Shannon AI

Shannon is TurboPentest's autonomous AI pentesting agent, built by Keygraph. It goes beyond correlating tool outputs - Shannon runs its own security tools, navigates applications with a built-in browser, and executes real exploits to validate findings with reproducible proofs of concept.

XBOW Benchmark

Shannon scores 96.15% on the XBOW benchmark (100/104 exploits, hint-free, source-aware). This is a standardized evaluation of autonomous vulnerability exploitation - not just detection, but confirmed exploitability.

How Shannon Works

Shannon runs as a containerized agent after all 14 Phase 1 tools complete. It executes a four-phase pipeline autonomously:

1. Phase 1 Output Ingestion

Shannon reads the raw output from all 14 Phase 1 tools via Azure Blob Storage:

  • Port and service enumeration (Nmap)
  • Web vulnerability findings (ZAP, Nikto, Nuclei)
  • TLS/SSL configuration issues (TestSSL)
  • Subdomain and HTTP endpoint discovery (Subfinder, HTTPX)
  • Directory and file exposure (FFUF)
  • WAF detection results (Wafw00f)
  • Vulnerability assessment results (OpenVAS)
  • Business logic and API analysis (PentestTools)
  • Secret detection in source code (Gitleaks) - white box only
  • Static analysis findings (Semgrep) - white box only
  • Dependency vulnerabilities (Trivy) - white box only

2. Autonomous Reconnaissance

Shannon runs its own built-in tools to supplement Phase 1 data:

  • Nmap - Additional targeted port/service probing based on Phase 1 findings
  • Subfinder - Extended subdomain discovery
  • WhatWeb - Technology fingerprinting
  • Schemathesis - API schema-based testing (OpenAPI/Swagger)

3. Parallel Vulnerability Analysis and Exploitation

Shannon spawns dedicated agents for different vulnerability categories, running concurrently:

  • Injection agent - SQL injection, command injection, LDAP injection
  • XSS agent - Reflected, stored, and DOM-based cross-site scripting
  • SSRF agent - Server-side request forgery and internal service access
  • Auth agent - Broken authentication, authorization bypasses, privilege escalation

Each agent uses Shannon's built-in browser to interact with the target application. The browser handles complex authentication flows including form login, TOTP/2FA, and OAuth/Google sign-in. Agents execute real exploits - both browser-based and command-line - to validate that findings are genuinely exploitable.

When source code is provided (white box mode), Shannon analyzes the code to guide its attack strategy, targeting specific code-level weaknesses identified by static analysis.

4. Cross-Tool Correlation and Reporting

Shannon correlates findings across Phase 1 tools and its own exploitation results:

  • An open port found by Nmap + a vulnerability on that service confirmed by Shannon's exploit = validated critical finding
  • A weak TLS configuration from TestSSL + an exposed admin panel from FFUF = elevated risk assessment
  • A hardcoded secret from Gitleaks + an exposed endpoint confirmed exploitable by Shannon = critical credential exposure

False positives are eliminated through actual exploit validation - if Shannon can't reproduce it, it doesn't report it.
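
The three correlation rules above, together with the validation gate, sketched as an added example (this is not Shannon's or TurboPentest's code). The finding fields (`tool`, `host`, `kind`, `port`, `validated`) and the hostnames are assumptions constructed for illustration, not the product's report schema.

```python
from collections import defaultdict

# Constructed sample findings; field names are assumptions, not Shannon's schema.
FINDINGS = [
    {"tool": "nmap", "host": "app.example.test", "kind": "open_port", "port": 8080},
    {"tool": "shannon", "host": "app.example.test", "kind": "vuln", "port": 8080, "validated": True},
    {"tool": "testssl", "host": "admin.example.test", "kind": "weak_tls"},
    {"tool": "ffuf", "host": "admin.example.test", "kind": "admin_panel"},
    {"tool": "gitleaks", "host": "api.example.test", "kind": "hardcoded_secret"},
    {"tool": "shannon", "host": "api.example.test", "kind": "vuln", "port": 443, "validated": True},
    # Open port plus a scanner hit that was never reproduced: must not be reported.
    {"tool": "nmap", "host": "old.example.test", "kind": "open_port", "port": 80},
    {"tool": "nikto", "host": "old.example.test", "kind": "vuln", "port": 80, "validated": False},
]


def correlate(findings):
    """Apply the three correlation rules per host; return sorted (host, label) pairs."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)

    results = []
    for host, items in by_host.items():
        kinds = {f["kind"] for f in items}
        open_ports = {f["port"] for f in items if f["kind"] == "open_port"}
        # Validation gate: only reproduced vulnerabilities count as evidence.
        confirmed = [f for f in items if f["kind"] == "vuln" and f.get("validated")]

        # Rule 1: open port + confirmed vulnerability on that same service.
        if any(f.get("port") in open_ports for f in confirmed):
            results.append((host, "validated critical finding"))
        # Rule 2: weak TLS configuration + exposed admin panel on the same host.
        if {"weak_tls", "admin_panel"} <= kinds:
            results.append((host, "elevated risk assessment"))
        # Rule 3: hardcoded secret + an endpoint confirmed exploitable.
        if "hardcoded_secret" in kinds and confirmed:
            results.append((host, "critical credential exposure"))
    return sorted(results)


if __name__ == "__main__":
    for host, label in correlate(FINDINGS):
        print(f"{host}: {label}")
```

`old.example.test` produces no output even though a scanner flagged it on an open port, because the finding was never reproduced.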

Structured Output

Shannon produces a JSON report containing:

  • Findings - Each with severity (Critical/High/Medium/Low/Info), description, proof-of-concept, CWE ID, CVSS score, and remediation steps
  • Attack surface map - Categorized inventory of endpoints, ports, technologies, authentication mechanisms, and input vectors
  • Threat model - STRIDE-based risk assessment with prioritized recommendations
  • Retest commands - Docker one-liners for each finding to verify fixes

Model

Shannon is powered by Claude Sonnet 4.5 via the Anthropic API. The LLM drives Shannon's multi-agent decision-making, tool orchestration, and report generation.

What Shannon Can and Cannot Do

Shannon excels at:

  • Autonomously exploiting web vulnerabilities with real proofs of concept
  • Navigating complex auth flows (2FA, OAuth, session management)
  • Correlating findings across 14 Phase 1 tools + its own exploitation results
  • Code-aware attack targeting when source code is provided
  • Prioritizing vulnerabilities by confirmed exploitability and business impact
  • Generating compliance-ready documentation with reproducible evidence

Shannon does not replace:

  • Manual penetration testing for complex business logic flaws requiring domain expertise
  • Social engineering or physical security assessments
  • Zero-day vulnerability research
  • Network-internal lateral movement testing

For comprehensive assessments that go beyond automated tooling, IntegSec offers PTaaS (Penetration Testing as a Service).
