what is this?

It's a search engine for the web, organized the way an attacker would.

neobotnet indexes the public-facing assets of companies running a vulnerability reward program (VRP). It collects the assets they own, the web services they run, and the URLs reachable across that surface — then highlights what an attacker would prioritize. All of it normalized, deduplicated, and queryable through a web UI. (REST API coming soon.)

You query neobotnet. You see what an attacker would see.

how it works

Every company on the internet leaves a footprint.

neobotnet runs open-source and custom tooling, applied with a proper mapping methodology. Output is normalized, deduped, signal-typed, and indexed.

The same workflow a careful security researcher would run.

vulnerability signals

Vulnerability signals are URL parameters and values that match patterns commonly tied to security flaws. neobotnet detects them through parameter-name and value-pattern analysis across every URL collected — a parameter named redirect_uri pointing to an external host, a value matching a JWT pattern, a numeric user_id. Each is a candidate entry point a researcher can investigate, not a confirmed vulnerability.

available signal types

same taxonomy you'll filter on inside /urls; each category groups a set of subtypes

    • jwt
    • auth token
    • credential in url
    • cloud / api key (any vendor)

the index

The index, right now:

    • 5 companies
    • 12,000 web servers
    • 30,000 subdomains
    • 500,000 urls indexed
    • 700 vulnerability signals

sample vulnerability signals from the index:

external url in param (param: redirect_uri, status 200, demo):
https://auth.example.com/oauth/authorize?client_id=app-1&redirect_uri=https%3A%2F%2Fexample.com%2Fcallback&response_type=code

numeric id (short) (param: user_id, status 200, demo):
https://api.example.com/v2/orders?user_id=4827&status=open

jwt (param: access_token, status 200, demo):
https://app.example.com/dashboard?access_token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2Mj…
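To make the parameter-name and value-pattern analysis described under "vulnerability signals" concrete, here is a small classifier that tags each query parameter of a URL with one of the signal types listed on this page. It is example code written for this page, not neobotnet's own detection rules: the regexes, name lists, the length threshold for "short" numeric ids, and the sample URLs are all assumptions constructed for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed patterns for this example; neobotnet's real rules are not published here.
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
CREDENTIAL_NAMES = {"password", "passwd", "pwd", "secret", "client_secret"}
TOKEN_NAMES = {"token", "access_token", "auth_token", "api_key", "apikey"}
ID_NAME_RE = re.compile(r"(^|_)id$")   # user_id, order_id, id ...

def classify_param(page_host, name, value):
    """Return the signal type for one query parameter, or None if nothing matches.
    Order matters: a JWT-shaped value wins over a generic token name."""
    lname = name.lower()
    if JWT_RE.match(value):
        return "jwt"
    if lname in CREDENTIAL_NAMES:
        return "credential in url"
    if lname in TOKEN_NAMES:
        return "auth token"
    # An absolute http(s) URL whose host differs from the page's own host.
    parsed = urlsplit(value)
    if parsed.scheme in ("http", "https") and parsed.hostname and parsed.hostname != page_host:
        return "external url in param"
    # Short all-digit value under an id-like name: candidate sequential identifier.
    if value.isdigit() and len(value) <= 8 and ID_NAME_RE.search(lname):
        return "numeric id (short)"
    return None

def signals_for_url(url):
    """Return [(signal_type, param_name), ...] for every flagged parameter in url.
    parse_qsl percent-decodes values, so an encoded redirect target is seen as a URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    found = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        sig = classify_param(host, name, value)
        if sig:
            found.append((sig, name))
    return found

# Constructed sample URLs (the JWT value is a made-up, non-secret stand-in).
SAMPLE_URLS = [
    "https://auth.example.com/oauth/authorize?client_id=app-1&redirect_uri=https%3A%2F%2Fexample.com%2Fcallback&response_type=code",
    "https://api.example.com/v2/orders?user_id=4827&status=open",
    "https://app.example.com/dashboard?access_token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJl",
    "https://app.example.com/go?next=https%3A%2F%2Fapp.example.com%2Fhome",  # same host: no signal
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(signals_for_url(u), u)
```

The same-host case at the end shows why the host comparison is part of the rule: a redirect parameter pointing back at the page's own host is not flagged as an external URL.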

the full index opens behind sign-in.

neobotnet in your toolbox

If you run a security team: point neobotnet at your own assets. It runs the external attacker's reconnaissance methodology against your surface — exposed staging, leaking parameters, internal endpoints, risky configurations. Findings carry an exploit-potential score, severity, and context. Enterprise plans confirm findings before delivery.

If you do security research: run your own recon framework if you want. If your target is in neobotnet, the recon stage is already done — filter the index by signal type, status code, technology, content type, parameter, or vulnerability class and start where the weak links surface.

what it isn't

  • not a botnet. doesn't take control of anything. doesn't run on machines you don't own.
  • not a vulnerability scanner. it surfaces signals — patterns that correlate with real vulnerabilities. Investigation stays yours. (Enterprise plans get findings confirmed by neobotnet.)
  • not a general-purpose internet crawler. targets are bug-bounty programs that authorize reconnaissance. out-of-scope hosts are excluded.
  • not a replacement for your own process. if you have one that works, keep it — neobotnet handles the repetitive groundwork so you can skip to analysis.

questions you might be asking

is this a botnet?

No. The name is a riff — neobotnet uses distributed automated tooling like an attacker would, but to map the public-facing attack surface of bug bounty programs that have authorized that mapping. It doesn't take control of anything. It doesn't run on machines you don't own. It's the inverse of a botnet.

who is it for?

  • Security researchers who want the information-gathering stage done before they sit down.
  • Companies and startups interested in understanding their own exposure — what an outside attacker would pick first.

is there an API?

Coming soon — currently under testing.

what about my company — can you run this on us?

Yes. Point neobotnet at your own web assets and it'll show you what an attacker mapping your surface would find first: exposed staging, leaking parameters, internal endpoints surfaced in customer JavaScript, risky configurations. Each finding is scored by exploit potential. Enterprise plans confirm findings before delivery.

how much does it cost?

There's a free tier for researchers — enough to actually use it on real targets. Pro adds vulnerability signal filtering, higher quotas, and exports. Enterprise is custom. Pricing is on the homepage.

why is it called neobotnet?

Because the name argues with itself, and that's the point. A botnet exists to exploit. neobotnet uses the same distributed-automation shape — many small jobs, many small payloads, many small writes — but pointed at mapping authorized attack surface so defenders see it before attackers do. It's deliberately uncomfortable. If the name makes you stop and check, the page did its job.

who's behind this

Sam Paredes — @caffeinedoom (caffeine on most spaces). Security engineer by day, researcher at night. Web security research in bug bounty programs since 2020 — web intel data has been at the core of my work ever since. neobotnet is a solo, automated product by design.

If something's broken, missing, or obviously wrong, that's on me — and I'd rather hear it.

sam@neobotnet.com

neobotnet 2026