tarun koyalwar

Teaching models to hack.

AI researcher @ ProjectDiscovery. I build the evals, benchmarks, and observability that show what language models actually do on offensive-security tasks.

now

Right now I'm on Neo, ProjectDiscovery's offensive-security agent — less building new capabilities, more figuring out how well the existing ones hold up against real targets, and proving it with traces and scores instead of adjectives.

My first talk that'll be recorded — BSides Las Vegas 2026, this August.

selected work

Nuclei

Fast, customizable vulnerability scanner built on a YAML template DSL. 7th all-time contributor (175 contributions) on a flat core team — authored the v3 Go SDK (#4104, ~10 lines to integrate), proposed multi-protocol template execution, and co-developed the JavaScript scripting engine (goja, #4109 — 8,616 lines across 124 files, 15+ protocol libraries: SSH, MySQL, Redis, LDAP, SMB, Postgres) and the flow feature. Later drove v3.2's fuzzing, authenticated scanning (-secret-file, OAuth) and ECDSA template signing, plus a 40–70% scan-speed improvement (#5148).

go · ~29k★ · core maintainer

Alterx

Pattern/DSL-based subdomain permutation generator: define a small grammar of custom patterns instead of a static wordlist, and it expands them into candidate hostnames for active enumeration ahead of a scan.

go · ~940★ · author

Neo — evals & benchmarking

PD's offensive-security AI agent. I work on the run-level harness, annotation and evals at scale, and trace-level observability that shows what Neo actually did on a target — not just whether it succeeded. Published: 85% (51/60) on Argus under a hardened black-box methodology, and a 189-run behavioral audit of offensive-security LLM runs, to be presented at BSides Las Vegas 2026.

neo · 85% (51/60) argus · 189 runs audited

Talosplus

Template-based recon-automation framework in Go: annotates plain bash scripts (@vars, #modules) into a Go-managed parallel execution graph, with MongoDB/BBoltDB persistence, Discord notifications, and stop/resume for long-running scans. Taught me the most Go of anything I'd built — one of the two tools that got me hired at ProjectDiscovery.

go · ~92★ · last commit mar 2023

talks

Watching Agents Work: A Behavioral Audit of 189 Offensive-Security LLM Runs

bsides las vegas · ground truth · aug 2026 · will be recorded

From Mapping to Mitigation

black hat asia arsenal · apr 2025

Vulnerability Scanning and Enumeration with Nuclei: Deep Dive

bsides ahmedabad · oct 2024

Unveiling Vulnerabilities: A Comprehensive Guide to Bug Bounty Recon

def con 32 · bug bounty village · aug 2024

say hi

I'm around, and up for meeting people offline — if we're in the same city, say hi. Twitter's the fastest line to me, and I'm always happy to talk AI or travel.

say hi on twitter