We use tools on this site to collect and record your data (e.g., your searches), which we and our vendors may use to provide, improve, and personalize our offerings, make recommendations, and for analytics and marketing. Some of these tools identify visitors and link website activity to business contact and company information so we can better understand interest in our services and tailor our outreach. We may share your data with third parties, such as advertising vendors, social media companies, and research partners, which may be "targeted advertising," "selling," or "sharing" under applicable privacy laws. Continuing to browse our site means you accept these terms and our Privacy Policy. To opt out, click the Your Privacy Choices link in the footer.

Join ProjectDiscovery at Black Hat 2026 to experience Neo in action. Discover live demos, real workflows, and how to uncover and fix exposures at scale.

LLMs can detect vulnerabilities. But can your DIY solution validate, scale, and survive a team transition? Download the whitepaper to find out when building makes sense and when it doesn't.

See why building your own AI security tool is easy until the bill arrives. Join our next webinar to see where the build vs. buy math really lands.

How CVE volume, known-exploited counts and time-to-exploit all changed shape across the LLM build-out and why defenders are now on the wrong side of the clock. In 2018 the world published about 18,000 CVEs and the average vulnerability took roughly two months to get exploited after it went public. By 2025 the world was publishing nearly 50,000 CVEs a year and the average vulnerability was being exploited before it was disclosed. Those two facts are the whole story. The number of vulnerabilitie

Our first engineering post covered prompt caching, the infrastructure change that made long-running agentic tasks economically viable. That post assumed a multi-step, multi-agent system already existed. It did not exist on day one. When we started building Neo, the product was a single agent with a sandbox and a large toolset. Today, a typical task runs through optional planning, an Execution agent that delegates to parallel specialized subagents, and a verification loop that can re-run w

Most AI security tooling shipped over the last year focuses on one of two workflows, code review at PR time or zero-day research in open-source software. Models in PR pipelines now flag insecure patterns at every commit and autonomous research runs have produced more zero-days across open-source projects than the patch teams behind them can realistically triage. We've been running Neo on both of those workflows at ProjectDiscovery for a while now, surfacing zero-days in production software and t

Two releases shipped this cycle - v10.4.2 (April 15) and v10.4.3 (May 5) - delivering deep KEV coverage, a major push into AI/LLM attack surface, fresh Perforce visibility, and broad quality improvements across the template library. 🚀 April Stats Release New Templates CVEs Added First-time Contributors v10.4.2 121 61 15 v10.4.3 105 62 12 Total 226 123 27 * 226 new templates shipped across both releases * 123 CVEs covered, including ~10 actively exploited vulnerabilities

Nuclei changed how the industry thinks about vulnerability scanning. Neo is the next chapter. Join us on Wednesday, May 20th, at 1 PM ET as Davis sits down with Rishi in San Francisco to cover why we created Nuclei, the hard questions in security, and where the industry is going.

Legacy DAST struggles with modern apps. Learn where it still fits, where it fails, and what to ask when evaluating a modern DAST replacement.

New research from ProjectDiscovery surfaces an uncomfortable truth: Engineering has accelerated, and Security has been left to absorb the impact, mostly by hand. If you work in application security right now, you already know the shape of the problem. Pull requests are landing faster than they used to. The diffs are bigger. The author on the commit is increasingly your engineering team's AI assistant, not the engineer themselves. And somewhere downstream, you and a small team are expected to ke

Since the launch of Neo, we've been steadily expanding what it can do. Neo has found 33+ real CVEs across open-source projects, performed well on white-box security testing where source code is available, and generally proven itself as a capable security engineer when it has context to work with. What we hadn't shared yet is how Neo does when it's operating purely as a black-box DAST agent no source code, no architecture context, just a URL. The prompt Neo gets is a minimal prompt with no guida

200 cybersecurity practitioners told us what AI-assisted coding is really doing to their teams. The short version: engineering is shipping faster than ever, and security is absorbing the impact. This report breaks down where the pressure is building, what is breaking, and what it will take to close the gap.