A pentest in Neo is a full security engagement run autonomously: reconnaissance through exploitation, with every finding validated before it reaches you. Neo maps your attack surface, builds a targeted testing plan, chains techniques the way a skilled attacker would, and produces confirmed vulnerabilities with working proof-of-concept evidence. Use this when you want comprehensive coverage of an application or API: authentication, authorization, injection, business logic, SSRF, client-side issues, and more. Click Pentest from the Neo home screen to open the workflow form.

Set the scope

1. Set your target

Enter the URL or domain you want Neo to test: for example, staging.yourapp.com or api.yourapp.com. This is the only required field.
2. Upload an API schema (optional)

If your application has an OpenAPI, Swagger, or GraphQL schema, upload it here. Neo uses it to discover and enumerate every endpoint rather than relying solely on crawling, giving you significantly better API coverage.
3. Define what's out of scope (optional)

Specify anything Neo should not touch: production databases, third-party partner domains, specific endpoints, or destructive actions like DoS. For example: production databases, partner-api.com, /admin/delete.
4. Add notes and context (optional)

Tell Neo anything useful about the target: what it does, which areas handle sensitive data, known high-risk flows, or specific things you want tested. The more context you give, the more targeted the assessment. You can also attach supporting files: scope documents, architecture diagrams, or previous pentest reports. Neo reads these to inform its testing strategy.
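As an added illustration (not Neo's own code or its scope-matching logic), the following Python helper shows how the target and out-of-scope fields from the steps above can be sanity-checked against candidate URLs before a run. The scope format (comma-separated host names and path prefixes) and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Assumed scope model: targets are host names (subdomains included);
# exclusions are either host names or absolute path prefixes.

def _host_matches(host, pattern):
    """True if host equals pattern or is a subdomain of it."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)

def parse_exclusions(text):
    """Split the free-text exclusion field on commas, keeping only entries
    that look like a host or a path. Free-text notes such as
    'production databases' cannot be matched mechanically and are dropped."""
    items = []
    for raw in text.split(","):
        item = raw.strip()
        if not item:
            continue
        if item.startswith("/") or ("." in item and " " not in item):
            items.append(item)
    return items

def classify_url(url, targets, exclusions):
    """Return 'excluded', 'in-scope' or 'out-of-scope' for one URL.
    Exclusions are checked first so a path exclusion on an in-scope
    host still wins."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname or ""
    path = parts.path or "/"
    for ex in exclusions:
        if ex.startswith("/"):
            # exact path or anything beneath it; '/admin/deleteall' must not match
            if path == ex or path.startswith(ex.rstrip("/") + "/"):
                return "excluded"
        elif _host_matches(host, ex):
            return "excluded"
    if any(_host_matches(host, t) for t in targets):
        return "in-scope"
    return "out-of-scope"

if __name__ == "__main__":
    # Constructed sample values taken from the field examples above.
    targets = ["staging.yourapp.com", "api.yourapp.com"]
    exclusions = parse_exclusions("production databases, partner-api.com, /admin/delete")
    for u in ["https://api.yourapp.com/v1/users/42",
              "https://api.yourapp.com/admin/delete?id=1",
              "https://admin.partner-api.com/",
              "https://www.yourapp.com/"]:
        print(u, "->", classify_url(u, targets, exclusions))
```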

Add credentials

On the Credentials tab, select any secrets Neo needs to access authenticated parts of your application — for example, an admin account and a standard user account to test privilege separation. If you haven’t added credentials yet, click + Add a credential to create one inline. Credentials are stored encrypted and are never exposed in Neo’s output or logs.
Testing authenticated flows is where Neo finds the most impactful vulnerabilities: IDOR, broken access control, privilege escalation, and business logic flaws only appear when Neo can act as a logged-in user.

Authorize and schedule

On the Precheck & Schedule tab:
1. Complete authorization prechecks

Confirm the authorization item(s) before Neo begins. These exist to ensure the test runs cleanly and that you have the right to perform it.
2. Choose a report format

Select how you want the final report delivered: PDF for a shareable document, JSON for programmatic use, or Markdown for embedding in your wiki or issue tracker. You can select multiple.
3. Enable recurring schedule (recommended)

Turn on Recurring schedule to run this pentest automatically on a cadence you set. Each run builds on the previous one: Neo remembers your infrastructure, refines its attack paths, and produces sharper results over time. Continuous pentesting catches regressions introduced by new deploys and newly disclosed CVEs before attackers do.
Click Start pentest when ready. When the pentest completes, ask Neo to dig deeper into any finding, walk through how it chained an attack, retest a specific endpoint, or explore any area of the application further. You stay in control of how far it goes.