tarun koyalwar

Writing

Bylined posts on the ProjectDiscovery blog, older bug-bounty writeups on Medium, and notes published here — one list, newest first.

Building for humans and agents

A colophon-style note on why this site renders every page twice — once as HTML for people, once as plain markdown for agents — and what that has to do with the observability work I actually do all day.

jul 2026

Benchmarking Neo's Black-Box DAST Capabilities (external)

Neo scores 51/60 (85%) on Argus under a hardened black-box methodology — the first public marker of the shift to AI-security research.

projectdiscovery blog · apr 2026

Introducing the httpx dashboard (external)

A hosted view over httpx scan output, built on the PDCP dashboard.

projectdiscovery blog · aug 2024

Fuzzing for Unknown Vulnerabilities with Nuclei v3.2 (external)

A walkthrough of v3.2's fuzzing engine, built to surface unknown vulnerability classes rather than known signatures.

projectdiscovery blog · mar 2024

Scanning Login-Protected Targets with Nuclei v3.2 (external)

Using v3.2's authenticated-scanning support to run templates against targets that sit behind a login.

projectdiscovery blog · mar 2024

Nuclei v3.2 Release with Authenticated Scanning, Advanced Fuzzing & more (external)

Authenticated scanning, advanced fuzzing, and ECDSA template signing land in v3.2.

projectdiscovery blog · mar 2024

Introducing Nuclei v3 (external)

A rewrite of Nuclei's execution core: the new Go SDK, the JavaScript scripting engine, and multi-protocol templates.

projectdiscovery blog · oct 2023

How I Got Access to a Company's Auth0 Management API (external)

A leaked Management API token that exposed roughly 300 users' data.

medium · oct 2023

Introducing Alterx: Efficient Active Subdomain Enumeration with Patterns (external)

Why pattern-based subdomain permutation beats a static wordlist, and how Alterx's DSL generates candidates for active enumeration.

projectdiscovery blog · apr 2023

How I Found a Company's Internal S3 Bucket with 41k Files (external)

Three misconfigured S3 buckets on one target, one holding roughly 41k files (23.6 GB) including a database backup.

medium · may 2022

Create Your Ultimate Bug Bounty Automation Without Nerdy Bash Skills (external)

A three-part series on Talosplus, the Go recon-automation framework built to replace ad-hoc bash scripts (part 1 linked).

medium · may 2022