Featured Stories

Continuous PR Security Review

The security findings that end up in incident post-mortems rarely looked dangerous in the PR that introduced them. Not because anyone was careless but because there's nothing in the change that looks wrong. The code does exactly what it says but the problem is in how the app behaves once it's running. A new endpoint ships without a permission check but every other route in the file handles permissions correctly, so nothing about it stands out. Or a response comes back carrying more of a user's

How Neo's Agent Architecture Evolved: From One Agent → Plan, Execute & Verify

Our first engineering post covered prompt caching, the infrastructure change that made long-running agentic tasks economically viable. That post assumed a multi-step, multi-agent system already existed. It did not exist on day one. When we started building Neo, the product was a single agent with a sandbox and a large toolset. Today, a typical task runs through optional planning, an Execution agent that delegates to parallel specialized subagents, and a verification loop that can re-run w

Red-Teaming Cloud Infrastructure with Neo

Most AI security tooling shipped over the last year focuses on one of two workflows, code review at PR time or zero-day research in open-source software. Models in PR pipelines now flag insecure patterns at every commit and autonomous research runs have produced more zero-days across open-source projects than the patch teams behind them can realistically triage. We've been running Neo on both of those workflows at ProjectDiscovery for a while now, surfacing zero-days in production software and t

Benchmarking Neo's Black-Box DAST Capabilities

Since the launch of Neo, we've been steadily expanding what it can do. Neo has found 33+ real CVEs across open-source projects, performed well on white-box security testing where source code is available, and generally proven itself as a capable security engineer when it has context to work with. What we hadn't shared yet is how Neo does when it's operating purely as a black-box DAST agent no source code, no architecture context, just a URL. The prompt Neo gets is a minimal prompt with no guida

Vulnerability Research

Related stories

View all

Beyond the Model: Neo Hunts, Exploits, and Proves 22 Zero-Days.

LLMs are a genuine leap forward for vulnerability discovery. Anthropic reported 500+ zero-days from Opus 4.6 and OpenAI's Codex Security discovered 14 CVEs across projects like OpenSSH and GnuTLS. If you've experimented with LLMs for security testing, you've probably been impressed too. The practical reality for a security team deploying AI is messier than the headlines or early POC results suggest. Noise compounds fast. Anthropic brought in external security researchers to help validate the vo

Inside the benchmark: app architectures, walkthroughs of findings, and what each scanner actually caught

This is Part 2 of our vibe coding security benchmark study. In Part 1, we compared how LLM-based security tools like ProjectDiscovery's Neo and Claude Code performed against traditional SAST and DAST scanners on AI-generated code. We found that LLM-based tools like Neo and Claude Code detected many high-value findings that traditional scanners missed. Between Neo and Claude Code, Neo produced more true positives and fewer false positives because it could validate hypotheses against a running app

How Neo found an SSRF vulnerability in Faraday, and why it matters for every team that ships code

Executive Summary Neo found a Server-Side Request Forgery (SSRF) vulnerability in Faraday, a widely used HTTP client library in the Ruby ecosystem. This is Neo’s first credited CVE discovery. Neo is ProjectDiscovery’s AI security copilot for tasks like code review and vulnerability discovery. For this finding, Neo reviewed a widely used open source dependency and, without human guidance, surfaced a subtle URL-handling edge case, validated it in runtime, and produced a clear write-up that maint

Nuclei & Nuclei Template

Related stories

View all

Nuclei Templates - April 2026

Two releases shipped this cycle - v10.4.2 (April 15) and v10.4.3 (May 5) - delivering deep KEV coverage, a major push into AI/LLM attack surface, fresh Perforce visibility, and broad quality improvements across the template library. 🚀 April Stats Release New Templates CVEs Added First-time Contributors v10.4.2 121 61 15 v10.4.3 105 62 12 Total 226 123 27 * 226 new templates shipped across both releases * 123 CVEs covered, including ~10 actively exploited vulnerabilities

Open by design, trusted by enterprises: how we keep Nuclei templates reliable at scale

At ProjectDiscovery, our greatest strength is our community. Thousands of security researchers, bug bounty hunters, and vulnerability analysts who identify zero‑day vulnerabilities, trending CVEs, and actively exploited vulnerabilities (including those listed in CISA KEV).

Nuclei Templates Monthly - May 2025

Discover the highlights from Nuclei Templates v10.2.1 and v10.2.2 releases: 106 new templates, 57 CVEs covered (including 10 actively exploited KEVs), first-time contributions, a new template bounty program, and key improvements to reduce false positives and negatives.

Vulnerability Management

Related stories

View all

From Detection to Validation: Fixing Broken Vulnerability Workflows

By going beyond version checks, you’ll reduce noise, speed up critical fixes, and keep engineering smiling.

The Coverage Lie: Why Current Vulnerability Scanners Fail to Stop Breaches

First-generation scanners drown teams in noise. Only 6% of CVEs are ever exploited, yet attackers weaponize them in hours. ProjectDiscovery, the RSA Sandbox winner, delivers runtime validation and detections within hours so you can act fast, cut false positives, and close real risk.

