# Tarun Koyalwar

Teaching models to hack.

AI researcher @ ProjectDiscovery. I build the evals, benchmarks, and observability that show what language models actually do on offensive-security tasks.

## now

Right now I'm on Neo, ProjectDiscovery's offensive-security agent — less building new capabilities, more figuring out how well the existing ones hold up against real targets, and proving it with traces and scores instead of adjectives.

My first talk that'll be recorded — [BSides Las Vegas 2026](/talks.md#bsides-las-vegas-2026), this August.

## selected work

- [Nuclei](https://github.com/projectdiscovery/nuclei) — Fast, customizable vulnerability scanner built on a YAML template DSL. 7th all-time contributor (175 contributions) on a flat core team — authored the v3 Go SDK ([#4104](https://github.com/projectdiscovery/nuclei/pull/4104), ~10 lines to integrate), proposed multi-protocol template execution, and co-developed the JavaScript scripting engine (goja, [#4109](https://github.com/projectdiscovery/nuclei/pull/4109) — 8,616 lines across 124 files, 15+ protocol libraries: SSH, MySQL, Redis, LDAP, SMB, Postgres) and flow. Later drove v3.2's fuzzing, authenticated scanning (-secret-file, OAuth) and ECDSA template signing, plus a 40–70% scan-speed improvement ([#5148](https://github.com/projectdiscovery/nuclei/pull/5148)). `go · ~29k★ · core maintainer`
- [Alterx](https://github.com/projectdiscovery/alterx) — Pattern/DSL-based subdomain permutation generator: define a small grammar of custom patterns instead of a static wordlist, and it expands them into candidate hostnames for active enumeration ahead of a scan. `go · ~940★ · author`
- [Neo — evals & benchmarking](https://projectdiscovery.io/blog/neo-black-box-dast-capabilities) — PD's offensive-security AI agent. I work on the run-level harness, annotation and evals at scale, and the trace-level observability that shows what Neo actually did on a target — not just whether it succeeded. Published: 85% (51/60) on Argus under a hardened black-box methodology, and a 189-run behavioral audit of offensive-security LLM runs, to be presented at BSides Las Vegas 2026. `neo · 85% (51/60) argus · 189 runs audited`
- [Talosplus](https://github.com/tarunKoyalwar/talosplus) — Template-based recon-automation framework in Go: annotates plain bash scripts (@vars, #modules) into a Go-managed parallel execution graph, with MongoDB/BBoltDB persistence, Discord notifications, and stop/resume for long-running scans. Taught me the most Go of anything I'd built — one of the two tools that got me hired at ProjectDiscovery. `go · ~92★ · last commit mar 2023`

## writing

- [Building for humans and agents](/writing/building-for-humans-and-agents.md) `jul 2026`
  A colophon-style note on why this site renders every page twice — once as HTML for people, once as plain markdown for agents — and what that has to do with the observability work I actually do all day.
- [Benchmarking Neo's Black-Box DAST Capabilities](https://projectdiscovery.io/blog/neo-black-box-dast-capabilities) `projectdiscovery blog · apr 2026`
  Neo scores 51/60 (85%) on Argus under a hardened black-box methodology — the first public marker of the shift to AI-security research.
- [Introducing the httpx dashboard](https://projectdiscovery.io/blog/introducing-httpx-dashboard-2) `projectdiscovery blog · aug 2024`
  A hosted view over httpx scan output, built on the PDCP dashboard.
- [Fuzzing for Unknown Vulnerabilities with Nuclei v3.2](https://projectdiscovery.io/blog/nuclei-fuzzing-for-unknown-vulnerabilities) `projectdiscovery blog · mar 2024`
  A walkthrough of v3.2's fuzzing engine, built to surface unknown vulnerability classes rather than known signatures.

## talks

- **Watching Agents Work: A Behavioral Audit of 189 Offensive-Security LLM Runs** — BSides Las Vegas · Ground Truth `aug 2026 · will be recorded`
- **From Mapping to Mitigation** — Black Hat Asia Arsenal `apr 2025`
  with Dogan Can Bakir
- **Vulnerability Scanning and Enumeration with Nuclei: Deep Dive** — BSides Ahmedabad `oct 2024`
  with Dhiyaneshwaran Balasubramaniam
- **Unveiling Vulnerabilities: A Comprehensive Guide to Bug Bounty Recon** — DEF CON 32 · Bug Bounty Village `aug 2024`
  with Prince Chaddha, Dhiyaneshwaran Balasubramaniam
  - [slides](https://docs.google.com/presentation/d/1gaBwSdjiA4Vj38GKxMS8Eoz2KgxwVfx6ae0iuCSN1rs/pub)
  - [repo](https://github.com/projectdiscovery/defcon32)

## say hi

I'm around, and up for meeting people offline — if we're in the same city, say hi. Twitter's the fastest line to me, and I'm always happy to talk AI or travel.

[say hi on twitter](https://x.com/KoyalwarTarun)

---

tarun@no-ide.dev · [github](https://github.com/tarunKoyalwar) · [x](https://x.com/KoyalwarTarun) · [linkedin](https://www.linkedin.com/in/tarun-koyalwar) · [medium](https://medium.com/@zealousme)

agents start at [/agents.md](/agents.md)
