<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Bhavishya Aggarwal</title>
    <description>The latest articles on DEV Community by Bhavishya Aggarwal (@bhavishya_aggarwal_2651e7).</description>
    <link>https://dev.to/bhavishya_aggarwal_2651e7</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1621640%2F801a1331-3034-4c99-a473-dde7718ad1b6.jpeg</url>
      <title>DEV Community: Bhavishya Aggarwal</title>
      <link>https://dev.to/bhavishya_aggarwal_2651e7</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/bhavishya_aggarwal_2651e7"/>
    <language>en</language>
    <item>
      <title>I Let An AI Pentester: Shannon, On My Vulnerable Go App — Here’s What Happened</title>
      <dc:creator>Bhavishya Aggarwal</dc:creator>
      <pubDate>Sat, 27 Dec 2025 05:27:27 +0000</pubDate>
      <link>https://dev.to/bhavishya_aggarwal_2651e7/i-let-an-ai-pentester-shannon-on-my-vulnerable-go-app-heres-what-happened-1p09</link>
      <guid>https://dev.to/bhavishya_aggarwal_2651e7/i-let-an-ai-pentester-shannon-on-my-vulnerable-go-app-heres-what-happened-1p09</guid>
      <description>&lt;h3&gt;
  
  
  I Let An AI Pentester: Shannon, On My Vulnerable Go App — Here’s What Happened
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;Monday, 9 AM.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;I’m shipping code. My team is shipping code. Claude Code makes it stupidly easy — we’re deploying new features multiple times a day. Security? That’s happening once a year with an external pentester who charges $10K and takes three weeks.&lt;/p&gt;

&lt;p&gt;Then I get an email: &lt;em&gt;“Hey, want to test&lt;/em&gt; &lt;a href="https://github.com/KeygraphHQ/shannon" rel="noopener noreferrer"&gt;&lt;em&gt;Shannon&lt;/em&gt;&lt;/a&gt;&lt;em&gt;? It’s an AI pentester that finds actual exploits, not just alerts.”&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;I’ve seen a lot of security tools. Most of them are noise machines. Flags thousands of issues, 90% false positives, zero actionable insight.&lt;/p&gt;

&lt;p&gt;But I’m curious. And I have a purposefully broken Go app sitting around (Vulnerability-goapp — basically OWASP Top 10: The App). Perfect test subject.&lt;/p&gt;

&lt;p&gt;So I thought: &lt;em&gt;Why not actually try this?&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;I set up &lt;a href="https://github.com/KeygraphHQ/shannon" rel="noopener noreferrer"&gt;Shannon&lt;/a&gt; on Thursday night. Gave it one job: break my vulnerable app. I wasn’t expecting much. Grabbed coffee and walked away.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;90 minutes later, I came back to find complete account takeovers, SQL injection bypasses, XSS vectors stealing session cookies, and authorization flaws that let attackers modify any user’s profile.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Not theories. Not “potential issues.” Actual exploits. Copy-and-paste proof-of-concepts, showing exactly how to break the app.&lt;/p&gt;

&lt;p&gt;That’s when I realized something: &lt;strong&gt;This isn’t just another security scanner.&lt;/strong&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  The Problem: Why I Even Looked For This
&lt;/h3&gt;

&lt;p&gt;Here’s the reality of modern software development: We’ve optimized the hell out of shipping code. CI/CD pipelines are tight. GitHub Copilot and Claude Code make it trivial to pump out features. Some teams deploy multiple times a day.&lt;/p&gt;

&lt;p&gt;But security testing? It’s stuck in 2010.&lt;/p&gt;

&lt;p&gt;Once a year, maybe twice. You call a pentesting firm, they come in for a week, charge you thousands, find issues three months later, and by then you’ve shipped 10 different versions of the vulnerable code.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;364 days of no security testing.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;That gap is real. And it’s dangerous.&lt;/p&gt;

&lt;p&gt;Traditional pentesting doesn’t scale with continuous deployment. It’s async. It’s expensive. It’s slow. And by the time you get the report, the vulnerabilities have already landed in production (maybe).&lt;/p&gt;

