - Unrated: OSSF Scorecard has not yet scanned this repository — security posture is unknown.
- Maintainer Model
  - Company-backed: Developed and funded by a commercial company.
- Form Factor
  - CLI Tool: Distributed as a CLI tool invokable via npx or local build, with a Docker-based worker backend.
- Platform
  - CLI: Command-line interface as the primary interaction surface.
  - Server: Runs on server or bare-metal hardware, not a hosted cloud service.
- Issue load
  - Well-resourced: Very low ratio of open issues to stars, indicating active issue management.
- Use case
  - AppSec Platform Consolidation: When I manage a growing engineering team using four separate security tools that produce duplicate alerts in different formats, I want to consolidate into a single platform covering SAST, SCA, secrets, and dynamic pentesting, so I can reduce integration overhead and get correlated findings.
  - IDOR and Privilege Escalation Testing: When my application has role-based access control and I need to verify that users can't access each other's data or escalate privileges, I want Shannon to run multi-credential testing across different roles, so I can find IDOR and authorization failures before they reach production.
  - OWASP API Security Testing: When I build APIs and need to validate them against the OWASP API Security Top 10, I want Shannon to run automated authenticated testing against the live endpoints, so I can ship APIs without unknown injection or authorization flaws.
  - SCA with Reachability Analysis: When my SCA tool flags 200 CVEs in dependencies but I can't tell which ones are actually exploitable in my application, I want reachability analysis that traces execution paths from entry points through the CPG, so I can focus remediation on the vulnerabilities that can actually be reached.
  - Authenticated Pentest with 2FA/TOTP: When my application requires two-factor authentication and existing scanners can't get past the login page, I want Shannon to handle TOTP generation and SSO login automatically, so I can get full coverage of authenticated routes and protected API endpoints.
  - AI Pentest on Every Build: When my team ships code continuously but penetration tests happen only once a year, I want Shannon to run an automated pentest on every build, so I can close the security gap without waiting for the next scheduled engagement.
  - Zero-False-Positive Vulnerability Scan: When I receive hundreds of vulnerability alerts from my SAST tool with no way to know which are real, I want a scanner that only reports findings it has actively exploited, so I can fix the vulnerabilities that actually matter without triaging noise.
  - Pentest toolkit: When I need to run a penetration test against a web application, I want an autonomous AI agent that executes real exploits against the live target, so I can get a pentest-grade report with reproducible PoCs instead of scheduling a manual engagement.
  - Black-Box URL Pentest: When I need to security test a third-party or proprietary application where I have no source code access, I want to point Shannon at the URL and let it navigate and attack like a human pentester, so I can discover real vulnerabilities without requiring code access.
  - White-Box Source Code Pentest: When I have access to my application's source code and want more thorough penetration testing than black-box tools provide, I want an AI agent that reads the code to identify vulnerable data flows before attempting live exploitation, so I get deeper coverage with fewer missed vulnerabilities.
- Ecosystem
  - Node.js: JavaScript runtime built on V8 for building server-side and CLI applications.
  - JavaScript: Built with JavaScript, runs in the browser or any JS runtime.
  - Docker: Runs and manages Docker container workloads.
- Stack
  - Docker Compose: Local development and runtime are orchestrated with docker-compose.
- Status
  - Active: Receives recent commits and releases, issues are being addressed.
- Features
  - Workspace Resume Checkpointing: Scan state is checkpointed so interrupted runs can resume from the last completed agent phase.
  - No Exploit, No Report Policy: Only confirmed, exploitable vulnerabilities appear in the final report; unconfirmed hypotheses are discarded.
  - Agent Sandbox: Run agent tool execution inside isolated Docker containers for a hard security boundary around untrusted code.
  - Gateway: Central long-running process that owns all channel connections, agent routing, and session state.
  - Autonomous Pentest Engine: Multi-agent pipeline that autonomously executes reconnaissance, vulnerability analysis, exploitation, and report generation without manual intervention.
  - Multi-agent routing: Route channels, groups, or senders to different isolated agents each with their own workspace, model, and tools.
  - Exec approvals: Interactive button-based approval flow that pauses agent shell commands pending human sign-off in chat.
  - Dockerized dev workflow: Provides a Makefile + docker-compose flow for setup, migrations, and superuser creation.
  - Temporal Workflow Engine: Uses Temporal for durable, resumable scan workflow orchestration across multi-agent phases.
  - CPG Data Flow Analysis: Code Property Graph-based taint analysis that traces user inputs to dangerous sinks with LLM reasoning at each node.
  - Business Logic Invariant Testing: Discovers application-specific security invariants, generates fuzzers to violate them, and synthesizes proof-of-concept exploits for logic bugs.
