Shane hacks your app before someone else does.
Point Shane at your repo and deployment. It runs a full autonomous white-box pentest — reading your source, mapping the attack surface, and proving each vulnerability with a real, non-destructive exploit. No speculative scanner noise. Every finding comes back with a copy-paste fix prompt built for your coding agent.
Run a scan. Watch it prove real bugs.
This is a real fixture result from a sample Next.js app — the exact flow the Studio runs against your code. Press run: phases light up, findings count up, then every finding opens to its exploit and a copy-paste fix. No signup.
Five phases, from source to proof to fix.
Shane orchestrates the Shannon engine through a disciplined pipeline — the right model on the right job at every step.
- 01
Pre-Recon
Claude OpusReads the whole codebase like a senior engineer — frameworks, routes, auth boundaries, and where untrusted input enters.
- 02
Recon
Claude SonnetMaps the live attack surface and correlates runtime behavior against the code paths it just learned.
- 03
Vulnerability Analysis
5 parallel agentsSpecialist agents hunt in parallel — injection, XSS, SSRF, auth, and authz — each an expert in its own class.
- 04
Exploitation
Claude OpusEvery candidate is validated with a real, non-destructive proof-of-concept. If it can't be exploited, it isn't reported.
- 05
Reporting
Claude HaikuCompiles an executive report and generates an optimized, context-loaded fix prompt for each proven finding.
Most tools stop at the finding. Shane hands you the fix.
Every proven vulnerability comes back with an optimized, context-loaded prompt built for your coding agent — the actual deliverable, not a homework assignment.
SQL injection in report export endpoint
The `/api/reports/export` handler concatenates the `range` query parameter directly into a raw SQL string. An attacker can break out of the intended query and read or modify arbitrary tables, including the users table.
GET /api/reports/export?range=2024' UNION SELECT email, password_hash FROM users -- returns the full credentials table in the CSV response.
You are fixing a **CRITICAL** security vulnerability found by an autonomous pentest. ## Vulnerability - **Type:** SQL injection in report export endpoint (CWE-89) - **Category:** injection - **Location:** src/app/api/reports/export/route.ts:34 ## What's wrong The `/api/reports/export` handler concatenates the `range` query parameter directly into a raw SQL string. An attacker can break out of the intended query and read or modify arbitrary tables, including the users table. ## How it's exploited (proof of concept) GET /api/reports/export?range=2024' UNION SELECT email, password_hash FROM users -- returns the full credentials table in the CSV response. ## Your task 1. Open `src/app/api/reports/export/route.ts` and locate the vulnerable code around line 34. 2. Apply the remediation below. Do NOT just suppress the symptom — fix the root cause so the exploit above no longer works. ### Recommended remediation Use parameterized queries / a query builder. Never interpolate request input into SQL. Validate `range` against an allow-list of known values before it reaches the database layer. 3. Check the ENTIRE codebase for the same anti-pattern — this vulnerability class usually appears in more than one place. Fix every instance. 4. Add a regression test that reproduces the exploit and asserts it now fails. 5. Do not introduce new dependencies unless strictly required, and never weaken existing auth, validation, or escaping elsewhere. ## Definition of done - The proof-of-concept above no longer succeeds against a local run. - A test exists that would catch this regression. - No other instance of this pattern remains in the repo. Return the diff and a one-line summary of the fix.
Every finding, from Identified to Resolved.
The Studio turns a scan into a board. Move each finding across the pipeline and watch your open-risk count fall — with a re-scan to prove the fix held.
Proven and waiting to be worked
Fix prompt copied, remediation underway
Verified fixed — exploit no longer works
Serious testing, run responsibly.
Shane is built to be pointed at what you own, with your explicit sign-off, and to prove its findings without ever putting your app at risk.
White-box by design
Shane reads your actual source. It reasons about real code paths and auth boundaries — not black-box guesses bolted onto a crawler.
You bring your own repo + deployment
Connect a repository and a running target you control. Nothing is scanned until you point Shane at what's yours.
Signed authorization attestation
Before any scan runs, you attest that you own or are authorized to test the target. Pentesting without authorization is illegal — Shane won't run without it.
Non-destructive proof
Exploitation is validated safely. Shane proves a vulnerability is real without dropping tables, deleting data, or disrupting your users.
Powered by Shannon (Keygraph), an open-source autonomous pentest engine, licensed under AGPL-3.0.
Find it before they do.
Connect your app and let Shane run the pentest an attacker would — then hand you the fixes first.