Neo conducts security-first code reviews that prioritize business context. Instead of generic scanning, it understands the purpose of the change, documents the threat model, and performs targeted verification that aligns with your risk profile. The result is actionable, explainable guidance that developers and security teams can trust.

What it does

  1. Context intake: captures the intent of the change (feature, fix, refactor), affected systems, user flows, and data sensitivity
  2. Threat modeling: identifies assets, trust boundaries, attacker goals, and likely abuse paths
  3. Targeted analysis: applies static checks, configuration validation, and focused dynamic probes based on the threat model
  4. Business-risk alignment: ranks findings by business impact, exploitability, blast radius, and compensating controls
  5. Evidence and reproduction: generates minimal, reproducible steps or artifacts to validate issues
  6. Developer-first feedback: produces concise review comments and optional remediation edits or PRs

Prerequisites

  • Source control integration (GitHub, GitLab, or Bitbucket)
  • Repository access granted via Environment Variables
  • Optional: Architecture notes, data-flow diagrams, and coding standards in Files to enrich context

Usage

Prompt example: “Review PR #456 for context-aware security. Document the purpose, identify threats, and run targeted checks based on data classification and auth flows. Provide comments and propose fixes when appropriate.”

What Neo does:
  • Parses the PR description, issue links, and commit messages to understand intent
  • Reads nearby docs (architecture notes, ADRs, runbooks) to ground the review
  • Builds a lightweight threat model for the change and impacted surfaces
  • Runs static checks and, when useful, executes contained dynamic probes to validate risks
  • Posts PR comments with severity, business impact, and clear remediation guidance
  • Optionally proposes a remediation commit or separate PR for review

Examples

  • Contextual review: “Review the auth middleware refactor. Confirm session invalidation logic and CSRF protections still hold.”
  • Data handling: “Identify any paths where PII is logged. Propose safe logging with redaction.”
  • Dependency change: “Assess the ORM upgrade for query escaping changes and migration footguns.”
  • Risk-focused test: “For the payments flow change, validate idempotency and authorization checks across retries.”