# About

I'm an AI researcher working on offensive security at ProjectDiscovery, where I build the evals, benchmarks, and observability behind Neo, our security agent. I came up self-taught — bug bounty, then Go tooling, then a few years running production platform work — before landing on the problem that's kept me since: showing, with evidence, what these models actually do when you point them at a target.

## 2018–2022 — IIIT Pune

B.Tech in Computer Science, Aug 2018 – Jun 2022. I taught myself security in my third year — the CEH coursework, TryHackMe, HackTheBox, and eventually all ~200 labs in PortSwigger's Web Security Academy. Nobody assigned any of this; it was just how I learned that vulnerabilities follow patterns once you've seen enough of them.

No security roles came through campus placement, so I skipped it and bet on bug bounty instead. GitHub account since Dec 2018 — the tooling habit predates the security one.

## 2021–2022 — Bug bounty

First bounty in September 2021, on Inspectiv. Reported 50+ vulnerabilities that first year (Sept 2021 – Jan 2022), mostly on one private program — about 18 bugs over four months, including 6 criticals. Peak find was a GraphQL IDOR on an e-commerce platform that paid $6,000 and was patched overnight; a later find was worth about $5,000; roughly $15k across the year in total.

One find was three misconfigured S3 buckets on a single target, one holding around 41k files (23.6 GB) including a database backup with PII — write-up on Medium. When the bounty-hunting plateaued, the developer instinct took over: I built Sandman and Talosplus in Go, mostly to learn the language. No formal employer this whole stretch — university straight into bounties.

## 2022–2025 — ProjectDiscovery — OSS to platform

Found PD's hiring post for a Go role, cold-DM'd them on Twitter with no formal experience and a GitHub full of tools instead of a résumé, and got hired in November 2022. It's a flat team — no formal ladder, titles are self-assigned — so I never called myself a lead or a founder, just a core developer.

On Nuclei v3 I authored the Go SDK ([PR #4104](https://github.com/projectdiscovery/nuclei/pull/4104)), proposed multi-protocol template execution, and co-developed the JavaScript scripting engine ([PR #4109](https://github.com/projectdiscovery/nuclei/pull/4109) — 8,616 lines across 124 files, 15+ protocol libraries) and flow alongside the rest of the core team — never sole author of any of it. I authored Alterx outright. First year at PD: 196 PRs authored, 185 merged, across 36 public repos; on Nuclei specifically, 81 PRs authored and 75 merged, net +14.9k lines. From late 2023 I moved into production platform work, staying a top Nuclei contributor on the side — a 40–70% scan-speed improvement ([PR #5148](https://github.com/projectdiscovery/nuclei/pull/5148)) shipped in 2024.

## 2025–present — AI-security research

Went all-in on AI security after ProjectDiscovery's Neo product pivot in January 2026. The research and observability focus proper started around April 2026 — I build the harness, the tracing, and the annotation/evals-at-scale pipeline that show what Neo actually does on a run, not just whether it succeeded.

First public marker of the pivot was a blog post benchmarking Neo's black-box DAST capabilities, published April 2026: 51/60 (85%) on Argus under a hardened black-box methodology. My first talk that'll be recorded is BSides Las Vegas 2026 this August — a behavioral audit across 189 offensive-security LLM runs.

## by the numbers

| stat | value | note |
|---|---|---|
| PRs authored, first year at PD | 196 | 185 merged, ~94%, across 36 public repos |
| Nuclei PRs, first year at PD | 81 | 75 merged, net +14.9k lines |
| Nuclei — all-time contributor rank | 7th | 175 contributions |
| Nuclei scan-speed improvement | 40–70% | PR #5148, 2024 |
| Average PR merge rate, first 3 years at PD | ~91% |  |
| Nuclei stars | ~29k★ |  |
| Alterx stars | ~940★ |  |
| Bug-bounty vulnerabilities, first year | 50+ | 2021–2022 |
| Peak single bounty | $6,000 | GraphQL IDOR, patched overnight |
| Bug-bounty earnings, first year | ~$15k | private programs, self-reported |
| ProjectDiscovery blog posts | 7 | bylined |
| Conference talks | 4 |  |

---

tarun@no-ide.dev · [github](https://github.com/tarunKoyalwar) · [x](https://x.com/KoyalwarTarun) · [linkedin](https://www.linkedin.com/in/tarun-koyalwar) · [medium](https://medium.com/@zealousme)

agents start at [/agents.md](/agents.md)
