ProjectDiscovery's Neo Automates Pentesting to Prove, Not Just Find, Flaws
- 66 exploitable vulnerabilities confirmed: Neo identified the highest number of verified flaws in benchmark tests against leading security tools.
- 24 unique findings: Neo uncovered critical vulnerabilities missed by other tools, including business logic flaws and password hash exposures.
- 22 new CVEs: Neo autonomously discovered and disclosed 22 new Common Vulnerabilities and Exposures across 12 open-source projects.
Experts view Neo as a significant advancement in automated pentesting, offering verifiable proof of vulnerabilities and reducing alert fatigue, though they emphasize the continued need for human oversight in complex security scenarios.
ProjectDiscovery's Neo Aims to End False Positives with Autonomous Pentesting
SAN FRANCISCO, CA – March 24, 2026 – ProjectDiscovery, the company behind the widely adopted open-source scanner Nuclei, today announced the commercial launch of Neo, an advanced security platform designed to autonomously perform end-to-end penetration tests and deliver verifiable proof of exploitability.
Fresh off their 2025 RSAC Innovation Sandbox win, the company is positioning Neo not merely as another scanner but as an automated security engineer. The platform moves beyond flagging potential issues by deploying applications in isolated environments, authenticating across different user roles, building working exploits, and capturing what it calls "pentester-grade evidence." This process aims to close the gap between a security hypothesis and irrefutable proof, tackling one of the industry's most persistent challenges: alert fatigue from unverified findings.
Beyond Scanning: The Promise of Execution-Based Pentesting
For years, security teams have been inundated with alerts from a variety of tools, including Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) scanners. While these tools are crucial for identifying potential flaws in source code and in running applications, they often generate a high volume of false positives, forcing engineers to spend valuable time manually validating each potential threat. Neo is engineered to short-circuit this time-consuming process.
"Finding hard vulnerabilities with minimal noise is a genuinely difficult problem," said Rishi Sharma, CEO and co-founder of ProjectDiscovery, in the announcement. "What teams need is a system that can prove findings are real, against a live build, with reproducible evidence."
Neo's architecture is built upon the same battle-tested toolchain as Nuclei, which has been used to run over 10 billion scans by a community of more than 100,000 security practitioners. It integrates over 30 security tools that operate within isolated sandboxes, allowing the platform to reason about and test for vulnerabilities in a manner that mimics a skilled human researcher. By actively attempting to exploit a potential flaw, Neo provides concrete evidence—such as confirmed file reads or out-of-band interaction callbacks—that demonstrates a genuine, exploitable risk.
Putting Neo to the Test: Benchmarks and Real-World Exploits
To substantiate its claims, ProjectDiscovery released the results of a comprehensive benchmark study. The company tested Neo against leading code review tools and traditional scanners on three different full-stack applications generated by AI. The results were compelling: Neo confirmed 66 exploitable vulnerabilities, the highest number of any tool tested.
Crucially, 24 of these verified findings were unique to Neo, missed entirely by the other tools. These weren't minor misconfigurations; they included critical business logic flaws such as an arbitrary refund vulnerability that allowed for transaction manipulation, a flaw where deactivated users retained full application access, and systemic exposure of password hashes. These are the types of complex, multi-step vulnerabilities that traditional scanners often fail to detect.
In a move to promote transparency, the company has open-sourced the full benchmark methodology and source code. This allows for independent scrutiny and validation of its performance claims.
Beyond the benchmark, ProjectDiscovery validated Neo's research capabilities by directing it at popular open-source projects. Operating autonomously, the platform cloned repositories, deployed the applications, and began searching for vulnerabilities. The result was the discovery of 22 new, confirmed Common Vulnerabilities and Exposures (CVEs) across 12 different projects, some with tens of thousands of active deployments. All vulnerabilities were responsibly disclosed to the project maintainers.
From Open Source Roots to Enterprise Scale
ProjectDiscovery's journey from an open-source powerhouse to an enterprise vendor is a significant part of this story. The company built a foundation of trust and a massive following with its suite of free tools, most notably Nuclei, Subfinder, and httpx. This community-first approach has given them deep insight into the workflows and pain points of security professionals.
Neo represents the commercial crystallization of that expertise. The platform is already demonstrating its value in enterprise environments. A publicly traded digital asset financial services platform integrated Neo into its application security workflows during a 30-day proof-of-value. The firm was able to achieve parallel pentesting coverage across its APIs and transaction flows without increasing its security headcount. According to the company, Neo removed a key bottleneck where the "prove it" work of validating findings fell on a small number of senior engineers, enabling faster fix-and-retest cycles driven by the platform's replayable proof packs.
The Rise of the AI Security Engineer
The launch of Neo comes amid a broader industry shift toward autonomous security. As digital attack surfaces expand and development cycles accelerate, periodic manual penetration testing is no longer sufficient to provide continuous assurance. Autonomous platforms are emerging as a way to provide constant, scalable security validation.
These AI-driven systems are increasingly seen as "force multipliers" for security teams. By automating the repetitive and time-consuming tasks of discovery, triage, and validation, they free up human experts to focus on more complex challenges, such as novel attack vectors, intricate business logic flaws, and overall security strategy. While tools like Neo are exceptionally powerful, industry experts maintain that human oversight remains critical. The creativity and contextual understanding of a human pentester are still essential for navigating the most complex security scenarios.
ProjectDiscovery is returning to RSAC in 2026, this time as an exhibitor at Booth #3131. The company is offering live demos where visitors can test drive Neo against a real application and review the verifiable evidence it produces, offering a firsthand look at the future of automated security validation.
