shannon
Shannon is an autonomous AI pentester that analyzes your application source code and executes real exploits against running web apps and APIs to identify vulnerabilities before production. It combines static code analysis with dynamic exploitation to produce proof-of-concept reports rather than theoretical warnings.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | KeygraphHQ/shannon |
| Owner | KeygraphHQ |
| Primary language | TypeScript |
| License | AGPL-3.0 — OSI-approved |
| Stars | 45.5k |
| Forks | 5.3k |
| Open issues | 23 |
| Latest release | v1.9.0 (2026-07-04) |
| Last updated | 2026-07-04 |
| Source | https://github.com/KeygraphHQ/shannon |
What shannon is
Shannon is a TypeScript-based CLI agent that performs white-box security testing by parsing source code, planning attack vectors via LLM reasoning, and executing exploits using browser automation and command-line tools. It runs in a Docker worker container, requires an AI provider (Anthropic recommended), and produces Markdown reports with reproducible proof-of-concept steps.
Get the shannon source
Clone the repository and explore it locally.
git clone https://github.com/KeygraphHQ/shannon.gitcd shannon# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires explicit written authorization to test. Shannon executes real exploits—only run against systems you own or have permission to test; production use requires careful environment isolation and approval.
- AI provider dependency: Anthropic is recommended; AWS Bedrock and Google Vertex AI are documented alternatives. Model cost and response latency will impact scan duration; larger codebases may require multiple LLM calls.
- Docker and Node.js 18+ are mandatory. Worker image is pulled from Docker Hub; network and registry access must be available. Ephemeral container isolation means no persistent state between runs.
- Configuration via files or interactive setup: login flows, credentials, TOTP, and rules of engagement are specified declaratively. Teams must version-control and maintain these configurations alongside their test targets.
- Resumable workspaces allow interrupted scans to continue, but state management across retries and long-running tests should be monitored. Plan for LLM rate limits and provider quota constraints.
When to avoid it — and what to weigh
- You need black-box testing without source code — Shannon is explicitly white-box and requires source code access. For unauthenticated or external black-box pentesting, alternatives like Burp Suite Pro or commercial pentesting services are better suited.
- You require commercial support and SLAs — Shannon Open Source is community-supported (AGPL-3.0 licensed). For enterprise support, continuous scanning, and managed remediation workflows, Keygraph's commercial platform is the intended offering.
- Your application uses uncommon languages or frameworks — Shannon is LLM-driven and source-aware, but effective exploitation depends on the model's understanding of your tech stack. Highly specialized or niche frameworks may yield false negatives.
- You cannot run Docker or provide LLM credentials — Shannon requires Docker for the worker container and API credentials (Anthropic, AWS Bedrock, or Google Vertex AI). Air-gapped or restricted environments without these will not function.
License & commercial use
Shannon Open Source is licensed under AGPL-3.0 (GNU Affero General Public License v3.0). This is a strong copyleft license: any modifications or networked use trigger derivative work obligations. Commercial use is permissible only under the terms of the AGPL-3.0 (requires source disclosure if distributed).
AGPL-3.0 is not a permissive license. Commercial use of Shannon Open Source is possible but requires compliance with AGPL-3.0 terms, including source code disclosure if you modify or distribute it. For proprietary commercial deployment without copyleft obligations, Keygraph's commercial platform (with a different license) is the intended product. Requires legal review before commercial adoption.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
Shannon executes real exploits against live targets. Operator must ensure explicit written authorization before running; misuse against unauthorized systems is illegal. Run only on test/staging environments you control. Docker worker is ephemeral and read-only to source, reducing persistent compromise risk. AI model reasoning is opaque—no guarantee all exploits are legitimate or safe; operator oversight required. No details on data retention, logging, or credential handling beyond environment variables provided. Review Keygraph's security posture documentation for details on encryption, audit trails, and data egress.
Alternatives to consider
Keygraph (commercial platform)
Same Shannon engine, but with continuous scanning, automated remediation, finding deduplication, SAST/SCA/Code Property Graph analysis, and enterprise support. No AGPL copyleft obligations. Intended for organizations needing managed AppSec.
Burp Suite Pro with automated scanning
Industry-standard web pentesting tool with GUI, active scanning, authenticated flows, and professional reporting. Black-box and grey-box capable; no source code analysis. Suitable for teams preferring UI workflows and vendor support.
Custom CI/CD security scanning (SAST + DAST)
Combination of tools like SonarQube, Snyk, or Veracode for SAST; OWASP ZAP or Nuclei for DAST. More modular, lower LLM dependency, but requires manual orchestration and lacks autonomous agent reasoning.
Build on shannon with DEV.co software developers
Run Shannon on your codebase with a single command. Combine source analysis with proof-by-exploitation to catch vulnerabilities early. Start with the quick-start guide.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
shannon FAQ
Can Shannon test production systems?
What if I don't have source code access?
Can I use Shannon commercially without AGPL obligations?
Does Shannon work with my tech stack?
Custom software development services
Need help beyond evaluating shannon? DEV.co is a software development agency offering software development services and web development for teams of every size. Our software developers and web developers build custom software, web applications, APIs, and open-source security integrations — and maintain them long-term.
Automate your penetration testing today
Run Shannon on your codebase with a single command. Combine source analysis with proof-by-exploitation to catch vulnerabilities early. Start with the quick-start guide.