ProjectDiscovery

PR Pentesting | ProjectDiscovery Every PR gets pentested before it ships. Neo combines code analysis, AI reasoning, and runtime exploitation to post verified proof directly in your pull requests.

Your PRs are getting pentested by attackers anyway. Why not test them first?

Neo runs full exploit chains on every pull request:
• Real browser sessions
• Actual exploit attempts
• Proof in PR comments
• Verified remediations

See Neo in action → projectdiscovery.io/solutions/pr...

Continuous Threat Modeling | ProjectDiscovery Build living threat models from design to deployment. Neo learns your architecture, keeps threat models current as your system evolves, and validates threats at runtime.

Threat models shouldn’t go stale the moment you ship.

Neo builds living threat models from your architecture + APIs, updates them as code changes, and even validates threats at runtime (with evidence).

projectdiscovery.io/solutions/th...

We just leveled up Neo.

Claude Opus 4.6 is officially here!

Ready to build? projectdiscovery.io/request-demo

🌀Pro-Tip for httpx:

If you are using the screenshot feature, remember that it integrates seamlessly with the rest of the ProjectDiscovery ecosystem.

You can pipe your findings directly into other tools to filter by status code or technology before you even look at a single image.

Stop inspecting every active host manually. Let httpx automate visual checks and capture screenshots, enabling rapid review and deeper analysis at scale.

Ever feel like you're missing something when researching domains? 🌀

You might be! Private TLDs are often overlooked and #tldfinder will help you discover them!

https://github.com/projectdiscovery/tldfinder

State of AppSec 2026: Security at Engineering Speed | Report AI accelerated delivery. AppSec architecture didn't. Download the State of AppSec 2026 report to learn why scan-and-report hit a ceiling; and what comes next.

PR security reviews weren’t designed for AI-generated code and nonstop merges.

The State of AppSec Report shows why teams are moving beyond static findings and toward runtime proof of exploitability.

Less guessing. Fewer debates. Faster decisions.

projectdiscovery.io/whitepapers/...

Tired of manually managing your security tools?

Meet PDTM the tool that lets you install, update, and uninstall all your project discovery tools with a single command.

✅ Get started here: https://github.com/projectdiscovery/pdtm

🚀 We just launched the ProjectDiscovery OSS Bounty Program! Contribute to our open source security tools, get your PRs merged & earn rewards! 💥

Read more 👇
🔗 projectdiscovery.io/blog/announc...

#OpenSource #BugBounty #Infosec #ProjectDiscovery

State of AppSec 2026: Security at Engineering Speed | Report AI accelerated delivery. AppSec architecture didn't. Download the State of AppSec 2026 report to learn why scan-and-report hit a ceiling; and what comes next.

What’s your biggest AppSec bottleneck right now?

A) too many findings

B) low dev adoption

C) slow remediation / unclear ownership

D) tool sprawl

We cover what teams are doing to fix these in the Neo State of AppSec Report.

📥 projectdiscovery.io/whitepapers/...

#AppSec #SecurityEngineering

🚀 The State of AppSec Report | Security at Engineering Speed is live: projectdiscovery.io/whitepapers/...

Trying to improve AppSec without slowing dev teams down? This is for you:

• trends shaping modern AppSec

• what’s driving noise + delays

• practical moves to improve adoption + remediation

Maximize your endpoint discovery by digging into JavaScript files. Using the -jc flag allows you to parse and crawl JS files to find hidden paths and APIs that standard crawls might miss

Use this command👇

katana -jc -u https://target(.)com

Move beyond simple discovery. Pair Subfinder with httpx to instantly profile your attack surface by extracting tech stacks, status codes, and page titles at scale.

Command👉 subfinder -d target(.)com | httpx -sc -td -title

Reply with your answer! 👇

ShuffleDNS is a fast Go tool for finding subdomains. It uses brute-force to identify valid targets and automatically filters out messy wildcard results

Command👉 shuffledns -d example(.)com -list wordlist(.)txt -r resolvers(.)txt

-r: Your list of DNS resolvers.
-list: Your subdomain wordlist.

