Skip to main content
Neo performs comprehensive penetration testing by automating reconnaissance, vulnerability discovery, exploitation, and evidence collection. It tests like a human pentester but with the speed and thoroughness of automation, capturing all findings with proof-of-concept and remediation guidance.

How it works

  1. Reconnaissance: Neo maps the attack surface, discovers endpoints, and identifies technologies
  2. Vulnerability discovery: Tests for common and logic-based vulnerabilities using browser automation and API testing
  3. Exploitation: Validates findings with proof-of-concept exploits
  4. Evidence collection: Captures screenshots, request/response pairs, and reproduction steps
  5. Reporting: Generates detailed findings with severity, impact, and remediation guidance

Prerequisites

  • Target URL, API endpoint, or application scope
  • Test credentials and environment variables for authenticated testing
  • Optional: API specifications, design docs, or architecture diagrams in Files

Web Application Testing

Basic Web App Pentest

Prompt example: “Perform a security assessment of https://app.example.com. Test for common vulnerabilities including XSS, CSRF, authentication issues, and authorization bypasses. Use the test account credentials from environment variables.” What Neo does:
  • Maps the application by crawling and discovering all endpoints
  • Tests for injection vulnerabilities (XSS, SQLi, command injection)
  • Checks authentication and session management
  • Tests authorization controls and access restrictions
  • Validates CSRF protections
  • Captures screenshots and HTTP traces as evidence
  • Generates report with findings, severity, and reproduction steps

Specific Feature Testing

Prompt example: “Test the file upload feature at https://app.example.com/upload for security issues. Check for file type bypass, path traversal, malware upload, and stored XSS.” What Neo does:
  • Tests file upload with various malicious payloads
  • Attempts file type validation bypass
  • Checks for path traversal in filenames
  • Tests for stored XSS in file metadata
  • Validates file size and rate limiting
  • Documents successful attacks with evidence

Authentication Testing

Prompt example: “Assess the authentication mechanism at https://app.example.com/login. Test for brute force protection, password reset vulnerabilities, session fixation, and JWT weaknesses.” What Neo does:
  • Tests login with various attack vectors
  • Checks rate limiting and account lockout
  • Analyzes password reset flow for vulnerabilities
  • Tests session management and token handling
  • Validates JWT implementation if applicable
  • Attempts session fixation and hijacking

API Testing

REST API Security Assessment

Prompt example: “Test the REST API at https://api.example.com/v1 for security issues. Focus on authorization bypasses, injection attacks, and business logic flaws. Use the OpenAPI spec from Files.” What Neo does:
  • Reads OpenAPI specification to understand endpoints
  • Tests each endpoint for authorization bypasses
  • Checks for injection vulnerabilities in parameters
  • Tests business logic (IDOR, mass assignment, rate limits)
  • Validates input validation and error handling
  • Captures API requests/responses as evidence

GraphQL Testing

Prompt example: “Perform security testing on the GraphQL API at https://api.example.com/graphql. Test for introspection, authorization issues, and query complexity attacks.” What Neo does:
  • Attempts GraphQL introspection to map schema
  • Tests authorization at field and query level
  • Checks for nested query attacks
  • Validates rate limiting and complexity limits
  • Tests for injection in resolver parameters
  • Documents vulnerable queries with examples

Logic-Based Vulnerability Testing

Business Logic Flaws

Prompt example: “Test the e-commerce checkout flow at https://shop.example.com for business logic vulnerabilities. Check for price manipulation, discount abuse, inventory bypass, and payment circumvention.” What Neo does:
  • Maps the checkout flow and state transitions
  • Tests price manipulation in cart and checkout
  • Attempts discount code abuse and stacking
  • Checks for inventory validation bypasses
  • Tests payment flow for circumvention
  • Validates order processing and fulfillment logic

Access Control Testing

Prompt example: “Test https://app.example.com for authorization vulnerabilities. Focus on horizontal and vertical privilege escalation, IDOR, and multi-tenancy issues. Test with user, admin, and manager roles.” What Neo does:
  • Tests access control with different user roles
  • Checks for horizontal privilege escalation (user A accessing user B’s data)
  • Tests vertical escalation (user accessing admin functions)
  • Validates object-level authorization (IDOR)
  • Tests tenant isolation in multi-tenant applications
  • Documents authorization bypasses with role context

