You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Shannon is an autonomous AI penetration testing agent by Keygraph that achieved 96.15% on the XBOW benchmark. Its defining philosophy is "No Exploit, No Report" — it only reports vulnerabilities it can actually exploit and reproduce against a running application, eliminating false positives entirely. It uses a 13-agent, 5-phase pipeline (pre-recon → recon → vulnerability analysis → exploitation → reporting) orchestrated via Temporal.io, with Claude Code as the AI engine and Playwright for browser automation.
The existing RAPTOR-inspired cybersecurity issues (#382 Code Security Audit, #383 Binary Security Analysis, #384 OSS Security Forensics) cover offline analysis — scanning source code, analyzing binaries, and investigating supply chain attacks. None of them address the critical capability of testing a running web application for exploitable vulnerabilities. Shannon fills this gap with active reconnaissance, live exploitation, and proof-based reporting.
This issue proposes a Web Application Penetration Testing skill that adapts Shannon's methodology and pipeline into Hermes Agent, using existing tools (terminal for nmap/whatweb/curl, Hermes browser tool or Playwright MCP for web interaction, delegate_task for parallel vulnerability agents) to perform structured penetration testing against web applications in sandboxed environments.
License note: Shannon is AGPL-3.0 — we cannot use its code directly. This proposal adapts Shannon's concepts, methodology, and pipeline structure as a fresh implementation. All code would be written from scratch.
Research Findings
How Shannon's Pentesting Pipeline Works
Phase 1: Pre-Recon (Source Code Analysis)
A single agent with source code access maps the application architecture:
Horizontal/vertical privilege escalation, IDOR, business logic
Role-based access matrix analysis
ssrf-vuln
Internal service access, cloud metadata, protocol smuggling
4 SSRF type classification with escalation paths
Each agent produces an exploitation_queue.json — a structured list of findings with: ID, vulnerability type, source location, path, sink, sanitization status, verdict, witness payload, and confidence level.
Phase 4: Exploitation (5 parallel agents, conditional)
Only runs for vulnerability classes where the analysis phase found actionable findings:
Attempts actual exploitation against the live application
Uses a Bypass Exhaustion Protocol: must attempt multiple distinct bypass techniques before classifying as false positive
Output: exploitation_evidence.md with full PoC payloads and reproduction steps
Phase 5: Reporting (1 agent)
Assembles all evidence into a comprehensive security assessment with executive summary, proven exploits only, CVSS scoring, and remediation recommendations.
Key Prompting Patterns
1. Progressive Context Chain: Each agent reads deliverables from ALL prior phases. Intelligence accumulates — the exploitation agent knows the architecture (pre-recon), attack surface (recon), and specific vulnerabilities (analysis) before attempting exploitation.
2. Backward Taint Analysis: Start at dangerous sinks, trace backward to sources. Early-terminate when proper sanitization found. More efficient than forward analysis for web app contexts.
3. Slot-Type Taxonomy: Each injection point has a specific "slot type" (SQL-val, SQL-ident, CMD-argument, PATH-segment, TEMPLATE-string, DESERIALIZE) with known required defenses. A mismatch between slot type and defense = vulnerability.
4. Todo-Driven Completeness: Every endpoint/input vector gets a todo item. Analysis is INCOMPLETE if any todos remain. Prevents early termination.
5. Scope Enforcement: Every prompt has explicit in-scope/out-of-scope definitions. External attacker perspective only. Network-reachable targets only.
6. Classification Rigor:
EXPLOITED = proven with evidence (Level 3-4)
POTENTIAL = blocked by external factors (WAF, rate limit), not by code-level security
FALSE POSITIVE = security controls verified to work after bypass exhaustion
Shannon's Results
Demonstrated against real vulnerable applications:
OWASP Juice Shop: 20+ critical flaws, full database exfiltration, admin access
Overlap with #382: Shannon's pre-recon (LLM-based code analysis) overlaps conceptually with #382's source scanning, but the methodology is different — Shannon reads code to understand architecture for exploitation, while #382 scans code for vulnerability patterns. Shannon's transferable patterns (backward taint, slot-type taxonomy, proof system, bypass exhaustion) have been proposed as enhancements to #382.
