Neo v. DIY: The gap between a single finding and a mature security program
Summary: The article introduces Neo, an AI-driven security tool that combines an LLM with traditional security tooling and is designed for complex, long-running security tasks. Neo pre-triages vulnerabilities, automatically confirms their severity and exploitability, and can scale to the entire attack surface. The article also discusses the limitations of DIY approaches and Neo's advantages in enterprise security.

2026-4-17 19:5:29 Author: projectdiscovery.io

In our latest webinar, our Founding Solutions Engineer, Davis Franklin, addressed the massive gap between finding a vulnerability with an LLM and running a mature security program. That gap is what Neo is built to close.

Webinar: Neo v. DIY Recording

With the release of Opus 4.6 and the announcement of Mythos, the question we hear constantly has gotten louder: Can I just build this with Claude Code? The short answer is yes. You can spin up a working PoC in about half an hour, find a real vulnerability, and feel genuinely confident you could scale it. But by day 90, prompts are breaking on model updates, nobody's running the tool anymore, and teams are back to the comfortable cadence of quarterly pentests and manual code reviews. The problem was never engineering capability. DIY is powerful. The problem is scope and scale.

Neo isn't an LLM calling security tools. It's security tooling built with an LLM inside: the full architecture, the execution layer, and the orchestration harness that makes complicated, long-running security tasks possible at enterprise scale. Findings land pre-triaged with severity and exploitability already confirmed. The same process runs identically across one application or your entire attack surface: no babysitting, no per-target prompt engineering, no reinventing workflows your team already has. This is what an AI-native security program actually looks like.

Any data yet on Opus 4.7?

Davis: This is one of those questions that actually illustrates a core part of the build vs. buy argument. If you built your own security tooling and needed to maintain it yourself, a new model release can break half of what you wrote overnight. With Neo, we handle that for you. We're currently testing Opus 4.7 for safety and efficacy. It'll be added to the platform very shortly, and once we've confirmed it's safe, it will become the default model.

What kinds of vulnerabilities are easier to find with Neo?

Davis: Business logic vulnerabilities are a big one, and it's worth explaining why. Neo generates its own tests rather than relying on pre-built templates. That means it can actually click through a user interface, make API calls, test network traffic, and test for things like privilege escalation and IDORs in a way that a traditional DAST tool simply cannot.

If you look at the OWASP Top 10 API vulnerabilities, IDOR is near the top of the list, and technically, a traditional DAST tool can't test for it. You can't reliably test a business logic vulnerability with a single pre-made request or payload.

The short answer is: any vulnerability that requires more than one request, more than one step, or real contextual reasoning is where Neo specializes.

Any plans for Neo to do AI red teaming of LLMs, chatbots, and agents?

Davis: Not just plans, that's already a feature. Neo has the native ability to pentest LLMs, just as it handles traditional application pentests, code reviews, and threat modeling. You give Neo the seed information or the target, and it can test it thoroughly.

One of our customers, completely unprompted, used Neo to navigate to their website in their browser, open a support ticket with their AI chatbot, and pentest that chatbot on the fly. You can also build a custom agent within Neo specifically for this use case, using natural language to instruct it to research the top threats to AI agents and to build a purpose-built testing workflow around them.

How much would an end-to-end test of an app cost?

Davis: It depends on the complexity of the application and what you ask Neo to do. The Neo docs include a pricing page that provides a rough ballpark, and we'd encourage anyone on the webinar to check it out. We've built prompt caching and other cost reduction measures into the platform so that teams can run tests as often as they want, ideally every day, not just quarterly. The old model of waiting for a pentest to come back before you could act on it is something we're trying to move past entirely.

Can you customize the tools Neo has access to?

Davis: Yes, absolutely. The 50-plus tools we've built are natively ingrained into Neo and give it strong out-of-the-box capability. But because everything runs in a sandbox, you can also give Neo access to tools your team has already built. If you have internal GitHub tools that your security team relies on, all you have to do is share them with Neo in a prompt. It installs them into its toolkit and will use them when running that task. The goal has always been to fit into the workflows you already prefer, not force a new one on you.

How does Neo manage context and memory across multi-day or multi-week penetration tests?

Davis: Neo's memory grows with you and is not scoped to a single task. When a sandbox spins down at the end of a session, some of its memory is saved globally and can be referenced in future sessions. You can go back to a previous task, share a chat with a teammate, build an agent collaboratively, and all of that context carries forward. That persistent memory is a huge part of why Neo performs as well as it does on complex, long-running assessments.

You can also augment that memory explicitly by uploading files, adding context, or directly adjusting the knowledge base. And if you ever need to, you can delete memory as well.

What challenges does Neo still have to solve in its current state?

Davis: Honestly, I don't think the industry as a whole is all the way there yet, and that includes us. We're constantly building, improving, and hearing new use cases from customers and prospects. AI in security is still nascent. We just came off RSA, and what struck us was how much the market shifted over just three days. People arrived unsure what AI pentesting looked like in practice, and left with a much clearer picture of how they'd actually use it.

Without naming specific gaps, I'll just say this is a work in progress we're genuinely proud of. New attack vectors, new models, and new use cases will keep emerging, and that's exactly why an enterprise-grade solution that evolves with the landscape is fundamentally different from a DIY build you're stuck maintaining yourself.

If you’d like to try Neo yourself, you can request a personalized demo here.

Bring your noisiest repo, your busiest service, or a real PR. We’ll show Neo running end-to-end.


Source: https://projectdiscovery.io/blog/neo-vs-diy