KeygraphHQ/shannon

An AI that actually breaks into your app (with permission)

Shannon Lite autonomously pentests web apps by reading source code, then executing real exploits to prove vulnerabilities exist.

44.4k stars · TypeScript · Agents · Domain Apps
Velocity (7d): +174 ★/day · Trend: steady

What it does

Shannon Lite is an open-source (AGPL-3.0) autonomous pentesting tool for web applications and APIs. You point it at your source code and a running instance; it analyzes the code to find attack vectors, then uses browser automation and CLI tools to execute actual exploits—SQL injection, XSS, SSRF, auth bypass—against the live app. Only vulnerabilities with working proof-of-concept exploits make it into the final report.

The interesting bit

Most security scanners either statically analyze code or fuzz endpoints. Shannon does both in sequence: source code analysis guides the attack strategy, and dynamic exploitation validates whether a theoretical flaw is actually exploitable. The “Lite” version here is essentially the dynamic exploitation engine; the Pro version adds a full static analysis pipeline with Code Property Graphs and cross-correlation between findings.

Key highlights

  • Single-command launch via npx; handles 2FA/TOTP, SSO login, and report generation without manual intervention
  • Mounts target repository as read-only inside a ~1 GB Docker worker to prevent accidental modification
  • Supports Anthropic, AWS Bedrock, Google Vertex AI, and custom base URLs for LLM inference
  • Parallel vulnerability analysis and exploitation across attack categories
  • Published sample report against OWASP Juice Shop showing 20+ confirmed vulnerabilities including auth bypass and database exfiltration

Caveats

  • Not a passive scanner: actively executes exploits; requires explicit written authorization from the system owner
  • White-box only: requires source code access; won’t work on black-box or third-party targets you don’t own
  • Router mode (“claude-code-router”) is being sunsetted per a project discussion

Verdict

Worth a look if you run a web app or API, own the codebase, and want continuous validation that your security fixes actually work. Skip it if you’re looking for black-box scanning, compliance checkboxing, or a tool that runs without LLM API costs.
