In Episode 20 of runZero Hour, we sat down with ProjectDiscovery co-founders Rishi Sharma and Sandeep Singh for a wide-ranging conversation on how open source is driving the next wave of security tooling and what it means for practitioners in the field. Our CEO HD Moore also dropped by to share some exciting updates on runZero’s recent collaboration on the Nuclei project.
Here’s a recap of what we covered:
How Nuclei became the standard for vulnerability detection #
What started as a tool to automate repetitive bug bounty tasks is now a best-in-class vulnerability scanner with over 10,000 detection templates and over 100,000 users. ProjectDiscovery's open source model and approach to community collaboration have helped scale Nuclei into a critical tool for security professionals and researchers alike.
The growing ecosystem around ProjectDiscovery #
Beyond Nuclei, ProjectDiscovery has released 20+ tools (including Subfinder, DNSX, and HTTPX) that chain together for reconnaissance, service discovery, web crawling, and vulnerability scanning. Each tool can work independently or plug into broader workflows using command-line pipes, creating a powerful, modular toolkit for modern offensive and defensive security teams. These tools aren’t just open source, they are provided under one of the most permissive licenses available (the MIT License), simplifying integrations and collaboration with commercial tools and services.
runZero’s engineering collaboration with ProjectDiscovery #
HD Moore shared how runZero is contributing back by working with the ProjectDiscovery team to support in-process concurrency and eliminate race conditions. These updates make it possible to run thousands of Nuclei engines with different configurations in the same process, enabling new approaches to embedding and integration.
ProjectDiscovery’s roadmap for Nuclei #
From headless, browser-based testing and auto-generated templates to more robust authenticated scanning and better fuzzing support, ProjectDiscovery is doubling down on usability and coverage. They're also experimenting with AI-driven template generation, with a focus on maintaining quality and control. Check out their public roadmap for upcoming features.
A tale of two scanning models #
Nuclei supports automatic targeting using the "autoscan" (-as) flag. This feature uses technology detection templates to then select specific follow-on checks for individual systems and services.
runZero takes a different approach; we handle the service discovery, fingerprinting, and targeting logic within the runZero scanner, and then run thousands of individual Nuclei engines that are each tuned for a single service for precise vulnerability scanning.
Both models work great and whether you want to run a single Nuclei engine or thousands of concurrent engines, the code base now supports both!
Shared commitment to open source and community standards #
Everyone agreed: if you're using open source in your product, you should give back. That’s why runZero is contributing patches, detection templates, test coverage, and new features into the ProjectDiscovery ecosystem. We're excited to be part of the open source community and are working on two big updates; porting SSHamble to Nuclei and integrating our excrypto package to simplify TLS communication across the ecosystem.
Bonus: A printer bug and the return of CVEs #
The team wrapped up with a fun (and very real) story: Stephen Fewer (of Rapid7) reported eight new vulnerabilities in printers made by Brother. One of these issues included the ability for an attacker to obtain detailed device information, including the printer serial number, through an unauthenticated web page. This is important because Rapid7 also discovered that the default password is derived from this serial number and the process can be reversed. Even worse, Brother isn't able to address this in a firmware update, and the fix will only be available in devices built using a new manufacturing process. The funny part is that runZero has been detecting and reporting Brother printer serial numbers for years, using the eSCL protocol, and we didn’t consider it a vulnerability until the recent vulnerability disclosure. As a result, we're now tracking the eSCL serial number leak as a follow-on issue with JPCERT/CC, building off Rapid7’s recent investigation.
Watch the episode #
Check out the whole episode below, and never miss another one – subscribe to the series!
