Pankaj Badgotra

Co-Founder

India · 8 yrs 11 mos experience

Key Highlights

  • Led security strategy at Stashfin for fintech protection.
  • Recognized among BugCrowd’s Top 100 Security Researchers.
  • Built security teams from scratch at multiple organizations.

Skills

Core Skills

Information Security Management, Penetration Testing, Product Security, DevSecOps

Other Skills

Application Security, Burp Suite, C, Compliance, Continuous Integration, Crisis Management, HTML, IT Security Policies & Procedures, Incident Response, Internet Security, OWASP, PHP, Python, Vulnerability Assessment

About

I lead the security strategy at Stashfin, driving comprehensive protection across web and mobile applications in a fast-evolving fintech environment. Recognized among BugCrowd’s Top 100 Security Researchers, I bring a strong technical foundation with B.Tech and M.Tech degrees in Computer Science, and OSCP and OSWP certifications. Throughout my career, I’ve built and managed security teams from the ground up, as I did at Nykaa, where I helped establish their security function and supported a successful IPO. At Meesho, as part of the founding security team, I led penetration testing across web, mobile, network, and cloud environments, integrated security into CI/CD pipelines, and trained developers on secure coding practices. My experience at Bentley involved conducting security audits across complex desktop and web applications, performing red team assessments, and guiding teams through secure development practices. I’m passionate about aligning security programs with business goals, managing risk and compliance effectively, and fostering a culture of security awareness. Continuously learning and innovating, I strive to stay ahead of emerging threats and drive security excellence across organizations.

Experience

Stealth startup

Founding Member

Sep 2025 - Present · 6 mos

Information Security Management, IT Security Policies & Procedures

Stashfin

Chief Information Security Officer (CISO)

Sep 2024 - Sep 2025 · 1 yr · Gurugram, Haryana, India · On-site

  • Responsible for leading the organization’s information security strategy, governance, and compliance across all operations. As part of the executive leadership team, I drive risk management initiatives that align with regulatory expectations and business goals in a high-growth fintech and lending environment.
  • Spearheaded successful ISO 27001 certification, establishing and operationalizing a company-wide ISMS.
  • Ensured 100% compliance with RBI and NPCI security guidelines, including RBI inspection readiness and completion of multiple third-party audits (e.g., Protean).
  • Deployed key enterprise security controls:
      ◦ SSO and MFA for access control across core systems.
      ◦ Endpoint Detection & Response (EDR) for threat visibility and mitigation.
      ◦ Data Loss Prevention (DLP) for regulatory-grade data protection.
  • Defined and implemented a comprehensive Cloud Security Policy (AWS-based), aligned with PPI and fintech-specific regulatory mandates.
  • Designed the Cyber Crisis Management Plan and led a full-scale drill to validate incident response across teams with no data loss during live simulations.
  • Own end-to-end vendor risk management, from onboarding to periodic risk reviews.
  • Manage external VAPT, red team exercises, and regular security audits.
  • Drive security awareness, policy governance, and cross-functional collaboration with product, tech, and compliance stakeholders.

Career break

Travel

Feb 2024 - Aug 2024 · 6 mos · Gurugram, Haryana

  • Took a purposeful 6-month sabbatical to step back from professional life and invest in personal growth through the Advait Yatra, a spiritual journey across the Himalayas.
  • Lived in remote ashrams, away from digital distractions, focusing on inner stillness and reflection.
  • Practiced daily silence, mindfulness, and meditation to cultivate clarity and presence.
  • Studied Advaita Vedanta, exploring self-inquiry, non-duality, and spiritual philosophy.
  • Gained renewed mental clarity, emotional resilience, and a stronger sense of purpose.
  • Returned with deeper self-awareness and a more grounded approach to work and leadership.
Internet Security, Penetration Testing, Vulnerability Assessment, OWASP, Product Security, Burp Suite, +1

Bentley Systems

Senior Security Engineer

Jul 2023 - Jan 2024 · 6 mos · Exton, Pennsylvania, United States · Remote

  • Conducted comprehensive security audits on web applications, desktop applications, and networks, focusing heavily on thick client environments.
  • Audited flagship Bentley products including MicroStation, ProjectWise, and OpenRoads Designer, identifying vulnerabilities and providing actionable remediation recommendations.
  • Performed Red Team assessments on Bentley’s critical assets to simulate real-world attack scenarios and enhance detection and response capabilities.
  • Carried out both manual and automated source code reviews to identify security flaws early in the development lifecycle.
  • Provided security training and mentorship to team members to boost overall efficiency and knowledge-sharing.
  • Collaborated closely with development teams to provide security guidelines and help implement secure coding practices across the product portfolio.

Meesho

Senior Security Engineer

Nov 2021 - May 2023 · 1 yr 6 mos · Bangalore

  • Performed black box penetration tests on web applications, mobile applications (Android & iOS), and cloud instances, identifying critical vulnerabilities and driving remediation.
  • Conducted manual source code reviews prior to release cycles to detect security flaws early.
  • Led the penetration testing team, ensuring adherence to industry best practices and testing methodologies.
  • Integrated security tools seamlessly into the CI/CD pipeline to enable continuous security testing and faster feedback loops.
  • Managed the Bug Bounty Program, facilitating effective communication and coordination with external security researchers.
  • Conducted thorough vendor security assessments and reviewed their security reports to mitigate third-party risks.
  • Supported continuous vulnerability scanning and testing of the entire infrastructure to maintain a strong security posture.
  • Developed a Reconnaissance Pipeline to automate and accelerate the discovery of company assets for security monitoring.
  • Delivered targeted security coding training to development teams, embedding secure practices into the SDLC.
  • Implemented and enforced Governance, Risk & Compliance (GRC) policies and procedures to ensure organisational adherence to security standards.

Nykaa.com

Senior Security Engineer

Mar 2020 - Nov 2021 · 1 yr 8 mos · Gurgaon, India

  • Joined as the very first member of the security team and helped build the entire security function from scratch.
  • Built and managed the security team, ensuring efficiency in processes through regular in-house training and skill development programs.
  • Contributed extensively to penetration testing of web applications, mobile apps, and infrastructure environments.
  • Performed manual source code reviews prior to release cycles to proactively identify and address security issues.
  • Supported continuous vulnerability assessments and testing across the entire infrastructure to maintain a strong security posture.
  • Launched and managed the Vulnerability Disclosure Program (VDP), facilitating responsible vulnerability reporting and timely fixes.
  • Integrated security tools into the CI/CD pipeline, embedding security early and often in the development lifecycle.
  • Delivered comprehensive security training to developers and IT teams, driving awareness and enabling faster remediation of vulnerabilities.
  • Developed and refined multiple security checklists, including Information Security policies and release policies, and created workflows to streamline security operations.
  • Managed third-party vendors for security audits, ensuring thorough assessment and compliance with security standards.
  • Administered and optimized F5 and Cloudflare Web Application Firewalls to safeguard critical applications and infrastructure.
  • Conducted thorough security testing of AWS infrastructure, including account hardening and implementing controls to secure cloud assets.

Aujas

Senior Security Consultant

Jan 2019 - Mar 2020 · 1 yr 2 mos · Gurgaon, India

  • Delivered comprehensive Vulnerability Assessment and Penetration Testing (VAPT) for one of India’s largest telecom providers and fintech clients, covering their assets across the entire African continent.
  • Assessed a wide range of systems including on-premises servers, mobile applications, networks, and web applications.
  • Conducted both automated and manual source code reviews to uncover security weaknesses.
  • Performed thorough manual and automated testing for vulnerabilities such as SQL Injection, Cross-Site Scripting (XSS), and complex business logic flaws.
  • Carefully evaluated and reproduced findings from automated vulnerability scanners to validate and prioritize risks.

AKS Information Technology Services

Security Consultant

Nov 2016 - Jan 2019 · 2 yrs 2 mos · Noida Area, India

  • Conducted security assessments of critical Indian government websites and collaborated closely with developers to guide issue mitigation efforts.
  • Performed manual source code reviews and provided actionable recommendations to enhance application security.
  • Partnered with the National Informatics Center (NIC) to strengthen the infrastructure of the Transport Department.
  • Supported a broad range of government organizations, including CBSE, UPSC, CARA, the Indian Navy, and multiple ministries, helping secure their digital environments.
  • Tested over 200 government websites across sectors such as education, power, and banking, contributing to more than 50 projects including red teaming exercises and DDoS mitigation efforts.
  • Conducted penetration testing and security assessments of payment gateways, and participated in policy reviews to ensure compliance and security best practices.
Burp Suite

Bytecode Cyber Security - India

Security Consultant

Dec 2015 - May 2016 · 5 mos · Bengaluru Area, India

Burp Suite

Education

Maharshi Dayanand University

Master of Technology (M.Tech) — Computer Science

Jan 2017 - Jan 2019

Punjab Technical University

Bachelor of Technology (B.Tech.) — Computer Science

Jan 2013 - Jan 2016