Race Condition Testing

Prompt example: “Test the coupon redemption feature at https://app.example.com/coupons for race conditions. Check if multiple concurrent requests can bypass single-use restrictions.” What Neo does:
  • Sends concurrent requests to test race conditions
  • Validates single-use enforcement mechanisms
  • Tests for time-of-check-time-of-use (TOCTOU) issues
  • Checks balance deduction and credit application
  • Documents timing attacks with evidence

Infrastructure and Network Testing

Internal Application Testing

Prompt example: “Assess the internal admin panel at https://internal.example.com:8443. Test for default credentials, misconfigurations, and exposed sensitive data.” What Neo does:
  • Tests for default and common credentials
  • Checks for configuration issues
  • Validates SSL/TLS configuration
  • Tests for sensitive data exposure
  • Checks security headers and hardening
  • Documents misconfigurations with remediation guidance

Server-Side Request Forgery (SSRF)

Prompt example: “Test all URL-fetching features in https://app.example.com for SSRF vulnerabilities. Check image imports, webhooks, and external integrations.” What Neo does:
  • Identifies endpoints that fetch external URLs
  • Tests SSRF with internal IP ranges (127.0.0.1, 169.254.169.254)
  • Attempts cloud metadata access
  • Tests DNS rebinding scenarios
  • Uses OAST to detect blind SSRF
  • Documents SSRF findings with callback evidence

Mobile Application Testing

Mobile API Backend Testing

Prompt example: “Test the mobile app API at https://mobile-api.example.com. Focus on authentication, API key exposure, and mobile-specific vulnerabilities.” What Neo does:
  • Tests API authentication mechanisms
  • Checks for hardcoded API keys or secrets
  • Validates certificate pinning bypass
  • Tests for mobile-specific business logic flaws
  • Checks for insecure data storage in responses
  • Documents findings relevant to mobile context

Desktop Application Security Audit

macOS Application Analysis (.dmg)

Prompt example: “Analyze the macOS app installer MyApp.dmg. Extract and decompile the application, find hardcoded secrets, API endpoints, configuration files, and embedded JavaScript. Test any discovered API endpoints for security issues.” What Neo does:
  • Mounts and extracts the .dmg file
  • Decompiles the macOS application binary
  • Extracts embedded resources (JavaScript files, configs, certificates)
  • Scans for hardcoded API keys, tokens, and credentials
  • Identifies API endpoints from code and configuration
  • Analyzes JavaScript files for sensitive logic and secrets
  • Tests discovered API endpoints for vulnerabilities
  • Checks code signing and security configurations
  • Documents all findings with file paths and evidence

Windows Application Analysis (.exe, .msi)

Prompt example: “Audit the Windows application Setup.exe. Extract embedded resources, decompile binaries, find API endpoints and secrets, then test the backend APIs.” What Neo does:
  • Extracts resources from PE executable
  • Decompiles .NET or native binaries
  • Identifies embedded JavaScript, HTML, and config files
  • Scans for hardcoded credentials and API keys
  • Extracts API endpoints and backend URLs
  • Analyzes update mechanisms and auto-updater security
  • Tests discovered APIs for authentication and authorization issues
  • Checks for DLL hijacking vulnerabilities
  • Documents extraction process and security findings

Electron Application Security

Prompt example: “Security audit the Electron app MyApp-1.2.3.dmg. Extract asar archive, analyze JavaScript source code, find API endpoints and secrets, test for Node.js integration vulnerabilities and XSS.” What Neo does:
  • Extracts the Electron application package
  • Unpacks asar archives to access source code
  • Analyzes JavaScript for hardcoded secrets and API endpoints
  • Checks for insecure Node.js integration (nodeIntegration, contextIsolation)
  • Tests for XSS with Node.js access
  • Validates CSP and security configurations
  • Checks update server security and integrity verification
  • Tests discovered backend APIs for vulnerabilities
  • Analyzes IPC communication for security issues
  • Documents all code-level findings with line references

Full Desktop App Pentest Workflow

Prompt example: “Perform a complete security audit of the desktop app MyApp.dmg. Extract all assets, find API endpoints and secrets, test the backend infrastructure, analyze update mechanisms, and check for local privilege escalation.” What Neo does:
  1. Application extraction and analysis:
    • Extracts and decompiles the application
    • Identifies application framework (Electron, Qt, native, etc.)
    • Maps all embedded files and resources
  2. Secret and endpoint discovery:
    • Scans all code and resources for hardcoded secrets
    • Extracts API endpoints from JavaScript, config files, and binaries
    • Identifies authentication mechanisms and token storage
    • Finds backend server URLs and infrastructure
  3. API security testing:
    • Tests all discovered API endpoints
    • Checks authentication and authorization
    • Validates API key security and rotation
    • Tests for injection and business logic flaws
  4. Local security testing:
    • Checks local data storage security (credentials, tokens, sensitive data)
    • Tests for privilege escalation vulnerabilities
    • Validates file permissions and installation security
    • Checks for insecure IPC or URL scheme handlers
  5. Update and installation security:
    • Analyzes auto-update mechanism
    • Tests update server authentication and integrity checks
    • Validates code signing and signature verification
    • Checks for installer vulnerabilities
  6. Evidence and reporting:
    • Saves extracted files and decompiled code to Files
    • Documents all hardcoded secrets with file locations
    • Provides API endpoint test results with evidence
    • Generates remediation recommendations

API Endpoint Extraction Examples

Prompt example: “Extract all API endpoints from the Electron app MyApp.asar. Search JavaScript files for fetch(), axios, HTTP libraries, and WebSocket connections. Test each endpoint for security issues.” What Neo does:
  • Unpacks asar archive and analyzes all JavaScript files
  • Searches for HTTP client usage (fetch, axios, XMLHttpRequest, WebSocket)
  • Extracts base URLs, API paths, and query parameters
  • Identifies authentication headers and API keys
  • Maps complete API surface from client code
  • Tests each endpoint for proper authentication
  • Checks for authorization bypasses
  • Documents API structure and vulnerabilities

JavaScript and Configuration Analysis

Prompt example: “Analyze all JavaScript files in DesktopApp.dmg. Find hardcoded secrets, encryption keys, API tokens, backend URLs, and sensitive business logic. Check configuration files for security issues.” What Neo does:
  • Extracts all JavaScript, JSON, and configuration files
  • Scans for patterns indicating secrets (API keys, tokens, passwords)
  • Identifies encryption keys and cryptographic material
  • Extracts environment variables and backend configurations
  • Analyzes authentication and session management logic
  • Checks for sensitive business logic in client-side code
  • Validates configuration file permissions and exposure
  • Documents all findings with file paths and line numbers

Continuous Security Testing

Scheduled Pentesting

Prompt example: “Schedule weekly security scans of https://app.example.com. Alert immediately on critical findings and track changes from previous scans.” What Neo does:
  • Runs automated security tests weekly
  • Compares findings with previous scan results
  • Identifies new vulnerabilities and regressions
  • Alerts security team on critical issues
  • Tracks remediation progress over time
  • Generates trend reports on security posture

Pre-Release Security Validation

Prompt example: “Before deploying v2.5 to production, test the staging environment at https://staging.example.com. Validate all security fixes from this release and check for new vulnerabilities.” What Neo does:
  • Tests all reported security fixes are effective
  • Performs regression testing on previously patched vulnerabilities
  • Scans for new security issues in changed code
  • Validates security controls and configurations
  • Generates go/no-go recommendation for deployment
  • Documents all findings for release approval

Evidence and Reporting

Neo automatically captures for each finding:
  • Severity: Critical, High, Medium, Low based on exploitability and impact
  • Description: What the vulnerability is and why it matters
  • Reproduction steps: Exact steps to reproduce the issue
  • Proof-of-concept: HTTP requests, payloads, screenshots showing exploitation
  • Impact: Business impact and potential attacker goals
  • Remediation: Specific guidance on how to fix the vulnerability
  • References: Links to CWE, OWASP, or vendor documentation
All evidence is saved to Files and can be exported as:
  • PDF report for clients or management
  • Jira/Linear tickets for tracking remediation
  • Markdown for technical teams
  • JSON for integration with vulnerability management tools

Common Testing Patterns

Authentication & Session Management

“Test authentication security: brute force protection, session handling, password policies, MFA bypass, and remember-me functionality.”

Authorization & Access Control

“Test all authorization controls: role-based access, object-level permissions, tenant isolation, and privilege escalation vectors.”

Input Validation

“Test input validation across all forms and APIs: XSS, SQLi, command injection, XML/XXE, LDAP injection, and template injection.”

File Handling

“Test file upload/download security: type validation, size limits, path traversal, malware, stored XSS, and arbitrary file access.”

Business Logic

“Test business logic: state manipulation, workflow bypass, rate limit abuse, price tampering, and idempotency issues.”

Configuration & Deployment

“Test security configuration: CORS, CSP, security headers, HTTPS enforcement, cookie flags, and error handling.”