- License
  - AGPL-3.0: GNU Affero General Public License v3.0 — copyleft, sharing requirements apply to SaaS providers.
Documentation
16 pages indexed · 1,798 words

README: Shannon — AI Pentester by Keygraph (github.com/KeygraphHQ/shannon/blob/main/README.md)
Shannon is an autonomous, white-box AI pentester for web applications and APIs. It analyzes your source code, identifies attack vectors, and executes real exploits to prove vulnerabilities before they reach production.
Shannon analyzes your web application's source code to identify potential attack vectors, then uses browser automation and command-line tools to execute real exploits (injection attacks, authentication bypass, SSRF, XSS) against the running application and its APIs. Only vulnerabilities with a working proof-of-concept are included in the final report.
Why Shannon Exists: Thanks to tools like Claude Code and Cursor, your team ships code non-stop. But your penetration test happens once a year. Shannon closes that gap by providing on-demand, automated penetration testing that can run against every build or release.
README: Shannon Features (github.com/KeygraphHQ/shannon/blob/main/README.md)
Features
- Fully Autonomous Operation: A single command launches the full pentest. Shannon handles 2FA/TOTP logins (including SSO), browser navigation, exploitation, and report generation without manual intervention.
- Reproducible Proof-of-Concept Exploits: The final report contains only proven, exploitable findings with copy-and-paste PoCs. Vulnerabilities that cannot be exploited are not reported.
- OWASP Vulnerability Coverage: Identifies and validates Injection, XSS, SSRF, and Broken Authentication/Authorization, with additional categories in development.
- Code-Aware Dynamic Testing: Analyzes source code to guide attack strategy, then validates findings with live browser and CLI-based exploits against the running application.
- Integrated Security Tooling: Leverages Nmap, Subfinder, WhatWeb, and Schemathesis during reconnaissance and discovery phases.
- Parallel Processing: Vulnerability analysis and exploitation phases run concurrently across all attack categories.
README: Shannon Product Line — Lite vs Pro (github.com/KeygraphHQ/shannon/blob/main/README.md)
Shannon is available in two editions:
| Edition | License | Best For |
|---|---|---|
| Shannon Lite | AGPL-3.0 | Local testing of your own applications. |
| Shannon Pro | Commercial | Organizations needing a single AppSec platform (SAST, SCA, secrets, business logic testing, autonomous pentesting) with CI/CD integration and self-hosted deployment. |

White-box only. Shannon Lite is designed for white-box (source-available) application security testing. It expects access to your application's source code and repository layout.
Shannon Pro is an all-in-one AppSec platform that replaces the need to stitch together separate SAST, SCA, secrets scanning, and pentesting tools. It operates as a two-stage pipeline: agentic static analysis of the codebase, followed by autonomous AI penetration testing.
README: Shannon Quick Start (github.com/KeygraphHQ/shannon/blob/main/README.md)
Quick Start (Recommended: npx)
# 1. Configure credentials (interactive wizard — one-time setup)
npx @keygraph/shannon setup
# Or export env vars directly
export ANTHROPIC_API_KEY=your-api-key
# 2. Run a pentest
npx @keygraph/shannon start -u https://your-app.com -r /path/to/your-repo

Shannon will pull the worker image from Docker Hub, start the infrastructure, and launch an ephemeral worker container for the scan.
Docker is still required. Under the hood, the CLI pulls and runs a prebuilt Shannon worker image (~1 GB) from Docker Hub, which contains Shannon plus all required dependencies. Shannon mounts the target repository as read-only inside the worker container.
README: Shannon Architecture — 5-Phase Multi-Agent Pipeline (github.com/KeygraphHQ/shannon/blob/main/README.md)
Architecture
Shannon uses a multi-agent architecture that combines white-box source code analysis with dynamic exploitation across five phases:
- Phase 1: Pre-Reconnaissance — External scanning using nmap, subfinder, and whatweb to fingerprint the target's infrastructure and tech stack. Simultaneously performs source code analysis.
- Phase 2: Reconnaissance — Builds a comprehensive attack surface map. Browser automation correlates code-level insights with real-world behavior.
- Phase 3: Vulnerability Analysis — 5 concurrent agents for each OWASP category (injection, XSS, auth, authz, SSRF) hunt for potential flaws in parallel. Produces a list of hypothesized exploitable paths.
- Phase 4: Exploitation — Dedicated exploit agents attempt real-world attacks using browser automation, command-line tools, and custom scripts. Strict 'No Exploit, No Report' policy.
- Phase 5: Reporting — Compiles all validated findings into a professional, actionable report with reproducible, copy-and-paste Proof-of-Concepts.
Shannon uses Anthropic's Claude Agent SDK as its reasoning engine. Each scan runs in its own ephemeral Docker container with a per-invocation Temporal task queue.
