projectdiscovery https://projectdiscovery.io/blog Latest posts from https://projectdiscovery.io/blog. follow.is: None http://www.rssboard.org/rss-specification python-feedgen Mon, 13 Jul 2026 03:20:59 +0000 ProjectDiscovery v1.3: New navigation, dashboard, and improvements https://projectdiscovery.io/blog/projectdiscovery-v1-3-new-navigation-dashboard-and-improvements We're excited to announce ProjectDiscovery v1.3.0, a significant milestone that transforms how security teams discover, analyze, and respond to vulnerabilities across their attack surface. These improvements represent months of engineering effort informed by our community's feedback and real-world deployment scenarios. We can’t wait for security teams to get their hands on v1.3.0 and put these new capabilities to work in their own environments. Redesigned for Speed and Clarity The new v1.3.0 Introducing Credential Monitoring https://projectdiscovery.io/blog/leaked-credential-monitoring Imagine discovering that your company's login credentials are sitting in plain sight on the internet, accessible to anyone who knows where to look. Unfortunately, this isn't hypothetical – it's happening right now to organizations worldwide through malware-stolen credentials. The Hidden Threat: Malware-Stolen Credentials Every day, cybercriminals deploy malicious software that quietly steals passwords from infected computers. These "stealer" programs harvest credentials from browsers and appl Introducing Neo, an AI security engineer for complex security tasks https://projectdiscovery.io/blog/introducing-neo Neo is a cloud-based AI security engineer that works alongside your team and takes on real security tasks like a true co-engineer. As it operates, it continuously learns your systems and processes, improving over time just like an engineer ramping up on your team. Neo is built as a framework, not as a black box. It combines the reasoning of large language models with purpose-built execution tools, isolated sandboxes, a memory layer that learns your code, architecture and naming, and deep integr Getting Started with ProjectDiscovery in Linux and Windows https://projectdiscovery.io/blog/getting-started-with-projectdiscovery-in-linux-and-windows "Just for you, we’ve got this brand new blog all about getting started with ProjectDiscovery on Linux AND Windows." Bug Bounty Etiquette: More than Ethical Hacking (part one) https://projectdiscovery.io/blog/bug-bounty-etiquette-more-than-ethical-hacking-part-one This is part one of our two-part series on polite hacking, focusing on what to do. Part two talks about what not to do (link coming soon).  This blog is not about techniques. It’s not about tools to use, how to find the vulnerability, or anything like that. There are plenty of those out there. It’s much more like an etiquette guide for Bug Bounty reporting, and how working within these social norms can lead to better outcomes for you in your career! Think of it like a cotillion class, or the fa Bug Bounty Etiquette: Our Guide to Polite Hacking (Part Two) https://projectdiscovery.io/blog/bug-bounty-etiquette-2-what-not-to-do This is the second part of our series on bug bounty etiquette. Part one looks at what you should be doing.  Last month we talked about bug bounty etiquette and how to be a good bug bounty hunter; not in the sense of finding more bugs, but rather in how to be the kind of bug bounty hunter people want to work with. This time, we have some advice about what NOT to while bug bounty hunting. Let's get started. 1. Don’t go all out 2. Don’t ignore the rules 3. Don’t report unnecessary stuff 4. Do How Paddle Strengthened Its Security Posture with ProjectDiscovery https://projectdiscovery.io/blog/how-paddle-strengthened-its-security-posture-with-projectdiscovery Modern SaaS companies like Paddle face growing security challenges as their platforms expand. To gain full visibility into their attack surface and automate vulnerability detection, Paddle adopted ProjectDiscovery, an open-source security platform that streamlined their security operations. How ConnectWise streamlined vulnerability detection with ProjectDiscovery https://projectdiscovery.io/blog/how-connectwise-streamlined-vulnerability-detection-with-projectdiscovery ConnectWise chose ProjectDiscovery over Tenable Cloud to streamline vulnerability detection across 20,000+ AWS instances. By leveraging ProjectDiscovery’s automation and scalability, they achieved efficient, high-volume security monitoring without operational overhead. Securing the distributed perimeter: How Elastic scaled proactive detection with ProjectDiscovery Cloud https://projectdiscovery.io/blog/how-elastic-scaled-proactive-detection-with-projectdiscovery-cloud Before going all-in on ProjectDiscovery Cloud, Elastic had already embraced Nuclei, the open-source vulnerability scanner built for customization and speed, along with other ProjectDiscovery tools like naabu and httpx. Advancing Asset Management - PDCP v0.8.9 https://projectdiscovery.io/blog/advancing-asset-management-pdcp-v0-8-9-2 We're excited to announce the release of version 0.8.9 of the ProjectDiscovery Cloud Platform. This update introduces significant enhancements to our asset management capabilities, focusing on asset inventory, AI-powered search, and improved user experience. Key Features in v0.8.9 Asset Inventory and Technologies The new interface for cataloging and organizing all assets along with their associated technologies in one place represents a significant advancement in asset management. Now, rega The Coverage Lie: Why Current Vulnerability Scanners Fail to Stop Breaches https://projectdiscovery.io/blog/why-current-vuln-scanners-fail-to-stop-breaches First-generation scanners drown teams in noise. Only 6% of CVEs are ever exploited, yet attackers weaponize them in