Ajin Abraham

DevOps Engineer

Vancouver, British Columbia, Canada · 10 yrs 2 mos experience

Key Highlights

  • Creator of top security tools recognized globally.
  • Expert in mobile and web application security.
  • Published research at leading international security conferences.

Skills

Core Skills

Application Security · Security Engineering · Mobile Security

Other Skills

Offensive Security · Security Research · Cryptography · Threat Modeling · Penetration Testing · Large Language Models (LLM) · Secure Code Review · DevSecOps · Vulnerability Research · Vulnerability Assessment · Network Security · Fuzzing · Malware Analysis · Reverse Engineering · Programming

About

Security engineer and applied security researcher with deep experience in building, breaking, and scaling security programs and systems. Strong background in product security, security engineering, application security, offensive security, and runtime security instrumentation.

Creator and maintainer of widely adopted open-source security tools, including Mobile Security Framework (MobSF), an automated mobile application security testing platform, OWASP Xenotix XSS Exploit Framework, Droid Application Fuzz Framework, and nodejsscan. MobSF and OWASP Xenotix were recognized among the Top 10 Security Tools by ToolsWatch in multiple years (2013, 2014, 2016, 2017).

Published and presented security research at leading international security conferences, including Black Hat Europe, Black Hat Asia, Hack In The Box, OWASP AppSec (EU & APAC), Nullcon, Hack In Paris, PHDays, and others.

Areas of focus include runtime security instrumentation; cloud-native security; web and mobile application security; secure system and architecture design; code reviews, security automation, and tooling; fuzzing, reverse engineering, and exploit development; breaking and fixing security products and protocols; and designing and solving CTF challenges.

Blog: https://ajinabraham.com/blog/
GitHub: https://github.com/ajinabraham

Quoted in BBC News:
  • Mobile Security: http://www.bbc.com/hindi/india/2015/02/150219_android_phone_hackers_tk
  • Drone Safety & Security: http://www.bbc.com/hindi/india-42366906

Experience

Total experience: 10 yrs 2 mos
Average tenure: 2 yrs 6 mos

Privy

Staff Security Engineer

Dec 2025 – Present · 4 mos · Vancouver, BC · Remote

  • Securing wallet infrastructure at Privy, a Stripe company.
Application Security · Offensive Security · Security Engineering · Security Research · Cryptography

Chime

3 roles

Staff Application Security Engineer

Promoted

Mar 2025 – Dec 2025 · 9 mos · Remote

  • Drive security impact at scale by setting technical direction, influencing cross-team initiatives, and building systems that make secure development the default. Improve security tooling efficiency and replace manual efforts with automated AI agents to free human time for high-impact work.
  • Set technical direction for AppSec tooling and processes, scaling impact across security and engineering teams
  • Advanced in-house IDOR detection tooling by combining code-aware context with dynamic fuzzing to improve detection accuracy and automated triage efficiency
  • Built a Chime context-aware LLM SAST leveraging internal tribal knowledge and known anti-patterns, achieving ~77% accuracy, outperforming generic SAST tools in detecting business-logic and AuthZ/AuthN issues, and uncovering exploitable vulnerabilities in legacy codebases
  • Contributed to risk and fraud reduction by designing, implementing, and benchmarking advanced emulator detection capabilities
  • Designed and implemented an incident-resilient MITM protection strategy with infra and mobile teams, enabling signed and remotely switchable certificate pinning or transparency configurations
  • Partnered with security engineers to define, collect, and visualize AppSec effectiveness metrics, enabling leadership to assess program efficiency and ROI
  • Elevated in-house SAST and DAST program by integrating LLMs and multi-context data to optimize detection and triage workflows, enrich developer-facing messaging, reduce false positives, lower developer fatigue, and reduce on-call load
  • Onboarded recently acquired teams’ mobile applications into existing SAST or DAST pipelines, rapidly elevating them to Chime security standards
  • Acted as an embedded security partner across the SDLC and during live incidents to support high-impact engineering decisions
Application Security · Mobile Security · Security Engineering · Threat Modeling · Penetration Testing · Security Research

Senior Application Security Engineer II

Apr 2022 – Mar 2025 · 2 yrs 11 mos · Remote

  • As a Senior AppSec Engineer, I led efforts to secure mobile and web platforms through scalable, proactive solutions focused on reducing risk, improving developer experience, lowering costs, and fostering strong cross-functional collaboration.
  • Integrated Corellium with MobSF to enable Chime-specific iOS DAST, improving coverage and reducing third-party vendor costs.
  • Designed and deployed a novel solution to detect IDOR vulnerabilities in GraphQL services before they reached production.
  • Applied LLMs to enhance triage workflows across internal AppSec tools such as reducing noise from secret scanning and automating false positive suppression using multi-context data.
  • Prototyped and demoed LLM-powered CI/CD security tooling for code summarization and automated GitHub pull request security reviews.
  • Improved the in-house SAST orchestrator by refining rulesets, reducing noise, and integrating new scanners to increase detection accuracy.
  • Built a reusable, low-code PII redaction service adopted by multiple teams, leading to system-wide PII removal and measurable cost savings.
  • Acted as an embedded security partner to engineering teams on high-impact customer-facing projects, assisting with pentests, code reviews, and secure architecture design.
  • Led intern mentorship on threat modeling and product security reviews, and conducted focused training sessions for the security team to deepen technical skills and domain expertise.
Security Engineering · Threat Modeling · Secure Code Review · Penetration Testing · Application Security · Security Research

Senior Application Security Engineer

Jan 2021 – Apr 2022 · 1 yr 3 mos · Remote

  • Spearheaded Mobile Security maturity initiatives.
  • Worked closely with mobile engineers from early design draft to implementation phase, improving the security posture of Chime's Mobile app.
  • Migrated Chime's mobile app crypto module to support modern banking grade crypto specifications.
  • Collected and analyzed runtime environment signals from over 12 million unique mobile clients to design algorithms that block or alert on insecure operating environments, and exposed the data points to risk and fraud detection teams.
  • Made code contributions to harden mobile app with best practices and actionable security controls.
  • Built an automation to monitor and alert for certificate transparency log events.
  • Conducted internal pentests of web services and GraphQL API endpoints.
  • Worked on a secret segmentation project to reduce the attack surface on Chime's micro services.
  • Conducted code reviews (Ruby, Golang, JavaScript, TypeScript, Kotlin, Swift, Terraform and Python) on web and mobile apps.
  • Performed Security design reviews and threat modelling to identify security issues, and missing controls during early design and implementation phase.
  • Implemented automated SAST scans on Mobile app development pipeline with custom rules and open source tooling.
  • Assisted on bug bounty and external pentest reports.
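The certificate transparency monitoring bullet above names a technique without showing it. The block below is an added example and not the automation built at Chime: it runs detection logic over CT log entries constructed in the shape of crt.sh's JSON output (`name_value` is a newline-separated SAN list, `issuer_name` is the issuer DN, `serial_number` is hex). The monitored zone `example.test`, the issuer allowlist, the already-reviewed serial, and the `Alert`/`check_entries` names are assumptions for the demo.

```python
"""Flag unexpected certificates for a monitored domain in CT log entries.

Added example, not the automation the profile describes. Entries are
constructed in the shape of crt.sh's JSON output; the zone, issuer
allowlist and reviewed serials below are assumptions for the demo.
"""
import json
from dataclasses import dataclass, field
from typing import List, Set

MONITORED_ZONES = {"example.test"}                     # assumed zone to watch
ALLOWED_ISSUERS = {"C=US, O=Let's Encrypt, CN=R3"}     # assumed issuer allowlist


@dataclass
class Alert:
    serial: str
    reason: str
    names: List[str] = field(default_factory=list)


def in_scope(name: str) -> bool:
    """True if a SAN (wildcard or not) sits inside a monitored zone."""
    bare = name.lower().rstrip(".")
    if bare.startswith("*."):
        bare = bare[2:]
    return any(bare == z or bare.endswith("." + z) for z in MONITORED_ZONES)


def check_entries(raw_json: str, reviewed_serials: Set[str]) -> List[Alert]:
    """Return one Alert per suspicious finding; marks new serials as reviewed."""
    alerts: List[Alert] = []
    for entry in json.loads(raw_json):
        names = [n.strip() for n in entry["name_value"].splitlines() if n.strip()]
        scoped = [n for n in names if in_scope(n)]
        if not scoped:
            continue                      # certificate does not touch our zone
        serial = entry["serial_number"].lower()
        if serial in reviewed_serials:
            continue                      # already triaged on an earlier run
        reviewed_serials.add(serial)
        reasons = []
        if entry["issuer_name"] not in ALLOWED_ISSUERS:
            reasons.append("issuer not in allowlist: " + entry["issuer_name"])
        if any(n.startswith("*.") for n in scoped):
            reasons.append("wildcard certificate covers the zone")
        if len(scoped) != len(names):
            # a cert mixing our names with foreign ones is a classic phishing tell
            reasons.append("certificate also covers names outside the zone")
        if not reasons:
            reasons.append("new certificate, needs review")
        alerts.extend(Alert(serial, r, scoped) for r in reasons)
    return alerts


# Constructed entries (not real log data)
SAMPLE_ENTRIES = json.dumps([
    {"serial_number": "03A1B2C3", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.test\nwww.example.test", "not_before": "2025-01-02T00:00:00"},
    {"serial_number": "04d4e5f6", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "api.example.test", "not_before": "2025-03-04T00:00:00"},
    {"serial_number": "0a0b0c0d", "issuer_name": "C=XX, O=Unknown CA, CN=Unknown Root",
     "name_value": "*.example.test\nlogin.other.test", "not_before": "2025-03-05T00:00:00"},
    {"serial_number": "ffee0011", "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "unrelated.test", "not_before": "2025-03-06T00:00:00"},
])


def run_demo() -> List[Alert]:
    """Run the check with one serial already triaged on a previous run."""
    reviewed = {"03a1b2c3"}
    return check_entries(SAMPLE_ENTRIES, reviewed)


if __name__ == "__main__":
    for a in run_demo():
        print(f"[{a.serial}] {a.reason}: {', '.join(a.names)}")
```

In a real deployment the reviewed-serial set is persisted between polls so that each certificate pages on-call at most once, and the issuer allowlist should be the exact DNs of the CAs your ACME or PKI tooling actually uses, since a lookalike CN is exactly what a mis-issuance looks like.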

Trend Micro

2 roles

Product Security Engineer

Mar 2019 – Jan 2021 · 1 yr 10 mos

  • Responsible for security research and product security at Trend Micro Cloud One Application Security
  • Evangelized and spearheaded Product Security initiatives, discussions, and tasks.
  • R&D of Cloud Native Runtime Security solutions for Serverless, Containers, and Kubernetes.
  • Developed PoC for kernel & userspace tracing/blocking of syscalls and network packets.
  • Worked extensively on eBPF, seccomp-BPF, ptrace API, XDP, and tc.
  • Worked with the engineering team for security architectural reviews and design.
  • Conducted Threat Modelling of critical product features.
  • Conducted AWS infrastructure security and compliance assessments.
  • Performed Pentest of applications hosted in AWS Compute services like EKS, Lambda, Fargate, etc.
  • Performed secure code review of Infrastructure as Code (IaC) deployments such as CloudFormation, Serverless Framework, etc.
  • Implemented DevSecOps practices addressing code review, composition analysis, dynamic fuzzing, and dependency management.
  • Developed a test suite for security validation and performance monitoring of agents using TICK stack.

Security Researcher

Oct 2017 – Feb 2019 · 1 yr 4 mos

  • Security Researcher at IMMUNIO (acquired by Trend Micro), eliminating web vulnerability classes one at a time.
  • Conducted independent security research, developed or improved novel defence techniques against Deserialization remote code execution and Expression language injection in web applications.
  • Worked on integrating and testing IPS and RASP technologies for the next generation security product that focus on containerized environments.
  • Developed tooling to detect, parse and repeat HTTP packets from PCAP at scale.
  • Performed Security testing and improved SQLi detection algorithms.
  • Designed and developed SQLi Fuzz testing harness with support for multiple SQL dialects.
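The "detect, parse and repeat HTTP packets from PCAP" bullet above describes a tool but not the mechanics. What follows is an added example written for this page, not the tooling built at Trend Micro: it parses a classic pcap byte string (Ethernet, IPv4, TCP), reassembles client-to-server bytes per flow in capture order, splits the stream into HTTP/1.x requests using Content-Length, and renders each as a curl command for replay. The capture is constructed inline (not real traffic), the host `api.example.test` and the function names are assumptions, and there is no sequence-number reordering, TLS, or chunked-encoding support.

```python
"""Extract HTTP requests from a pcap so they can be replayed.

Added example; constructed capture, not real traffic. Handles classic pcap
(magic 0xa1b2c3d4 / 0xd4c3b2a1, Ethernet link type), IPv4 and TCP. Request
streams are reassembled per flow in capture order (no seq reordering).
"""
import socket
import struct
from typing import Dict, List, Optional, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"PATCH ", b"HEAD ", b"OPTIONS ")
Flow = Tuple[str, int, str, int]  # (src ip, src port, dst ip, dst port)


def iter_frames(data: bytes):
    """Yield raw link-layer frames from a classic pcap byte string."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng not supported)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet captures are supported")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame: bytes) -> Optional[Tuple[Flow, bytes]]:
    """Return (flow, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6:  # not TCP
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return (src, sport, dst, dport), tcp[data_off:]


def parse_requests(stream: bytes) -> List[Dict]:
    """Split one client->server byte stream into complete HTTP/1.x requests."""
    requests, pos = [], 0
    while stream[pos:].startswith(HTTP_METHODS):
        end = stream.find(b"\r\n\r\n", pos)
        if end < 0:
            break  # head not fully captured
        lines = stream[pos:end].decode("latin-1").split("\r\n")
        method, path, version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_len = int(headers.get("content-length", "0"))
        body_start = end + 4
        body = stream[body_start:body_start + body_len]
        if len(body) < body_len:
            break  # body spans segments not yet seen
        requests.append({"method": method, "path": path, "version": version,
                         "headers": headers, "body": body})
        pos = body_start + body_len
    return requests


def extract_http_requests(pcap: bytes) -> List[Tuple[Flow, Dict]]:
    """Reassemble TCP payloads per flow and pull out every complete HTTP request."""
    streams: Dict[Flow, bytearray] = {}
    for frame in iter_frames(pcap):
        parsed = tcp_payload(frame)
        if parsed and parsed[1]:
            streams.setdefault(parsed[0], bytearray()).extend(parsed[1])
    return [(flow, req) for flow, data in streams.items() for req in parse_requests(bytes(data))]


def as_curl(flow: Flow, req: Dict) -> str:
    """Render a request as a curl command for replay against a test host."""
    host = req["headers"].get("host", flow[2])
    parts = ["curl", "-X", req["method"]]
    for name, value in req["headers"].items():
        if name != "content-length":  # curl recomputes it from the body
            parts += ["-H", f"'{name}: {value}'"]
    if req["body"]:
        parts += ["--data-binary", f"'{req['body'].decode('latin-1')}'"]
    parts.append(f"http://{host}{req['path']}")
    return " ".join(parts)


# --- constructed sample capture (not real traffic) ------------------------
def _frame(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp  # zeroed MACs, checksums unused


def sample_pcap() -> bytes:
    req1 = b"GET /api/v1/accounts/42 HTTP/1.1\r\nHost: api.example.test\r\nCookie: sid=abc\r\n\r\n"
    req2 = (b"POST /api/v1/transfer HTTP/1.1\r\nHost: api.example.test\r\n"
            b"Content-Type: application/json\r\nContent-Length: 27\r\n\r\n")
    body2 = b'{"to": "42", "amount": 100}'  # 27 bytes, sent in its own segment
    frames = [_frame("10.0.0.5", 51000, "10.0.0.9", 80, req1),
              _frame("10.0.0.5", 51001, "10.0.0.9", 80, req2),
              _frame("10.0.0.5", 51001, "10.0.0.9", 80, body2)]
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    records = [struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


if __name__ == "__main__":
    for flow, req in extract_http_requests(sample_pcap()):
        print(flow, as_curl(flow, req))
```

The per-flow reassembly is the part that matters at scale: a request head and body routinely land in different segments, so detecting "is this HTTP" on individual packets misses or truncates requests. Replaying captured traffic against anything but a test environment also replays session cookies, so strip or rewrite `cookie`/`authorization` headers before pointing the output at a shared system.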

OpSecX

Founder

Dec 2015 – Aug 2017 · 1 yr 8 mos · Bangalore

  • Founded OpSecX, an online platform for self-paced application security education. The e-learning platform enrolled 5000+ students from 80+ countries and became profitable in the second month after its launch.
  • Visit: https://opsecx.com

Envestnet | Yodlee

2 roles

Application Security Consultant

Oct 2015 – Sep 2017 · 1 yr 11 mos

  • Web and Mobile Security, Security Architecture and DevSecOps
  • Involved in security architecture and design review of new products.
  • Conducted pentests and code reviews of Yodlee's fintech web and mobile applications written in Java, Objective-C, PHP, Node.js, and Golang.
  • Coordinated with engineering team to ensure that solid application security practices are followed in the SDLC process.
  • Conducted zero-day exploit analysis and implemented interim code patches or WAF rules before vendor support or software updates were available.
  • Automated security assessments, developed security tools and secure libraries to be used within the organization (Python, Golang, .NET, JavaScript).
  • Implemented DevSecOps pipelines to keep security in pace with agile development environment.
  • Mentored and trained a team of freshers in Application Security and Security Engineering.
  • Designed Security CTF competitions for improving competence of team members.

Application Security Engineer

Jun 2014 – Sep 2015 · 1 yr 3 mos

  • Web and Mobile Security, Security Assessment and Automation
  • Conducted threat modelling, pentests, manual and automated code reviews and security certification of hybrid mobile applications (Android, iOS), web applications (Java, Node.js) and SDKs (Android, Node.js, JavaScript).
  • Developed open source security tools for automated security testing of mobile and web applications.
  • Major open source contributions include YSO Mobile Security Framework, NodeJsScan, and OAuth 1.0a Request Proxy (Python, .NET, Java, JavaScript).
  • Worked with engineering team to ensure that secure SDLC is followed and all Yodlee applications are built with security controls right from the early design and implementation phase.
  • Performed application security research and published the research findings at multiple security conferences.

IMMUNIO

Product Security Engineer

Sep 2015 – Oct 2017 · 2 yrs 1 mo · Bengaluru Area, India · Remote

  • IMMUNIO provides web security in 2 minutes with its next-generation Runtime Application Self-Protection (RASP) agents, which work within the web framework to defend against popular web attacks in real time at the application layer with maximum accuracy.
  • Product Security, Security Engineering and Research
  • Member of Security Research and Development team responsible for designing and developing cutting edge security defences with runtime instrumentation (Python, Ruby, Java, Node.js, Lua and JavaScript).
  • Researched and developed or improved novel defence techniques against DOM XSS, Verb Tampering, Layer 7 DDoS, Session Hijacking and Credential Stuffing in web applications.
  • Published an academic research paper titled "Injecting Security into Webapps at Runtime".
  • Developed a differential pentest PoC based on the context-learning capabilities of RASP that reduced automated DAST scan times from hours to minutes.
  • Developed a framework for benchmarking RASP, WAF and other security products.
  • Discovered bypasses and edge cases in RASP agents and developed fixes or provided remedies.
  • Developed in-house fuzzers for automated vulnerability or bypass detection in RASP agents.
  • Performed vulnerability analysis and reverse engineering of interesting Zero Days or CVEs and published detailed technical blogs.

OpenSecurity

2 roles

Founder

Jan 2012 – May 2015 · 3 yrs 4 mos

  • We do quality pentests, code review, online and live security trainings, security engineering and tool development.
  • Application Security Services Offered:
  • Web Application Penetration Testing
  • Application Server and Database Security
  • Hardening and Malware Removal Services
  • Mobile Application (Android, iOS, and Windows) Security Assessment
  • Secure Source Code review of Desktop, Web and Mobile Applications
  • Infrastructure and Application Stack Security Assessment
  • Cloud & Serverless Security Assessment
  • Secure Architecture design and implementation assistance
  • Evaluation of custom Security implementations & protocols
  • Application Security Automation & Scripting
  • Security Engineering and Security Tool Development
  • More: https://opensecurity.in

Organizer

Jan 2012 – Mar 2015 · 3 yrs 2 mos

  • X0RC0NF, previously known as DEFCON DCG Kerala, is an annual international security conference held in God's Own Country, Kerala. It is a platform for security researchers, hackers, enthusiasts, professionals and students. We promote security research and provide deep technical trainings on various security domains. We do not compromise on quality and make our best effort to keep the talks 100% technical.

Education

University of Madras

Master of Business Administration (MBA) — Information Security Management

Jan 2016 – Dec 2018

Kannur University

Bachelor of Technology (BTech) — Computer Science

Jan 2010 – Jan 2014

Marygiri Senior Secondary School

+2 — Higher Secondary Education

Jan 2008 – Jan 2010
