Ghost is the first AI pentester to clear all 104 / 104 benchmark targets — built by NeoSec operators, MTCIT-accredited and ISO 27001 certified. Brief it in plain English. Get a verified report. Move on.
104-target web pentest benchmark
Rank leader
Full clearance
The proof
The public 104-target web-pentest benchmark is the standard for autonomous agents — real, verifiable targets. Here's where Ghost stands.
03 / Benchmark
success rate · 104 web-pentest targets · % solved
Neo Ghost
NeoSec · full clearance · 104/104
Neo Ghost
NeoSec · full clearance · 104/104
Shannon
KeygraphHQ · 100/104
Shannon
KeygraphHQ · 100/104
SQUR
multi-agent · 91/104
SQUR
multi-agent · 91/104
XBOW Baseline
internal · ~88/104
XBOW Baseline
internal · ~88/104
Open-Source Meta-Agent
Claude 4.5 Sonnet · 88/104
Open-Source Meta-Agent
Claude 4.5 Sonnet · 88/104
MAPTA
multi-agent · ~78/104
MAPTA
multi-agent · ~78/104
Higher is better · success rate across 104 targetsUpdated 2026.06.04
Rankings sourced from the public 104-target web-pentest benchmark (XBOW). Percentages reflect targets solved out of 104. Ghost runs the same suite every release — and publishes the delta. View benchmark repo · Methodology
04 / Why neosec
Ghost isn't a wrapper. It's the field engine of NeoSec — the MTCIT-accredited threat intelligence firm running GCC red-team ops against banking, telecom, government, and blockchain. Every finding is shaped by operators who've been in the room.
Security & compliance
Credential handling
AES-256-GCM at rest. Operator-only decryption during active sessions.
Accreditation
MTCIT-accredited in Oman. ISO 27001 certified operations.
Access model
Owner-scoped requests. No cross-tenant report or credential visibility.
Engagement scope
GCC-grade programs across banking, telecom, government, and critical infrastructure.
01 · Record
Ghost holds full clearance on all 104 public web-pentest targets — ahead of Shannon, SQUR, and the field baseline. Not marketing. Measured.
02 · Doctrine
Engineered by NeoSec's red team — OSCP, OSWE, EWPTX, BlackHat KSA speakers. Adversarial doctrine baked into every decision Ghost makes.
03 · Trust
Nationally accredited in Oman, globally certified to ISO 27001. Credentials sealed AES-256-GCM. Operator-only decryption. Owner-only access.
04 · Coverage
Trusted across banking, telecom, government, energy, healthcare, blockchain, aviation, and logistics — at the scale critical sectors require.
Sectors We Worked with
05 / Procedure
Describe your target like you'd brief a teammate — URL, in-scope domains, off-limits zones. No config files. No syntax tax.
Ghost maps your auth flow — Basic, SSO, MFA — seals credentials with AES-256-GCM, and goes to work behind the login.
Watch live progress. Download a human-verified report when findings are confirmed. Signal only — never noise.
06 / FAQ
Common questions from security and engineering leads running their first Ghost intake.
Scope and off-limits zones are locked before dispatch. Ghost only tests what you brief — no surprise scanning outside your intake. Credentials are sealed with AES-256-GCM and decrypted only for the operator session.
Yes. Ghost automates discovery and exploitation; NeoSec operators verify signal before a dossier ships. You get confirmed issues, not raw model output.
NeoSec is MTCIT-accredited in Oman and ISO 27001 certified. Intake credentials and reports follow operator-only access controls with owner-scoped visibility in this platform.
Passwordless sign-in and plain-English scope briefing mean dispatch in minutes. Time-to-first verified finding depends on target complexity; POC deployments are typically live within 24 hours.
Ghost runs continuously at machine speed with operator doctrine baked in. Manual engagements still win on bespoke social engineering and physical scope — Ghost is built for web application assurance at scale.
Basic auth, SSO, and MFA flows can be mapped during intake. Credentials never appear in logs in plaintext — they are sealed at dispatch.
07 / Engage
Passwordless sign-in. First report in minutes. The same engine that cleared all 104 benchmark targets, pointed at your application.
