ProjectDiscovery

2.7K posts


@pdiscoveryio

Detect real, exploitable vulnerabilities. Harness the power of Nuclei for fast and accurate findings without false positives.

Joined July 2019
140 Following · 40.8K Followers

ProjectDiscovery @pdiscoveryio
Hot take from @ehrishiraj on @DanielMiessler Unsupervised Learning: False positives aren’t an AI problem. They’re a validation problem. Neo separates detection from validation to reduce false positives by over 90%. At #RSAC next week? Meet Rishi and try Neo hands-on at Booth 3131. Watch: youtube.com/watch?v=RsR7pP…

ProjectDiscovery @pdiscoveryio
Most RSA booths will show you a demo. We're giving you the keyboard. Built by the team behind Nuclei and the 2025 RSAC Innovation Sandbox winner, Neo consistently outperforms leading security testing tools with fewer false positives and sharper findings. If you're evaluating pentesting automation this year, this is the most honest 20 minutes you'll spend at the conference. Spots are limited, so grab yours here! ➡️ projectdiscovery.io/events/rsac-20…

ProjectDiscovery @pdiscoveryio
This is exactly the kind of content we love to see 🙌 Watching @NahamSec dig into AI hacking recon in real time is a masterclass. Honored that Neo has earned a spot in his pentest toolkit. If you're into AI security, this series is one to follow 👇
Quoting Ben Sadeghipour @NahamSec:
I'm documenting my journey of learning how to hack LLMs and building with AI so I'm so excited for this week's video: BECOMING AN AI HACKER (Episode 1) 👉🏼 youtu.be/dG6NFXQOmsE


ProjectDiscovery @pdiscoveryio
We benchmarked Neo, Claude Code, Invicti, and Snyk against 3 AI-generated apps (banking, healthcare, insurance) — 74 confirmed vulns total. The results: 🔹 Neo: 66 valid findings, 93% precision, 100% of Critical/High 🔹 Claude Code: 41 valid, 63% precision 🔹 Invicti: 10 valid (all Info-severity) 🔹 Snyk: 0 valid findings The biggest gap wasn't volume — it was vulnerability class. Business logic flaws like arbitrary refund amounts, deactivated sessions that keep working, and broken branch-scoped permissions require understanding what an app *should* do and testing whether it actually does. Code review generates hypotheses. Runtime validation resolves them. Full walkthroughs + open-source benchmark data 👇 projectdiscovery.io/blog/inside-th…

ProjectDiscovery @pdiscoveryio
Tired of dealing with duplicate results in your scans? httpx has a feature for that: Filter Duplicates Tag! 🌀 It allows you to filter duplicates as you scan, saving you time and giving you cleaner results. See how it works 👇 youtu.be/4BXMj3ADQ3k?fe…

ProjectDiscovery @pdiscoveryio
This is absolutely insane. The prompt: "Set up a lab for Log4Shell at localhost:8080 and find all nuclei templates for this vulnerability. Use OAST detection to demonstrate the JNDI injection exploit with live callback verification." The outcome? Nailed it. Sign up for Neo today 👇 projectdiscovery.io/request-demo

ProjectDiscovery @pdiscoveryio
Tired of manually parsing messy JSON responses? Our JSON extractor tool allows you to use familiar JQ or jQuery-style syntax to easily pull information. Watch this video to see how to streamline your workflow and save time 👇 youtu.be/iM3vlvaasi4?fe…

ProjectDiscovery @pdiscoveryio
An AI just found a CVE in a library with 1.1 billion downloads. No human guidance. No custom rules. Neo reviewed Faraday's code, traced the URL logic, and found an SSRF that Snyk and Semgrep both missed. This is the class of bug that used to require your best engineer and a lot of time. Read the full breakdown: projectdiscovery.io/blog/how-neo-f…

ProjectDiscovery @pdiscoveryio
Neo Security Engineer is like having a pro hacker in your pocket. Just ask it what you want, it will download and use the necessary tools to achieve it. In this video, I just asked Neo to find all subdomains and check which are live. And, it did.

ProjectDiscovery @pdiscoveryio
Did you collect subdomains but don’t know which ones are real? That’s where the real work begins. Passive enumeration maps the surface. Resolution and wildcard filtering build the foundation. Let Subfinder discover them. Let Shuffledns verify them. Clean pipeline below 👇

ProjectDiscovery @pdiscoveryio
We built three apps with AI coding tools, then ran four security tools against the same code and deployed builds. Claude Code caught real issues. But it missed six of the 18 critical high-severity vulnerabilities, and they weren't subtle. In one app, a user could dispute a $10 transaction and receive $999,999 in credit. The system just... allowed it. These aren't code-level mistakes. They're missing business rules that only show up when you test a running system end-to-end. Static review, even good AI-powered static review, can't catch what doesn't look broken in isolation. Neo returned the most verified findings with far less noise. 💭 Read the full benchmark on the blog: projectdiscovery.io/blog/ai-code-r…

ProjectDiscovery @pdiscoveryio
Your scan didn’t fail, but your workflow might have. 🌀 When configured correctly, chaining the tools can yield quality results. naabu → httpx → nuclei is a simple but powerful chain that takes you from open ports to real findings in seconds. As shown below, one clean pipe does the heavy lifting 👇

ProjectDiscovery @pdiscoveryio
Did you know Subfinder has a "Deep Mode"? 🕵️‍♂️ By adding -recursive, you aren't just looking for subdomains; you're looking for subdomains of subdomains. Give it a try today! 👇

ProjectDiscovery reposted
Geekboy @emgeekboy
@neo_ai_engineer just got a Deploy Agent for Runtime Validation for Security Review & Research Validating vulnerabilities or reviewing a PR shouldn't require hours of environment setup. The Deploy Agent handles that. Give it a CVE - it deploys the vulnerable app, reviews the code, and validates the finding with a real request/response and PoC at runtime. Give it a PR - it spins up the app, validates the changes, and tears it down. Same agent, same power, both workflows. Our @pdnuclei templates team is already using it to validate newly published vulnerabilities and hunt for 0-days in OSS. See Deploy agent in action → neo.projectdiscovery.io/share/fc15a653…

ProjectDiscovery @pdiscoveryio
Annual pentests made sense when code shipped quarterly, but attackers don't wait for your Q4 assessment. If you're shipping code daily, your pentest report is outdated before the ink dries. We're running a live session on February 25 to show how Neo reasons through attack chains continuously. We'll also cover why the most effective AI pentesting isn't full autonomy, but a human-AI loop where security teams steer the reasoning, encode institutional knowledge, and compound testing value over time. No slide decks, no marketing pitch. Our founding SE will run Neo live and take questions throughout. Save your spot here: bit.ly/4rptAzD

ProjectDiscovery @pdiscoveryio
Quarterly pentests are outdated the moment they land. Neo runs AI-powered pentesting after every deploy:
• Working exploits, not risk ratings
• Permanent regression checks
• Remembers your architecture
• New CVEs covered in hours
• Full stack coverage
Your security posture should compound, not reset. See Neo in action → projectdiscovery.io/solutions/ai-p…

ProjectDiscovery @pdiscoveryio
Managing cloud assets across multiple providers is a significant operational challenge. 🌀 Cloudlist simplifies this process by providing a centralized inventory with minimal configuration, ensuring maximum visibility and control. This unified approach empowers Blue Teams to rapidly identify, monitor, and secure cloud assets across the entire infrastructure. Check it out 👉 github.com/projectdiscove…