Featured Stories

How Neo found an SSRF vulnerability in Faraday, and why it matters for every team that ships code

Executive Summary Neo found a Server-Side Request Forgery (SSRF) vulnerability in Faraday, a widely used HTTP client library in the Ruby ecosystem. This is Neo’s first credited CVE discovery. Neo is ProjectDiscovery’s AI security copilot for tasks like code review and vulnerability discovery. For this finding, Neo reviewed a widely used open source dependency and, without human guidance, surfaced a subtle URL-handling edge case, validated it in runtime, and produced a clear write-up that maint

AI code review has come a long way, but it can’t catch everything

AI code review can reason about intent, but real incidents often stem from business logic flaws that only show up in runtime. Our benchmark reveals where code-only review falls short.

New Report: State of AppSec 2026 | Security at Engineering Speed

In 2026, most organizations aren’t shipping “applications” so much as they’re shipping continuous change; across APIs and services, infrastructure and configuration, identity and permissions, feature flags, and AI-assisted code.

Surfacing the real attack surface: Advances in asset discovery

Introduction Accurate external asset discovery remains a moving target for security teams at scale. What’s actually exposed is hard to pin down, regardless of how many inventories or spreadsheets an organization maintains. Release cycles move faster, new domains and endpoints are added constantly, and the attack surface continues to shift, leaving static processes and visibility tools struggling to keep up. Traditional discovery tools are effective at identifying well-known or easily indexed a

Vulnerability Research

Related stories

View all

How Neo found an SSRF vulnerability in Faraday, and why it matters for every team that ships code

AI code review has come a long way, but it can’t catch everything

AI code review can reason about intent, but real incidents often stem from business logic flaws that only show up in runtime. Our benchmark reveals where code-only review falls short.

How to Research & Reverse Web Vulnerabilities 101

Introduction This blog serves as a detailed methodology guide for analyzing, reversing, and researching web vulnerabilities, particularly those with CVEs assigned. The content outlines repeatable processes used to evaluate vague advisories, analyze vulnerable software, and ultimately recreate or validate security flaws. The objective is to establish a structured, replicable approach to web vulnerability research. Environment & Tools When approaching a new target for CVE research or reverse-e

Nuclei & Nuclei Template

Related stories

View all

Open by design, trusted by enterprises: how we keep Nuclei templates reliable at scale

At ProjectDiscovery, our greatest strength is our community. Thousands of security researchers, bug bounty hunters, and vulnerability analysts who identify zero‑day vulnerabilities, trending CVEs, and actively exploited vulnerabilities (including those listed in CISA KEV).

Nuclei Templates Monthly - May 2025

Discover the highlights from Nuclei Templates v10.2.1 and v10.2.2 releases: 106 new templates, 57 CVEs covered (including 10 actively exploited KEVs), first-time contributions, a new template bounty program, and key improvements to reduce false positives and negatives.

GCP Cloud Configuration Review Templates - Nuclei Templates v10.2.0 🎉

We’re excited to tell you about Nuclei Templates release v10.2.0! This new version includes newly added GCP Config Review templates. In this blog post, we’ll discuss automating Google Cloud misconfiguration review, creating custom GCP checks, and sharing results on the PDCP Cloud for review. Following our last release on Azure Cloud Security Config Review and Kubernetes Cluster Security, we decided to expand our coverage to include GCP as well. GCP is well-known for its powerful features and v

Vulnerability Management

Related stories

View all

From Detection to Validation: Fixing Broken Vulnerability Workflows

By going beyond version checks, you’ll reduce noise, speed up critical fixes, and keep engineering smiling.

The Coverage Lie: Why Current Vulnerability Scanners Fail to Stop Breaches

First-generation scanners drown teams in noise. Only 6% of CVEs are ever exploited, yet attackers weaponize them in hours. ProjectDiscovery, the RSA Sandbox winner, delivers runtime validation and detections within hours so you can act fast, cut false positives, and close real risk.

Advancing Asset Management - PDCP v0.8.9

We're excited to announce the release of version 0.8.9 of the ProjectDiscovery Cloud Platform. This update introduces significant enhancements to our asset management capabilities, focusing on asset inventory, AI-powered search, and improved user experience. Key Features in v0.8.9 Asset Inventory and Technologies The new interface for cataloging and organizing all assets along with their associated technologies in one place represents a significant advancement in asset management. Now, rega

Customer Stories

Related stories

View all

Securing the distributed perimeter: How Elastic scaled proactive detection with ProjectDiscovery Cloud

Before going all-in on ProjectDiscovery Cloud, Elastic had already embraced Nuclei, the open-source vulnerability scanner built for customization and speed, along with other ProjectDiscovery tools like naabu and httpx.

