The most advanced security testing platform

Introducing Neo by ProjectDiscovery, a platform of autonomous AI agents that pentest every app, review every PR, manage your vulnerability backlog, and retest every fix.

Trusted by 100k+ security professionals

Security agents engineered for real-world scale.

From the creators of Nuclei, Neo is purpose-built for teams that demand speed, control, and coverage at scale.

Continuous testing

Neo continuously tests web apps, APIs, pull requests, cloud assets, and third-party integrations in one loop, tracing attack paths and proving exploitability across your environment.

Verified findings

Neo combines runtime validation and specialized verification tooling to cut noise, confirm real exploitability, and route high-quality critical vulnerabilities straight into remediation workflows.

Backlog management

Neo triages, deduplicates, enriches severity, retests fixes the moment they ship, and catches regressions early so teams spend time remediating live risk and keeping queues current.

Secure sandboxes

Every task runs in an isolated sandbox with privacy and security controls built in, plus rapid spin-ups that let Neo validate safely without slowing your pipeline.

Advanced tooling

Custom parsers, fuzzers, browser proxies, crawlers, and validation layers give Neo the primitives LLMs need to operate efficiently, reliably, and repeatedly at real security scale.

Scalable agent fleets

Launch hundreds of specialized agents across teams, workflows, and environments from a shared platform, with high-quality findings from the first run.

Neo finds the most complex vulnerabilities with the fewest false positives.

Benchmark tables: verified findings and false positives by tool

We ran a benchmark against widely used DAST scanners and AI security tools. Neo found more verified vulnerabilities with fewer false positives.

Neo discovers zero-days

Neo chains multiple attack steps, verifies out-of-band interactions, and tests complex business logic: the classes of vulnerabilities that scanners miss entirely.

CVE-2026-26216

Remote Code Execution via Hooks Parameter

The crawl API let users pass Python code that ran directly on the server. A broken sandbox meant anyone could execute system commands without logging in.

CVE-2026-26217

Local File Inclusion via file:// URLs

API endpoints accepted URLs but never checked the scheme. Passing file:// instead of https:// let attackers read any file on the server, including passwords and environment variables.

CVE-2026-29039

Arbitrary File Read via XPath

The content filter accepted XPath expressions without checking for dangerous functions. Attackers used this to read sensitive files like configs and credentials from the server.

CVE-2026-30875

Authenticated RCE via H5P Import

Uploading a specially crafted content package placed executable code in a public directory. Any logged-in user could use it to run commands on the server.

CVE-2026-31816

Universal Auth Bypass via Webhook Query Param Injection

Adding a webhook-like path to the URL query string tricked the app into skipping all login and permission checks, giving full access to every API endpoint.

CVE-2026-30829

Unauthenticated Access to Unpublished Status Page

The status page API had no login requirement. Anyone could fetch full internal data from unpublished pages by hitting the endpoint directly.

CVE-2026-30885

Unauthenticated IDOR

Resource IDs were sequential and predictable, and no ownership checks were enforced. Anyone could access private content by simply guessing the next ID.

CVE-2026-25765

SSRF via Protocol-Relative URL Override

User-supplied paths starting with // replaced the intended server host, redirecting internal API requests to attacker-controlled servers instead.
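
The file:// read and the protocol-relative override above share one root cause: a URL assembled from user input without pinning its scheme and host. The block below is an added example and is not code from this page, from ProjectDiscovery, or from any affected project; the base URL and request paths are constructed placeholders. It shows why Python's urljoin replaces the host when the user path starts with //, the allowlist check that rejects file:// and other non-HTTP schemes, and a builder that keeps the host fixed no matter what the path contains.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_safe_fetch_url(url: str) -> bool:
    """Accept only absolute http(s) URLs that carry a host.

    Rejects file://, gopher://, data:, javascript: and scheme-less input such as
    "//attacker.example/x", which urlsplit parses as a network-path reference.
    It does NOT decide whether the host is internal; that check belongs on the
    resolved IP address, just before the socket is opened.
    """
    parts = urlsplit(url.strip())
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.hostname)


def naive_build_url(base: str, user_path: str) -> str:
    """Vulnerable pattern: urljoin treats a leading "//" as "keep the scheme,
    replace the host", so user input redirects the request off the base host."""
    return urljoin(base, user_path)


def safe_build_url(base: str, user_path: str) -> str:
    """Pin scheme and host from `base`; only path and query of the user input survive."""
    b = urlsplit(base)
    p = urlsplit(user_path)
    if p.scheme or p.netloc:
        # Absolute URLs and protocol-relative paths both carry a host: refuse them.
        raise ValueError("absolute or protocol-relative URLs are not allowed here")
    path = p.path or "/"
    # Collapse extra leading slashes so "///x" cannot turn back into "//x" later.
    while path.startswith("//"):
        path = path[1:]
    if not path.startswith("/"):
        path = "/" + path
    return urlunsplit((b.scheme, b.netloc, path, p.query, ""))


if __name__ == "__main__":
    base = "https://api.internal.example/v1/"  # constructed placeholder host
    print(naive_build_url(base, "//attacker.example/x"))  # host replaced by user input
    print(safe_build_url(base, "/v1/users?id=7"))          # host stays pinned
    for candidate in ("file:///etc/passwd", "//attacker.example/x", "https://example.com/"):
        print(candidate, is_safe_fetch_url(candidate))
```

Scheme allowlisting stops file:// and friends but says nothing about where an http(s) URL points. An SSRF defense also has to resolve the host and refuse loopback, link-local and private ranges before connecting, and repeat that check after every redirect.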

CVE-2026-28359

Stored XSS in Rich Text Fields

Rich text content was rendered without sanitization. Sending raw HTML through the API bypassed the editor and injected scripts that ran in every viewer's browser.

CVE-2026-31836

Mass Assignment Privilege Escalation

The user update API accepted any field in the request body without filtering. A regular user could add a role field and promote themselves to admin.
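
The IDOR and mass-assignment entries above are both missing server-side authorization decisions: one never checks that the caller owns the resource, the other binds every key of the request body to the model. The block below is an added example, not code from this page, from ProjectDiscovery, or from any affected project; the User model and its field names are constructed. It puts the vulnerable binder next to a hardened one that enforces both an ownership check and a per-role field allowlist.

```python
from dataclasses import dataclass, replace

# Fields a user may change on their own profile. Everything else (id, role, ...)
# is server-owned and must never be bound from a request body.
USER_EDITABLE = frozenset({"email", "display_name"})
ADMIN_EDITABLE = USER_EDITABLE | {"role"}


@dataclass(frozen=True)
class User:  # constructed model for the example
    id: int
    email: str
    display_name: str
    role: str = "user"


def update_user_vulnerable(user: User, body: dict) -> User:
    """Mass-assignment bug: every key in the JSON body is bound to the model,
    so {"role": "admin"} sent by a regular user lands in the database."""
    return replace(user, **body)


def update_user_hardened(user: User, body: dict, actor: User) -> User:
    """Bind only allowlisted fields. Which allowlist applies depends on who is
    calling, not on the payload, and a caller may only touch their own record.
    Forbidden keys are rejected rather than silently dropped, so a tampering
    attempt surfaces as a 4xx in the access logs instead of vanishing."""
    if actor.role != "admin" and actor.id != user.id:
        raise PermissionError("users may only edit their own profile")
    allowed = ADMIN_EDITABLE if actor.role == "admin" else USER_EDITABLE
    forbidden = set(body) - allowed
    if forbidden:
        raise PermissionError(f"fields not permitted: {sorted(forbidden)}")
    return replace(user, **body)


if __name__ == "__main__":
    alice = User(id=1, email="alice@example.com", display_name="Alice")
    payload = {"display_name": "Alice", "role": "admin"}  # constructed attacker body
    print(update_user_vulnerable(alice, payload).role)     # admin: privilege escalated
    try:
        update_user_hardened(alice, payload, actor=alice)
    except PermissionError as exc:
        print("rejected:", exc)
```

The hardened version returns a new object; persisting it is the caller's job. Rejecting unknown keys, rather than filtering them out, costs nothing and turns a silent probe into a logged event a detection rule can key on.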

CVE-2026-30928

Unauthenticated Secrets Exposure

Configuration endpoints were accessible without any authentication, exposing database passwords, API keys, and other secrets to anyone on the network.

CVE-2026-30930

SQL Injection via Process Names

Process names were dropped directly into SQL queries during metric exports. A process with SQL in its name could manipulate the database and extract sensitive data.
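
Process names are attacker-controlled input: any local user can start a process under whatever name they like, so an exporter that interpolates the name into SQL hands that user a query editor. The block below is an added example with a constructed SQLite schema; it is not code from this page, from ProjectDiscovery, or from any affected project. It runs the string-built query beside the parameterised one against the same malicious name.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: a metrics table plus a config table holding a secret."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE samples (process TEXT NOT NULL, cpu REAL NOT NULL);
        CREATE TABLE app_config (key TEXT NOT NULL, value TEXT NOT NULL);
        INSERT INTO samples VALUES ('nginx', 1.5), ('postgres', 7.25);
        INSERT INTO app_config VALUES ('db_password', 'hunter2-constructed');
        """
    )
    return conn


def export_cpu_vulnerable(conn: sqlite3.Connection, process_name: str) -> list:
    """String-builds the query from the process name: the pattern described above.
    A name containing a quote closes the literal and the rest becomes SQL."""
    sql = f"SELECT cpu FROM samples WHERE process = '{process_name}'"
    return [row[0] for row in conn.execute(sql)]


def export_cpu_safe(conn: sqlite3.Connection, process_name: str) -> list:
    """Parameterised query: the name is bound as data and cannot change the statement."""
    sql = "SELECT cpu FROM samples WHERE process = ?"
    return [row[0] for row in conn.execute(sql, (process_name,))]


# A constructed process name that appends a UNION over the config table and
# comments out the closing quote the exporter adds.
MALICIOUS_PROCESS_NAME = "x' UNION SELECT value FROM app_config --"


if __name__ == "__main__":
    conn = build_sample_db()
    print(export_cpu_vulnerable(conn, MALICIOUS_PROCESS_NAME))  # leaks the secret
    print(export_cpu_safe(conn, MALICIOUS_PROCESS_NAME))        # no such process
```

The same name is harmless to export_cpu_safe because the driver sends it as a bound value and the statement text never changes. Parameterised statements are the fix; escaping quotes by hand is not, and neither is rejecting "suspicious" names, since a metric pipeline cannot know which characters the next database it writes to will treat as syntax.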

Wired into your stack. Always running.

Neo wires directly into your existing ecosystem — scanning cloud assets, validating code drops, and pushing verified fixes to your developers. It's the operating layer for continuous, autonomous security.

Neo scans your cloud infrastructure for exposures

Attackers move in hours.
Your current tools update in days.

ProjectDiscovery is powered by the world's largest open-source security community, which regularly contributes to its growing Nuclei detection library. When a critical CVE drops, ProjectDiscovery's research team works with this global community to offer you the fastest time to detection with proof.

Built for environments where security tooling must be secure.

Neo runs against your most sensitive assets. It's engineered with defense-in-depth so your security tooling meets the same standards as the environments it protects.

Runs in your VPC

SaaS or VPC deployment. Customer data stays within your environment when you need it to.

Your data stays yours

Zero-retention LLM agreements. Neo never trains on your data. Configurable retention and auto-deletion.

Sandboxed execution

Each task runs in an isolated environment with strict network controls. Artifacts are captured and the environment is torn down after every run.

Human-in-the-loop

Scoped execution with approval gates. Agents only use secrets and endpoints you explicitly grant.

Audit everything

Full action logs, SAML/OIDC SSO, RBAC with custom policies. Every action traceable, every decision documented.

Transparent AI decisions

Every AI action is explainable, logged, and reviewable. Full visibility into what Neo tested, why, and what it found.

Trusted by security teams who demand proof and speed.

"Neo surfaced real race-condition and payment-bypass scenarios with step-by-step reproduction. We stopped spending days recreating timing-sensitive bugs manually."

Security Engineering Lead

Application Security Team, Fortune 500 Restaurant Chain

"We scanned 14,500 assets in under 5 minutes during a critical CVE. Validated fixes instantly with one-click retests. Our perimeter stayed audit-ready."

Clement Fouque

Principal Information Security Analyst, Elastic

"Neo validated cross-account authorization across every role with actionable PoCs. AppSec stopped being the bottleneck on PR reviews."

Senior Security Engineering Manager

Application Security Team, Top-10 Global Crypto Exchange

3x more critical findings detected compared to traditional tools
4.2x faster remediation vs. previous tooling
14.5K assets scanned in under 5 minutes during a live incident
ProjectDiscovery Neo | Security at Engineering Speed