#
Hashtag
#projectdiscovey
How We Cut LLM Costs by 59% With Prompt Caching

At ProjectDiscovery, we've been building Neo, an autonomous security testing platform that runs multi-agent, multi-step workflows, routinely executing 20-40+ LLM steps per task. Vulnerability assessments, code reviews, and security audits at scale, enabling continuous testing across the entire development lifecycle. When we launched, our LLM costs were staggering. A single complex task with Opus 4.5 could consume 60 million tokens. Then we implemented prompt caching. Here's what changed:

Originally from ProjectDiscovery: How We Cut LLM Costs by 59% With Prompt Caching #projectdiscovey #bugbounty #cyberresearch

Everyone is finding vulns. The hard part is proving them.

LLMs are a genuine leap forward for vulnerability discovery. Anthropic reported 500+ zero-days from Opus 4.6 and OpenAI's Codex Security discovered 14 CVEs across projects like OpenSSH and GnuTLS. If you've experimented with LLMs for security testing, you've probably been impressed too. The practical reality for a security team deploying AI is messier than the headlines or early POC results suggest. Noise compounds fast. Anthropic brought in external security researchers to help validate the vo

Originally from ProjectDiscovery: Everyone is finding vulns. The hard part is proving them. #projectdiscovey #bugbounty #cyberresearch

Inside the Benchmark: App Architectures, Walkthroughs of Findings, and What Each Scanner Actually Caught

This is Part 2 of our vibe coding security benchmark study. In Part 1, we compared how LLM-based security tools like ProjectDiscovery's Neo and Claude Code performed against traditional SAST and DAST scanners on AI-generated code. We found that LLM-based tools like Neo and Claude Code detected many high-value findings that traditional scanners missed. Between Neo and Claude Code, Neo produced more true positives and fewer false positives because it could validate hypotheses against a running app

Originally from ProjectDiscovery: Inside the Benchmark: App Architectures, Walkthroughs of Findings, and What Each Scanner Actually Caught #projectdiscovey #bugbounty #cyberresearch

How Neo found an SSRF vulnerability in Faraday, and why it matters for every team that ships code

Executive Summary

Neo found a Server-Side Request Forgery (SSRF) vulnerability in Faraday, a widely used HTTP client library in the Ruby ecosystem. This is Neo’s first credited CVE discovery. Neo is ProjectDiscovery’s AI security copilot for tasks like code review and vulnerability discovery. For this finding, Neo reviewed a widely used open source dependency and, without human guidance, surfaced a subtle URL-handling edge case, validated it in runtime, and produced a clear write-up that maint

Originally from ProjectDiscovery: How Neo found an SSRF vulnerability in Faraday, and why it matters for every team that ships code #projectdiscovey #bugbounty #cyberresearch

AI code review has come a long way, but it can’t catch everything

AI code review can reason about intent, but real incidents often stem from business logic flaws that only show up in runtime. Our benchmark reveals where code-only review falls short.

Originally from ProjectDiscovery: AI code review has come a long way, but it can’t catch everything #projectdiscovey #bugbounty #cyberresearch

Announcing the ProjectDiscovery OSS Bounty Program

Democratizing Security, One Contribution at a Time

Today, we're excited to announce the launch of the ProjectDiscovery OSS Bounty Program, a new initiative to reward meaningful contributions to our open-source security tools.

The Vision

At ProjectDiscovery, we've always believed that security should be accessible to everyone. Our tools are used by researchers, defenders, and builders worldwide. From Fortune 500 security teams to independent bug bounty hunters, from government agencies to ope

Originally from ProjectDiscovery: Announcing the ProjectDiscovery OSS Bounty Program #projectdiscovey #bugbounty #cyberresearch

New Report: State of AppSec 2026 | Security at Engineering Speed

In 2026, most organizations aren’t shipping “applications” so much as they’re shipping continuous change; across APIs and services, infrastructure and configuration, identity and permissions, feature flags, and AI-assisted code.

