Nilanjan Chowdhury
Cybersecurity Practitioner · Kolkata, India


$ > breaking things ethically and documenting it_

1st year Cybersecurity student at RCC Institute of Information Technology, Kolkata.

Specializing in AI Red Teaming, Prompt Injection, Web-LLM Security, XSS, CSRF, SSRF, XXE, Business Logic Vulnerabilities and web application security. Building toward an AI Security career: Bangalore by 2027, Masters abroad by 2029.

200+ GitHub Commits
12 Medium Articles
Top 3% TryHackMe Global
Top 8% Gandalf Global
Top 10 Inter-College CTF
10+ Certifications
Expertise

Skills & Tools

AI Red Teaming
Prompt injection, jailbreaking, token fragmentation, positional extraction, acrostic extraction. Built DIVYASTRA, an automated LLM red-teaming framework. Tested with Garak (NVIDIA). All 8 Gandalf levels complete including Gandalf the White.
Web Application Security
XSS, CSRF, SSRF, XXE (Expert), Web LLM (Expert), SQLi, Blind SQLi, Path Traversal, Access Control, Business Logic (Expert). Full PortSwigger curriculum complete including Expert-level labs.
Tools
Burp Suite, Nmap, Wireshark, Scapy, Kali Linux, Ollama, Garak, OSINT tools, Netcat, OpenSSL, theHarvester, Shodan, Google Dorking, VirtualBox.
Python Security Tools
Built DIVYASTRA (AI red-teaming framework), JARVIS (AI assistant), Network Packet Analyzer (Scapy), TCP Port Scanner, Web Reconnaissance & Exposure Scanner v1.1, Blind SQLi brute-forcer.
OSINT & Reconnaissance
Google Dorking, Shodan, theHarvester, passive and active recon. Real incident response: traced a live account-hijacking attacker to source.
Technical Writing
12 published Medium articles on cybersecurity. GitHub writeups covering all PortSwigger labs, CTF challenges and real-world findings.
Track Record