&lt;p&gt;I started looking for something that could give me on-demand security testing. Something that doesn’t require a retainer or a waiting list. Something that actually works with the way modern teams build.&lt;/p&gt;

&lt;p&gt;That’s when I found &lt;a href="https://github.com/KeygraphHQ/shannon" rel="noopener noreferrer"&gt;Shannon&lt;/a&gt;.&lt;/p&gt;

&lt;h3&gt;
  
  
  What I Did: Setting Up Shannon
&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://github.com/KeygraphHQ/shannon" rel="noopener noreferrer"&gt;Shannon&lt;/a&gt; is built by Keygraph HQ and positioned as an “autonomous AI pentester.” It’s open-source (AGPL-3.0), free to use, and runs in Docker.&lt;/p&gt;

&lt;p&gt;The setup was straightforward:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 1: Clone and Build&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;git clone https://github.com/KeygraphHQ/shannon.git
cd shannon
docker build -t shannon:latest .
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Took about 15 minutes on my machine. Nothing fancy.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Step 2: Prepare Your App&lt;/strong&gt;&lt;br&gt;&lt;br&gt;
I had a vulnerable Go app already running locally on port 9090. &lt;a href="https://github.com/KeygraphHQ/shannon" rel="noopener noreferrer"&gt;Shannon&lt;/a&gt; needs:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Your application running and accessible&lt;/li&gt;
&lt;li&gt;Your source code available for analysis&lt;/li&gt;
&lt;li&gt;An API token from Anthropic (Claude’s API)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Step 3: Run The Pentest&lt;/strong&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;export CLAUDE_CODE_OAUTH_TOKEN="your_token_here"

docker run --rm -it \
 --network host \
 --cap-add=NET_RAW \
 --cap-add=NET_ADMIN \
 -e CLAUDE_CODE_OAUTH_TOKEN="$CLAUDE_CODE_OAUTH_TOKEN" \
 -e CLAUDE_CODE_MAX_OUTPUT_TOKENS=64000 \
 -v "$(pwd)/repos:/app/repos" \
 -v "$(pwd)/configs:/app/configs" \
 shannon:latest \
 "http://localhost:9090" \
 "/app/repos/Vulnerability-goapp"
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Hit enter and wait for all the agents to run their tests against your code.&lt;/p&gt;

&lt;h3&gt;
  
  
  The Target App: Vulnerability-goapp
&lt;/h3&gt;

&lt;p&gt;Let me be clear about what I was testing. This isn’t some random project. &lt;a href="https://github.com/Hardw01f/Vulnerability-goapp" rel="noopener noreferrer"&gt;Vulnerability-goapp&lt;/a&gt; is a Go-based web application intentionally built with OWASP Top 10 vulnerabilities. It includes:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;User authentication and profiles&lt;/li&gt;
&lt;li&gt;Posts and timeline features&lt;/li&gt;
&lt;li&gt;File uploads&lt;/li&gt;
&lt;li&gt;Admin panel&lt;/li&gt;
&lt;li&gt;Search functionality&lt;/li&gt;
&lt;li&gt;Database interactions&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It’s written in Go, uses MySQL for storage, and serves HTML pages with session-based authentication.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The goal:&lt;/strong&gt; See if &lt;a href="https://github.com/KeygraphHQ/shannon" rel="noopener noreferrer"&gt;Shannon&lt;/a&gt; could find exploitable vulnerabilities in real code.&lt;/p&gt;

&lt;h3&gt;
  
  
  What Shannon Found: The Real Story
&lt;/h3&gt;

