Exercise 06: Pentesting with an Agent — The Agentic Crew Hands-On Guide

Overview

Your app is live. It's on a server, behind HTTPS, with a domain name and a systemd service. It works. But does it hold up? Every application on the internet gets probed. Bots scan for open ports within minutes of a server going live.

You're going to attack your own application before anyone else does — using an AI agent as your pentester. A real, autonomous security scan that probes your application for vulnerabilities, attempts to exploit them, and produces a professional report with findings, severity scores, and remediation guidance.

Shannon actively executes attacks against its target. It sends real payloads. It attempts real exploits. You must only run it against applications you own or have explicit written permission to test. Running it against someone else's system is illegal in most jurisdictions.
— from the exercise

What you'll build

By the end of this exercise

✓ OWASP Juice Shop running as a practice target (Docker)

✓ Shannon AI pentesting platform configured and operational

✓ A full 5-phase autonomous security scan completed

✓ A professional-grade security report with CVSS severity scores

✓ Understanding of SQL injection, XSS, and authentication bypass attacks

✓ Optional: continuous monitoring with Sentinel dashboard

Key concepts

Terms you'll learn

Term What it means

SQL injection Attacker sends database commands through input fields to extract or modify data

XSS Cross-site scripting — injecting JavaScript that runs in other users' browsers

Authentication bypass Exploiting flaws to log in without valid credentials

CVSS score Common Vulnerability Scoring System — rates severity from 0 (none) to 10 (critical)

IDOR Insecure Direct Object Reference — accessing another user's data by changing an ID

False positive A reported vulnerability that doesn't actually exist — always verify findings

Temporal A workflow engine that tracks long-running jobs and retries failed steps automatically

What's covered

Sections in this exercise

01 What You'll Build

02 What You'll Need

03 Why Pentest Your Own App?

04 Set Up a Practice Target

05 Clone and Configure Shannon

06 Start the Infrastructure

07 Run Your First Scan

08 Read the Report

09 Understanding the Findings

10 The Exploitation Feedback Loop

11 Scan Your Own App

12 Continuous Monitoring with Sentinel

13 The Dashboard

What just happened

You flipped the script — attacking your own application before anyone else could. Five AI agents worked in parallel across injection, XSS, authentication, authorisation, and SSRF, producing a professional security report. You now understand the attack surface of every web app you build.