Featured Stories

Benchmarking Neo's Black-Box DAST Capabilities

Since the launch of Neo, we've been steadily expanding what it can do. Neo has found 33+ real CVEs across open-source projects, performed well on white-box security testing where source code is available, and generally proven itself as a capable security engineer when it has context to work with. What we hadn't shared yet is how Neo does when it's operating purely as a black-box DAST agent no source code, no architecture context, just a URL. The prompt Neo gets is a minimal prompt with no guida

Neo v. DIY: The gap between a single finding and a mature security program

In our latest webinar, our Founding Solutions Engineer, Davis Franklin, addressed the massive gap between finding a vulnerability with an LLM and running a mature security program. That gap is what Neo is built to close. With the release of Opus 4.6 and the announcement of Mythos, the question we hear constantly has gotten louder: Can I just build this with Claude Code? The short answer is yes. You can spin up a working PoC in about half an hour, find a real vulnerability, and feel genuinely co

How We Cut LLM Costs by 59% With Prompt Caching

At ProjectDiscovery, we've been building Neo, an autonomous security testing platform that runs multi-agent, multi-step workflows, routinely executing 20-40+ LLM steps per task. Vulnerability assessments, code reviews, and security audits at scale, enabling continuous testing across the entire development lifecycle. When we launched, our LLM costs were staggering. A single complex task with Opus 4.5 could consume 60 million tokens. Then we implemented prompt caching. Here's what changed:

Everyone is finding vulns. The hard part is proving them.

LLMs are a genuine leap forward for vulnerability discovery. Anthropic reported 500+ zero-days from Opus 4.6 and OpenAI's Codex Security discovered 14 CVEs across projects like OpenSSH and GnuTLS. If you've experimented with LLMs for security testing, you've probably been impressed too. The practical reality for a security team deploying AI is messier than the headlines or early POC results suggest. Noise compounds fast. Anthropic brought in external security researchers to help validate the vo

Vulnerability Research

Related stories

View all

Everyone is finding vulns. The hard part is proving them.

Inside the benchmark: app architectures, walkthroughs of findings, and what each scanner actually caught

This is Part 2 of our vibe coding security benchmark study. In Part 1, we compared how LLM-based security tools like ProjectDiscovery's Neo and Claude Code performed against traditional SAST and DAST scanners on AI-generated code. We found that LLM-based tools like Neo and Claude Code detected many high-value findings that traditional scanners missed. Between Neo and Claude Code, Neo produced more true positives and fewer false positives because it could validate hypotheses against a running app

How Neo found an SSRF vulnerability in Faraday, and why it matters for every team that ships code

Executive Summary Neo found a Server-Side Request Forgery (SSRF) vulnerability in Faraday, a widely used HTTP client library in the Ruby ecosystem. This is Neo’s first credited CVE discovery. Neo is ProjectDiscovery’s AI security copilot for tasks like code review and vulnerability discovery. For this finding, Neo reviewed a widely used open source dependency and, without human guidance, surfaced a subtle URL-handling edge case, validated it in runtime, and produced a clear write-up that maint

Nuclei & Nuclei Template

Related stories

View all

Open by design, trusted by enterprises: how we keep Nuclei templates reliable at scale

At ProjectDiscovery, our greatest strength is our community. Thousands of security researchers, bug bounty hunters, and vulnerability analysts who identify zero‑day vulnerabilities, trending CVEs, and actively exploited vulnerabilities (including those listed in CISA KEV).

Nuclei Templates Monthly - May 2025

Discover the highlights from Nuclei Templates v10.2.1 and v10.2.2 releases: 106 new templates, 57 CVEs covered (including 10 actively exploited KEVs), first-time contributions, a new template bounty program, and key improvements to reduce false positives and negatives.

GCP Cloud Configuration Review Templates - Nuclei Templates v10.2.0 🎉

We’re excited to tell you about Nuclei Templates release v10.2.0! This new version includes newly added GCP Config Review templates. In this blog post, we’ll discuss automating Google Cloud misconfiguration review, creating custom GCP checks, and sharing results on the PDCP Cloud for review. Following our last release on Azure Cloud Security Config Review and Kubernetes Cluster Security, we decided to expand our coverage to include GCP as well. GCP is well-known for its powerful features and v

Vulnerability Management

Related stories

View all

From Detection to Validation: Fixing Broken Vulnerability Workflows

By going beyond version checks, you’ll reduce noise, speed up critical fixes, and keep engineering smiling.

The Coverage Lie: Why Current Vulnerability Scanners Fail to Stop Breaches

First-generation scanners drown teams in noise. Only 6% of CVEs are ever exploited, yet attackers weaponize them in hours. ProjectDiscovery, the RSA Sandbox winner, delivers runtime validation and detections within hours so you can act fast, cut false positives, and close real risk.

Advancing Asset Management - PDCP v0.8.9

We're excited to announce the release of version 0.8.9 of the ProjectDiscovery Cloud Platform. This update introduces significant enhancements to our asset management capabilities, focusing on asset inventory, AI-powered search, and improved user experience. Key Features in v0.8.9 Asset Inventory and Technologies The new interface for cataloging and organizing all assets along with their associated technologies in one place represents a significant advancement in asset management. Now, rega

Customer Stories

Related stories

View all

Securing the distributed perimeter: How Elastic scaled proactive detection with ProjectDiscovery Cloud

Before going all-in on ProjectDiscovery Cloud, Elastic had already embraced Nuclei, the open-source vulnerability scanner built for customization and speed, along with other ProjectDiscovery tools like naabu and httpx.

