Answers to common questions about Shannon’s features, limitations, and usage.

General Questions

Shannon is an AI-powered penetration testing framework that automates white-box security testing for web applications. It combines source code analysis with active exploitation to identify and prove vulnerabilities before they reach production.
Shannon Lite (this open-source version) uses a multi-agent AI framework for autonomous pentesting with support for Injection, XSS, SSRF, and Auth/Authz vulnerabilities. Shannon Pro (commercial) adds:
  • Advanced LLM-powered data flow analysis engine
  • Enterprise-grade code analysis
  • CI/CD integration
  • Dedicated support
  • Enhanced vulnerability detection
See Shannon Pro comparison for details.
No. Shannon is designed to actively execute attacks to confirm vulnerabilities, which can have mutative effects on the target application and its data. Only use Shannon on sandboxed, staging, or local development environments. See Limitations for more details.
Yes. You must have explicit, written authorization from the owner of the target system before running Shannon. Unauthorized scanning is illegal under laws like the Computer Fraud and Abuse Act (CFAA).

Technical Questions

Shannon Lite currently targets:
  • Broken Authentication - Login bypass, session hijacking
  • Broken Authorization - Privilege escalation, IDOR
  • Injection - SQL, command, LDAP injection
  • Cross-Site Scripting (XSS) - Stored, reflected, DOM-based
  • Server-Side Request Forgery (SSRF) - Internal service access
See Coverage and Roadmap for the complete list.
A full test run typically takes 1 to 1.5 hours to complete. Actual runtime varies based on:
  • Application complexity
  • Number of endpoints
  • Authentication complexity
  • API rate limits
Running a full test using Anthropic’s Claude 4.5 Sonnet model costs approximately $50 USD. Costs vary based on:
  • Model pricing
  • Application complexity
  • Number of agents executed
You can reduce costs by:
  • Using PIPELINE_TESTING=true for faster test runs
  • Configuring max_concurrent_pipelines to reduce burst API usage
  • Using AWS Bedrock or Google Vertex AI for different pricing
No. Shannon Lite is designed for white-box testing and expects access to your application’s source code and repository layout. Black-box testing is not supported.
Shannon officially supports:
  • Anthropic Claude (recommended) via API key
  • AWS Bedrock (Claude models)
  • Google Vertex AI (Claude models)
Experimental support exists for:
  • OpenAI GPT models via Router Mode
  • Google Gemini via Router Mode
Note: Shannon is optimized for Anthropic Claude models. Alternative providers may produce inconsistent results.

Usage Questions

Shannon supports workspaces that allow resuming interrupted runs:
# Start with a named workspace
./shannon start URL=https://example.com REPO=repo-name WORKSPACE=my-audit

# Resume the same workspace (skips completed agents)
./shannon start URL=https://example.com REPO=repo-name WORKSPACE=my-audit
Shannon detects completed agents and picks up where it left off. See Workspaces for details.
Docker containers cannot reach localhost on your host machine. Use host.docker.internal instead:
./shannon start URL=http://host.docker.internal:3000 REPO=repo-name
See Platform-Specific Instructions for more details.
Yes. Shannon supports form-based and SSO authentication, including 2FA/TOTP. Create a configuration file:
authentication:
  login_type: form
  login_url: "https://your-app.com/login"
  credentials:
    username: "[email protected]"
    password: "yourpassword"
    totp_secret: "LB2E2RX7XFHSTGCK"  # Optional for 2FA

  login_flow:
    - "Type $username into the email field"
    - "Type $password into the password field"
    - "Click the 'Sign In' button"

  success_condition:
    type: url_contains
    value: "/dashboard"
See Configuration for complete options.
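As an added pre-flight check (example code, not part of Shannon or its documentation), the script below validates a config of the shape shown above and derives the RFC 6238 TOTP code from totp_secret, so you can confirm that the secret matches the authenticator enrolled for the test account before starting an hour-long run. The sample config dict is constructed to mirror the YAML above; the user@example.com address and the rest of its values are placeholders.

```python
import base64, hmac, struct, time
from hashlib import sha1

def totp_code(secret_b32: str, at=None, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the scheme used by most authenticator apps."""
    s = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # tolerate unpadded secrets
    counter = int(time.time() if at is None else at) // period
    digest = hmac.new(key, struct.pack(">Q", counter), sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)

def check_auth_config(cfg: dict) -> list:
    """Return the problems found in a Shannon-style auth config; [] means it looks usable."""
    auth = cfg.get("authentication")
    if not isinstance(auth, dict):
        return ["missing 'authentication' section"]
    problems = [f"missing authentication.{k}" for k in
                ("login_type", "login_url", "credentials", "login_flow", "success_condition")
                if k not in auth]
    creds = auth.get("credentials") or {}
    problems += [f"missing credentials.{k}" for k in ("username", "password") if not creds.get(k)]
    flow = auth.get("login_flow") or []
    if not isinstance(flow, list) or not flow:
        problems.append("login_flow must be a non-empty list of steps")
    else:  # the steps must actually reference the substituted credentials
        problems += [f"login_flow never uses {v}" for v in ("$username", "$password")
                     if v not in " ".join(flow)]
    cond = auth.get("success_condition") or {}
    if cond.get("type") == "url_contains" and not cond.get("value"):
        problems.append("success_condition.value is required for url_contains")
    if creds.get("totp_secret"):
        try:
            totp_code(creds["totp_secret"])  # a bad secret would make every login fail
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("totp_secret is not valid base32")
    return problems

SAMPLE_CONFIG = {  # constructed sample mirroring the FAQ's YAML; all values are placeholders
    "authentication": {
        "login_type": "form", "login_url": "https://your-app.com/login",
        "credentials": {"username": "user@example.com", "password": "yourpassword",
                        "totp_secret": "LB2E2RX7XFHSTGCK"},
        "login_flow": ["Type $username into the email field",
                       "Type $password into the password field",
                       "Click the 'Sign In' button"],
        "success_condition": {"type": "url_contains", "value": "/dashboard"},
    }
}
```

Run `check_auth_config` on your loaded config and print `totp_code(secret)` next to the code your authenticator shows; if they differ, fix the secret or the clock before starting Shannon.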
All results are saved to ./audit-logs/{hostname}_{sessionId}/ by default:
audit-logs/{hostname}_{sessionId}/
├── session.json          # Metrics and session data
├── agents/               # Per-agent execution logs
├── prompts/              # Prompt snapshots
└── deliverables/
    └── comprehensive_security_assessment_report.md
Use OUTPUT=<path> to specify a custom directory.

Troubleshooting Questions

The REPO parameter must be a folder name inside ./repos/, not an absolute path. Clone or symlink your repository:
ln -s /path/to/repo ./repos/my-repo
See Troubleshooting for more solutions.
If using Anthropic subscription plans with rolling 5-hour windows, add this to your config file:
pipeline:
  retry_preset: subscription          # Extends max backoff to 6h
  max_concurrent_pipelines: 2         # Run 2 of 5 pipelines at a time
This reduces burst API usage at the cost of longer total runtime.
Windows Defender may flag files in deliverables/ as malware. These are false positives caused by exploit code in the reports. Solution: Add an exclusion for the Shannon directory in Windows Defender, or use WSL2 to isolate the files. See Platform-Specific Instructions for details.
Stop Shannon with full cleanup:
./shannon stop CLEAN=true
This deletes all workflow data, audit logs, and workspaces. Make sure to back up any reports you need first.

Development Questions

Yes. Shannon’s architecture is designed to be extensible. See Adding Agents for a complete guide on creating custom agents.
Yes. Prompts are stored in the prompts/ directory as .txt files with variable substitution. See Custom Prompts for details on customization.
Shannon uses Temporal for workflow orchestration, which provides a gRPC API for workflow management. However, there is no REST API for direct integration. The primary interface is the ./shannon CLI tool.

Support

If your question isn’t answered here:
