
Tarunkant G.

DevOps Manager

Bengaluru, Karnataka, India · 9 yrs 8 mos experience
Most Likely To Switch · Highly Stable

Key Highlights

  • Over nine years of cybersecurity experience
  • Four CVEs reported to major companies
  • Active contributor to the security community
Stackforce AI infers this person is a Cybersecurity Expert specializing in Web Exploitation and Red Teaming.

Skills

Core Skills

Security Engineering, Security Research, CTF

Other Skills

Automation, Bug Hunting, Burp Suite, C, HTML, Incident Management, Java, JavaScript, MySQL, PHP, Penetration Testing, PostgreSQL, Python (Programming Language), Red Teaming, SQLite

About

Tarunkant has been a cybersecurity enthusiast for over nine years, specializing in Web Exploitation. He is currently a Lead Security Engineer at Disney+ Hotstar (now JioHotstar), focusing on Perimeter Security, Incident Management, SSDLC, Automation, and Red Teaming. Previously, he worked at FireCompass as a Red Team Security Researcher, where he researched emerging attack techniques to enhance the platform’s Continuous Automated Red Teaming (CART) and Attack Surface Management (ASM) capabilities, while also developing automation tools for reconnaissance and exploitation. He also led the Web Security team at Team bi0s, India's #1 CTF team (as per CTFtime), and has four CVEs to his name. He has reported critical security vulnerabilities to major companies, including Quora, Spotify, Dropbox, Slack, and Oppo. Beyond research, he actively contributes to the security community by writing CTF writeups, security research blogs, and vulnerability reports. He also develops open-source exploitation tools to help advance security testing and research.

Experience

JioHotstar

Lead Security Engineer

Nov 2024 - Present · 1 yr 4 mos

  • After the merger with Jio, my role expanded, and I am now responsible for the security of Star, Viacom18, JioCinema, and Voot, in addition to Hotstar and ESPNcricinfo
Security Engineering

Disney+ Hotstar

Security Engineer

Sep 2021 - Present · 4 yrs 6 mos · Bengaluru, Karnataka, India

  • Security Engineer I → Security Engineer II → Senior Security Engineer
  • Takes care of the security of all public-facing services in the landscape of Hotstar and ESPNcricinfo.
  • Started and manages the Hotstar Vulnerability Disclosure Program
  • Lead the Automation pillar and have developed multiple security automation tools over the years as part of Perimeter Security, streamlining vulnerability detection.
  • Leverages CI/CD (GitHub Actions) to automate real-time security scans and implements Shift Left Security by integrating security early in the development lifecycle.
  • Lead and proactively conduct various Red Teaming activities to identify and mitigate security risks across the organization
  • Oversee the security of the Ads component, ensuring a strong AppSec posture
  • Manage security incidents, ensuring quick response and mitigation
  • Performs penetration testing and develops technical solutions to mitigate security vulnerabilities.
  • Conducts security code audits, threat modelling, and design reviews within the SSDLC to identify vulnerabilities before they reach production.
  • Proficient in navigating and operating effectively within the Secure Software Development Life Cycle (SSDLC) environment.
  • 2-Time Rockstar Award Winner (award discontinued)
Security Research, Security Engineering

FireCompass

Red Team Security Researcher

Jul 2020 - Sep 2021 · 1 yr 2 mos · Bengaluru, Karnataka, India

  • FireCompass - FireCompass is a SaaS platform for Continuous Automated Red Teaming (CART) & Attack Surface Management (ASM). It continuously indexes and monitors the deep, dark & surface web to map out an organization's digital attack surface including Shadow IT blind spots. The platform then automatically launches safe multi-stage attacks, mimicking a real attacker, to help identify attack paths before hackers do.
  • Being in FireCompass, I have been actively participating in/leading various red teaming activities. Also created many tools over the year which may help the team to automate some of the red teaming recon/exploitation tasks. I also kept myself updated by reading about new attack techniques and making a PoC on top of them and, if possible, a tool, so that our product can detect interesting bugs using new attack techniques.
Security Research, CTF

Team bi0s

Web Security Researcher

Jul 2016 - Jun 2020 · 3 yrs 11 mos · Quilon Area, India

  • Played CTFs and solved Web category challenges, which were in line with my interest. Regularly wrote security-related blog posts such as CTF writeups, interesting web attacks, reports, bug discovering blogs, etc. Helped the team in organizing international-level CTFs.
  • Performed penetration testing on Backdrop CMS, a forked project of Drupal CMS, and received 4 CVEs by reporting critical vulnerabilities like RCE on the CMS to them. The testing was done in both White (Code-Review) and Black boxes.
  • Found a critical security bug on Quora while doing bug bounty; the bug impact was Horizontal Privilege escalation.
  • As part of security research I have done multiple things, some interesting ones are:
  • Performed in-depth research on SSRF through Gopher protocols and created an open-source tool named Gopherus, which generates gopher payloads to exploit SSRF vulnerabilities.
  • Created a lazy fuzzer to test all PHP functions and check if they call execve internally, which can be used to bypass PHP disable_functions via LD_PRELOAD.
Security Research, CTF, Penetration Testing, Web Application Security

Education

Amrita Vishwa Vidyapeetham

Bachelor’s Degree — Computer Science

Jan 2016 - Jan 2020

Resonance Eduventures Limited

IIT-JEE Preparation

Jul 2014 - Jun 2016

Jawahar Navodaya Vidyalaya - JNV

Schooling

Jan 2009 - Jan 2014
