Builds · 12 min read · May 1, 2026

Shannon: AI Pentester for Claude Code Apps

Open-source white-hat pentesting, powered by the Claude Agent SDK. 96% on the XBOW benchmark. $50 a run. Tests apps you build with Claude Code so you stop shipping holes into production.

A practical setup guide for Shannon, the open-source white-hat AI pentester from Keygraph. Point it at your staging URL and your repo. It reads your code, runs real exploits, and writes the report. AGPL licensed, about $50 per run on Claude Sonnet, 90 minutes per full scan.

The Problem Nobody Talks About

Most builders shipping with Claude Code never run security testing. The reasons are obvious. Annual pentests cost $5K to $50K, take 2 to 6 weeks, and don't fit a daily-ship cadence. By the time you book one, the codebase has changed three times.

So you ship without testing. Then you find the SQL injection in production from a customer report. Or the broken auth from a security researcher's email. Or the SSRF from a postmortem after an incident.

Shannon collapses the cycle. $50 per scan, 90 minutes per run, code-aware, runs on every push to staging if you want it. The annual pentest becomes a daily habit.

Why This Changes Everything

Real exploits, not theoretical scans. The "no exploit, no report" policy means every finding has a working proof of concept. Zero false positives. If it's in the report, it's exploitable.

Code-aware. Shannon reads your source code as part of the test. It uses the code to plan smarter attacks instead of just probing the surface like a black-box scanner.

Autonomous. Handles 2FA logins, navigation, exploitation, and reporting. No manual intervention. Once you start the scan, it runs to completion.

Built on the Claude Agent SDK. Powered by Anthropic Claude. Not a wrapper around an old vulnerability scanner. A true AI agent making decisions about where to attack and how.

Step 1: Install Prerequisites

Three things on your machine first:

  • Docker (Shannon runs scanners in containers)
  • Node.js 18+
  • pnpm (only if you're building from source; the npx-based install skips this)

Plus one of:

  • Anthropic API key, or
  • AWS Bedrock credentials, or
  • Google Vertex AI credentials

You also need a staging or sandbox URL to test against. Never production. Never apps you don't own.

Step 2: Run Your First Scan (npx, recommended)

The fastest path is via npx. Two commands.

Setup:

npx @keygraph/shannon setup

This pulls the Docker images, sets up the scanning environment, and validates your API credentials.

Run a scan:

npx @keygraph/shannon start -u https://your-app.com -r /path/to/repo

Replace the URL with your staging app. Replace the path with your local clone of the repo. Shannon takes it from here.
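A pre-flight wrapper for the two commands above, added here as an example and not part of Shannon or this guide: it checks the Step 1 prerequisites, refuses any URL whose host is not on an allow-list of hosts you own (so a production or third-party URL never reaches the scanner), and only then runs setup and start. The provider environment variable names are an assumption (check Shannon's own configuration for the exact names it reads), and the allow-list hosts are constructed placeholders.

```shell
#!/bin/sh
# Pre-flight wrapper around the two npx commands from Step 2 (added example, not Shannon's own code).
# Usage: sh shannon-preflight.sh https://staging.example.com /path/to/repo
set -eu

# Hosts you own and are allowed to scan. Constructed placeholders; replace with your staging hosts.
SHANNON_SCOPE="${SHANNON_SCOPE:-staging.example.com sandbox.example.com}"

# Node.js 18+ is required; accepts the "v18.19.0" form printed by `node --version`.
node_ok() {
  major=${1#v}; major=${major%%.*}
  [ "$major" -ge 18 ] 2>/dev/null
}

# Only scan hosts on your own allow-list: never production, never apps you don't own.
# Strips scheme, path, userinfo and port before comparing the hostname.
in_scope() {
  host=${1#*://}; host=${host%%/*}; host=${host##*@}; host=${host%%:*}
  for allowed in $2; do
    [ "$host" = "$allowed" ] && return 0
  done
  return 1
}

# One of the three providers must be configured. Assumption: Shannon reads the provider
# SDKs' standard environment variables; confirm the exact names in Shannon's docs.
have_credentials() {
  [ -n "${ANTHROPIC_API_KEY:-}" ] && return 0
  [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ] && return 0
  [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ] && return 0
  return 1
}

main() {
  url=$1; repo=$2
  command -v docker >/dev/null || { echo "docker not found" >&2; exit 1; }
  node_ok "$(node --version)" || { echo "Node.js 18+ required" >&2; exit 1; }
  have_credentials || { echo "no Anthropic, Bedrock or Vertex credentials in env" >&2; exit 1; }
  in_scope "$url" "$SHANNON_SCOPE" || { echo "$url is not in SHANNON_SCOPE; refusing" >&2; exit 1; }
  [ -d "$repo/.git" ] || { echo "$repo is not a git clone" >&2; exit 1; }
  npx @keygraph/shannon setup
  npx @keygraph/shannon start -u "$url" -r "$repo"
}

if [ "$#" -ge 2 ]; then main "$@"; fi
```

Set SHANNON_SCOPE in your environment (or edit the default) to the exact hostnames of the staging apps you are authorised to test; anything else exits before Docker or npx is touched.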

This is a preview. The full guide continues inside.

The complete version includes everything above plus:

  • Step 3: Build from source (clone, install, full control)
  • Step 4: How Shannon actually works (5-phase pipeline breakdown)
  • Step 5: What Shannon tests (SQLi, XSS, SSRF, broken auth)
  • Step 6: Reading the report (reproduction scripts, suggested fixes)
  • Step 7: Wire Shannon into your CI/CD workflow
  • Honest limitations: scope, cost, and legal disclaimers

Plus 12 other full guides on agent builds, MCP setups, and Claude workflows. All free inside.