
Over the past year, we’ve worked closely with hundreds of users to understand how security teams map their infrastructure using ProjectDiscovery’s open-source tools. With v1, we’ve taken those insights and built a faster, smarter foundation for exposure management—automating critical workflows to help you continuously discover assets and proactively monitor for security risks in real time.
In this post, we’ll dive into the technical architecture behind our approach. If you’re short on time, here is a TL;DR on what’s new with Asset Discovery in ProjectDiscovery v1:
- Smarter asset discovery, instantly – Search-like experience with instant results.
- Expanded discovery capabilities – Added tlsx, uncover, and asnmap to discovery workflows, plus third-party data source support
- AI-powered asset contextualization and labeling – AI-generated and custom labels, plus bulk tagging via filters
- Screenshots catalog – Visually review assets to spot anomalies and detect unauthorized access
- Enhanced technologies view – Richer insights into detected tech stacks and infrastructure changes.
- Precise filtering with dynamic subgroups – Filter by 14+ attributes and save views as dynamic subgroups
- Subsidiary discovery – Identify subsidiaries, brands, and owned domains
- Cloud integrations – Connect AWS, Azure, GCP, DigitalOcean, and more for live asset imports
Get started for free, upgrade to Pro, or request a demo for Enterprise.
First, let’s take a look at how we’re redefining the future of asset discovery and reconnaissance.

At ProjectDiscovery, we’re building an end-to-end framework designed to keep up with modern tech stacks and the way today's internet functions. Security threats are rapidly evolving, with attackers increasingly targeting the exposed applications, endpoints, and services that teams deploy. Our product doesn’t just scan an organization’s full infrastructure; it also thoroughly analyzes these services from a modern web perspective, synthesizing web content and capturing all the critical details that traditional tools miss.

Smarter asset discovery, instantly

Reconnaissance and asset discovery have traditionally been slow and time-consuming. Security teams often don’t have the time to manually initiate scans and wait hours for results.
We’ve reengineered this process to make discovery instant. We rearchitected Chaos, our internet-scale asset database, to deliver results in seconds, leveraging pre-indexed data for hundreds of thousands of domains.
We’ve also expanded the information we gather by including port scanning for the top 100 ports, technology detection, AI-powered classification, and screenshots—all instantly queryable in the same experience.
Free accounts get unlimited access to pre-indexed domains and can discover up to 10 new domains per month. For unindexed domains, we automatically initiate active enumeration and perform full reconnaissance.
Discovery data is refreshed weekly, and newly identified domains are continuously added to expand our coverage.
Looking for more enrichment and greater coverage?
Our Pro tier comes with:
- Daily discovery
- 100 new domains a month
- Top 1,000 ports
- Active DNS enumeration with bruteforcing
- Cloud integrations (see below)
- Data export
Our Enterprise tier comes with everything in Pro, plus full 65k port scanning, internal network discovery, and custom domain limits.

Expanded discovery capabilities
Instant results are just the beginning. We’ve made asset discovery even more powerful by integrating additional open-source tools and extending coverage across multiple data sources.
- TLS certificate discovery with tlsx – We’ve added tlsx to extract TLS certificates from targets and feed them back into our scanning workflow. This expands discovery scope by identifying associated domains and subdomains that might otherwise go unnoticed.
- Uncovering exposed hosts – We now leverage uncover to retrieve publicly exposed hosts and IP addresses from search engines and databases, further broadening asset visibility.
- ASN-based discovery with asnmap – By integrating asnmap, we can now map IP ranges associated with Autonomous System Numbers (ASNs) linked to top-level domains. This allows for a more comprehensive discovery process, surfacing infrastructure that might not be directly mapped to a domain.
- Expanded discovery with third-party data sources – For deeper insights, you can now integrate API keys from third-party services like Shodan, Censys, and FOFA, unlocking additional discovery data for broader coverage.
With these additions, ProjectDiscovery Cloud now chains together ten open-source tools, plus Nuclei, to create the most comprehensive asset discovery and reconnaissance workflow available for the modern web.
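One way to scope the certificate feedback step described in the tlsx item above, as an added example that is not ProjectDiscovery's code: it reads certificate records, keeps only names under your own root domains, and separates wildcard zones from concrete hosts. The JSON field names (`host`, `subject_cn`, `subject_an`) are assumptions modelled on tlsx-style JSON output, the function names are hypothetical, and the records are constructed.

```python
import json

# Constructed sample of JSON-lines certificate records. The field names
# (host, subject_cn, subject_an) are assumptions modelled on tlsx-style output.
SAMPLE_RECORDS = """\
{"host": "www.example.com", "port": "443", "subject_cn": "www.example.com", "subject_an": ["www.example.com", "api.example.com", "*.dev.example.com"]}
{"host": "shop.example.com", "port": "443", "subject_cn": "edge.cdn-provider.test", "subject_an": ["edge.cdn-provider.test", "shop.example.com", "othercustomer.test"]}
{"host": "vpn.example.com", "port": "443", "subject_cn": "VPN.Example.com.", "subject_an": ["notexample.com", "10.0.0.5"]}
not-json-line
"""

def normalize(name):
    """Lowercase and strip the trailing dot; return (hostname, was_wildcard)."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):
        return name[2:], True
    return name, False

def in_scope(name, roots):
    """True only for a root domain itself or a label-boundary subdomain of it."""
    return any(name == r or name.endswith("." + r) for r in roots)

def new_targets(jsonl, roots, known):
    """Return (hosts, wildcard_zones) seen in certificates, in scope and not yet known."""
    hosts, wildcards = set(), set()
    for line in jsonl.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(rec, dict):
            continue
        names = [rec.get("subject_cn") or ""] + list(rec.get("subject_an") or [])
        for raw in names:
            name, wildcard = normalize(raw)
            if not name or not in_scope(name, roots):
                continue  # shared certificates also list other parties' names
            if wildcard:
                wildcards.add(name)  # a zone to enumerate, not a host to scan
            elif name not in known:
                hosts.add(name)
    return sorted(hosts), sorted(wildcards)

if __name__ == "__main__":
    known = {"www.example.com", "shop.example.com", "vpn.example.com"}
    print(new_targets(SAMPLE_RECORDS, {"example.com"}, known))
```

The label-boundary check matters: a plain suffix match would pull `notexample.com` into scope, and a shared CDN certificate would add another customer's hostname to the scan queue.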

AI-Powered asset contextualization and labeling

Understanding your attack surface is more than just discovering assets—it’s about knowing what types of assets they are and how they fit into your environment. That’s why we’ve introduced AI-driven asset labeling. This capability helps automatically categorize discovered assets based on screenshots, metadata, DNS records, and HTTP data.
- Instant classification – Every asset that enters discovery is automatically labeled, helping you identify key properties at a glance.
- Smart categorization – We assign labels for website types (e.g., API docs, internal apps, login pages, admin panels) and environments (e.g., production, staging, internal).
- Custom & bulk labeling – In addition to AI-driven labels, users can now manually assign custom labels and apply them in bulk based on filters. For example, you can label all assets running on port 8088 as "staging" in just a few clicks.
- Custom AI labels (coming soon) – Soon, you’ll be able to customize labels and define your own prompts, giving you full control over how assets are categorized.
With AI-powered contextualization, ProjectDiscovery Cloud not only discovers assets but also helps classify results to help you better organize, contextualize, and prioritize your assets.
Note: Asset labeling is currently in early beta and runs asynchronously. The initial labeling process may take some time, but we're actively optimizing performance. Speed improvements are coming soon!

Screenshots catalog

A visual review of discovered assets can reveal security risks that metadata alone might miss. That’s why we’ve introduced the screenshot catalog—a tiled, visual overview of all discovered assets, making it easier to spot anomalies at a glance.
- At-a-glance context – Each screenshot is displayed alongside key details, including the host, IP address, capture timestamp, labels, and detected technologies.
- Identify security risks – Quickly detect unauthenticated access to sensitive pages, misconfigured admin panels, or redirects to unexpected domains.
- Monitor unexpected changes – Catch defaced pages, exposed internal tools, or services that shouldn’t be public.
- Coming soon: filtering & sorting – Soon, you’ll be able to filter and sort screenshots by attributes like labels, technologies, and capture dates for faster analysis.
The screenshot catalog adds a new layer of visibility to asset discovery, helping security teams detect misconfigurations and exposure risks faster.

Enhanced technologies view

Attackers don’t just look for exposed assets—they profile the underlying technologies to find relevant weaknesses. Our technologies view feature helps you do the same by detecting and mapping the tech stacks running across your infrastructure.
- Instant visibility – See every detected technology in a simple list format, along with the number of hosts running it.
- Drill down with precision – Filter by technology, like Nginx or Envoy, and instantly view associated hosts.
- Detect unusual stacks – Identify outdated, misconfigured, or unexpected technologies. If your infrastructure runs modern frameworks, but an Apache Struts instance appears, it could signal a forgotten or risky deployment.
- Security advisories (coming soon) – Get real-time alerts on vulnerabilities affecting the technologies in your environment.
- Expanded detection (coming soon) – Deeper technology fingerprinting powered by Nuclei templates, giving you broader coverage across your attack surface.
With technologies view, you gain continuous awareness of what’s running across your infrastructure—just like an attacker would—but with the power to act before threats emerge.
Technologies view is currently available in the Pro and Enterprise tiers.

Precise filtering with dynamic subgroups

Managing exposure across thousands—or even millions—of assets is no small task. Our filters make it easier to cut through heaps of asset data and focus on what matters.
- Filter across 14+ attributes – Narrow results by port number, labels, technologies, CNAME, domain, content length, and more.
- Real-time subtotals – Instantly see how many assets match a filter. For example, quickly identify all hosts running on port 22 (SSH), 3389 (RDP), or 3306 (MySQL)—common targets for attackers.
- Advanced filtering options – Multi-select values (e.g., all assets running on Nginx and Apache) or exclude specific attributes (e.g., all assets under a subsidiary domain).
- Saved & dynamic groups – Save custom filters as dynamic asset groups that update automatically as new assets are discovered or the attack surface changes.
With filters, security teams can:
- Prioritize high-risk services, such as assets exposing interfaces like RDP (3389) or SSH (22)
- Identify hosts returning 200 OK responses for admin panels or login pages that shouldn’t be publicly accessible
- Find assets resolving to unexpected third-party services like AWS S3, which could indicate orphaned storage buckets
- Create a more targeted asset list for vulnerability scans
Filters give security teams full control over their asset inventory, enabling powerful analysis and identification of potential security risks in seconds.

Subsidiary discovery

For large organizations, mapping out subsidiaries, brands, and owned web properties is a challenge in itself. Many enterprises operate hundreds or even thousands of related entities, making it difficult to get a clear picture of their full attack surface.
- Automated subsidiary correlation – We integrate with the Crunchbase API to automatically identify and map subsidiaries, helping security teams track associated assets across their entire corporate structure.
- Seamless onboarding experience – This visibility is presented during onboarding, giving users an instant snapshot of their organization's extended footprint as they set up their account.
- Coming soon: WHOIS-based discovery – We’re expanding this capability with reverse WHOIS lookups, surfacing additional owned domains and associated entities.
- Coming soon: community API access – We’ll soon open this data via API, enabling researchers to contribute and enhance our subsidiary detection engine.
Currently, this feature is available to users who sign up with a valid business email, providing insights specific to the company associated with that email domain.

Cloud integrations – real-time visibility, seamlessly connected

Our discovery workflows are powerful, but nothing replaces real-time exposure data pulled directly from your cloud environments. Powered by our open-source tool Cloudlist, our read-only cloud integrations provide continuous visibility into your attack surface, ensuring that your security data is always up to date.
- Seamless cloud coverage – Integrate with AWS, GCP, and Azure to automatically track assets across your cloud infrastructure.
- Scale with assume role support – Easily onboard large numbers of cloud accounts using Assume Role, streamlining multi-account security monitoring.
- Daily auto-updates – Your cloud exposure data refreshes every 24 hours, so you always have an up-to-date view of your infrastructure.
- Intelligent asset deduplication – To prevent duplicate asset counts, we resolve IPs on the backend so you’re never double charged.
- Vercel integration (coming soon) – We’re expanding our coverage to Vercel, allowing security teams to actively test deployments—including preview environments—in real time.
With cloud integrations, security teams gain instant, automated visibility into their cloud-hosted assets, reducing blind spots and improving security posture across dynamic environments.
Cloud integrations are available in Enterprise, Pro, and free accounts with a valid business email.