No overlap with #383 or #384. Binary analysis and forensics are completely separate domains.
Current State in Hermes Agent
What we have:
terminal tool — can run nmap, whatweb, curl, subfinder if installed
Browser tool (if available) or Playwright MCP — can automate web interaction
web_extract — can fetch and parse web pages
delegate_task — can spawn parallel sub-agents (maps to Shannon's 5 parallel vuln agents)
execute_code — can run Python scripts for payload generation, response parsing
No network reconnaissance skill (nmap, subfinder, whatweb)
No browser-automated security testing
No pentest reporting framework
No proof-based vulnerability verification
Implementation Plan
Skill vs. Tool Classification
This should be a skill because:
All security tools (nmap, whatweb, subfinder, curl) are CLIs callable via terminal
Browser interaction uses existing Hermes tools (browser tool, MCP, or Playwright via terminal)
The pentesting methodology is LLM reasoning guided by skill instructions
Parallel vulnerability agents use existing delegate_task
No custom Python integration needed in the agent harness
No API key management for the harness (user provides target URL, the agent attacks it)
Bundled vs. Skills Hub: Recommend Skills Hub. Penetration testing is specialized (security professionals, developers auditing their own apps in sandboxed environments) and requires multiple external tools. Additionally, active exploitation requires clear safety guardrails and ethical use guidance.
Category:security (completing the cybersecurity skill suite alongside #382, #383, #384)
Safety Guardrails (CRITICAL)
Unlike #382-384 which analyze offline artifacts, this skill actively attacks running applications. Mandatory safeguards:
Explicit scope confirmation — Agent must confirm target URL and get user approval before any active testing
Sandboxed environments only — Skill instructions must emphasize: ONLY test applications you own/control in isolated environments (Docker, VMs, dedicated test instances)
No production systems — Explicit prohibition against testing production systems without written authorization
Dangerous command approval — Hermes' existing approval.py system will catch destructive commands, but the skill should add pentest-specific warnings
Ethical use header — Every pentest report should include authorization confirmation
Rate limiting — Built-in delays between requests to avoid overwhelming targets
Cost — If using powerful LLMs for multi-agent pentesting, token costs can be significant
Scope creep — Pentesting is a vast field; must stay focused on web applications
LLM reliability — Exploitation requires precise payloads; LLM-generated payloads may need iteration
Not a replacement for professionals — The skill should be clear that it complements, not replaces, professional pentesting
Network/infrastructure pentesting not included — Deliberately scoped to web apps only
Open Questions
Should Phase 1 require explicit user confirmation before EVERY test request (safest), or just before the first scan (more practical)?
How should the skill handle authentication? Shannon requires pre-configured credentials. Should we support automated login flows or require the user to provide session tokens?
Should we support source-code-aware testing (white-box, like Shannon) or black-box only? White-box is more powerful but requires code access.
Should the skill integrate with the browser tool (if available) or require Playwright MCP setup? The browser tool is simpler but less capable.
How should we handle the parallel vulnerability agents' cost? Should there be a "quick scan" mode that runs sequentially with a smaller model?
Overview
Shannon is an autonomous AI penetration testing agent by Keygraph that achieved 96.15% on the XBOW benchmark. Its defining philosophy is "No Exploit, No Report" — it only reports vulnerabilities it can actually exploit and reproduce against a running application, eliminating false positives entirely. It uses a 13-agent, 5-phase pipeline (pre-recon → recon → vulnerability analysis → exploitation → reporting) orchestrated via Temporal.io, with Claude Code as the AI engine and Playwright for browser automation.
The existing RAPTOR-inspired cybersecurity issues (#382 Code Security Audit, #383 Binary Security Analysis, #384 OSS Security Forensics) cover offline analysis — scanning source code, analyzing binaries, and investigating supply chain attacks. None of them address the critical capability of testing a running web application for exploitable vulnerabilities. Shannon fills this gap with active reconnaissance, live exploitation, and proof-based reporting.