How ConnectWise streamlined vulnerability detection with ProjectDiscovery

ConnectWise chose ProjectDiscovery over Tenable Cloud to streamline vulnerability detection across 20,000+ AWS instances. By leveraging ProjectDiscovery’s automation and scalability, they achieved efficient, high-volume security monitoring without operational overhead.

How Paddle Strengthened Its Security Posture with ProjectDiscovery

Modern SaaS companies like Paddle face growing security challenges as their platforms expand. To gain full visibility into their attack surface and automate vulnerability detection, Paddle adopted ProjectDiscovery, an open-source security platform that streamlined their security operations.

Educational Stories

Related stories

View all

Bug Bounty Etiquette: Our Guide to Polite Hacking (Part Two)

This is the second part of our series on bug bounty etiquette. Part one looks at what you should be doing. Last month we talked about bug bounty etiquette and how to be a good bug bounty hunter; not in the sense of finding more bugs, but rather in how to be the kind of bug bounty hunter people want to work with. This time, we have some advice about what NOT to while bug bounty hunting. Let's get started. 1. Don’t go all out 2. Don’t ignore the rules 3. Don’t report unnecessary stuff 4. Do

Bug Bounty Etiquette: More than Ethical Hacking (part one)

This is part one of our two-part series on polite hacking, focusing on what to do. Part two talks about what not to do (link coming soon). This blog is not about techniques. It’s not about tools to use, how to find the vulnerability, or anything like that. There are plenty of those out there. It’s much more like an etiquette guide for Bug Bounty reporting, and how working within these social norms can lead to better outcomes for you in your career! Think of it like a cotillion class, or the fa

Getting Started with ProjectDiscovery in Linux and Windows

"Just for you, we’ve got this brand new blog all about getting started with ProjectDiscovery on Linux AND Windows."

Company Announcements

Related stories

View all

Introducing Neo, an AI security engineer for complex security tasks

Neo is a cloud-based AI security engineer that works alongside your team and takes on real security tasks like a true co-engineer. As it operates, it continuously learns your systems and processes, improving over time just like an engineer ramping up on your team. Neo is built as a framework, not as a black box. It combines the reasoning of large language models with purpose-built execution tools, isolated sandboxes, a memory layer that learns your code, architecture and naming, and deep integr

Introducing Credential Monitoring

Imagine discovering that your company's login credentials are sitting in plain sight on the internet, accessible to anyone who knows where to look. Unfortunately, this isn't hypothetical – it's happening right now to organizations worldwide through malware-stolen credentials. The Hidden Threat: Malware-Stolen Credentials Every day, cybercriminals deploy malicious software that quietly steals passwords from infected computers. These "stealer" programs harvest credentials from browsers and appl

ProjectDiscovery v1.3: New navigation, dashboard, and improvements

We're excited to announce ProjectDiscovery v1.3.0, a significant milestone that transforms how security teams discover, analyze, and respond to vulnerabilities across their attack surface. These improvements represent months of engineering effort informed by our community's feedback and real-world deployment scenarios. We can’t wait for security teams to get their hands on v1.3.0 and put these new capabilities to work in their own environments. Redesigned for Speed and Clarity The new v1.3.0

View all stories

Featured Stories

Benchmarking Neo's Black-Box DAST Capabilities

Neo v. DIY: The gap between a single finding and a mature security program

How We Cut LLM Costs by 59% With Prompt Caching

Everyone is finding vulns. The hard part is proving them.

Vulnerability Research

Everyone is finding vulns. The hard part is proving them.

Inside the benchmark: app architectures, walkthroughs of findings, and what each scanner actually caught

How Neo found an SSRF vulnerability in Faraday, and why it matters for every team that ships code

Nuclei & Nuclei Template

Open by design, trusted by enterprises: how we keep Nuclei templates reliable at scale

Nuclei Templates Monthly - May 2025

GCP Cloud Configuration Review Templates - Nuclei Templates v10.2.0 🎉

Vulnerability Management

From Detection to Validation: Fixing Broken Vulnerability Workflows

The Coverage Lie: Why Current Vulnerability Scanners Fail to Stop Breaches

Advancing Asset Management - PDCP v0.8.9

Customer Stories

Securing the distributed perimeter: How Elastic scaled proactive detection with ProjectDiscovery Cloud

How ConnectWise streamlined vulnerability detection with ProjectDiscovery

How Paddle Strengthened Its Security Posture with ProjectDiscovery

Educational Stories

Bug Bounty Etiquette: Our Guide to Polite Hacking (Part Two)

Bug Bounty Etiquette: More than Ethical Hacking (part one)

Getting Started with ProjectDiscovery in Linux and Windows

Company Announcements

Introducing Neo, an AI security engineer for complex security tasks

Introducing Credential Monitoring

ProjectDiscovery v1.3: New navigation, dashboard, and improvements

Book a demo.