Originally from ProjectDiscovery: New Report: State of AppSec 2026 | Security at Engineering Speed #projectdiscovey #bugbounty #cyberresearch

Surfacing the real attack surface: Advances in asset discovery

Introduction

Accurate external asset discovery remains a moving target for security teams at scale. What’s actually exposed is hard to pin down, regardless of how many inventories or spreadsheets an organization maintains. Release cycles move faster, new domains and endpoints are added constantly, and the attack surface continues to shift, leaving static processes and visibility tools struggling to keep up. Traditional discovery tools are effective at identifying well-known or easily indexed a

Originally from ProjectDiscovery: Surfacing the real attack surface: Advances in asset discovery #projectdiscovey #bugbounty #cyberresearch

Year in Review: The Vulnerabilities That Defined 2025

A Year of Real-World Exploitation

If you work in security, you probably remember React2Shell. Shortly after public disclosure, scanning activity increased, and exploitation attempts began to surface. That sequence showed up repeatedly across several of 2025’s most impactful vulnerabilities. Advisories were still circulating while attackers were already testing and operationalizing exploits. This wasn’t true for the thousands of CVEs published quietly throughout the year. But for a smaller set

Originally from ProjectDiscovery: Year in Review: The Vulnerabilities That Defined 2025 #projectdiscovey #bugbounty #cyberresearch

Introducing Neo, an AI security engineer for complex security tasks

Neo is a cloud-based AI security engineer that works alongside your team and takes on real security tasks like a true co-engineer. As it operates, it continuously learns your systems and processes, improving over time just like an engineer ramping up on your team. Neo is built as a framework, not as a black box. It combines the reasoning of large language models with purpose-built execution tools, isolated sandboxes, a memory layer that learns your code, architecture and naming, and deep integr

Originally from ProjectDiscovery: Introducing Neo, an AI security engineer for complex security tasks #projectdiscovey #bugbounty #cyberresearch

Nuclei Templates - November 2025

Summary of Releases v10.3.2 & v10.3.4

This month, we had two releases of Nuclei Templates, introducing numerous improvements and new templates for Nuclei users.

🚀 November Stats

| Release | New Templates Added | CVEs Added | First-time Contributors | Bounties Awarded |
|---------|---------------------|------------|-------------------------|------------------|
| v10.3.2 | 129 | 56 | 9 | 7 |
| v10.3.4 | 68 | 27 | 11 | 3 |
| Total | 197 | 83 | 20 | 10 |

Introduction

November kept the momentum strong for Nuclei Templates with two new releases (v10.3.2 & v10.3.4). We added 197 new templates and coverage for

Originally from ProjectDiscovery: Nuclei Templates - November 2025 #projectdiscovey #bugbounty #cyberresearch

How to Research & Reverse Web Vulnerabilities 101

Introduction

This blog serves as a detailed methodology guide for analyzing, reversing, and researching web vulnerabilities, particularly those with CVEs assigned. The content outlines repeatable processes used to evaluate vague advisories, analyze vulnerable software, and ultimately recreate or validate security flaws. The objective is to establish a structured, replicable approach to web vulnerability research.

Environment & Tools

When approaching a new target for CVE research or reverse-e

Originally from ProjectDiscovery: How to Research & Reverse Web Vulnerabilities 101 #projectdiscovey #bugbounty #cyberresearch

Introducing Credential Monitoring

Imagine discovering that your company's login credentials are sitting in plain sight on the internet, accessible to anyone who knows where to look. Unfortunately, this isn't hypothetical – it's happening right now to organizations worldwide through malware-stolen credentials.

The Hidden Threat: Malware-Stolen Credentials

Every day, cybercriminals deploy malicious software that quietly steals passwords from infected computers. These "stealer" programs harvest credentials from browsers and appl

Originally from ProjectDiscovery: Introducing Credential Monitoring #projectdiscovey #bugbounty #cyberresearch

Hacktober 2025 - Nuclei Templates

Summary of Releases v10.3.0 & v10.3.1

This month, we had two major releases of Nuclei Templates, introducing numerous improvements and new templates for Nuclei users.

🚀 Hacktober Stats

| Release | New Templates Added | CVEs Added | First-time Contributors | Bounties Awarded |
|---------|---------------------|------------|-------------------------|------------------|
| v10.3.0 | 124 | 90 | 6 | 12 |
| v10.3.1 | 119 | 88 | 10 | 12 |
| Total | 243 | 178 | 16 | 24 |

Introduction

October was huge for Nuclei Templates, two releases (v10.3.0 & v10.3.1) dropped during Hacktoberfest, adding coverage for 44 actively expl

Originally from ProjectDiscovery: Hacktober 2025 - Nuclei Templates #projectdiscovey #bugbounty #cyberresearch

Open by design, trusted by enterprises: how we keep Nuclei templates reliable at scale

At ProjectDiscovery, our greatest strength is our community. Thousands of security researchers, bug bounty hunters, and vulnerability analysts who identify zero‑day vulnerabilities, trending CVEs, and actively exploited vulnerabilities (including those listed in CISA KEV).

Originally from ProjectDiscovery: Open by design, trusted by enterprises: how we keep Nuclei templates reliable at scale #projectdiscovey #bugbounty #cyberresearch