This issue proposes a Web Application Penetration Testing skill that adapts Shannon's methodology and pipeline into Hermes Agent, using existing tools (terminal for nmap/whatweb/curl, Hermes browser tool or Playwright MCP for web interaction, delegate_task for parallel vulnerability agents) to perform structured penetration testing against web applications in sandboxed environments.
Research Findings
How Shannon's Pentesting Pipeline Works
Phase 1: Pre-Recon (Source Code Analysis)
A single agent with source code access maps the application architecture:
code_analysis_deliverable.mdconsumed by all downstream agentsPhase 2: Recon (Attack Surface Mapping)
A single agent interacts with the live application:
recon_deliverable.mdPhase 3: Vulnerability Analysis (5 parallel agents)
Each agent specializes in one vulnerability class:
Each agent produces an
exploitation_queue.json— a structured list of findings with: ID, vulnerability type, source location, path, sink, sanitization status, verdict, witness payload, and confidence level.Phase 4: Exploitation (5 parallel agents, conditional)
Only runs for vulnerability classes where the analysis phase found actionable findings:
exploitation_evidence.mdwith full PoC payloads and reproduction stepsPhase 5: Reporting (1 agent)
Assembles all evidence into a comprehensive security assessment with executive summary, proven exploits only, CVSS scoring, and remediation recommendations.
Key Prompting Patterns
1. Progressive Context Chain: Each agent reads deliverables from ALL prior phases. Intelligence accumulates — the exploitation agent knows the architecture (pre-recon), attack surface (recon), and specific vulnerabilities (analysis) before attempting exploitation.
2. Backward Taint Analysis: Start at dangerous sinks, trace backward to sources. Early-terminate when proper sanitization found. More efficient than forward analysis for web app contexts.
3. Slot-Type Taxonomy: Each injection point has a specific "slot type" (SQL-val, SQL-ident, CMD-argument, PATH-segment, TEMPLATE-string, DESERIALIZE) with known required defenses. A mismatch between slot type and defense = vulnerability.
4. Todo-Driven Completeness: Every endpoint/input vector gets a todo item. Analysis is INCOMPLETE if any todos remain. Prevents early termination.
5. Scope Enforcement: Every prompt has explicit in-scope/out-of-scope definitions. External attacker perspective only. Network-reachable targets only.
6. Classification Rigor:
Shannon's Results
Demonstrated against real vulnerable applications:
Comparison with Existing Issues
Overlap with #382: Shannon's pre-recon (LLM-based code analysis) overlaps conceptually with #382's source scanning, but the methodology is different — Shannon reads code to understand architecture for exploitation, while #382 scans code for vulnerability patterns. Shannon's transferable patterns (backward taint, slot-type taxonomy, proof system, bypass exhaustion) have been proposed as enhancements to #382.
No overlap with #383 or #384. Binary analysis and forensics are completely separate domains.
Current State in Hermes Agent
What we have:
terminaltool — can run nmap, whatweb, curl, subfinder if installedweb_extract— can fetch and parse web pagesdelegate_task— can spawn parallel sub-agents (maps to Shannon's 5 parallel vuln agents)execute_code— can run Python scripts for payload generation, response parsingWhat we don't have:
Implementation Plan
Skill vs. Tool Classification
This should be a skill because:
terminaldelegate_taskBundled vs. Skills Hub: Recommend Skills Hub. Penetration testing is specialized (security professionals, developers auditing their own apps in sandboxed environments) and requires multiple external tools. Additionally, active exploitation requires clear safety guardrails and ethical use guidance.
Category:
security(completing the cybersecurity skill suite alongside #382, #383, #384)Safety Guardrails (CRITICAL)
Unlike #382-384 which analyze offline artifacts, this skill actively attacks running applications. Mandatory safeguards:
approval.pysystem will catch destructive commands, but the skill should add pentest-specific warningsWhat We'd Need
Phased Rollout
Phase 1: Reconnaissance + Manual-Guided Testing
Phase 2: Semi-Autonomous Vulnerability Analysis
delegate_task:Phase 3: Full Autonomous Pipeline
Pros & Cons
Pros
Cons / Risks
Open Questions
References