Shannon — Autonomous AI Pentester
Shannon is an AI-driven, white-box penetration testing system designed to "break your web app before anyone else does." It analyzes application source code to guide targeted testing, then runs automated, real-world exploits (via a built-in browser and command-line tools) to confirm whether findings are actually exploitable. Shannon focuses on producing low-false-positive, pentester-grade reports that include copy-and-paste proof-of-concepts.
Key capabilities
- Source-aware dynamic testing: Shannon reads the target repository to discover attack surfaces and prioritize likely exploitable paths.
- Proof-by-exploitation: Hypotheses about vulnerabilities are validated by executing real exploits (e.g., injection, XSS, SSRF, auth bypass) rather than only reporting possible issues.
- Multi-agent, parallel workflow: Reconnaissance, vulnerability analysis, exploitation, and reporting run in parallel agents to shorten total test time.
- Integration with common security tools: Enhances discovery using tools like nmap, subfinder, WhatWeb and Schemathesis for deeper reconnaissance.
- Reproducible reporting: Final reports emphasize confirmed findings and include copy-and-paste PoCs and audit-ready deliverables.
Editions & licensing
- Shannon Lite (AGPL-3.0): Open-source edition intended for white-box testing of applications you own. Contains the core autonomous pentesting framework and is the content of this repository.
- Shannon Pro (Commercial): Enterprise product with advanced LLM-powered data-flow analysis, deeper code coverage, CI/CD integration, and dedicated support.
Notable results & benchmarks
- Claimed benchmark: According to the benchmark results in the repository, Shannon Lite achieved a 96.15% success rate on a hint-free, source-aware XBOW benchmark.
- Example findings: The project demonstrates automated discovery of 20+ high-impact vulnerabilities on OWASP Juice Shop in a single run (sample reports included in repo).
Typical usage & requirements
- Intended for white-box testing: Shannon expects access to source code and repository layout (monorepos or consolidated repo directories).
- LLM dependency: Requires an LLM/account token (the README references Claude/Anthropic integration) for analysis and agent reasoning.
- Deployment: Distributed as a Docker image for local/staging testing; tests should only be run against non-production, authorized targets.
Architecture overview
Shannon uses a four-phase, multi-agent architecture:
- Reconnaissance — build a map of endpoints, auth flows and tech stack using both code analysis and external tools.
- Vulnerability analysis — agents hunt for candidate exploitable paths (parallelized across vulnerability classes).
- Exploitation — dedicated exploit agents attempt to execute attacks to produce real-world proof; only validated exploits are reported.
- Reporting — consolidates confirmed findings into professional reports with reproducible PoCs and audit artifacts.
Safety, scope & disclaimers
- Do not run against production systems; exploitation can be mutative (create/modify/delete data).
- Legal & ethical requirement: You must have explicit written authorization from the system owner before testing.
- Shannon Lite focuses on classes it can actively exploit (Broken Auth, Injection, XSS, SSRF); it may not find issues that require deeper static analysis—those are a focus for Shannon Pro.
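Two of the controls described above, the authorization gate that should stop an autonomous pentester before it exploits anything out of scope, and the rule that only validated exploits reach the report, can be made concrete in a few dozen lines. The following is an added example written for this page, not code from the Shannon repository; the names (AuthorizationRecord, in_scope, Finding, build_report), the hosts and the sample findings are all constructed for illustration.

```python
"""Scope gate and confirmed-only reporting for an automated pentest run.

Added example, not code from the Shannon repository. It shows two controls
the overview describes: refuse to exploit targets that are not covered by a
written, unexpired authorization, and report only findings that carry a
reproducible PoC. All names and sample inputs below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from urllib.parse import urlparse


@dataclass(frozen=True)
class AuthorizationRecord:
    """Written authorization: who signed it, which hosts it covers, when it expires."""
    signed_by: str
    hosts: tuple[str, ...]          # exact hosts or "*.domain" wildcards for subdomains
    valid_until: date


def host_matches(pattern: str, host: str) -> bool:
    """Exact host match, or a '*.' wildcard that covers subdomains but not the apex."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # e.g. ".lab.example.test"
        return host.endswith(suffix) and host != suffix[1:]
    return host == pattern


def in_scope(target_url: str, auth: AuthorizationRecord, today: date) -> tuple[bool, str]:
    """Return (allowed, reason). Deny by default: the host must be explicitly
    listed in an unexpired authorization, and a URL with no host is refused."""
    if today > auth.valid_until:
        return False, f"authorization from {auth.signed_by} expired on {auth.valid_until}"
    host = urlparse(target_url).hostname
    if not host:
        return False, f"cannot determine host from {target_url!r}"
    if not any(host_matches(p, host) for p in auth.hosts):
        return False, f"{host} is not in the authorized host list"
    return True, f"{host} authorized by {auth.signed_by} until {auth.valid_until}"


@dataclass
class Finding:
    """One candidate issue; `poc` is filled only after an exploit agent reproduced it."""
    vuln_class: str
    endpoint: str
    confirmed: bool = False
    poc: str = ""
    notes: list[str] = field(default_factory=list)


def build_report(findings: list[Finding]) -> list[dict]:
    """Keep only findings that are confirmed AND carry a non-empty PoC, so a
    hypothesis that never exploited successfully cannot reach the report."""
    return [
        {"class": f.vuln_class, "endpoint": f.endpoint, "poc": f.poc}
        for f in findings
        if f.confirmed and f.poc.strip()
    ]


# Constructed sample data: fictional hosts, fictional findings, fixed clock.
TODAY = date(2026, 1, 1)
AUTH = AuthorizationRecord(
    signed_by="app-owner@example.test",
    hosts=("juice.staging.example.test", "*.lab.example.test"),
    valid_until=date(2030, 1, 31),
)
SAMPLE_FINDINGS = [
    Finding("SQL injection", "/rest/products/search", confirmed=True,
            poc="curl 'http://juice.staging.example.test/rest/products/search?q=<constructed payload>'"),
    Finding("SSRF", "/api/fetch", confirmed=False,
            notes=["hypothesis only; exploit attempt did not succeed"]),
    Finding("XSS", "/#/search", confirmed=True, poc=""),   # flagged but no evidence: excluded
]


if __name__ == "__main__":
    for url in ("http://juice.staging.example.test/", "http://prod.example.test/"):
        ok, why = in_scope(url, AUTH, TODAY)
        print("RUN " if ok else "SKIP", url, "-", why)
    print(build_report(SAMPLE_FINDINGS))
```

The gate is deny-by-default on purpose: an exploit agent that is about to mutate data should never fall back to "probably fine" when the host list, the expiry date or the URL itself is ambiguous. The report filter treats a `confirmed` flag without a PoC as unconfirmed, which is the property that keeps the false-positive rate low.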
Who should consider Shannon?
Security teams wanting continuous, on-demand white-box pentesting; dev teams that want automated, reproducible exploit evidence; researchers comparing autonomous offensive capabilities.
Files & supporting resources
The repository contains quick-start Docker instructions, configuration examples for authentication (including TOTP), sample reports and benchmark data, and a coverage/roadmap document describing current and planned vulnerability coverage.
License
Shannon Lite is released under the GNU AGPL v3.0. The README highlights usage constraints and disclaimers, and notes that modifications are subject to AGPL obligations when Shannon is offered as a public or managed service.
