Neo is a system of specialized agents coordinated by a central orchestrator that understands your request, determines which capabilities are needed, and delegates work to the right specialist. When you ask Neo to test a web application, it does not try to handle reconnaissance, scanning, browser-based exploitation, and reporting all within one monolithic reasoning loop. Instead, it breaks the work across purpose-built agents, each with their own tools, domain expertise, and execution boundaries.

The orchestrator is the agent you interact with directly. It receives your message, evaluates what needs to happen, and triggers one or more subagents to carry out the work. When a subagent finishes, it hands control back to the orchestrator with a structured result: what it accomplished, what files it produced, and optionally a recommendation for which agent should handle the next step. The orchestrator then decides whether to present the results, trigger another subagent, or continue the task itself.

Neo ships with over 20 built-in subagents, each designed for a specific class of security work.

| Agent | What it does |
| --- | --- |
| Sandbox | Primary execution specialist. Full access to the sandbox with the complete security toolchain. Runs commands, writes scripts, executes scans, and produces files. Most hands-on testing flows through this agent. |
| Browser | Real browser interaction for DOM-based XSS, CSRF, UI logic abuse, screenshots, and Playwright PoCs. Two modes: cloud browser with stealth and CAPTCHA solving for public targets, or local sandbox browser for internal and VPN-only targets. |
| Recon | Passive intelligence gathering. DNS enumeration, subdomain discovery, domain association mapping, leaked credential lookups, and certificate transparency searches via ProjectDiscovery cloud APIs. |
| Red team operator | Authorized adversary simulation and internal penetration testing. Scope-aware, designed for assumed-breach workflows, network enumeration, credential attacks with lockout guardrails, and controlled exploitation. |
| API security | API discovery and testing using OpenAPI specifications. Ingests API specs, enumerates endpoints, and tests for authentication bypasses, injection flaws, and business logic issues. |
| Android security | Mobile application testing on Genymotion cloud devices. Adaptive methodology: static analysis, dynamic instrumentation, network interception, and runtime exploitation. |
| iOS security | iOS penetration testing on cloud-streamed devices and jailbroken physical hardware. Deep runtime inspection with Frida for both standard and advanced assessments. |
| CVE intelligence | Vulnerability research. Pulls CVE details, analyzes exploitability, and correlates findings against known vulnerability databases. |
| Research | Live web search for security advisories, exploit disclosures, and technical documentation. Complements CVE intelligence with real-time open-source intelligence. |
| XSS | Dedicated cross-site scripting specialist. Context analysis to identify where and how input is reflected in responses, then crafts context-appropriate payloads. |
| Verifier | Independent vulnerability reproduction. Receives a claimed finding and proves or disproves it through its own testing. Returns a structured verdict: confirmed, false positive, or needs retry. |
| Ghidra | Binary reverse engineering. Decompiles functions, finds buffer overflows, searches for dangerous API calls, and documents binary internals. |
| Vulnerability triage | Reviews and validates findings from any source, including HackerOne reports. Assesses severity based on real-world impact and exploitability. |
| Explore | Deep target analysis and codebase exploration. Used when the task requires understanding the target’s architecture before active testing begins. |
| Deploy | Container orchestration for spinning up target applications, test environments, or vulnerable lab setups inside Kata VM-isolated containers. |
| GitHub review | Automated PR security reviews with a full scanner pipeline. Analyzes code changes for vulnerabilities and posts findings as review comments. |
| Linear | Issue tracking integration. Creates, updates, and manages Linear issues from within Neo tasks. |
| Slack | Handles all interactions originating from Slack channels, DMs, or assistant panels. Owns result posting back to Slack. |
| Subagent manager | Creates, edits, and manages your custom subagents. Handles tool configuration, system instructions, and lifecycle management. |
| Connector | Manages third-party integrations. Connects and disconnects services like GitHub, Jira, Linear, and Slack. |
| Validation | Runtime validation of security findings against live target URLs. Tests endpoints for auth bypass, IDOR, SSRF, XSS, and path traversal after code reviews. |

All of these agents share the same memory and sandbox. When the recon agent discovers subdomains and the orchestrator hands off to the sandbox agent for scanning, the sandbox agent can see the recon results in working memory and access any files the recon agent produced. Tracked files, insights, facts, and todos persist across agent transitions within the same task. This is what makes multi-agent coordination feel seamless rather than fragmented.

Each subagent also has access to skills, which are domain-specific knowledge guides loaded on demand. There are 25 built-in skills covering areas like Nuclei template writing, red team tactics, variant analysis, SQLMap usage, Semgrep rules, mobile security methodologies, HackerOne triage workflows, VPN configuration, and more. When an agent activates a skill, it loads the full reference guide into its context so it can follow established best practices for that specific domain.

Beyond the built-in agents, you can create your own custom subagents. These are stored in your account and dynamically loaded whenever the orchestrator evaluates a task. You define the agent’s purpose, system instructions, which tools it has access to, and when it should be triggered. Custom subagents are useful for encoding your team’s specific testing methodologies, internal tooling workflows, or target-specific procedures that the built-in agents do not cover. Once created, they appear alongside the built-in agents and the orchestrator can route to them automatically. You can also share custom subagents with your team, so a methodology one person builds becomes available to everyone across the organization.

The orchestrator does not blindly trust subagent output. Neo includes a verification phase where findings can be independently validated. After a subagent reports a vulnerability, the orchestrator can trigger the verifier agent to reproduce the issue through its own testing, ensuring that what gets reported is confirmed rather than assumed. This reduces false positives and gives you higher confidence in the results before they reach your issue tracker or reports.

The practical effect of this architecture is that Neo can run complex, multi-phase security assessments autonomously. A single task might flow through recon for target mapping, the sandbox agent for active scanning, the browser agent for client-side testing, the API security agent for endpoint analysis, the verifier for confirmation, and back to the orchestrator for report generation. Each phase uses the right specialist with the right tools, and the orchestrator keeps the overall engagement coherent from start to finish.