hours. ProjectDiscovery, the RSA Sandbox winner, delivers runtime validation and detections within hours so you can act fast, cut false positives, and close real risk. From Detection to Validation: Fixing Broken Vulnerability Workflows https://projectdiscovery.io/blog/from-detection-to-validation-fixing-broken-vulnerability-workflows By going beyond version checks, you’ll reduce noise, speed up critical fixes, and keep engineering smiling. Nuclei Templates Monthly - May 2025 https://projectdiscovery.io/blog/nuclei-templates-monthly-may-2025 Discover the highlights from Nuclei Templates v10.2.1 and v10.2.2 releases: 106 new templates, 57 CVEs covered (including 10 actively exploited KEVs), first-time contributions, a new template bounty program, and key improvements to reduce false positives and negatives. Open by design, trusted by enterprises: how we keep Nuclei templates reliable at scale https://projectdiscovery.io/blog/open-by-design-trusted-by-enterprises-how-we-keep-nuclei-templates-reliable-at-scale At ProjectDiscovery, our greatest strength is our community. Thousands of security researchers, bug bounty hunters, and vulnerability analysts who identify zero‑day vulnerabilities, trending CVEs, and actively exploited vulnerabilities (including those listed in CISA KEV). Nuclei Templates - April 2026 https://projectdiscovery.io/blog/nuclei-templates-april-2026 Two releases shipped this cycle - v10.4.2 (April 15) and v10.4.3 (May 5) - delivering deep KEV coverage, a major push into AI/LLM attack surface, fresh Perforce visibility, and broad quality improvements across the template library. 🚀 April Stats Release New Templates CVEs Added First-time Contributors v10.4.2 121 61 15 v10.4.3 105 62 12 Total 226 123 27 * 226 new templates shipped across both releases * 123 CVEs covered, including ~10 actively exploited vulnerabilities How Neo found an SSRF vulnerability in Faraday, and why it matters for every team that ships code https://projectdiscovery.io/blog/how-neo-found-an-ssrf-vulnerability-in-faraday-and-why-it-matters-for-every-team-that-ships-code Executive Summary Neo found a Server-Side Request Forgery (SSRF) vulnerability in Faraday, a widely used HTTP client library in the Ruby ecosystem. This is Neo’s first credited CVE discovery. Neo is ProjectDiscovery’s AI security copilot for tasks like code review and vulnerability discovery. For this finding, Neo reviewed a widely used open source dependency and, without human guidance, surfaced a subtle URL-handling edge case, validated it in runtime, and produced a clear write-up that maint Inside the benchmark: app architectures, walkthroughs of findings, and what each scanner actually caught https://projectdiscovery.io/blog/inside-the-benchmark-pp-architectures-finding-walkthroughs-and-what-each-scanner-actually-caught This is Part 2 of our vibe coding security benchmark study. In Part 1, we compared how LLM-based security tools like ProjectDiscovery's Neo and Claude Code performed against traditional SAST and DAST scanners on AI-generated code. We found that LLM-based tools like Neo and Claude Code detected many high-value findings that traditional scanners missed. Between Neo and Claude Code, Neo produced more true positives and fewer false positives because it could validate hypotheses against a running app Beyond the Model: Neo Hunts, Exploits, and Proves 22 Zero-Days. https://projectdiscovery.io/blog/everyone-is-finding-vulns-the-hard-part-is-proving-them LLMs are a genuine leap forward for vulnerability discovery. Anthropic reported 500+ zero-days from Opus 4.6 and OpenAI's Codex Security discovered 14 CVEs across projects like OpenSSH and GnuTLS. If you've experimented with LLMs for security testing, you've probably been impressed too. The practical reality for a security team deploying AI is messier than the headlines or early POC results suggest. Noise compounds fast. Anthropic brought in external security researchers to help validate the vo Benchmarking Neo's Black-Box DAST Capabilities https://projectdiscovery.io/blog/neo-black-box-dast-capabilities Since the launch of Neo, we've been steadily expanding what it can do. Neo has found 33+ real CVEs across open-source projects, performed well on white-box security testing where source code is available, and generally proven itself as a capable security engineer when it has context to work with. What we hadn't shared yet is how Neo does when it's operating purely as a black-box DAST agent no source code, no architecture context, just a URL. The prompt Neo gets is a minimal prompt with no guida Red-Teaming Cloud Infrastructure with Neo https://projectdiscovery.io/blog/red-teaming-cloud-infrastructure-with-neo Most AI security tooling shipped over the last year focuses on one of two workflows, code review at PR time or zero-day research in open-source software. Models in PR pipelines now flag insecure patterns at every commit and autonomous research runs have produced more zero-days across open-source projects than the patch teams behind them can realistically triage. We've been running Neo on both of those workflows at ProjectDiscovery for a while now, surfacing zero-days in production software and t How Neo's Agent Architecture Evolved: From One Agent → Plan, Execute & Verify https://projectdiscovery.io/blog/neo-agent-architecture Our first engineering post covered prompt caching, the infrastructure change that made long-running agentic tasks economically viable. That post assumed a multi-step, multi-agent system already existed. It did not exist on day one. When we started building Neo, the product was a single agent with a sandbox and a large toolset. Today, a typical task runs through optional planning, an Execution agent that delegates to parallel specialized subagents, and a verification loop that can re-run w