Cybersecurity Practitioner · Kolkata, India

Nilanjan Chowdhury

$ > breaking things ethically and documenting it_

1st year Cybersecurity student at RCC Institute of Information Technology, Kolkata.

Specializing in AI Red Teaming, Prompt Injection, XSS, SQLi and web application security. Building toward an AI Security career — Bangalore by 2027, Masters abroad by 2029.

60+ GitHub Commits
7 Medium Articles
Top 8% Gandalf Players
33 Bandit Levels
5+ Certifications
Expertise

Skills & Tools

🔴
AI Red Teaming
Prompt injection, jailbreaking, token fragmentation, positional extraction, system prompt extraction. Top 8% on Gandalf by Lakera.
💉
Web Application Security
XSS (Reflected, Stored, DOM), SQLi, Blind SQLi, Path Traversal, Access Control, Authentication flaws. PortSwigger Practitioner level.
🔧
Tools
Burp Suite, Nmap, Wireshark, Kali Linux, Netcat, OpenSSL, theHarvester, Shodan, Google Dorking.
🐍
Python Security Tools
Built a port scanner with service detection and a security web crawler with endpoint detection, both from scratch.
🕵️
OSINT & Reconnaissance
Google Dorking, Shodan, theHarvester, passive and active recon techniques documented with real-world examples.
📝
Technical Writing
6 published Medium articles on cybersecurity topics. GitHub writeups covering all major labs and CTF challenges.
Track Record

Achievements

May 2026
Gandalf Prompt Injection — Top 8% Worldwide
Cleared all 7 levels of Lakera's Gandalf challenge using 7 distinct prompt injection techniques — including positional character extraction invented on the fly at 2AM.
AI Red Teaming
May 2026
PortSwigger CSRF — Complete Section Finished
Completed all CSRF labs including every Practitioner bypass technique — token validation flaws, CRLF cookie injection, SameSite Strict/Lax bypasses, OAuth cookie refresh exploitation, and Referer header manipulation. Full writeups on GitHub.
Web Security
May 2026
PortSwigger XSS — Apprentice to Practitioner
Solved all Apprentice XSS labs + multiple Practitioner labs including AngularJS template injection in one session using Burp Suite. Full writeups published on GitHub and Medium.
Web Security
Apr 2026
Real-World Network Vulnerability Assessment
Identified critical security exposures on a live production network. Produced a professional-grade security report documenting the findings and formally disclosed them to administrators — not exploited.
// findings summary
CRIT  → Database services exposed to public internet
HIGH  → Non-standard service on production server
HIGH  → Credentials transmitted in plaintext (FTP/POP3/IMAP)
// status
DISCLOSED  → Reported responsibly. Not exploited.
Vulnerability Research
Apr 2026
Incident Response — Live LinkedIn Account Hijacking
Conducted forensic analysis of a real account takeover affecting a peer. Traced attacker OS, browser fingerprint, and approximate geolocation from notification metadata. Identified attack vector and published a full incident response report.
Digital Forensics
Apr 2026
OverTheWire Bandit — All 33 Levels Completed
Completed all levels covering Linux privilege escalation, SSH key authentication, SSL/TLS, cryptography, and file system navigation. Full writeup on GitHub.
Linux Security
Apr 2026
1st Rank — College CTF Competition
Ranked 1st in cybersecurity CTF competition at RCC Institute of Information Technology. Writeup documented and published.
CTF
Apr 2026
HackerDNA — Certificate of Achievement
Rank #570 globally, 35 points, 5 labs completed. LinkedIn verified.
Recognition
2026
Deloitte Forage — Commendation for Outstanding Work
Received commendation for outstanding performance. Also holds IBM SkillsBuild cybersecurity certificate.
Certification
Writing

Published Articles

I Spent a Week Breaking Every CSRF Defense on PortSwigger
Token bypasses, CRLF injection, SameSite bypasses, OAuth exploitation, Referer manipulation. Real payloads. Full practitioner walkthrough.
AI vs Cybersecurity Student: How I Cracked All 7 Levels of Gandalf
Top 8% worldwide. 7 levels, 7 techniques — from direct extraction to positional character extraction invented at 2AM.
From Prompt Injection to XSS: My First Night Attacking AI and Web Systems
All Apprentice XSS labs + first Practitioner solved in one 4-hour session. Burp Suite, DOM injection, AngularJS template injection.
SQL Injection Series — From Basic to Blind SQLi
Full series covering SQLi theory, exploitation, database extraction, and blind SQL injection with conditional responses.
6 published technical writeups covering XSS, SQLi, Prompt Injection, AI Security, OSINT and more.
The Plan

Roadmap

01
Current
Foundation & AI Security
Now → Dec 2026
Complete PortSwigger curriculum. Master prompt injection, LLM vulnerabilities, OWASP Top 10 for LLMs. Build AI red team lab.
02
Target
Bangalore Internship
May 2027
Land AI Security / Red Team internship at companies like Barracuda, CloudSEK, Safe Security, or Cisco in Bangalore.
03
Vision
Masters Abroad — Germany
2029
Masters in Cybersecurity at TU Darmstadt or Saarland (CISPA). DAAD scholarship. Published research in AI security.