&lt;p&gt;Here’s what came back in the 90-minute report:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbjsig50bo4nokv7adkfk.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbjsig50bo4nokv7adkfk.png" width="800" height="642"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Authentication Vulnerabilities:&lt;/strong&gt; &lt;a href="https://github.com/KeygraphHQ/shannon" rel="noopener noreferrer"&gt;Shannon&lt;/a&gt; discovered that session IDs are generated by base64-encoding email addresses. Meaning, if you know someone’s email, you can forge their session cookie without any password — complete account takeover. Sessions never expire. Session cookies lack security flags (no HttpOnly, Secure, or SameSite). The default admin credentials (&lt;a href="mailto:admin@admin.com"&gt;admin@admin.com&lt;/a&gt;/Qwerty1234) are hardcoded. Login endpoints have zero rate limiting (30,000+ attempts per hour possible). Everything runs over HTTP, so credentials are transmitted in plaintext.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Authorization Failures:&lt;/strong&gt; The app trusts a client-controlled UserID cookie for all access decisions. No ownership validation. An attacker can change any user’s password, modify their profile, view their private data, upload files to their account, and read their posts. All by manipulating a cookie. Seven different authorization flaws, all exploitable.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Cross-Site Scripting (XSS):&lt;/strong&gt; &lt;a href="https://github.com/KeygraphHQ/shannon" rel="noopener noreferrer"&gt;Shannon&lt;/a&gt; found and successfully exploited all 10 XSS vulnerabilities across the app. Reflected XSS at the root endpoint that steals session cookies. Stored XSS in timeline posts affecting all users. XSS in profile fields, usernames, search results, file uploads. Root cause: the app uses Go’s text/template instead of html/template and never HTML-encodes user input. No CSP headers, no HttpOnly flags. Session hijacking via JavaScript was demonstrated: the attacker obtains the victim’s cookies and can impersonate them.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;SQL Injection:&lt;/strong&gt; Admin authentication endpoint constructs SQL queries by string concatenation. A simple SQL injection payload bypasses login and grants instant admin access. The search endpoint has the same issue — SQL injection bypasses filters and exposes all posts including “private” ones. Database root credentials are exposed in the vulnerable code.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Infrastructure Issues:&lt;/strong&gt; HTTP-only transport. MySQL database exposed to host network. No HTTPS. No security headers. MySQL 5.6 (end-of-life since 2021). Hardcoded database credentials throughout the code.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5vgavr0cbk9a4ph21ddu.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F5vgavr0cbk9a4ph21ddu.png" width="800" height="725"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;
  
  
  The Numbers
&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Total Vulnerabilities Found:&lt;/strong&gt; 40+&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Critical Severity:&lt;/strong&gt; 15+&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Successfully Exploited:&lt;/strong&gt; 100% of tested categories&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;False Positives:&lt;/strong&gt; Zero&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Time to Complete Assessment:&lt;/strong&gt; 90 minutes&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Authentication Bypass:&lt;/strong&gt; 10 seconds&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Admin Access:&lt;/strong&gt; 5 seconds&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;XSS Vectors:&lt;/strong&gt; All 10 working&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This wasn’t theoretical. &lt;a href="https://github.com/KeygraphHQ/shannon" rel="noopener noreferrer"&gt;Shannon&lt;/a&gt; provided actual working exploits for each vulnerability. No maybes. No “could be.” Real impact, reproducible steps, working PoCs.&lt;/p&gt;

&lt;h3&gt;
  
  
  My Honest Take: What Impressed Me
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;What I Loved:&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/KeygraphHQ/shannon" rel="noopener noreferrer"&gt;Shannon&lt;/a&gt; actually works. I didn’t expect this many vulnerabilities found, and the quality was professional-grade. Every finding came with reproducible exploit code — no fluff, no false positives. The speed is insane: 90 minutes for a complete assessment, versus 3–4 weeks for traditional pentesting. It’s code-aware (analyzes source AND runs dynamic tests, not just black-box scanning). And the setup is easy — Docker, one command, it runs.&lt;/p&gt;

&lt;h3&gt;
  
  
  Who Should Actually Use This?
&lt;/h3&gt;