How ConnectWise streamlined vulnerability detection with ProjectDiscovery

ConnectWise chose ProjectDiscovery over Tenable Cloud to streamline vulnerability detection across 20,000+ AWS instances. By leveraging ProjectDiscovery’s automation and scalability, they achieved efficient, high-volume security monitoring without operational overhead.

How Paddle Strengthened Its Security Posture with ProjectDiscovery

Modern SaaS companies like Paddle face growing security challenges as their platforms expand. To gain full visibility into their attack surface and automate vulnerability detection, Paddle adopted ProjectDiscovery, an open-source security platform that streamlined their security operations.

Educational Stories

Related stories

View all

Bug Bounty Etiquette: Our Guide to Polite Hacking (Part Two)

This is the second part of our series on bug bounty etiquette. Part one looks at what you should be doing. Last month we talked about bug bounty etiquette and how to be a good bug bounty hunter; not in the sense of finding more bugs, but rather in how to be the kind of bug bounty hunter people want to work with. This time, we have some advice about what NOT to while bug bounty hunting. Let's get started. 1. Don’t go all out 2. Don’t ignore the rules 3. Don’t report unnecessary stuff 4. Do

Bug Bounty Etiquette: More than Ethical Hacking (part one)

This is part one of our two-part series on polite hacking, focusing on what to do. Part two talks about what not to do (link coming soon). This blog is not about techniques. It’s not about tools to use, how to find the vulnerability, or anything like that. There are plenty of those out there. It’s much more like an etiquette guide for Bug Bounty reporting, and how working within these social norms can lead to better outcomes for you in your career! Think of it like a cotillion class, or the fa

Getting Started with ProjectDiscovery in Linux and Windows

"Just for you, we’ve got this brand new blog all about getting started with ProjectDiscovery on Linux AND Windows."

Company Announcements

Related stories

View all

Introducing Neo, an AI security engineer for complex security tasks

Neo is a cloud-based AI security engineer that works alongside your team and takes on real security tasks like a true co-engineer. As it operates, it continuously learns your systems and processes, improving over time just like an engineer ramping up on your team. Neo is built as a framework, not as a black box. It combines the reasoning of large language models with purpose-built execution tools, isolated sandboxes, a memory layer that learns your code, architecture and naming, and deep integr

Introducing Credential Monitoring

Imagine discovering that your company's login credentials are sitting in plain sight on the internet, accessible to anyone who knows where to look. Unfortunately, this isn't hypothetical – it's happening right now to organizations worldwide through malware-stolen credentials. The Hidden Threat: Malware-Stolen Credentials Every day, cybercriminals deploy malicious software that quietly steals passwords from infected computers. These "stealer" programs harvest credentials from browsers and appl

ProjectDiscovery v1.3: New navigation, dashboard, and improvements

We're excited to announce ProjectDiscovery v1.3.0, a significant milestone that transforms how security teams discover, analyze, and respond to vulnerabilities across their attack surface. These improvements represent months of engineering effort informed by our community's feedback and real-world deployment scenarios. We can’t wait for security teams to get their hands on v1.3.0 and put these new capabilities to work in their own environments. Redesigned for Speed and Clarity The new v1.3.0

View all stories

Featured Stories

How Neo found an SSRF vulnerability in Faraday, and why it matters for every team that ships code

AI code review has come a long way, but it can’t catch everything

New Report: State of AppSec 2026 | Security at Engineering Speed

Surfacing the real attack surface: Advances in asset discovery

Vulnerability Research

How Neo found an SSRF vulnerability in Faraday, and why it matters for every team that ships code

AI code review has come a long way, but it can’t catch everything

How to Research & Reverse Web Vulnerabilities 101

Nuclei & Nuclei Template

Open by design, trusted by enterprises: how we keep Nuclei templates reliable at scale

Nuclei Templates Monthly - May 2025

GCP Cloud Configuration Review Templates - Nuclei Templates v10.2.0 🎉

Vulnerability Management

From Detection to Validation: Fixing Broken Vulnerability Workflows

The Coverage Lie: Why Current Vulnerability Scanners Fail to Stop Breaches

Advancing Asset Management - PDCP v0.8.9

Customer Stories

Securing the distributed perimeter: How Elastic scaled proactive detection with ProjectDiscovery Cloud

How ConnectWise streamlined vulnerability detection with ProjectDiscovery

How Paddle Strengthened Its Security Posture with ProjectDiscovery

Educational Stories

Bug Bounty Etiquette: Our Guide to Polite Hacking (Part Two)

Bug Bounty Etiquette: More than Ethical Hacking (part one)

Getting Started with ProjectDiscovery in Linux and Windows

Company Announcements

Introducing Neo, an AI security engineer for complex security tasks

Introducing Credential Monitoring

ProjectDiscovery v1.3: New navigation, dashboard, and improvements

Book a demo.