tarun koyalwar

About

I'm an AI researcher working on offensive security at ProjectDiscovery, where I build the evals, benchmarks, and observability behind Neo, our security agent. I came up self-taught — bug bounty, then Go tooling, then a few years running production platform work — before landing on the problem that's kept me since: showing, with evidence, what these models actually do when you point them at a target.

2018–2022

IIIT Pune

B.Tech in Computer Science, Aug 2018 – Jun 2022. I taught myself security in my third year — the CEH coursework, TryHackMe, HackTheBox, and eventually all ~200 labs in PortSwigger's Web Security Academy. Nobody assigned any of this; it was just how I learned that vulnerabilities follow patterns once you've seen enough of them.

No security roles came through campus placement, so I skipped it and bet on bug bounty instead. GitHub account since Dec 2018 — the tooling habit predates the security one.

2021–2022

Bug bounty

First bounty in September 2021, on Inspectiv. Reported 50+ vulnerabilities that first year (Sept 2021 – Jan 2022), mostly on one private program — about 18 bugs over four months, including 6 criticals. Peak find was a GraphQL IDOR on an e-commerce platform that paid $6,000 and was patched overnight; a later find was worth about $5,000; roughly $15k across the year in total.

One find was three misconfigured S3 buckets on a single target, one holding around 41k files (23.6 GB) including a database backup with PII — write-up on Medium. When the bounty-hunting plateaued, the developer instinct took over: I built Sandman and Talosplus in Go, mostly to learn the language. No formal employer this whole stretch — university straight into bounties.

2022–2025

ProjectDiscovery — OSS to platform

Found PD's hiring post for a Go role, cold-DM'd them on Twitter with no formal experience and a GitHub full of tools instead of a résumé, and got hired in November 2022. It's a flat team — no formal ladder, titles are self-assigned — so I never called myself a lead or a founder, just a core developer.

On Nuclei v3 I authored the Go SDK (PR #4104), proposed multi-protocol template execution, and co-developed the JavaScript scripting engine (PR #4109 — 8,616 lines across 124 files, 15+ protocol libraries) and flow alongside the rest of the core team — never sole author of any of it. I authored Alterx outright. First year at PD: 196 PRs authored, 185 merged, across 36 public repos; on Nuclei specifically, 81 PRs authored and 75 merged, net +14.9k lines. From late 2023 I moved into production platform work, staying a top Nuclei contributor on the side — a 40–70% scan-speed improvement (PR #5148) shipped in 2024.

2025–present

AI-security research

Went all-in on AI security after ProjectDiscovery's Neo product pivot in January 2026. The research and observability focus proper started around April 2026 — I build the harness, the tracing, and the annotation/evals-at-scale pipeline that show what Neo actually does on a run, not just whether it succeeded.

First public marker of the pivot was a blog post benchmarking Neo's black-box DAST capabilities, published April 2026: 51/60 (85%) on Argus under a hardened black-box methodology. My first talk that'll be recorded is BSides Las Vegas 2026 this August — a behavioral audit across 189 offensive-security LLM runs.

by the numbers

PRs authored, first year at PD: 196 (185 merged, ~94%, across 36 public repos)
Nuclei PRs, first year at PD: 81 (75 merged, net +14.9k lines)
Nuclei all-time contributor rank: 7th (175 contributions)
Nuclei scan-speed improvement: 40–70% (PR #5148, 2024)
Average PR merge rate, first 3 years at PD: ~91%
Nuclei stars: ~29k★
Alterx stars: ~940★
Bug-bounty vulnerabilities, first year: 50+ (2021–2022)
Peak single bounty: $6,000 (GraphQL IDOR, patched overnight)
Bug-bounty earnings, first year: ~$15k (private programs, self-reported)
ProjectDiscovery blog posts: 7 (bylined)
Conference talks: 4