Achievements

Jun 2026
CodeAlpha Cybersecurity Internship - Active
Selected for CodeAlpha Cyber Security Internship (July 2026). Completed Task 1: Network Packet Analyzer (Python + Scapy: live traffic capture, protocol detection, HTTP analysis). Completed Task 3: Secure Code Review. Audited a vulnerable Flask app, identified 10 vulnerabilities with working PoC exploits (SQLi, Command Injection, Path Traversal, Insecure Deserialization, Broken Access Control, and more), and built a fully fixed secure version.
// Task 3 highlights
VULN-01  → SQL Injection → admin' -- login bypass
VULN-02  → Command Injection → uid=0(root) via ping endpoint
VULN-05  → Insecure Deserialization → pickle RCE as root
STATUS  → 10/10 vulns fixed. Pushed to GitHub.
Internship · Python · Secure Code Review
Jun 2026
DIVYASTRA - AI Red-Teaming Framework
Built DIVYASTRA, an automated LLM prompt injection and jailbreak testing framework. Modular adapter architecture (Ollama, OpenAI-compatible APIs, Custom HTTP). 18 payloads across 6 attack categories mapped to OWASP LLM Top 10. Heuristic detection engine with confidence scoring. First real scan: 9/18 payloads flagged VULNERABLE; the DAN roleplay jailbreak leaked the simulated system prompt. Published Medium article and open-sourced on GitHub.
AI Security · Tool Development · OWASP LLM Top 10
Jun 2026
TryHackMe - [0xB] MASTER · Diamond League · Top 3% Global
Reached [0xB] MASTER rank on TryHackMe. Promoted to Diamond League. Top 3% worldwide. 54,000+ points, 88+ rooms completed, 14 badges including 4 Epic badges (Platinum League 1st 0.9%, Sapphire League 1st 0.8%, Defrosted Five 0.3%, Return of the Yeti 0.6%). 365+ day streak.
TryHackMe · Diamond League
Jun 2026
Garak (NVIDIA) - LLM Security Scanner Analysis
Installed and ran NVIDIA's Garak LLM security scanner against llama3 via Ollama. Found 50+ vulnerabilities, with a 100% success rate on ANSI escape probes. Identified key attack vectors: ANSI escape injection, hyperlink generation, green text rendering. Compared Garak (research-grade) vs DIVYASTRA (practical); distinct use cases confirmed.
AI Security · LLM Research
Jun 2026
Web Reconnaissance & Exposure Scanner v1.1
Designed and developed a modular Python-based reconnaissance platform capable of recursive website crawling, robots.txt discovery, security header assessment, sensitive endpoint detection, risk scoring, and automated JSON/CSV reporting. Multi-module architecture: crawler, analyzer, reporter, utils. Scanned python.org: 50 pages, timestamped reports.
Python Security · Tool Development
May 2026
Inter-College CTF Techtrix '26 - Top 10 Solo Finish
Competed alone as team Hack4Fun in a 24-hour inter-college CTF. Finished Top 10 with 1521 points against multi-member teams. Solved challenges across Web Exploitation, Cryptography, Steganography, Reverse Engineering and Forensics. 2nd place in prelims out of 54 teams.
CTF · Solo Competitor
May 2026
OverTheWire - Bandit All 33 Levels + Natas 0–25
Completed all 33 Bandit levels (Linux privilege escalation, SSH, SSL/TLS, cryptography). Progressed through Natas levels 0–25 covering LFI, XOR cookie forgery, file upload RCE, SQLi automation, time-based blind SQLi, session ID brute forcing, and encoding reversal.
Linux Security · Web Exploitation
May 2026
PortSwigger Web LLM Attacks - All 8/8 Complete (Apprentice to Expert)
Completed the full Web LLM Attacks curriculum. Exploited LLM APIs for excessive agency, OS command injection through LLM, indirect prompt injection + RAG poisoning, XSS + indirect prompt injection chained (iframe payload), SSRF + AI agent + indirect prompt injection, fake vuln report triggering CSRF on /my-account/delete, jailbreak leaking API key, and bypassing AI scanner defenses via "redaction test" reframing.
Web LLM Security · Expert Level
May 2026
PortSwigger Business Logic - Complete (Apprentice to Expert)
Completed all Business Logic labs. Expert lab: UTF-7 encoded email parser differential attack; the validator sees @ginandjuice.shop while the mail server decodes to the attacker address. 5 hours of independent research. Carlos deleted.
// expert technique
VECTOR  → UTF-7 encoded email address parsing discrepancy
METHOD  → Validator sees @ginandjuice.shop, mail server decodes to attacker
SOLVED  → Admin access achieved. Carlos deleted.
Web Security · Expert Level
May 2026
PortSwigger XXE - Complete + Expert Lab
Completed full XXE curriculum including Expert blind XXE: local DTD repurposing to exfiltrate /etc/passwd via error messages without Burp Collaborator. Also solved XInclude bypass and SVG file upload XXE.
// expert technique
VECTOR  → Local DTD repurposing via parameter entities
TARGET  → /etc/passwd via /usr/share/yelp/dtd/docbookx.dtd
SOLVED  → No Burp Collaborator required
Web Security · Expert Level
May 2026
Gandalf AI Prompt Injection - All 8 Levels Complete
Completed all 8 levels of Lakera's Gandalf challenge including Gandalf the White. Used acrostic poetry technique to extract the final password, then reconstructed remaining characters through permutation and combination. Top 8% worldwide.
AI Red Teaming
Apr 2026
Real-World Network Vulnerability Assessment
Identified critical security exposures on a live production network. Produced a professional-grade security report and formally disclosed it to administrators; nothing was exploited.
// findings summary
CRIT  → Database services exposed to public internet
HIGH  → Credentials transmitted in plaintext (FTP/POP3/IMAP)
DISCLOSED  → Reported responsibly. Not exploited.
Vulnerability Research
2026
Deloitte Forage - Commendation for Outstanding Work
Received commendation for outstanding performance on Deloitte Australia Cybersecurity Job Simulation. Also completed EY Technology Risk and TATA Cybersecurity Analyst Forage simulations with commendations. IBM SkillsBuild certificate. HackerDNA Rank #475.
Certification
Writing

Published Articles

I Spent a Week Breaking Every CSRF Defense on PortSwigger
Token bypasses, CRLF injection, SameSite bypasses, OAuth exploitation, Referer manipulation. Real payloads. Full practitioner walkthrough.
I Broke Into Internal Networks Using SSRF - Here's Exactly How
Localhost access, internal IP scanning, blacklist bypass via double encoding, and chaining SSRF with open redirect. Real payloads.
AI vs Cybersecurity Student: How I Cracked All 8 Levels of Gandalf
All 8 levels complete including Gandalf the White. Acrostic poetry extraction, permutation reconstruction.
From Prompt Injection to XSS: My First Night Attacking AI and Web Systems
All Apprentice XSS labs + first Practitioner solved in one 4-hour session. Burp Suite, DOM injection, AngularJS template injection.
View All 12 Articles on Medium →
Technical writeups covering XSS, CSRF, SSRF, XXE, Web LLM, Business Logic, SQLi, Prompt Injection, AI Security, DIVYASTRA, Garak, and more.
The Plan

Roadmap

01
Current
Specialization & Internship
Now → Dec 2026
CodeAlpha internship (July 2026). LangChain/LangGraph security, PyRIT, MCP vulnerability research, advanced prompt injection. eJPT certification. Bug bounty entry.
02
Target
Bangalore Internship
May 2027
Land an AI Security / Red Team internship at companies like Astra Security, CloudSEK, Cloudflare, Barracuda, Safe Security in Bangalore. 20+ applications already sent, 7 months ahead of schedule.
03
Vision
Masters Abroad - Germany
2029–2030
Masters in Cybersecurity at TU Darmstadt or Saarland (CISPA). DAAD scholarship. Published research in AI/adversarial ML security. OSCP earned.
Connect

Find Me Online