- platform
- commercial
Keygraph
Overview
Keygraph is KeygraphHQ's commercial application security platform built on Shannon. It combines Code Property Graph static analysis, continuous pentest workers, finding deduplication, and automated remediation pull requests with re-test verification.
Deployment options include SaaS and self-hosted/air-gapped for regulated environments. Findings tie to source locations and validated exploit traces rather than scanner-only pattern matches.
It is suited for teams that want Shannon-style validation at org scale, with ticketing integrations and fix workflows. It is not a replacement for manual red team engagements on non-web attack surfaces.
Primary use cases
- Continuous AppSec on monorepos with high PR velocity
- Prioritized fix queues with PoC-backed severity
- Air-gapped enterprise code scanning + pentest
Related tools
- Shannon — White-box web pentester from Keygraph. Reads source repos, maps attack surfaces, runs browser and CLI exploits in Docker workers. Reports only validated PoCs. AGPL CLI; targets Injection, XSS, SSRF, auth, and authorization flaws.
- Burp Suite — HTTP/S intercepting proxy. Repeater, Intruder, scanner, and extension API for web app testing.