README: Shannon Benchmark — XBOW Security Score (github.com/KeygraphHQ/shannon/blob/main/README.md)
Benchmark
Shannon Lite scored 96.15% (100/104 exploits) on a hint-free, source-aware variant of the XBOW security benchmark.
Full results with detailed agent logs and per-challenge pentest reports are linked from the README.
README: Shannon Sample Reports — OWASP Juice Shop, c{api}tal, crAPI (github.com/KeygraphHQ/shannon/blob/main/README.md)
Sample Reports
OWASP Juice Shop — Identified over 20 vulnerabilities across targeted OWASP categories in a single automated run. Notable findings: authentication bypass and full user database exfiltration via SQL injection, privilege escalation to administrator through registration workflow bypass, IDOR vulnerabilities enabling access to other users' data, SSRF enabling internal network reconnaissance.
c{api}tal API (Checkmarx) — Approximately 15 critical and high-severity vulnerabilities. Notable: root-level command injection via denylist bypass, authentication bypass through a legacy v1 API endpoint, privilege escalation via Mass Assignment, zero false positives for XSS.
OWASP crAPI — Over 15 critical and high-severity vulnerabilities. Notable: authentication bypass via multiple JWT attacks (Algorithm Confusion, alg:none, weak key injection), full PostgreSQL database compromise via injection, SSRF attack forwarding internal authentication tokens to an external service, zero false positives for XSS.
README: Shannon Workspaces and Resume Support (github.com/KeygraphHQ/shannon/blob/main/README.md)
Workspaces and Resuming
Shannon supports workspaces that allow you to resume interrupted or failed runs without re-running completed agents.
- Every run creates a workspace (auto-named by default)
- Workspaces are stored in `./workspaces/` (local mode) or `~/.shannon/workspaces/` (npx mode)
- Use `-w <name>` to give your run a custom name
- To resume any run, pass its workspace name via `-w` — Shannon detects which agents completed successfully and picks up where it left off
- Each agent's progress is checkpointed via git commits

# Resume a workspace
npx @keygraph/shannon start -u https://example.com -r /path/to/repo -w my-audit

README: Shannon Configuration — Credentials, Authentication, Rules (github.com/KeygraphHQ/shannon/blob/main/README.md)
Credentials and Configuration
description: "Next.js e-commerce app on PostgreSQL."
authentication:
  login_type: form
  login_url: "https://your-app.com/login"
  credentials:
    username: "test@example.com"
    password: "yourpassword"
    totp_secret: "LB2E2RX7XFHSTGCK" # Optional for 2FA
rules:
  avoid:
    - description: "AI should avoid testing logout functionality"
      type: path
      url_path: "/logout"
  focus:
    - description: "AI should emphasize testing API endpoints"
      type: path
      url_path: "/api"

Supports AWS Bedrock and Google Vertex AI in addition to direct Anthropic API keys. Shannon uses three model tiers: small (claude-haiku) for summarization, medium (claude-sonnet) for security analysis, and large (claude-opus) for deep reasoning.
README: Shannon Pro — Two-Stage Pipeline with Static-Dynamic Correlation (github.com/KeygraphHQ/shannon/blob/main/README.md)
Shannon Pro Architecture
Shannon Pro is an all-in-one AppSec platform replacing separate SAST, SCA, secrets scanning, and pentesting tools. Two-stage pipeline:
Stage 1: Agentic Static Analysis — Transforms codebase into a Code Property Graph (CPG) combining AST, control flow graph, and program dependence graph. Five capabilities:
- Data Flow Analysis (SAST): LLM evaluates whether specific sanitization is sufficient at each node
- Point Issue Detection: Weak cryptography, hardcoded credentials, missing security headers, weak RNG
- Business Logic Security Testing: Automated invariant discovery, fuzzer generation, exploit synthesis
- SCA with Reachability Analysis: Traces whether vulnerable function is reachable via CPG (eliminates 70-90% of SCA noise)
- Secrets Detection: Regex + LLM-based detection for non-obvious exposures
Stage 2: Dynamic Penetration Testing — Same 13-agent pipeline as Shannon Lite with static findings injected into exploitation queue. Static-Dynamic Correlation: every data flow vulnerability fed to the exploit agent, which attempts to exploit it against the live application.
Deployment: Self-hosted runner model. Data plane runs within customer's infrastructure using customer's own API keys. Source code never leaves customer's network.
README: Shannon Disclaimers and Usage Guidelines (github.com/KeygraphHQ/shannon/blob/main/README.md)
Disclaimers
- Not a passive scanner. Exploitation agents actively execute attacks to confirm vulnerabilities. Can have mutative effects (creating users, modifying data).
