Autonomous white-box pentest · powered by Shannon

Shane hacks your app before someone else does.

Point Shane at your repo and deployment. It runs a full autonomous white-box pentest — reading your source, mapping the attack surface, and proving each vulnerability with a real, non-destructive exploit. No speculative scanner noise. Every finding comes back with a copy-paste fix prompt built for your coding agent.

- Proof, not guesses
- Bring your own repo + deploy
- Fixes, not just findings
Live demo

Run a scan. Watch it prove real bugs.

This is a real fixture result from a sample Next.js app — the exact flow the Studio runs against your code. Press run: phases light up, findings count up, then every finding opens to its exploit and a copy-paste fix. No signup.

How it works

Five phases, from source to proof to fix.

Shane orchestrates the Shannon engine through a disciplined pipeline — the right model on the right job at every step.

  1. Pre-Recon · Claude Opus
     Reads the whole codebase like a senior engineer — frameworks, routes, auth boundaries, and where untrusted input enters.

  2. Recon · Claude Sonnet
     Maps the live attack surface and correlates runtime behavior against the code paths it just learned.

  3. Vulnerability Analysis · 5 parallel agents
     Specialist agents hunt in parallel — injection, XSS, SSRF, auth, and authz — each an expert in its own class.

  4. Exploitation · Claude Opus
     Every candidate is validated with a real, non-destructive proof-of-concept. If it can't be exploited, it isn't reported.

  5. Reporting · Claude Haiku
     Compiles an executive report and generates an optimized, context-loaded fix prompt for each proven finding.

From finding to fix

Most tools stop at the finding. Shane hands you the fix.

Every proven vulnerability comes back with an optimized, context-loaded prompt built for your coding agent — the actual deliverable, not a homework assignment.

critical · CWE-89

SQL injection in report export endpoint

src/app/api/reports/export/route.ts:34

The `/api/reports/export` handler concatenates the `range` query parameter directly into a raw SQL string. An attacker can break out of the intended query and read or modify arbitrary tables, including the users table.

Proven with: `GET /api/reports/export?range=2024' UNION SELECT email, password_hash FROM users --` returns the full credentials table in the CSV response.

Validated with a real, non-destructive exploit.

Optimized fix prompt:
You are fixing a **CRITICAL** security vulnerability found by an autonomous pentest.

## Vulnerability
- **Type:** SQL injection in report export endpoint (CWE-89)
- **Category:** injection
- **Location:** src/app/api/reports/export/route.ts:34

## What's wrong
The `/api/reports/export` handler concatenates the `range` query parameter directly into a raw SQL string. An attacker can break out of the intended query and read or modify arbitrary tables, including the users table.

## How it's exploited (proof of concept)
GET /api/reports/export?range=2024' UNION SELECT email, password_hash FROM users --  returns the full credentials table in the CSV response.

## Your task
1. Open `src/app/api/reports/export/route.ts` and locate the vulnerable code around line 34.
2. Apply the remediation below. Do NOT just suppress the symptom — fix the root cause so the exploit above no longer works.

### Recommended remediation
Use parameterized queries / a query builder. Never interpolate request input into SQL. Validate `range` against an allow-list of known values before it reaches the database layer.

3. Check the ENTIRE codebase for the same anti-pattern — this vulnerability class usually appears in more than one place. Fix every instance.
4. Add a regression test that reproduces the exploit and asserts it now fails.
5. Do not introduce new dependencies unless strictly required, and never weaken existing auth, validation, or escaping elsewhere.

## Definition of done
- The proof-of-concept above no longer succeeds against a local run.
- A test exists that would catch this regression.
- No other instance of this pattern remains in the repo.

Return the diff and a one-line summary of the fix.
Paste into Claude Code, Cursor, or any coding agent → root-cause fixed, tested, tracked.
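The remediation the prompt recommends, carried through for the `range` parameter as an added example (not Shane's output and not the sample app's code). It assumes a `reports` table with a `fiscal_year` column, a pg-style driver that binds `$1` placeholders, and that `range` is a four-digit year from a fixed allow-list; the route handler is modelled as a plain function so it runs without Next.js.

```typescript
interface SafeQuery {
  text: string;     // SQL containing placeholders only, never request input
  values: string[]; // bound by the driver, so quotes in input cannot change the query
}

// Allow-list of the only `range` values the export understands (assumed values).
var ALLOWED_RANGES: string[] = ["2022", "2023", "2024", "2025"];

function isAllowedRange(range: string | null): range is string {
  return range !== null && ALLOWED_RANGES.indexOf(range) !== -1;
}

// The anti-pattern the finding describes: request input concatenated into raw SQL.
// Kept only as the "before" picture so a regression test can contrast the two.
function unsafeExportQuery(range: string): string {
  return "SELECT id, title, total FROM reports WHERE fiscal_year = '" + range + "'";
}

// Hardened form: validate against the allow-list, then bind the value as a parameter.
// Returns null when `range` is missing or not on the allow-list.
function buildExportQuery(range: string | null): SafeQuery | null {
  if (!isAllowedRange(range)) {
    return null;
  }
  return {
    text: "SELECT id, title, total FROM reports WHERE fiscal_year = $1",
    values: [range],
  };
}

// Minimal model of the route handler: 400 on rejected input, otherwise the query to run.
function handleExport(url: string): { status: number; query: SafeQuery | null } {
  var range = new URL(url).searchParams.get("range");
  var query = buildExportQuery(range);
  return query === null ? { status: 400, query: null } : { status: 200, query: query };
}
```

The assertions that belong in the regression test step of the prompt check two things: the proof-of-concept value is rejected before any SQL is built, and the accepted value reaches the database only as a bound parameter, never inside the query text.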
Track it to zero

Every finding, from Identified to Resolved.

The Studio turns a scan into a board. Move each finding across the pipeline and watch your open-risk count fall — with a re-scan to prove the fix held.

Identified (3): Proven and waiting to be worked
- SQL injection in report export endpoint
- Broken object-level authorization (IDOR) on invoices
- Password reset tokens are predictable and never expire

In Progress (2): Fix prompt copied, remediation underway
- Server-side request forgery in avatar import
- Stored XSS in comment rendering

Resolved (2): Verified fixed — exploit no longer works
- Stripe secret key exposed to the client bundle
- Missing security headers (HSTS, CSP, X-Frame-Options)
Trust & authorization

Serious testing, run responsibly.

Shane is built to be pointed at what you own, with your explicit sign-off, and to prove its findings without ever putting your app at risk.

White-box by design

Shane reads your actual source. It reasons about real code paths and auth boundaries — not black-box guesses bolted onto a crawler.

You bring your own repo + deployment

Connect a repository and a running target you control. Nothing is scanned until you point Shane at what's yours.

Signed authorization attestation

Before any scan runs, you attest that you own or are authorized to test the target. Pentesting without authorization is illegal — Shane won't run without it.

Non-destructive proof

Exploitation is validated safely. Shane proves a vulnerability is real without dropping tables, deleting data, or disrupting your users.

Powered by Shannon (Keygraph), an open-source autonomous pentest engine, licensed under AGPL-3.0.

Find it before they do.

Connect your app and let Shane run the pentest an attacker would — then hand you the fixes first.