Every task you run in Neo executes inside its own sandbox, a fully isolated container that gives the agent a complete Linux environment to work in. This is not a restricted shell or a limited API wrapper. It is a real machine with root access, persistent storage, networking, and a pre-loaded security toolchain. The agent can run commands, write scripts, install packages, manage files, and execute multi-step operations exactly as you would on your own workstation.

Isolation

Each sandbox runs inside a Kata Container, a lightweight microVM that provides hardware-level separation using VT-x/AMD-V virtualization. This is not just process isolation or namespace separation. Every sandbox gets its own dedicated kernel, fully independent from every other task in the system. When you test a web application for injection flaws, that work happens in a completely independent environment from a teammate running an internal network assessment on a different target. There is no cross-contamination between tasks, no shared state that could leak between users, and no risk of one test interfering with another. This is what makes it safe to run offensive security tools at scale without worrying about side effects.

Toolchain

The sandbox comes pre-loaded with the tools security teams actually use. The full ProjectDiscovery suite is built in: Nuclei for template-based scanning, Subfinder and DNSx for DNS enumeration, Httpx for HTTP probing, Naabu for port scanning, Katana for crawling, and the rest of the toolkit. Beyond that, the sandbox includes a full red team stack: Impacket for Windows protocol attacks (secretsdump, wmiexec, psexec, smbexec, ntlmrelayx), BloodHound for Active Directory path analysis, NetExec for network service exploitation, Responder for poisoning and relay attacks, Evil-WinRM for remote shell access, Hydra and John for credential testing, Kerbrute for Kerberos enumeration, and Chisel for tunneling. Web application testing tools like SQLMap, Semgrep, ffuf, Gitleaks, and TruffleHog are also pre-installed.

The environment goes beyond security-specific tools. Every sandbox includes Python, Go, and Node.js runtimes so the agent can write and execute custom scripts on the fly. Docker runs inside the container, which means the agent can pull and run additional containers when a task requires it. Cloud CLIs for AWS, Azure, GCP, and GitHub are ready to use for cloud security assessments. And a full set of VPN clients (WireGuard, OpenVPN, Tailscale, Twingate, Cloudflare WARP, NetBird, OpenConnect) means the agent can connect to your internal network to test assets that are not publicly reachable.

Sandboxes are different from SSH connections. A sandbox is Neo’s isolated workspace; an SSH connection is a remote host you provide. When Neo uses SSH, commands run on that remote host, not inside the sandbox.

You do not need to configure any of this. When you start a task, the sandbox is already provisioned with everything the agent needs. If the agent decides mid-task that it needs a tool that is not pre-installed, it has root access and can install it.

You can also bring your own tools and scripts. If you have custom scanners, internal exploit frameworks, proprietary wordlists, or automation scripts your team relies on, you can install them into your sandbox and they persist. The next time you start a task, everything you installed is already there, ready to execute alongside the built-in toolchain. The agent treats your custom tools the same way it treats the pre-loaded ones. It can discover them, invoke them, and chain their output into its workflow. Over time, your sandbox becomes a personalized security workstation that reflects exactly how your team operates.

Scoping

Sandboxes are designed to support the way security teams operate across an organization. A sandbox can be scoped to you personally, to a project, or to your team. Personal sandboxes give you a persistent workspace that carries your files and outputs across sessions. Project-scoped sandboxes are shared across everyone working on the same engagement, so findings, scripts, and reports from one team member are available to others. Team-scoped sandboxes extend this to the entire team.

For tasks that require complete isolation (one-off tests, sensitive targets, or anything you do not want to persist), Neo provisions ephemeral sandboxes from a pre-warmed pool. These are spun up on demand, used for a single task, and destroyed when the task completes. The pool keeps warm sandboxes ready in the background, so there is minimal wait time even when you kick off multiple isolated tasks in parallel.

This is what makes it possible to scale security testing across your organization. You can run concurrent assessments against different targets, each in its own isolated environment with its own toolchain and workspace. A team of five people can have dozens of tasks running simultaneously, testing different applications, different attack surfaces, different phases of an engagement, and none of it conflicts. The agent handles the full lifecycle of each sandbox: provisioning, tool execution, file management, and cleanup.

The practical effect is that you can hand off entire testing workflows. Point Neo at a target, define the scope, and walk away. The sandbox gives the agent everything it needs to conduct reconnaissance, run scans, attempt exploitation, verify findings, and produce a report, all inside a contained environment that does not touch your local machine or interfere with anything else running in your organization.