About
I'm an AI researcher working on offensive security at ProjectDiscovery, where I build the evals, benchmarks, and observability behind Neo, our security agent. I came up self-taught — bug bounty, then Go tooling, then a few years running production platform work — before landing on the problem that's kept me since: showing, with evidence, what these models actually do when you point them at a target.
2018–2022
IIIT Pune
B.Tech in Computer Science, Aug 2018 – Jun 2022. I taught myself security in my third year — the CEH coursework, TryHackMe, HackTheBox, and eventually all ~200 labs in PortSwigger's Web Security Academy. Nobody assigned any of this; it was just how I learned that vulnerabilities follow patterns once you've seen enough of them.
No security roles came through campus placement, so I skipped it and bet on bug bounty instead. GitHub account since Dec 2018 — the tooling habit predates the security one.
2021–2022
Bug bounty
First bounty in September 2021, on Inspectiv. Reported 50+ vulnerabilities that first year (Sept 2021 – Jan 2022), mostly on one private program — about 18 bugs over four months, including 6 criticals. Peak find was a GraphQL IDOR on an e-commerce platform that paid $6,000 and was patched overnight; a later find was worth about $5,000; roughly $15k across the year in total.
One find was three misconfigured S3 buckets on a single target, one holding around 41k files (23.6 GB) including a database backup with PII — write-up on Medium. When the bounty-hunting plateaued, the developer instinct took over: I built Sandman and Talosplus in Go, mostly to learn the language. No formal employer this whole stretch — university straight into bounties.
2022–2025
ProjectDiscovery — OSS to platform
Found PD's hiring post for a Go role, cold-DM'd them on Twitter with no formal experience and a GitHub full of tools instead of a résumé, and got hired in November 2022. It's a flat team — no formal ladder, titles are self-assigned — so I never called myself a lead or a founder, just a core developer.
On Nuclei v3 I authored the Go SDK (PR #4104), proposed multi-protocol template execution, and co-developed the JavaScript scripting engine (PR #4109 — 8,616 lines across 124 files, 15+ protocol libraries) and flow alongside the rest of the core team — never sole author of any of it. I authored Alterx outright. First year at PD: 196 PRs authored, 185 merged, across 36 public repos; on Nuclei specifically, 81 PRs authored and 75 merged, net +14.9k lines. From late 2023 I moved into production platform work, staying a top Nuclei contributor on the side — a 40–70% scan-speed improvement (PR #5148) shipped in 2024.
2025–present
AI-security research
Went all-in on AI security after ProjectDiscovery's Neo product pivot in January 2026. The research and observability focus proper started around April 2026 — I build the harness, the tracing, and the annotation/evals-at-scale pipeline that show what Neo actually does on a run, not just whether it succeeded.
First public marker of the pivot was a blog post benchmarking Neo's black-box DAST capabilities, published April 2026: 51/60 (85%) on Argus under a hardened black-box methodology. My first talk that'll be recorded is BSides Las Vegas 2026 this August — a behavioral audit across 189 offensive-security LLM runs.
by the numbers
| Metric | Value | Notes |
|---|---|---|
| PRs authored, first year at PD | 196 | 185 merged, ~94%, across 36 public repos |
| Nuclei PRs, first year at PD | 81 | 75 merged, net +14.9k lines |
| Nuclei — all-time contributor rank | 7th | 175 contributions |
| Nuclei scan-speed improvement | 40–70% | PR #5148, 2024 |
| Average PR merge rate, first 3 years at PD | ~91% | |
| Nuclei stars | ~29k★ | |
| Alterx stars | ~940★ | |
| Bug-bounty vulnerabilities, first year | 50+ | 2021–2022 |
| Peak single bounty | $6,000 | GraphQL IDOR, patched overnight |
| Bug-bounty earnings, first year | ~$15k | private programs, self-reported |
| ProjectDiscovery blog posts | 7 | bylined |
| Conference talks | 4 | |