Why Cyber Neo?

Most security tools require installation, configuration, and expertise to interpret results. Cyber Neo is different:

| Traditional Security Tools | Cyber Neo | |---|---| | Require installation and setup | Works instantly as a Claude Code skill | | Need security expertise to interpret | Plain-language findings with code-level remediation | | Scan one category (SAST or SCA or secrets) | Scans 11 categories in one run | | Output raw findings without context | CWE/OWASP-classified findings with fix examples | | Run sequentially | 5 parallel subagents for speed | | Require paid licenses for full coverage | 100% free and open source |

What It Scans

Cyber Neo covers 11 security domains across every major vulnerability class:

| # | Category | What It Finds | How | |---|----------|--------------|-----| | 1 | Code Security (SAST) | SQL injection, XSS, command injection, code injection, path traversal, SSRF, deserialization, prototype pollution | Semgrep (optional) + Claude-native pattern analysis | | 2 | Authentication & Authorization | Missing auth middleware, JWT misconfigurations, broken access control, IDOR, session management flaws, missing RBAC | Claude-native analysis using auth-authz-patterns.md | | 3 | Cryptographic Security | Weak algorithms (MD5, SHA1, DES, RC4), hardcoded keys/IVs, TLS bypass, insecure random, weak key lengths | Claude-native analysis using crypto-patterns.md | | 4 | Secret Detection | 60+ regex patterns: AWS, GCP, Azure, GitHub, Slack, Stripe, database credentials, private keys, API keys, JWT tokens, .env files | Python batch scanner + Gitleaks (optional) | | 5 | Dependency Vulnerabilities (SCA) | Known CVEs in npm, pip, cargo, bundler, composer, and Go dependencies | Trivy / npm audit / pip-audit / cargo-audit (optional) | | 6 | Web Security | Missing security headers (CSP, CORS, HSTS), CSRF, cookie flags, file upload flaws, open redirects | Claude-native analysis using web-security-patterns.md | | 7 | Supply Chain Security | Lock file integrity, dependency confusion, typosquatting, unpinned versions, malicious packages | Python lockfile checker + Claude-native analysis | | 8 | CI/CD Security | GitHub Actions script injection, overly permissive permissions, unpinned actions, secret exposure in workflows | Claude-native analysis using cicd-security.md | | 9 | Docker & Container Security | Root user, unpinned base images, secrets in layers, privileged containers, Docker socket exposure | Claude-native analysis using iac-docker.md | | 10 | Error Handling | Debug mode in production, stack trace exposure, empty catch blocks, missing error boundaries | Claude-native analysis using error-handling-patterns.md | | 11 | Logging Security | Sensitive data in logs, log injection, missing security event logging | Claude-native analysis using logging-patterns.md |

Standards Coverage

Cyber Neo maps every finding to industry standards:

• All 10 OWASP 2025 Top 10 categories — including the two new entries: A03 Software Supply Chain Failures and A10 Mishandling of Exceptional Conditions
• 15+ CWE Top 25 (2025) items — XSS, SQLi, CSRF, command injection, SSRF, deserialization, path traversal, missing auth, broken crypto, hardcoded credentials, and more
• CVSS-aligned severity scoring — Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (1.0-3.9), Info (0.0-0.9)

Supported Languages & Frameworks

| Language | Frameworks | Reference File | |----------|-----------|---------------| | JavaScript / TypeScript | Express, Next.js, React, Vue, Angular, Fastify, NestJS, Koa, Electron | lang-javascript.md (924 lines) | | Python | Django, Flask, FastAPI, Tornado, Starlette | lang-python.md (935 lines) | | Any language | Generic SAST patterns (eval, exec, hardcoded creds, command injection) | Built into SKILL.md |

Coming in v0.2: Go, Ruby/Rails, Java/Spring, Rust, PHP/Laravel

Installation

Option 1: Clone to Skills Directory (Recommended)

cd ~/.claude/skills
git clone https://github.com/Hainrixz/cyber-neo.git

That's it. Claude Code automatically discovers the skill.

