Skip to main content
Neo performs comprehensive security reviews of new features and product changes before they go live. It analyzes design docs, tests the implementation, identifies vulnerabilities, and provides clear remediation guidance so you can ship features confidently.

How it works

  1. Feature analysis: Neo reads specs, user stories, and design docs to understand what the feature does
  2. Security testing: Tests the feature for common vulnerabilities and business logic flaws
  3. Evidence collection: Captures screenshots, API traces, and reproduction steps for all findings
  4. Risk assessment: Prioritizes issues by severity and business impact
  5. Report generation: Creates actionable reports with remediation guidance for developers

Prerequisites

  • Feature specs, user stories, or design docs in Files
  • Test credentials and environment access
  • Staging or pre-production environment URL
  • Optional: Previous security findings in Files for context

Usage

Pre-Launch Feature Review

Prompt example: “Review the new file sharing feature in staging (https://staging.example.com/share). Read the spec from Files, test for security issues including access control, file upload vulnerabilities, and authorization bypass. Generate a report with findings.” What Neo does:
  • Reads feature specification to understand intended behavior
  • Maps all feature endpoints and user flows
  • Tests file upload for malicious files and path traversal
  • Checks authorization (can users access files they shouldn’t?)
  • Tests share link generation for predictability issues
  • Validates rate limiting and abuse protections
  • Generates report with severity-ranked findings
  • Provides fix recommendations for each issue

Payment Flow Security Assessment

Prompt example: “Security review the new subscription payment flow at https://app.example.com/billing. Test for price manipulation, discount abuse, payment bypass, and race conditions. Focus on business logic flaws.” What Neo does:
  • Maps the complete payment flow (cart → checkout → payment → confirmation)
  • Tests price manipulation in cart and checkout
  • Attempts discount code stacking and abuse
  • Checks for payment amount tampering
  • Tests race conditions in payment processing
  • Validates refund and cancellation logic
  • Checks for idempotency issues
  • Documents all vulnerabilities with proof-of-concept

Authentication Feature Review

Prompt example: “Review the new SSO integration with Okta at https://staging.example.com/auth/okta. Test for authentication bypass, session handling issues, and authorization flaws.” What Neo does:
  • Tests SSO authentication flow end-to-end
  • Validates SAML/OAuth implementation
  • Checks session management and token handling
  • Tests for authentication bypass vectors
  • Validates authorization after SSO login
  • Checks for session fixation and hijacking
  • Tests logout and session invalidation
  • Documents security configuration issues

API Feature Security Review

Prompt example: “Review the new REST API endpoints in /api/v2/reports. Check the OpenAPI spec in Files and test for authorization issues, injection vulnerabilities, and rate limiting.” What Neo does:
  • Reads OpenAPI specification
  • Tests each endpoint for proper authentication
  • Checks authorization (can users access others’ data?)
  • Tests for SQL injection, NoSQL injection, command injection
  • Validates input validation and sanitization
  • Checks rate limiting and abuse prevention
  • Tests error handling and information disclosure
  • Documents API security issues with request/response examples

Multi-Tenant Feature Review

Prompt example: “Security review the new organization workspace feature. Test for tenant isolation issues, data leakage between organizations, and privilege escalation.” What Neo does:
  • Creates test accounts in multiple organizations
  • Tests data isolation between tenants
  • Attempts to access other organizations’ data via ID manipulation
  • Checks for cross-tenant data leakage in search and APIs
  • Tests organization switching and role changes
  • Validates admin permissions are properly scoped
  • Checks for tenant context in all queries
  • Documents any tenant isolation vulnerabilities

Common Review Scenarios

Pre-Production Gate

“Before promoting to production, review all changes in release v2.8. Compare with previous version, test new functionality, and verify no security regressions.” Neo will:
  • Identify all feature changes in v2.8
  • Test each new feature for vulnerabilities
  • Validate previous security fixes still work
  • Check for new security issues introduced
  • Generate go/no-go recommendation

Feature Flag Rollout

“Review the new admin dashboard feature behind the ‘admin_v2’ feature flag. Test with feature enabled and disabled to ensure proper access control.” Neo will:
  • Test feature with flag enabled and disabled
  • Validate access control respects feature flag
  • Check for feature detection bypasses
  • Test partial rollout scenarios
  • Ensure disabled features are truly inaccessible

Third-Party Integration

“Review the Stripe payment integration. Test webhook handling, API key security, and payment data handling for PCI compliance.” Neo will:
  • Test webhook signature validation
  • Check API key storage and rotation
  • Validate payment data is not logged or stored
  • Test for webhook replay attacks
  • Check error handling doesn’t leak sensitive data
  • Verify TLS and encryption requirements

Mobile Feature Backend Review

“Review the new mobile app API endpoints at https://mobile-api.example.com/v3. Test authentication, authorization, and mobile-specific vulnerabilities.” Neo will:
  • Test API authentication mechanisms
  • Check for hardcoded secrets in responses
  • Validate authorization for each endpoint
  • Test for mobile-specific business logic flaws
  • Check rate limiting for mobile endpoints
  • Test offline/online sync vulnerabilities

Integration with Development Workflow

During Design Review

Use Neo early in the feature development process: “Review the design doc for the new file export feature. Identify potential security risks and generate a security checklist for developers.” Neo analyzes the design and creates a security checklist before code is written.

Before Merge to Main

Integrate into your PR workflow: “Review PR #456 implementing the user profile feature. Test the staging deployment and identify any security issues before merging.” Neo tests the feature and posts findings as PR comments.

Pre-Release Validation

Before each release: “Review all new features in the v3.0 release. Generate a security scorecard and identify any blocking issues.” Neo provides a comprehensive security assessment for release approval.

Reporting

For each feature review, Neo provides:
  • Executive summary: High-level findings and risk assessment
  • Detailed findings: Each vulnerability with severity, description, and proof-of-concept
  • Reproduction steps: Exact steps to reproduce each issue
  • Remediation guidance: Specific recommendations for fixing each vulnerability
  • Evidence: Screenshots, API requests/responses, and test artifacts
  • Security scorecard: Pass/fail status for common security controls
All reports saved to Files and optionally posted to Jira, Linear, or PR comments.