&lt;p&gt;&lt;strong&gt;DevOps Engineers:&lt;/strong&gt; Automate security testing in your pipeline. Catch vulnerabilities before production. Generate compliance reports (SOC 2, HIPAA-ready). Reduce manual pentesting overhead.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Backend Developers:&lt;/strong&gt; Test your Go, Python, Node, Java apps. Understand security from the developer’s perspective. Real PoCs you can actually fix. Fast feedback loop (90 minutes vs 3 weeks).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Security Teams:&lt;/strong&gt; Support multiple teams without hiring more pentesters. Consistent, comparable assessments across projects. Evidence collection for compliance. Efficient use of limited security resources.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Startups:&lt;/strong&gt; Can’t afford $10K pentests. Need continuous security testing. Deploy frequently, need to validate each deployment. &lt;a href="https://github.com/KeygraphHQ/shannon" rel="noopener noreferrer"&gt;Shannon&lt;/a&gt; Lite is free and open-source.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Anyone shipping code frequently&lt;/strong&gt; who realizes their once-a-year pentest schedule doesn’t match their deployment frequency.&lt;/p&gt;

&lt;h3&gt;
  
  
  Final Thoughts
&lt;/h3&gt;

&lt;p&gt;I went into this skeptical. “Another security scanner, probably overhyped,” I thought.&lt;/p&gt;

&lt;p&gt;I came out genuinely impressed.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://github.com/KeygraphHQ/shannon" rel="noopener noreferrer"&gt;Shannon&lt;/a&gt; solves a real problem: &lt;strong&gt;the gap between continuous deployment and continuous security testing.&lt;/strong&gt; You can’t wait a year between pentests if you’re shipping daily. &lt;a href="https://github.com/KeygraphHQ/shannon" rel="noopener noreferrer"&gt;Shannon&lt;/a&gt; gives you on-demand, autonomous penetration testing that actually works.&lt;/p&gt;

&lt;p&gt;Is it perfect? No. But does it work? Absolutely.&lt;/p&gt;

&lt;p&gt;For developers and DevOps engineers tired of the “we’ll do security later” cycle, or businesses that can’t afford traditional pentesting, &lt;a href="https://github.com/KeygraphHQ/shannon" rel="noopener noreferrer"&gt;Shannon&lt;/a&gt; is worth a serious look. “Test your code. Break it yourself before someone else does.”&lt;/p&gt;

</description>
      <category>security</category>
      <category>anthropicclaude</category>
      <category>cybersecurity</category>
      <category>softwaredevelopment</category>
    </item>
    <item>
      <title>Why Learning to Code Doesn’t Have to Take Years (And How to Start Today)</title>
      <dc:creator>Bhavishya Aggarwal</dc:creator>
      <pubDate>Sat, 01 Mar 2025 16:48:05 +0000</pubDate>
      <link>https://dev.to/bhavishya_aggarwal_2651e7/why-learning-to-code-doesnt-have-to-take-years-and-how-to-start-today-4fb6</link>
      <guid>https://dev.to/bhavishya_aggarwal_2651e7/why-learning-to-code-doesnt-have-to-take-years-and-how-to-start-today-4fb6</guid>
      <description>&lt;p&gt;If you’ve ever dreamed of building apps, landing a tech job, or simply understanding how the digital world works, you’ve probably considered learning to code. But here’s the catch—most people assume it takes years of grinding through dense textbooks or expensive degrees to get there. What if I told you that you could master coding basics in just weeks, not months or years?&lt;br&gt;
In 2025, the demand for coding skills is sky-high, and the tools to learn them have evolved. Whether you’re a complete beginner or someone looking to level up fast, there’s a smarter way to dive in. Let’s explore why coding doesn’t have to be a long slog—and how you can get started today.&lt;br&gt;
The Myth of “Years to Learn Coding”&lt;br&gt;
Traditional paths like computer science degrees or lengthy boot camps can take years and cost a fortune. But coding isn’t about memorizing every line of syntax—it’s about problem-solving and building things. The truth? You can learn enough to create your first project or impress an employer in a fraction of that time if you focus on the right skills and resources.&lt;br&gt;
Why Speed Matters in 2025&lt;br&gt;
Tech moves fast. Companies need people who can adapt quickly, and individuals want skills they can use now—not five years down the road. Whether it’s for a side hustle, a career switch, or personal growth, learning to code efficiently gives you an edge. Imagine going from zero to coding your own website or app in just a few weeks. That’s not a pipe dream—it’s possible with the right approach.&lt;br&gt;
How to Learn Coding Fast&lt;br&gt;
Here’s a simple roadmap to get you started:&lt;br&gt;&lt;br&gt;
Pick One Language: Start with something beginner-friendly like Python (great for data, AI, and web) or JavaScript (perfect for websites and apps).  &lt;/p&gt;

