Run automated security tests on your web app every time you deploy to catch new vulnerabilities before they reach production.
Replace expensive annual penetration tests with continuous on-demand security scanning integrated into your CI/CD pipeline.
Verify that security fixes actually work by having Shannon attempt the same exploits it found before and after your patch.
Requires LLM API credentials, browser automation setup, and likely a test target environment to demonstrate exploits safely.
Shannon is an AI-powered penetration testing tool designed to automatically find and prove security vulnerabilities in web applications and APIs. The core problem it addresses is the growing gap between how fast modern teams ship code and how infrequently they perform security audits. Traditional penetration tests happen once or twice a year, so new vulnerabilities introduced through daily deployments can go undetected for months.

Shannon works in two phases: static source code analysis and live exploitation. It reads your application's source code to map out potential attack paths, then uses browser automation and command-line tools to attempt those attacks against the running application. The key design principle is that Shannon only reports vulnerabilities it has successfully exploited with a working proof-of-concept, so you get no theoretical findings, only real, confirmed security issues. It covers common vulnerability categories from the OWASP Top 10, including SQL injection, cross-site scripting, server-side request forgery, and broken authentication.

You would use Shannon when you want continuous or on-demand security testing built into your development cycle rather than relying on expensive annual penetration tests. It is particularly valuable for teams using AI coding assistants such as Cursor or Claude Code that ship features at high velocity, because the attack surface can change daily. The open-source edition, Shannon Lite, is licensed under the AGPL and runs locally against your own application with access to its source code. The commercial Shannon Pro edition extends this with a full static analysis pipeline, dependency vulnerability scanning, secrets detection, and CI/CD integration, and keeps your data entirely within your own infrastructure. The project is written in TypeScript and uses browser automation alongside large language models to reason about code and guide the exploitation process.
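The two ideas above that matter most to a defender are the confirm-only reporting rule and the before/after fix check. The TypeScript below is an added illustration written for this page, not Shannon's own code: it models a finding as a replayable probe, counts the finding only if the probe actually reproduces against an in-memory request handler, and reruns the same probe against the patched handler to verify the fix. The handlers, the `Finding` shape and the probe marker are constructed for the example and do not correspond to any Shannon API.

```typescript
// Added example, not part of the Shannon project. Models "report only what
// reproduces" and "rerun the same proof after the patch" with in-memory handlers.

type HttpRequest = { query: Record<string, string> };
type HttpResponse = { status: number; body: string };
type Handler = (req: HttpRequest) => HttpResponse;

// Constructed "before" handler: reflects the search term into HTML unencoded.
const vulnerableSearch: Handler = (req) => ({
  status: 200,
  body: `<p>Results for: ${req.query.q ?? ""}</p>`,
});

// Minimal HTML output encoding used by the patched handler.
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};
function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Constructed "after" handler: same feature, term is encoded before output.
const patchedSearch: Handler = (req) => ({
  status: 200,
  body: `<p>Results for: ${escapeHtml(req.query.q ?? "")}</p>`,
});

// A recorded finding: which parameter was reflected and the inert marker
// (a harmless tag with a unique id) that served as the proof-of-concept.
interface Finding { id: string; param: string; marker: string; }

// Confirm-only rule: the finding counts only if the marker round-trips into
// the response unencoded, i.e. the proof actually works against this handler.
function confirmReflected(handler: Handler, f: Finding): boolean {
  const res = handler({ query: { [f.param]: f.marker } });
  return res.status === 200 && res.body.includes(f.marker);
}

// Fix verification: the same probe must reproduce before the patch and
// fail after it; anything else means the finding or the fix is suspect.
function verifyFix(before: Handler, after: Handler, f: Finding) {
  const reproducedBefore = confirmReflected(before, f);
  const stillPresentAfter = confirmReflected(after, f);
  return { reproducedBefore, stillPresentAfter, fixed: reproducedBefore && !stillPresentAfter };
}

// Constructed finding, as such a tool might record it.
const exampleFinding: Finding = { id: "XSS-1", param: "q", marker: '<i id="probe-2f9c">' };

console.log(verifyFix(vulnerableSearch, patchedSearch, exampleFinding));
// { reproducedBefore: true, stillPresentAfter: false, fixed: true }
```

The probe is deliberately an inert tag rather than anything executable: what the check needs is evidence that untrusted input reaches the HTML unencoded, and the encoded form (`&lt;i id=&quot;...`) no longer contains the marker, which is exactly the signal that the output-encoding patch took effect.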
Generated 2026-05-18 · Model: sonnet-4-6 · Verify against the repo before relying on details.