Skip to main content
Neo automates reconnaissance across your internet-facing footprint. It discovers, enumerates, fingerprints, and tracks assets at scale.

What this covers

  • Domain and subdomain enumeration (CT logs, passive DNS, brute force, permutations)
  • IP, ASN, and netblock expansion (WHOIS and BGP derived scope)
  • HTTP probing and web surface mapping (liveness, titles, TLS, headers, tech)
  • Service and port discovery for identification only (banner grabs and service metadata)
  • Cloud surface discovery (S3 and object storage, CDN edges, ALB/ELB, API gateways)
  • Endpoint and metadata extraction (robots.txt, sitemaps, JS endpoints, DNS records)
  • Asset inventory creation with deduplication and change tracking

Prerequisites

  • Root domains, org names, IP ranges, or ASNs
  • Optional cloud credentials (AWS, GCP, Azure) for provider API enumeration
  • Environment Variables for rate limits, resolver lists, and network policies

Usage

Prompt example: “Discover and enumerate all internet-facing assets for example.com. Build an asset inventory and schedule weekly re-runs to track changes.” What Neo does:
  • Subdomain and domain enumeration via passive and active methods
  • IP, netblock, and ASN expansion with mapping back to assets
  • HTTP probing with technology fingerprinting and TLS metadata capture
  • Service identification for configured ports with banner evidence
  • Cloud endpoint discovery using provider APIs when available
  • Normalization, deduplication, and storage in Files with delta tracking

Data model (asset inventory)

Asset records are stored in Files as JSON documents. Example record: 
{
  "assetId": "domain:example.com",
  "kind": "domain",
  "labels": ["root"],
  "state": "active",
  "sources": [
    { "name": "ctlogs", "evidence": "example.com in certificate SAN" },
    { "name": "dns", "evidence": "A 93.184.216.34" }
  ],
  "attributes": {
    "dns": {
      "a": ["93.184.216.34"],
      "aaaa": [],
      "cname": null,
      "mx": [],
      "txt": ["v=spf1 include:_spf.example.com ~all"]
    },
    "http": {
      "status": 200,
      "title": "Example Domain",
      "tech": ["nginx", "react"],
      "headers": { "server": "nginx" }
    },
    "tls": {
      "issuer": "R3",
      "san": ["example.com", "www.example.com"],
      "notAfter": "2026-01-01T00:00:00Z"
    }
  },
  "relationships": {
    "ip": ["93.184.216.34"],
    "subdomains": ["www.example.com", "api.example.com"]
  },
  "firstSeen": "2025-10-27T00:00:00Z",
  "lastSeen": "2025-10-27T00:00:00Z",
  "hash": "8a1f44..."
}