Pankaj Mouriya

Community Manager

Bengaluru, Karnataka, India7 yrs 6 mos experience

Most Likely To Switch

Key Highlights

Expert in DevSecOps and cloud security automation.
Proven track record in incident response leadership.
Passionate about security innovation and knowledge sharing.

Stackforce AI infers this person is a SaaS Security Engineer with a strong focus on DevSecOps and cloud security.

Contact

Skills

Core Skills

DevsecopsCloud SecuritySupply Chain SecurityIncident ResponseComplianceKubernetes SecuritySecurity AutomationWeb Application Security

Other Skills

SASTSCASBOMSecrets DetectionProvenance TrackingArtifact SigningIncident ManagementCSIRTPSIRTSOC2 ComplianceISO27001 ComplianceKubernetesSecurity ScanningAPI DevelopmentServerless Architecture

About

I help organizations build secure, resilient systems by integrating security into every stage of development and operations. Currently at Kong as a Senior Security Engineer, I focus on DevSecOps automation, supply chain security, and incident response across distributed cloud-native environments. What I Do: - Automate security across CI/CD pipelines (SAST, SCA, SBOM, secrets detection) - Build and maintain supply chain security controls with provenance tracking and artifact signing - Lead incident response as CSIRT/PSIRT Incident Commander - Implement cloud security controls across AWS, GCP, and Kubernetes environments - Drive SOC2/ISO27001 compliance through security automation and policy enforcement Technical Focus: DevSecOps | Kubernetes Security | Cloud Security (AWS/GCP/Azure) | Supply Chain Security | Vulnerability Management | Incident Response | Compliance (SOC2/ISO27001) I'm passionate about security innovation, open-source security tooling, and sharing knowledge through conference talks and technical writing. I've spoken at BSides, Rootconf, and H@cktivityCon, and regularly publish security research at noshellaccess.com. AWS Certified Security Specialty | Certified Kubernetes Administrator (CKA) Always open to connecting with security professionals and discussing the latest in application security, cloud security, and DevSecOps.

Experience

Kong inc.

Senior Security Engineer

May 2024 – Nov 2025 · 1 yr 6 mos · Bengaluru, Karnataka, India · Hybrid

DevSecOps & Security Automation:
Maintained SAST, SCA, SBOM, and secrets scanning across 100+ Kong software repositories
Resolved critical CI/CD pipeline failures during security tool outages, implementing "break glass" mechanisms
Implemented vulnerability database mirroring solutions to reduce pipeline failures from upstream outages
Automated incident response with Tines workflows integrating CrowdStrike, PagerDuty, Jira, and Slack
Automated user correlation for CrowdStrike detections by enriching alerts with MDM data
Supply Chain Security & Standards:
Implemented auditable build process with provenance tracking for production software releases
Deployed container image signing to ensure secure and trustworthy artifacts
Responsible for GitHub Advanced Security across Kong repositories
Vulnerability Management & Incident Response:
Coordinated multiple penetration testing engagements and triaged security findings with engineering teams
Developed CVE determination processes using AI-assisted analysis
Served as Incident Commander for CSIRT/PSIRT security incidents with successful resolution track record
Compliance & Documentation:
Implemented GitHub configuration scanning across Kong's portfolio covering 200+ repositories
Supported SOC2/ISO27K compliance through security control implementation
Created comprehensive security documentation, playbooks, and vulnerability assessment frameworks
Innovation & Leadership:
Evaluated and implemented AI-powered code analysis tools like CodeRabbit and Claude Code
Collaborated with engineering teams across multiple time zones for security integration
Provided technical mentorship and handled ad-hoc security support requests

Web Application SecurityCloud SecurityNetwork Penetration Testing

Deepsource

Security Engineer - L3

Sep 2022 – Sep 2023 · 1 yr · Bengaluru, Karnataka, India

Developed a Kubernetes Validating Admission Controller to check for security misconfigurations in K8s API requests.
Built a serverless security scanner using Go, Trivy, and ECS Fargate.
Developed CRUD APIs using AWS SDK for AWS Elastic Container Registry.
Utilized AWS SDK and Kubernetes Client-go to create CRUD APIs for the Arch0
dashboard.
Developed CRUD APIs using Digital Ocean SDK for DOKS
management.
Implemented Informers to monitor and respond to resource changes in a
Kubernetes cluster.
Implemented Teleport OSS for Just-in-Time access management covering Apps, VM, Kubernetes, and CloudSQL access.
Established runtime security for DeepSource static analyzer to prevent RCE and data exfiltration.
Configured Falco and KubeArmor for syscall detection and policy enforcement.
Set up Terraform and Atlantis for PR automation for GCP IAM management.
Implemented Trivy such that it does not block feature releases. The
implementation flagged more than 400 critical and high severity issues.
Deployed Defectdojo to consume vulnerabilities from various tools such as Trivy,
Trufflehog, tfsec. Utilised Defectdojo metrics to continuously observe security
issues.
Deployed Trufflehog v3 secret scanner within GitHub check-suite with branch
protection rules.
Deployed the open-source CSPM (Scout Suite), identifying and prioritizing several
vulnerabilities for urgent remediation.
Conducted quarterly IAM access audits, employee access level reviews, and
unauthorized access detection and mitigation of all the findings discovered during
the audit.
Helped the organisation achieve SOC 2 and ISO 27001 compliance.
Helped devs achieve code sanitization to prevent malicious code execution
during dependency installation.
Managed DeepSource devices and restricted internal applications and infrastructure to be accessible within DeepSource via Tailscale VPN.
Wrote responsible vulnerability disclosure policy for the organisation's bug bounty program.

Invideo

Senior Security Engineer

Nov 2021 – Oct 2022 · 11 mos · Mumbai, Maharashtra, India

Conducted Web Application Security Assessments for InVideo web applications.
Collaborated with developers to mitigate discovered vulnerabilities.
Automated the Bug Bounty program management, including issue triaging,
communication with external researchers, and alerting engineers about new
reports.
Implemented a SAST/DAST pipeline using tools such as Checkov, detect-secrets,
Semgrep, Trivy, and OWASP ZAP.
Performed audit and configuration review of cloud infrastructure, including
penetration testing, CIS audits, and automated tools in the pipeline like
ProwlerCloud.
Implemented an open-source vulnerability report management solution within the
Kubernetes cluster.
Worked on implementing a complete DevSecOps pipeline as recommended by
OWASP.

Null - the open security community

3 roles

null - Community Manager

Promoted

Aug 2020 – Present · 5 yrs 7 mos

DevSecOpsSecurity AutomationIncident ResponseSupply Chain SecurityCloud SecurityCompliance

Volunteering

May 2020 – Sep 2023 · 3 yrs 4 mos

KubernetesSecurity ScanningAPI DevelopmentServerless ArchitectureKubernetes Security

null Chandigarh Chapter Lead

Sep 2018 – Apr 2020 · 1 yr 7 mos

null is India's largest open security community. Registered as a non-profit society in 2010, we have been active since even before that. null is about spreading information security awareness. All our activities such as null Monthly Meets, null Humla, null Bachaav, null Puliya, null Job Portal are for the cause of that.

Web Application SecuritySASTDASTCloud Security

Appsecco

Security Analyst

Jan 2020 – Dec 2021 · 1 yr 11 mos · Bangalore

Conducted Web Application Security Assessments to identify vulnerabilities and propose mitigations.
AWS and GCP cloud security audits evaluating the security posture of cloud environments, addressing potential risks and compliance issues.
Carried out network penetration testing assessments.
Published various technical blogs and presented my knowledge and research at
various conferences.