- DO NOT run on production environments. For sandboxed, staging, or local development environments only.
- Authorized use only. You must have explicit, written authorization from the owner of the target system.
- Coverage: Targets Broken Authentication & Authorization, Injection, XSS, SSRF. Not exhaustive.
- Cost: Full test run typically takes 1 to 1.5 hours, approximately $50 USD using Claude 4.5 Sonnet.
- Only Claude models officially supported. Smaller or alternative models may not reliably follow Shannon's instructions.
README: Shannon Coverage — OWASP WST Checklist (github.com/KeygraphHQ/shannon/blob/main/COVERAGE.md)
Current Coverage
Shannon currently targets the following classes of exploitable vulnerabilities:
- Broken Authentication & Authorization
- SQL Injection (SQLi)
- Command Injection
- Cross-Site Scripting (XSS)
- Server-Side Request Forgery (SSRF)
WST Testing Checklist (subset): WSTG-INFO-06 through INFO-10 (entry points, execution paths, framework fingerprinting), WSTG-CONF-10 (subdomain takeover), WSTG-IDNT-01 through 05 (identity management), WSTG-ATHN-01 through 11 (authentication testing including MFA), WSTG-ATHZ-01 through 05 (authorization testing including IDOR, privilege escalation, OAuth weaknesses).
Shannon by Keygraph — AI Pentester and Full AppSec Suite (keygraph.io/shannon)
Shannon operates as a two-stage pipeline: agentic static analysis of the codebase, followed by autonomous dynamic penetration testing against the running application. Findings from both stages are correlated to produce a unified, high-confidence result set with reproducible proof-of-concept exploits for every finding.
Core principle: PoC or it didn't happen. Only proven exploits in report.
Stage 1: Agentic Static Analysis — Data flow analysis, point issue detection, business logic security testing, SCA + reachability analysis, secrets detection.
Stage 2: Shannon Pro (13 Agents) — Pre-recon, recon, 5 parallel vuln analysis agents, 5 parallel exploit agents, reporting.
Black Box Mode: Point Shannon at a URL and let it attack. Agents autonomously navigate your application using a real browser and terminal. Test as often as you like. No source code access ever.
Context configuration: credentials (up to 4 login credentials, Google OAuth, GitHub, custom auth), focus areas, avoid lists, OpenAPI spec for thorough endpoint coverage.
Shannon Plans — Lite (Free OSS), Base, Growth, Enterprise (keygraph.io/shannon)
Plans
Shannon Lite — Always free and open-source (AGPL-3.0). For devs and curious minds. Unlimited developer seats. Agentic whitebox pentester, community Discord.
Base — For small teams covering the basics. Agentic whitebox pentester + agentic SAST + unified security findings + RBAC + audit logs. Add-ons available: blackbox pentester, business logic testing, SCA, secrets scanning, IaC scanning, container scanning, CI/CD integrations, issue trackers.
Growth — Everything bundled. All 9 add-ons bundled, dedicated Slack channel.
Enterprise — SAML/SSO, compliance reports (SOC 2, PCI, ISO, HIPAA), custom SLAs, assigned support engineer.
Bring Your Own Key (BYOK) — Connect your own Anthropic API key. Unlimited viewer seats on every tier.
About Keygraph — Building the Autonomous Security Engineer (keygraph.io/about)
Building the Autonomous Security Engineer. Long-term vision: build a system that can do the job of a security engineer — observe, reason, and act across your entire environment, autonomously.
Shannon is the starting point. Shannon combines static analysis, dynamic testing, and LLM-powered reasoning to do work that used to require a senior security engineer and a handful of separate tools.
Roadmap: AppSec now → Cloud Security next → Security Operations then.
Founder: Varun Sivamani (former engineering lead for HRIS and Payroll divisions at Lattice). Investors: Authentic Ventures, Pear VC, Urban Innovation Fund. Angel investors: Stephen Poletto (Lattice CTO), Jeff Arnold (Pilot.com Founder).
Shannon Black Box Mode — No Source Code Required (keygraph.io/shannon)
Black Box Mode: True black box pentesting. We never see your code.
Point Shannon at a URL and let it attack. Agents autonomously navigate your application using a real browser and terminal, just like a human pentester would.
Input: Target URL + optional context (credentials, focus areas, OpenAPI spec, avoid list).
Process: Agents navigate app in a real browser, log in, use flows, run terminal commands. Hypotheses formed against OWASP 2025 (A01, A05, A07) and exploited.
Output: Pentest-grade report. Every validated exploit documented with reproducible PoC, impact analysis, OWASP ID, and severity rating. Only confirmed vulnerabilities.
Deployment targets: localhost dev setups via ngrok, or staging/sandbox URLs after domain ownership verification via DNS TXT record.