Shannon AI

Shannon is TurboPentest's autonomous AI pentesting agent. Built by Keygraph, Shannon goes beyond analyzing tool outputs - it runs its own security tools, navigates applications with a built-in browser, and executes real exploits to validate findings with reproducible proof-of-concepts.

What Shannon does

Autonomous pentesting (Phase 2)

After the 14 Phase 1 tools complete, Shannon runs as a full autonomous agent:

  1. Ingests Phase 1 results - Reads output from all 14 tools and deduplicates findings
  2. Runs its own tools - Executes additional reconnaissance with built-in Nmap, Subfinder, WhatWeb, and Schemathesis
  3. Browser-based testing - Navigates the target application using a built-in browser, handling complex auth flows including form login, TOTP/2FA, and OAuth
  4. Exploit validation - Executes real browser-based and command-line exploits to confirm vulnerabilities are genuinely exploitable
  5. Code-aware analysis - When source code is provided, analyzes it to intelligently guide attack strategy and target code-level weaknesses
  6. Parallel vulnerability agents - Spawns dedicated agents for different vulnerability categories (injection, XSS, SSRF, broken auth/authz) that run concurrently

Report generation

  1. Finding enrichment - Adds CVSS scores, CWE IDs, OWASP categories, and remediation guidance
  2. Executive summary - Generates a human-readable overview of the security posture
  3. Attack surface mapping - Creates a categorized inventory of endpoints, ports, technologies, and input vectors
  4. Threat modeling - Produces a STRIDE-based threat model with prioritized recommendations
  5. Retest commands - Generates Docker one-liners for each finding so you can verify fixes

How it works

Shannon runs as a containerized agent on Azure Container Instances. It receives Phase 1 tool outputs via a system prompt, then runs its own four-phase pipeline:

  1. Reconnaissance - Additional recon using built-in tools beyond Phase 1
  2. Vulnerability analysis - Parallel agents analyze different vulnerability categories simultaneously
  3. Exploitation - Real attacks executed via browser and command line to validate findings
  4. Reporting - Structured JSON report with validated findings and reproducible PoCs

Shannon is powered by Claude and scores 96.15% on the XBOW autonomous hacking benchmark (100/104 exploits, hint-free, source-aware).

What Shannon does NOT do

  • Shannon does not store or persist your source code - all analysis happens in ephemeral containers
  • Shannon does not perform social engineering or physical security testing
  • Shannon does not test network-internal lateral movement
  • Shannon does not replace manual pentesting for complex business logic flaws requiring domain expertise