Option 2: Symlink from Any Location

git clone https://github.com/Hainrixz/cyber-neo.git ~/projects/cyber-neo
ln -s ~/projects/cyber-neo ~/.claude/skills/cyber-neo

Option 3: Claude Code Plugin Marketplace

/plugin install cyber-neo

Marketplace availability coming soon.

Verify Installation

Open Claude Code and type:

/cyber-neo

If installed correctly, Cyber Neo will ask you for a project path to scan.

Usage

Basic Scan

# Scan a specific project
/cyber-neo /path/to/your/project

# Scan the current working directory
/cyber-neo .

What Happens When You Run It

 Phase 1: Reconnaissance
   Detects your tech stack, frameworks, and infrastructure
   Estimates project scope and applies scanning tier

 Phase 2-6: Parallel Analysis (5 subagents)
   Dependency vulnerabilities (SCA)
   Code security patterns (SAST)
   Secret detection (60+ regex patterns)
   Configuration & infrastructure checks
   Supply chain & CI/CD security

 Phase 7: Report Generation
   Deduplicates, scores, and classifies findings
   Generates professional security report

Output

The report is saved to your Desktop:

~/Desktop/cyber-neo-report-{project-name}-{YYYY-MM-DD}.md

Report Format

Every Cyber Neo report includes:

Executive Summary

Risk Score: 67/100 (High Risk)

| Severity | Count |
|----------|-------|
| Critical | 2     |
| High     | 5     |
| Medium   | 8     |
| Low      | 3     |
| Info     | 4     |

Top 3 Priority Actions:
1. Fix SQL injection in src/api/users.js:42 — use parameterized queries
2. Rotate leaked AWS key in .env — key is active and exposed
3. Add authentication to /api/admin routes — currently public

Detailed Findings

Each finding includes:

[CN-001] SQL Injection in User Query
 Severity: Critical (CVSS ~9.8)
 CWE: CWE-89 (SQL Injection)
 OWASP: A05:2025 (Injection)
 Location: src/api/users.js:42

 Description: User input is directly concatenated into SQL query
 without parameterization, enabling SQL injection attacks.

 Evidence:
   const query = `SELECT * FROM users WHERE id = ${req.params.id}`;

 Remediation:
   const query = 'SELECT * FROM users WHERE id = $1';
   const result = await db.query(query, [req.params.id]);

Additional Sections

• Dependency Vulnerabilities — Table of CVEs with package names, versions, and fix versions
• Supply Chain Assessment — Lock file status, dependency pinning, CI/CD pipeline security
• Scan Metadata — Files scanned, coverage percentage, tools used, scan duration

How It Works — Architecture Deep Dive

Cyber Neo is built as a Claude Code skill — a markdown-based prompt that orchestrates Claude's analysis capabilities. The architecture has three layers:

Layer 1: SKILL.md — The Orchestration Engine

The SKILL.md file (563 lines) is the brain of Cyber Neo. It contains:

• 7-phase analysis pipeline with explicit instructions for each phase
• Subagent dispatch templates for parallel analysis
• Severity scoring rubric aligned with CVSS
• Report generation instructions with deduplication and classification rules
• Safety constraints (read-only iron law) reinforced in every subagent prompt
• Edge case handling for empty projects, unsupported languages, and large codebases

Layer 2: Reference Files — The Security Knowledge Base

14 reference files totaling 10,000+ lines of security patterns:

references/
├── owasp-top-10.md            # OWASP 2025 classification + scoring guide
├── cwe-top-25.md              # CWE mappings with detection patterns
├── secrets-patterns.md        # 60+ regex patterns for secret detection
├── auth-authz-patterns.md     # JWT, sessions, RBAC, IDOR patterns
├── crypto-patterns.md