Featured Stories

New Report: State of AppSec 2026 | Security at Engineering Speed

In 2026, most organizations aren’t shipping “applications” so much as they’re shipping continuous change; across APIs and services, infrastructure and configuration, identity and permissions, feature flags, and AI-assisted code.

Surfacing the real attack surface: Advances in asset discovery

Introduction Accurate external asset discovery remains a moving target for security teams at scale. What’s actually exposed is hard to pin down, regardless of how many inventories or spreadsheets an organization maintains. Release cycles move faster, new domains and endpoints are added constantly, and the attack surface continues to shift, leaving static processes and visibility tools struggling to keep up. Traditional discovery tools are effective at identifying well-known or easily indexed a

Year in Review: The Vulnerabilities That Defined 2025

A Year of Real-World Exploitation If you work in security, you probably remember React2Shell. Shortly after public disclosure, scanning activity increased, and exploitation attempts began to surface. That sequence showed up repeatedly across several of 2025’s most impactful vulnerabilities. Advisories were still circulating while attackers were already testing and operationalizing exploits. This wasn’t true for the thousands of CVEs published quietly throughout the year. But for a smaller set

Introducing Neo, an AI security engineer for complex security tasks

Neo is a cloud-based AI security engineer that works alongside your team and takes on real security tasks like a true co-engineer. As it operates, it continuously learns your systems and processes, improving over time just like an engineer ramping up on your team. Neo is built as a framework, not as a black box. It combines the reasoning of large language models with purpose-built execution tools, isolated sandboxes, a memory layer that learns your code, architecture and naming, and deep integr

Vulnerability Research

Related stories

View all

How to Research & Reverse Web Vulnerabilities 101

Introduction This blog serves as a detailed methodology guide for analyzing, reversing, and researching web vulnerabilities, particularly those with CVEs assigned. The content outlines repeatable processes used to evaluate vague advisories, analyze vulnerable software, and ultimately recreate or validate security flaws. The objective is to establish a structured, replicable approach to web vulnerability research. Environment & Tools When approaching a new target for CVE research or reverse-e

Remote Code Execution in DELMIA Apriso

Introduction DELMIA Apriso is a manufacturing execution and operations orchestration platform used by large manufacturers, service providers, and critical infrastructure operators. Because the product exposes multiple integration points (SOAP, file uploads, provisioning feeds) that are often reachable from internal networks, we performed a focused black-box assessment to surface integration and surface-area weaknesses. Our testing uncovered two chained, high-impact issues: an unauthenticated S

Authentication Bypass to RCE in Versa Concerto

Introduction Versa Concerto is a widely used network security and SD-WAN orchestration platform, designed to provide seamless policy management, analytics, and automation for enterprises. With a growing customer base that includes large enterprises, service providers, and government entities, the security of this platform is critical. Given its extensive adoption and potential exposure to external threats, we initiated research to assess its security posture and uncover possible vulnerabilities

Nuclei & Nuclei Template

Related stories

View all

Open by design, trusted by enterprises: how we keep Nuclei templates reliable at scale

At ProjectDiscovery, our greatest strength is our community. Thousands of security researchers, bug bounty hunters, and vulnerability analysts who identify zero‑day vulnerabilities, trending CVEs, and actively exploited vulnerabilities (including those listed in CISA KEV).

Nuclei Templates Monthly - May 2025

Discover the highlights from Nuclei Templates v10.2.1 and v10.2.2 releases: 106 new templates, 57 CVEs covered (including 10 actively exploited KEVs), first-time contributions, a new template bounty program, and key improvements to reduce false positives and negatives.

GCP Cloud Configuration Review Templates - Nuclei Templates v10.2.0 🎉

We’re excited to tell you about Nuclei Templates release v10.2.0! This new version includes newly added GCP Config Review templates. In this blog post, we’ll discuss automating Google Cloud misconfiguration review, creating custom GCP checks, and sharing results on the PDCP Cloud for review. Following our last release on Azure Cloud Security Config Review and Kubernetes Cluster Security, we decided to expand our coverage to include GCP as well. GCP is well-known for its powerful features and v

Vulnerability Management

Related stories

View all

From Detection to Validation: Fixing Broken Vulnerability Workflows

By going beyond version checks, you’ll reduce noise, speed up critical fixes, and keep engineering smiling.

The Coverage Lie: Why Current Vulnerability Scanners Fail to Stop Breaches

First-generation scanners drown teams in noise. Only 6% of CVEs are ever exploited, yet attackers weaponize them in hours. ProjectDiscovery, the RSA Sandbox winner, delivers runtime validation and detections within hours so you can act fast, cut false positives, and close real risk.

