DEV.co
Open-Source Security · KeygraphHQ

shannon

Shannon is an autonomous AI pentester that analyzes your application source code and executes real exploits against running web apps and APIs to identify vulnerabilities before production. It combines static code analysis with dynamic exploitation to produce proof-of-concept reports rather than theoretical warnings.

Source: GitHub — github.com/KeygraphHQ/shannon
45.5k
GitHub stars
5.3k
Forks
TypeScript
Primary language
AGPL-3.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
RepositoryKeygraphHQ/shannon
OwnerKeygraphHQ
Primary languageTypeScript
LicenseAGPL-3.0 — OSI-approved
Stars45.5k
Forks5.3k
Open issues23
Latest releasev1.9.0 (2026-07-04)
Last updated2026-07-04
Sourcehttps://github.com/KeygraphHQ/shannon

What shannon is

Shannon is a TypeScript-based CLI agent that performs white-box security testing by parsing source code, planning attack vectors via LLM reasoning, and executing exploits using browser automation and command-line tools. It runs in a Docker worker container, requires an AI provider (Anthropic recommended), and produces Markdown reports with reproducible proof-of-concept steps.

Quickstart

Get the shannon source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/KeygraphHQ/shannon.gitcd shannon# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Pre-production security gates in CI/CD

Integrate Shannon into build pipelines to run automated pentesting on every release candidate, closing the gap between continuous deployment and annual penetration tests.

White-box testing of in-house web applications

For teams with source code access to their own applications, Shannon provides on-demand proof-by-exploitation testing focused on OWASP Top 10 vectors (injection, XSS, SSRF, auth bypass, IDOR).

API security validation with authentication flows

Shannon supports authenticated scans with configurable login flows, TOTP, and email-based authentication, making it suitable for testing secured APIs and multi-tenant applications.

Implementation considerations

  • Requires explicit written authorization to test. Shannon executes real exploits—only run against systems you own or have permission to test; production use requires careful environment isolation and approval.
  • AI provider dependency: Anthropic is recommended; AWS Bedrock and Google Vertex AI are documented alternatives. Model cost and response latency will impact scan duration; larger codebases may require multiple LLM calls.
  • Docker and Node.js 18+ are mandatory. Worker image is pulled from Docker Hub; network and registry access must be available. Ephemeral container isolation means no persistent state between runs.
  • Configuration via files or interactive setup: login flows, credentials, TOTP, and rules of engagement are specified declaratively. Teams must version-control and maintain these configurations alongside their test targets.
  • Resumable workspaces allow interrupted scans to continue, but state management across retries and long-running tests should be monitored. Plan for LLM rate limits and provider quota constraints.

When to avoid it — and what to weigh

  • You need black-box testing without source code — Shannon is explicitly white-box and requires source code access. For unauthenticated or external black-box pentesting, alternatives like Burp Suite Pro or commercial pentesting services are better suited.
  • You require commercial support and SLAs — Shannon Open Source is community-supported (AGPL-3.0 licensed). For enterprise support, continuous scanning, and managed remediation workflows, Keygraph's commercial platform is the intended offering.
  • Your application uses uncommon languages or frameworks — Shannon is LLM-driven and source-aware, but effective exploitation depends on the model's understanding of your tech stack. Highly specialized or niche frameworks may yield false negatives.
  • You cannot run Docker or provide LLM credentials — Shannon requires Docker for the worker container and API credentials (Anthropic, AWS Bedrock, or Google Vertex AI). Air-gapped or restricted environments without these will not function.

License & commercial use

Shannon Open Source is licensed under AGPL-3.0 (GNU Affero General Public License v3.0). This is a strong copyleft license: any modifications or networked use trigger derivative work obligations. Commercial use is permissible only under the terms of the AGPL-3.0 (requires source disclosure if distributed).

AGPL-3.0 is not a permissive license. Commercial use of Shannon Open Source is possible but requires compliance with AGPL-3.0 terms, including source code disclosure if you modify or distribute it. For proprietary commercial deployment without copyleft obligations, Keygraph's commercial platform (with a different license) is the intended product. Requires legal review before commercial adoption.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Shannon executes real exploits against live targets. Operator must ensure explicit written authorization before running; misuse against unauthorized systems is illegal. Run only on test/staging environments you control. Docker worker is ephemeral and read-only to source, reducing persistent compromise risk. AI model reasoning is opaque—no guarantee all exploits are legitimate or safe; operator oversight required. No details on data retention, logging, or credential handling beyond environment variables provided. Review Keygraph's security posture documentation for details on encryption, audit trails, and data egress.

Alternatives to consider

Keygraph (commercial platform)

Same Shannon engine, but with continuous scanning, automated remediation, finding deduplication, SAST/SCA/Code Property Graph analysis, and enterprise support. No AGPL copyleft obligations. Intended for organizations needing managed AppSec.

Burp Suite Pro with automated scanning

Industry-standard web pentesting tool with GUI, active scanning, authenticated flows, and professional reporting. Black-box and grey-box capable; no source code analysis. Suitable for teams preferring UI workflows and vendor support.

Custom CI/CD security scanning (SAST + DAST)

Combination of tools like SonarQube, Snyk, or Veracode for SAST; OWASP ZAP or Nuclei for DAST. More modular, lower LLM dependency, but requires manual orchestration and lacks autonomous agent reasoning.

Software development agency

Build on shannon with DEV.co software developers

Run Shannon on your codebase with a single command. Combine source analysis with proof-by-exploitation to catch vulnerabilities early. Start with the quick-start guide.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

shannon FAQ

Can Shannon test production systems?
Shannon executes real exploits. The README explicitly warns against running against production. Only test systems you own or have written authorization to test. Unauthorized access is illegal.
What if I don't have source code access?
Shannon is white-box; source code is required. For black-box testing, use Burp Suite Pro, OWASP ZAP, or commercial penetration testing services.
Can I use Shannon commercially without AGPL obligations?
AGPL-3.0 requires source disclosure if you distribute or use it in a network service. For proprietary commercial use without copyleft, Keygraph's commercial platform has a different license. Requires legal review.
Does Shannon work with my tech stack?
Shannon is LLM-driven and source-aware. Effectiveness depends on the model's familiarity with your language and framework. TypeScript and common web stacks (Node.js, Python, Java) are well-supported; niche or proprietary stacks may underperform.

Custom software development services

Need help beyond evaluating shannon? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.

Automate your penetration testing today

Run Shannon on your codebase with a single command. Combine source analysis with proof-by-exploitation to catch vulnerabilities early. Start with the quick-start guide.