&lt;p&gt;Focus on Projects: Skip the endless theory. Build something small—like a calculator or a to-do list app—to see how code works in action.  &lt;/p&gt;

&lt;p&gt;Use the Right Tools: Platforms like &lt;a href="https://codefa.st/?via=com" rel="noopener noreferrer"&gt;Codefast&lt;/a&gt; cut through the noise, offering streamlined lessons that get you coding from day one—no fluff, just results.&lt;/p&gt;

&lt;p&gt;If you’re serious about learning to code fast, I’ve found a gem worth checking out: &lt;a href="https://codefa.st/?via=com" rel="noopener noreferrer"&gt;Codefast&lt;/a&gt;. Unlike traditional courses that drag on forever, Codefast is designed to teach you practical coding skills in weeks, not months. It’s perfect for beginners who want clear, actionable lessons without the overwhelm—or for anyone tired of slow progress.&lt;/p&gt;

&lt;p&gt;What I love about it is the focus on real-world results. You’re not just watching videos; you’re building skills you can use immediately. Plus, it’s affordable and cuts out the unnecessary jargon that bogs down most programs. Curious? Try &lt;a href="https://codefa.st/?via=com" rel="noopener noreferrer"&gt;Codefast&lt;/a&gt; here and see how fast you can go from zero to coder.&lt;/p&gt;

&lt;h3&gt;My First Coding Win&lt;/h3&gt;

&lt;p&gt;Here’s a quick story: A friend of mine started with no coding experience, used a program like Codefast, and built a simple portfolio site in just three weeks. She’s now freelancing on the side. That’s the power of skipping the fluff and focusing on what matters. You don’t need years—you need the right system.&lt;/p&gt;

&lt;h3&gt;Start Today, Not Tomorrow&lt;/h3&gt;

&lt;p&gt;The best time to learn coding was yesterday. The next best time? Right now. Grab a coffee, pick a language, and dive in. If you want a guided path that won’t waste your time, I’d recommend starting with Codefast. It’s the kind of resource I wish I’d had when I first explored tech.&lt;/p&gt;

&lt;h3&gt;Free Resources to Kickstart Your Journey&lt;/h3&gt;

&lt;p&gt;If you’re on a budget, here are some free resources to learn programming—just stay consistent and don’t get distracted:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;Roadmap.sh&lt;/strong&gt; (Website) – A structured guide for learners.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;freeCodeCamp&lt;/strong&gt; (YouTube Channel) – Free tutorials for all levels.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Build Your Own X&lt;/strong&gt; (GitHub Repository) – Hands-on projects to practice.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Web Dev Simplified&lt;/strong&gt; (YouTube Channel) – Full-stack learning through project-building, including deployment.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;These are fantastic starting points (though they might take 5–6 months if you’re consistent). But if you want to fast-track your journey and learn in weeks, not months, check out &lt;a href="https://codefa.st/?via=com" rel="noopener noreferrer"&gt;Codefast&lt;/a&gt;. It’s a game-changer for anyone serious about coding.&lt;/p&gt;

&lt;h3&gt;What’s Your First Project?&lt;/h3&gt;

&lt;p&gt;So, what’s it going to be? A game? A website? Whatever you choose, you’re closer than you think. Take the leap today—your future self will thank you.&lt;/p&gt;

</description>
    </item>
  </channel>
</rss>
