The team behind Nuclei brings execution-based pentesting to market, outperforming code review and traditional scanners in independent benchmark research
SAN FRANCISCO, March 24, 2026 /PRNewswire/ — ProjectDiscovery, winner of the 2025 RSAC Innovation Sandbox, today announced the commercial launch of Neo, an advanced security testing platform that autonomously performs end-to-end penetration testing, validates findings against live running applications, and delivers pentester-grade evidence.
Neo closes the loop between hypothesis and proof. It deploys applications, authenticates across roles, builds working exploits, and captures observable evidence: the same loop a skilled human researcher runs, automated end to end.
Built by the Team Behind Nuclei
ProjectDiscovery is the team behind Nuclei, the open source vulnerability scanner with more than 10 billion scans run and a community of over 100,000 security practitioners worldwide. Neo is built on top of that same toolchain (30+ agent-native security tools running inside isolated sandboxes), so it reasons about vulnerabilities the way a researcher does, with the execution environment practitioners already trust.
“Finding hard vulnerabilities with minimal noise is a genuinely difficult problem,” said Rishi Sharma, CEO and co-founder of ProjectDiscovery. “What teams need is a system that can prove findings are real, against a live build, with reproducible evidence.”
Benchmark Research: More Verified Findings, Less Noise
In a benchmark study published ahead of RSAC, ProjectDiscovery tested Neo against leading code review and scanning tools across three AI-generated full-stack applications in different verticals (banking, healthcare, and insurance).
Neo confirmed 66 exploitable vulnerabilities, the most of any tool tested, including 24 verified findings no other tool caught. Critical findings exclusive to Neo included an arbitrary refund vulnerability allowing users to manipulate transaction amounts, deactivated users retaining full application access, and systemic password hash exposure through ORM relation queries.
The full benchmark methodology and source code are open-sourced at projectdiscovery.io/blog.
Customers: Scaling Pentesting Without Scaling Headcount
A publicly traded digital asset financial services platform embedded Neo into its AppSec workflows as part of a 30-day proof of value.
Results included parallel pentesting coverage across APIs, transaction flows, and payment-protocol changes without adding headcount; higher-confidence decisions grounded in observable evidence rather than summaries; and faster fix-and-retest loops driven by Neo’s replayable proof packs.
“The bottleneck wasn’t expertise. It was that too much of the ‘prove it’ work sat with a small number of senior engineers.” Neo removed that bottleneck.
22 CVEs Across Major Open Source Projects
To validate Neo’s research capabilities, the ProjectDiscovery team pointed it at trending open source projects without directing it toward specific vulnerability classes. Neo autonomously cloned repositories, deployed applications, and built working exploits, returning 22 confirmed CVEs across 12 projects, including critical findings in software with tens of thousands of active deployments. All findings were reported through coordinated disclosure. Full write-ups are at projectdiscovery.io/blog.
Visit Neo & ProjectDiscovery at RSAC 2026
Winners of the RSAC Innovation Sandbox award in 2025, ProjectDiscovery returns this year exhibiting at Booth #3131. Visitors can test drive Neo live in a labs environment, running it against a real application and reviewing the evidence it produces.
Book a demo or request access at https://projectdiscovery.io/events/rsac-2026.
About ProjectDiscovery
ProjectDiscovery is an open source cybersecurity company that built the security toolchain trusted by more than 100,000 practitioners worldwide. The company created Nuclei, the most widely used open source vulnerability scanner with over 10 billion scans run, along with a suite of modular tools, including Subfinder, httpx, and Naabu, that security teams use to map attack surfaces and identify exploitable vulnerabilities across their organizations. ProjectDiscovery is a winner of the RSAC Innovation Sandbox (2025) and a Black Hat Asia award recipient (2025). Learn more at projectdiscovery.io.
SOURCE ProjectDiscovery