ProjectDiscovery - Vulnerability management Monitor your infrastructure. Real vulnerabilities. Zero noise. Trusted by 100k+ security professionals to streamline vulnerabilities that can actually be exploited.

To see Neo in your environment, request a demo: projectdiscovery.io/request-demo

See Neo in action for yourself: neo.projectdiscovery.io/share/79a2dc...

ProjectDiscovery - Vulnerability management reimagined Stop chasing false positives. ProjectDiscovery delivers real, exploitable vulnerability findings across your entire attack surface—validated at runtime and prioritized by impact.

Vuln backlog triage is mostly mechanical. Neo pulls findings, clusters + prioritizes with your context, reproduces in an isolated sandbox, captures evidence, drafts remediation, and updates tickets until closure. See it: projectdiscovery.io

Stop just finding subdomains. Start finding endpoints. 🕸️

Recon doesn't end with a list of domains. By piping subfinder and httpx into katana, you can automatically crawl and map out the entire attack surface of a target in seconds.👇

#Recon #Katana #Subfinder

Security work doesn’t fit in a 15‑minute coding loop. Neo is an AI security copilot that plans + executes long‑running security tasks (recon, threat modeling, testing, triage) with real tools (browser, terminal, APIs.) See Neo in action: projectdiscovery.io

Surfacing the real attack surface: Advances in asset discovery — ProjectDiscovery Blog Introduction Accurate external asset discovery remains a moving target for security teams at scale. What’s actually exposed is hard to pin down, regardless of how many inventories or spreadsheets an ...

Here’s a technical look at discovery methods that adapt over time, including cert-based discovery and recursive subdomain expansion. If you’re doing recon or external asset discovery, this is a solid overview of techniques beyond basic DNS bruteforce.
📖 projectdiscovery.io/blog/surfaci...

🌀Naabu + Nmap = Port scan faster and inspect deeper.

Stop wasting time with slow, full-range scans!

Scan a host for open ports and use Nmap to detect the service versions.

Use this 👇

naabu -host projectdiscovery(.)io -nmap-cli ‘nmap -sV’

#naabu #hackwithautomation #portscan

Welcome, 2026!

We look forward to building more great things with you in the new year!

With AI-driven threats emerging as the major challenge, our focus is clear: to bring you the defense you'll need for cutting-edge Attack Surface Management.

#HappyNewYear #Infosec #2026

For 2026, the next generation of Attack Surface Management isn't just about seeing more; it's about knowing what's real.

Want to learn why your security strategy needs proof?

➡️ Get our latest report now: https://projectdiscovery.io/whitepapers/attack-surface-management-2025

🌀Happy Holidays to everyone in our community who is celebrating!

We hope you all have a wonderful time recharging and connecting with loved ones.

[+] Santa_v2025.zip 🎅
— The ProjectDiscovery Team

Need to isolate common ports on a single host?

Use Naabu to target specific, common ports and save the results for your next step.👇

2025 proved one thing: the gap between disclosure and exploitation is gone.
We broke down the 5 vulnerabilities that actually shaped attacker behavior this year.
Read the full analysis 👇
projectdiscovery.io/blog/year-in...

NahamCon - A Virtual Security Conference

🚨 We’re presenting at #NahamCon24!
Join us at 1:30 PM PT for a hands-on recon deep dive using free ProjectDiscovery tools: Subfinder → ShuffleDNS → AlterX → Katana + URLFinder

Learn smart patterns, QPS tuning, rate-limit strategies, and see real demos in action.
🎟️Free registration: www.nahamcon.com

As we get into 2025, we're back with another PD Tips and Tricks video to help improve your workflow. This time, we're focusing on a cool feature of httpx tha... ProjectDiscovery Tips and Tricks - Filter Duplicates Tag!

Tired of dealing with duplicate results in your scans?

Httpx now has a cool feature for that: Filter Duplicates Tag!

It allows you to filter duplicates as you scan, saving you time and giving you cleaner results.

See how it works in 1 min 👇

Security leaders are aligned on this: the perimeter didn’t vanish… it became more dynamic, distributed, and influenced by AI-driven reconnaissance. As a result, visibility isn’t enough. Learn more: projectdiscovery.io/whitepapers/...