Teaching models to hack.
AI researcher @ ProjectDiscovery. I build the evals, benchmarks, and observability that show what language models actually do on offensive-security tasks.
now
Right now I'm on Neo, ProjectDiscovery's offensive-security agent — less building new capabilities, more figuring out how well the existing ones hold up against real targets, and proving it with traces and scores instead of adjectives.
My first talk that'll be recorded — BSides Las Vegas 2026, this August.
selected work
Nuclei (external)
Fast, customizable vulnerability scanner built on a YAML template DSL. 7th all-time contributor (175 contributions) on a flat core team — authored the v3 Go SDK (#4104, ~10 lines to integrate), proposed multi-protocol template execution, and co-developed the JavaScript scripting engine (goja, #4109 — 8,616 lines across 124 files, 15+ protocol libraries: SSH, MySQL, Redis, LDAP, SMB, Postgres) and flow. Later drove v3.2's fuzzing, authenticated scanning (-secret-file, OAuth) and ECDSA template signing, plus a 40–70% scan-speed improvement (#5148).
go · ~29k★ · core maintainer
Alterx (external)
Pattern/DSL-based subdomain permutation generator: define a small grammar of custom patterns instead of a static wordlist, and it expands them into candidate hostnames for active enumeration ahead of a scan.
go · ~940★ · author
Neo — evals & benchmarking (external)
PD's offensive-security AI agent. Works on the run-level harness, annotation and evals at scale, and trace-level observability that show what Neo actually did on a target — not just whether it succeeded. Published: 85% (51/60) on Argus under a hardened black-box methodology, and a 189-run behavioral audit of offensive-security LLM runs, to be presented at BSides Las Vegas 2026.
neo · 85% (51/60) argus · 189 runs audited
Talosplus (external)
Template-based recon-automation framework in Go: annotates plain bash scripts (@vars, #modules) into a Go-managed parallel execution graph, with MongoDB/BBoltDB persistence, Discord notifications, and stop/resume for long-running scans. Taught him the most Go of anything he'd built — one of the two tools that got him hired at ProjectDiscovery.
go · ~92★ · last commit mar 2023
writing
talks
Watching Agents Work: A Behavioral Audit of 189 Offensive-Security LLM Runs
From Mapping to Mitigation
Vulnerability Scanning and Enumeration with Nuclei: Deep Dive
Unveiling Vulnerabilities: A Comprehensive Guide to Bug Bounty Recon
say hi
I'm around, and up for meeting people offline — if we're in the same city, say hi. Twitter's the fastest line to me, and I'm always happy to talk AI or travel.
say hi on twitter (external)