Advancing Asset Management - PDCP v0.8.9

We're excited to announce the release of version 0.8.9 of the ProjectDiscovery Cloud Platform. This update introduces significant enhancements to our asset management capabilities, focusing on asset inventory, AI-powered search, and improved user experience. Key Features in v0.8.9 Asset Inventory and Technologies The new interface for cataloging and organizing all assets along with their associated technologies in one place represents a significant advancement in asset management. Now, rega

Customer Stories

Related stories

View all

Securing the distributed perimeter: How Elastic scaled proactive detection with ProjectDiscovery Cloud

Before going all-in on ProjectDiscovery Cloud, Elastic had already embraced Nuclei, the open-source vulnerability scanner built for customization and speed, along with other ProjectDiscovery tools like naabu and httpx.

How ConnectWise streamlined vulnerability detection with ProjectDiscovery

ConnectWise chose ProjectDiscovery over Tenable Cloud to streamline vulnerability detection across 20,000+ AWS instances. By leveraging ProjectDiscovery’s automation and scalability, they achieved efficient, high-volume security monitoring without operational overhead.

How Paddle Strengthened Its Security Posture with ProjectDiscovery

Modern SaaS companies like Paddle face growing security challenges as their platforms expand. To gain full visibility into their attack surface and automate vulnerability detection, Paddle adopted ProjectDiscovery, an open-source security platform that streamlined their security operations.

Educational Stories

Related stories

View all

Bug Bounty Etiquette: Our Guide to Polite Hacking (Part Two)

This is the second part of our series on bug bounty etiquette. Part one looks at what you should be doing. Last month we talked about bug bounty etiquette and how to be a good bug bounty hunter; not in the sense of finding more bugs, but rather in how to be the kind of bug bounty hunter people want to work with. This time, we have some advice about what NOT to while bug bounty hunting. Let's get started. 1. Don’t go all out 2. Don’t ignore the rules 3. Don’t report unnecessary stuff 4. Do

Bug Bounty Etiquette: More than Ethical Hacking (part one)

This is part one of our two-part series on polite hacking, focusing on what to do. Part two talks about what not to do (link coming soon). This blog is not about techniques. It’s not about tools to use, how to find the vulnerability, or anything like that. There are plenty of those out there. It’s much more like an etiquette guide for Bug Bounty reporting, and how working within these social norms can lead to better outcomes for you in your career! Think of it like a cotillion class, or the fa

Getting Started with ProjectDiscovery in Linux and Windows

"Just for you, we’ve got this brand new blog all about getting started with ProjectDiscovery on Linux AND Windows."

Company Announcements

Related stories

View all

Introducing Neo, an AI security engineer for complex security tasks

Neo is a cloud-based AI security engineer that works alongside your team and takes on real security tasks like a true co-engineer. As it operates, it continuously learns your systems and processes, improving over time just like an engineer ramping up on your team. Neo is built as a framework, not as a black box. It combines the reasoning of large language models with purpose-built execution tools, isolated sandboxes, a memory layer that learns your code, architecture and naming, and deep integr

Introducing Credential Monitoring

Imagine discovering that your company's login credentials are sitting in plain sight on the internet, accessible to anyone who knows where to look. Unfortunately, this isn't hypothetical – it's happening right now to organizations worldwide through malware-stolen credentials. The Hidden Threat: Malware-Stolen Credentials Every day, cybercriminals deploy malicious software that quietly steals passwords from infected computers. These "stealer" programs harvest credentials from browsers and appl

ProjectDiscovery v1.3: New navigation, dashboard, and improvements

We're excited to announce ProjectDiscovery v1.3.0, a significant milestone that transforms how security teams discover, analyze, and respond to vulnerabilities across their attack surface. These improvements represent months of engineering effort informed by our community's feedback and real-world deployment scenarios. We can’t wait for security teams to get their hands on v1.3.0 and put these new capabilities to work in their own environments. Redesigned for Speed and Clarity The new v1.3.0

View all stories

Featured Stories

Continuous PR Security Review

How Neo's Agent Architecture Evolved: From One Agent → Plan, Execute & Verify

Red-Teaming Cloud Infrastructure with Neo

Benchmarking Neo's Black-Box DAST Capabilities

Vulnerability Research

Beyond the Model: Neo Hunts, Exploits, and Proves 22 Zero-Days.

Inside the benchmark: app architectures, walkthroughs of findings, and what each scanner actually caught

How Neo found an SSRF vulnerability in Faraday, and why it matters for every team that ships code

Nuclei & Nuclei Template

Nuclei Templates - April 2026

Open by design, trusted by enterprises: how we keep Nuclei templates reliable at scale

Nuclei Templates Monthly - May 2025

Vulnerability Management

From Detection to Validation: Fixing Broken Vulnerability Workflows

The Coverage Lie: Why Current Vulnerability Scanners Fail to Stop Breaches

Advancing Asset Management - PDCP v0.8.9

Customer Stories

Securing the distributed perimeter: How Elastic scaled proactive detection with ProjectDiscovery Cloud

How ConnectWise streamlined vulnerability detection with ProjectDiscovery

How Paddle Strengthened Its Security Posture with ProjectDiscovery

Educational Stories

Bug Bounty Etiquette: Our Guide to Polite Hacking (Part Two)

Bug Bounty Etiquette: More than Ethical Hacking (part one)

Getting Started with ProjectDiscovery in Linux and Windows

Company Announcements

Introducing Neo, an AI security engineer for complex security tasks

Introducing Credential Monitoring

ProjectDiscovery v1.3: New navigation, dashboard, and improvements

Book a demo.