How Paddle Strengthened Its Security Posture with ProjectDiscovery
Archival copy of a case study originally published on ProjectDiscovery Blog. All content written by Jason Harris.
Business Impact Using ProjectDiscovery
- Faster Time to Discovery: Enhanced ability to detect vulnerabilities and CVEs without waiting for external bug bounty reports and manual scans — enabling the team to focus on manually identified issues and remediations.
- Faster Incident Response: Automated vulnerability detection cut discovery time from days to hours, shortening the time to identify and respond to security issues.
- Improved Security Posture: Continuous monitoring and compliance checks helped prevent incidents like subdomain takeovers.
- Operational Efficiency: Integration with Jira minimized administrative tasks, allowing teams to focus on high-value activities.
- Compliance Assurance: Automated checks supported PCI DSS and SOC 2 Type 2 certifications with minimal manual intervention.
Introduction: Modern Security Challenges for SaaS Providers
Paddle is a payments infrastructure provider for software companies, powering growth across acquisition, renewals and expansion. Like many SaaS companies, Paddle manages a complex tech ecosystem. As the company’s platform has grown, so has the need for a more scalable, proactive security solution to manage its external attack surface and maintain compliance with standards like PCI DSS and SOC 2 Type 2.
Paddle’s tech stack consists of:
- Backend: Golang, PHP, Python
- Frontend: JavaScript/TypeScript, React
- Infrastructure: AWS
The Challenge: Gaining Visibility into a Dynamic Attack Surface
Before using ProjectDiscovery’s Enterprise tier, Paddle’s security team faced scalability and complexity challenges with their previous solution. They relied on open-source tools like Nuclei and Subfinder, often running manual scans and managing fragmented workflows.
Senior Application Security Engineer Gedas Skikas shared, “We didn’t have a centralized way to get a full view of our attack surface. New assets could pop up without our knowledge, creating potential vulnerabilities like subdomain takeovers.”
The Solution: A Centralized Open Source Security Platform
Seeking a more integrated approach, Paddle adopted ProjectDiscovery. Its cloud-based model and customizable templates immediately stood out. “The out-of-the-box functionality allowed us to consolidate asset management, automate scans, and set custom compliance checks, eliminating the need for constant manual upkeep,” Skikas explained.
Paddle chose ProjectDiscovery due to its open-source roots. Having used tools like Nuclei before, the team trusted its reliability and active development. The open-source foundation meant continuous improvements and the ability to provide feedback, giving Paddle confidence in the platform’s evolving capabilities.
After evaluating several competitors, Paddle chose ProjectDiscovery for its unique blend of capabilities. The team appreciated working with an emerging platform where their feedback could influence product development. Custom Nuclei templates and targeted scans provided a tailored solution, while competitive pricing offered exceptional value compared to more established providers.
Implementation: A Seamless Integration Experience
The onboarding process was quick and straightforward. Colin Barr, Head of Security and IT, described how easy it was to integrate the platform: “Setting it up was seamless. We fed our DNS records into the platform, and it immediately began monitoring assets and flagging issues.”
Paddle integrates ProjectDiscovery with Jira for ticketing, automatically creating tasks when the platform flags issues. Webhooks connect to Paddle’s SIEM for real-time alerts and continuous monitoring. For internal security, Paddle uses a CNAPP platform to scan containers and infrastructure, complementing ProjectDiscovery’s external attack surface monitoring.
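The two mechanisms the case study describes, flagging subdomain-takeover risk from the DNS records fed into the platform and pushing each finding to a webhook consumer such as a SIEM or Jira, can be illustrated with a small defensive check. The following is an added example, not Paddle's or ProjectDiscovery's code: it parses a constructed zone export, treats every CNAME whose target no longer resolves as a dangling alias, and emits each hit as a flat event of the kind a webhook receiver could turn into a ticket. The zone lines, the resolver answers, the `Finding` schema and the function names are all assumptions made for this example.

```python
"""Dangling-CNAME check over an exported DNS zone.

Added example, not Paddle's or ProjectDiscovery's code. It mirrors the
workflow the case study describes: DNS records are fed in, every CNAME is
resolved, and any alias whose target no longer resolves is reported as a
subdomain-takeover risk in a form a webhook consumer (SIEM or ticketing
system such as Jira) could ingest. The zone data, the resolver answers and
the finding schema are all constructed for this example.
"""

from dataclasses import dataclass, asdict
from typing import Callable, Dict, List, Optional

# Constructed zone export in "name TYPE value" form (not real Paddle records).
ZONE_EXPORT = """\
www.example-paddle.test        A      203.0.113.10
shop.example-paddle.test       CNAME  shop-prod.example-cdn.test.
docs.example-paddle.test       CNAME  old-team-docs.example-pages.test.
status.example-paddle.test     CNAME  status-page.example-status.test.
mail.example-paddle.test       MX     10 mx1.example-paddle.test.
"""

# Constructed resolver view: target -> address, None stands for NXDOMAIN.
RESOLVER_VIEW: Dict[str, Optional[str]] = {
    "shop-prod.example-cdn.test": "198.51.100.7",
    "old-team-docs.example-pages.test": None,   # service was decommissioned
    "status-page.example-status.test": "198.51.100.9",
}


@dataclass
class Finding:
    host: str
    cname_target: str
    severity: str
    summary: str


def parse_zone(text: str) -> List[Dict[str, str]]:
    """Parse simple 'name TYPE value' lines into dicts; trailing dots are stripped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(";"):
            continue  # blank line, comment, or malformed record
        name, rtype, value = parts[0], parts[1].upper(), " ".join(parts[2:])
        records.append({"name": name.rstrip("."), "type": rtype, "value": value.rstrip(".")})
    return records


def lookup_constructed(name: str) -> Optional[str]:
    """Stand-in for a real DNS lookup; returns None when the name does not resolve."""
    return RESOLVER_VIEW.get(name)


def find_dangling_cnames(zone_text: str,
                         lookup: Callable[[str], Optional[str]]) -> List[Finding]:
    """Report every CNAME whose target no longer resolves (takeover candidates)."""
    findings = []
    for rec in parse_zone(zone_text):
        if rec["type"] != "CNAME":
            continue
        if lookup(rec["value"]) is None:
            findings.append(Finding(
                host=rec["name"],
                cname_target=rec["value"],
                severity="high",
                summary=(f"{rec['name']} aliases {rec['value']}, which no longer resolves; "
                         "remove the record or reclaim the target."),
            ))
    return findings


def to_webhook_event(finding: Finding, source: str = "dns-cname-check") -> Dict[str, object]:
    """Flatten a finding into the JSON-style payload a SIEM or ticketing webhook would receive."""
    return {"source": source, "event_type": "dangling_cname", **asdict(finding)}


if __name__ == "__main__":
    import json
    for f in find_dangling_cnames(ZONE_EXPORT, lookup_constructed):
        print(json.dumps(to_webhook_event(f), indent=2))
```

Run as a script, the check reports only `docs.example-paddle.test`, whose alias target has been decommissioned; the other CNAMEs resolve and are left alone. In a real deployment `lookup_constructed` would be replaced by an actual resolver call, and the emitted event would be posted to the webhook endpoint that creates the Jira task or forwards to the SIEM. The high severity reflects the page's own framing: a dangling alias is worth a ticket before anyone else notices it.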
Results: Faster Discovery, Better Compliance, and Peace of Mind
After adopting ProjectDiscovery, Paddle saw immediate results. Subdomain takeover risks were flagged and mitigated before they could cause harm. Automated policy monitoring ensured ongoing PCI DSS compliance.
“We now discover vulnerabilities faster and with less effort, allowing us to focus on higher-value security work,” Barr noted.
The platform also provided peace of mind. “It’s like having an insurance policy. You don’t always see immediate returns, but when something critical surfaces, the platform proves its value.”
Conclusion: An Essential Partner for Long-Term Security
ProjectDiscovery has become a cornerstone of Paddle’s security strategy. By automating vulnerability detection and compliance monitoring, it allows the team to focus on delivering value to customers while staying ahead of potential threats. As new vulnerabilities emerge, they’re aware, alert, and ready to respond.