Shannon analyzes your source code, identifies attack vectors, and executes real exploits to prove vulnerabilities, not flag theoretical risks. It combines static code review with dynamic exploitation across four phases: reconnaissance, parallel vulnerability analysis, parallel exploitation, and reporting.
It targets injection, XSS, SSRF, and broken authentication/authorization, validating every finding with a reproducible proof-of-concept. If it can't exploit it, it doesn't report it.
- Report bugs: GitHub Issues
- Ask questions & share feedback: GitHub Discussions · Discord
- Office hours: Free 1:1 sessions every Thursday for setup help and questions. Book a slot
Keygraph is the company behind Shannon. Shannon is our open source core: the standalone AI pentester in this org, free to run yourself.
Keygraph Platform is our commercial, enterprise-ready pentesting platform. It runs an enhanced Shannon continuously across your whole estate and closes the full AppSec lifecycle, extending the open source core with agentic SAST, SCA with reachability, secrets detection, business logic testing, CI/CD integration, finding management, and automated remediation.