Advancing Asset Management - PDCP v0.8.9

We're excited to announce the release of version 0.8.9 of the ProjectDiscovery Cloud Platform. This update introduces significant enhancements to our asset management capabilities, focusing on asset inventory, AI-powered search, and improved user experience. Key Features in v0.8.9 Asset Inventory and Technologies The new interface for cataloging and organizing all assets along with their associated technologies in one place represents a significant advancement in asset management. Now, rega

Customer Stories

Related stories

View all

Securing the distributed perimeter: How Elastic scaled proactive detection with ProjectDiscovery Cloud

Before going all-in on ProjectDiscovery Cloud, Elastic had already embraced Nuclei, the open-source vulnerability scanner built for customization and speed, along with other ProjectDiscovery tools like naabu and httpx.

How ConnectWise streamlined vulnerability detection with ProjectDiscovery

ConnectWise chose ProjectDiscovery over Tenable Cloud to streamline vulnerability detection across 20,000+ AWS instances. By leveraging ProjectDiscovery’s automation and scalability, they achieved efficient, high-volume security monitoring without operational overhead.

How Paddle Strengthened Its Security Posture with ProjectDiscovery

Modern SaaS companies like Paddle face growing security challenges as their platforms expand. To gain full visibility into their attack surface and automate vulnerability detection, Paddle adopted ProjectDiscovery, an open-source security platform that streamlined their security operations.

Educational Stories

Related stories

View all

Bug Bounty Etiquette: Our Guide to Polite Hacking (Part Two)

This is the second part of our series on bug bounty etiquette. Part one looks at what you should be doing. Last month we talked about bug bounty etiquette and how to be a good bug bounty hunter; not in the sense of finding more bugs, but rather in how to be the kind of bug bounty hunter people want to work with. This time, we have some advice about what NOT to while bug bounty hunting. Let's get started. 1. Don’t go all out 2. Don’t ignore the rules 3. Don’t report unnecessary stuff 4. Do

Bug Bounty Etiquette: More than Ethical Hacking (part one)

This is part one of our two-part series on polite hacking, focusing on what to do. Part two talks about what not to do (link coming soon). This blog is not about techniques. It’s not about tools to use, how to find the vulnerability, or anything like that. There are plenty of those out there. It’s much more like an etiquette guide for Bug Bounty reporting, and how working within these social norms can lead to better outcomes for you in your career! Think of it like a cotillion class, or the fa

Getting Started with ProjectDiscovery in Linux and Windows

"Just for you, we’ve got this brand new blog all about getting started with ProjectDiscovery on Linux AND Windows."

Company Announcements

Related stories

View all

Introducing Neo, an AI security engineer for complex security tasks

Introducing Credential Monitoring

Imagine discovering that your company's login credentials are sitting in plain sight on the internet, accessible to anyone who knows where to look. Unfortunately, this isn't hypothetical – it's happening right now to organizations worldwide through malware-stolen credentials. The Hidden Threat: Malware-Stolen Credentials Every day, cybercriminals deploy malicious software that quietly steals passwords from infected computers. These "stealer" programs harvest credentials from browsers and appl

ProjectDiscovery v1.3: New navigation, dashboard, and improvements

We're excited to announce ProjectDiscovery v1.3.0, a significant milestone that transforms how security teams discover, analyze, and respond to vulnerabilities across their attack surface. These improvements represent months of engineering effort informed by our community's feedback and real-world deployment scenarios. We can’t wait for security teams to get their hands on v1.3.0 and put these new capabilities to work in their own environments. Redesigned for Speed and Clarity The new v1.3.0

View all stories

Featured Stories

New Report: State of AppSec 2026 | Security at Engineering Speed

Surfacing the real attack surface: Advances in asset discovery

Year in Review: The Vulnerabilities That Defined 2025

Introducing Neo, an AI security engineer for complex security tasks

Vulnerability Research

How to Research & Reverse Web Vulnerabilities 101

Remote Code Execution in DELMIA Apriso

Authentication Bypass to RCE in Versa Concerto

Nuclei & Nuclei Template

Open by design, trusted by enterprises: how we keep Nuclei templates reliable at scale

Nuclei Templates Monthly - May 2025

GCP Cloud Configuration Review Templates - Nuclei Templates v10.2.0 🎉

Vulnerability Management

From Detection to Validation: Fixing Broken Vulnerability Workflows

The Coverage Lie: Why Current Vulnerability Scanners Fail to Stop Breaches

Advancing Asset Management - PDCP v0.8.9

Customer Stories

Securing the distributed perimeter: How Elastic scaled proactive detection with ProjectDiscovery Cloud

How ConnectWise streamlined vulnerability detection with ProjectDiscovery

How Paddle Strengthened Its Security Posture with ProjectDiscovery

Educational Stories

Bug Bounty Etiquette: Our Guide to Polite Hacking (Part Two)

Bug Bounty Etiquette: More than Ethical Hacking (part one)

Getting Started with ProjectDiscovery in Linux and Windows

Company Announcements

Introducing Neo, an AI security engineer for complex security tasks

Introducing Credential Monitoring

ProjectDiscovery v1.3: New navigation, dashboard, and improvements

Book a demo.