Vinod Т.

DevOps Engineer

San Francisco, California, United States · 6 yrs 9 mos experience

Key Highlights

  • Decade of experience in enterprise security strategy.
  • Expert in cloud and application security.
  • Passionate mentor for future security professionals.
Stackforce AI infers this person is a Cybersecurity expert with a focus on cloud and application security.

Skills

Core Skills

Information Security, Cloud Security, Penetration Testing, Application Security

Other Skills

Web2 security, automation, threat modeling, infrastructure security, security operations, CSPM, vulnerability management, security awareness programs, bug bounty programs, security architecture, pentesting, cloud pentesting, manual testing, automated testing, reporting

About

I’m a cybersecurity leader with a decade of experience driving enterprise security strategy, leading complex assessments, and building resilient systems across financial, government, and private sectors. I specialize in designing and executing security programs that reduce risk, improve compliance, and align with business goals. My expertise spans application, cloud, and infrastructure security, supported by a deep technical foundation in penetration testing, incident response, threat modeling, and secure DevOps. I’ve led red team engagements, advised on cloud security architecture, and enabled engineering teams to adopt secure development practices at scale. I’m passionate about building high-performing teams, mentoring the next generation of security professionals, and contributing to the broader security community through responsible disclosure and bug bounty programs. I stay ahead of evolving threats by actively researching emerging technologies and advocating for proactive security posture. Tools and platforms I’ve worked with include Python, Bash, AWS, GCP, Azure, Docker, Kubernetes, Vault, Terraform, Burp Suite Pro, and SIEM platforms.

Experience

Total Experience: 6 yrs 9 mos
Average Tenure: 1 yr 8 mos
Current Experience: --

Pip labs

Staff Security Engineer

Dec 2024 - Present · 1 yr 4 mos · Palo Alto, California, United States · Hybrid

  • Own end-to-end Web2 security including automation, threat modeling, penetration testing, infrastructure security, and security operations while building Web3 expertise
  • Implemented Wiz as unified CSPM, CNAPP, CIEM, and DSPM solution with comprehensive coverage, intelligent alert tuning, and vulnerability management aligned to organizational SLAs
  • Evaluated and deployed JAMF + CrowdStrike enterprise security stack, managing complete device lifecycle, user provisioning, and secure system configurations across the organization
  • Drive security awareness programs tailored to blockchain company risks, ensuring teams understand Web3-specific threats and social engineering attack vectors
  • Help manage bug bounty programs, cultivate Web3 vendor relationships, and provide security architecture guidance for internal research projects
  • Bridge traditional cybersecurity with blockchain-specific requirements, supporting secure development of AI-powered Web3 applications and infrastructure
Web2 security, automation, threat modeling, penetration testing, infrastructure security, security operations, +7

Hackerone

Lead Pentester

Jun 2024 - Dec 2024 · 6 mos · Canada · Remote

  • Conduct comprehensive pentests on web apps, APIs, and infrastructure, identifying critical vulnerabilities like RCE, SSRF, RFI, LFI, and business logic flaws.
  • Lead cloud pentesting efforts across AWS, GCP, and Azure, identifying misconfigurations, insecure IAM roles, S3 bucket exposures, and cloud-specific vulnerabilities.
  • Execute advanced manual and automated testing techniques, including exploitation of zero-day vulnerabilities, logic flaws, and chained attacks.
  • Develop custom scripts and tools to automate pentesting tasks, improving efficiency and depth of assessments.
  • Produce detailed reports with PoC exploits and risk assessments, ensuring clear communication of business impact to stakeholders.
  • Spearhead red team exercises and simulate real-world attack scenarios, testing organizational defense capabilities and uncovering hidden attack surfaces.
  • Mentor junior team members on identifying and exploiting high-severity vulnerabilities in both traditional and cloud environments.
pentesting, cloud pentesting, manual testing, automated testing, reporting, red team exercises, +3

Palette skills

Industry Reviewer - Cybersecurity

Jun 2023 - Present · 2 yrs 10 mos · Remote

Zapier

Sr. Cloud Security Engineer

Jan 2022 - May 2024 · 2 yrs 4 mos · Canada · Remote

Sonder inc.

Senior Product Security Engineer

Nov 2020 - Dec 2021 · 1 yr 1 mo · Canada · Remote

  • As a first security hire, helped build the risk register, processes, policies, and vulnerability management program.
  • Started and managed a responsible disclosure program which was later transitioned into a private bug bounty program.
  • Helped implement AWS account lifecycle and user access control via GitOps in AWS Organization. Coordinated the AWS SSO implementation effort to ensure the use of AWS STS via an internally built CLI tool. The CLI tool helped engineers download the AWS config profiles and kubeconfig.
  • Implemented CrowdStrike CSPM for detecting cloud security misconfigurations, asset management, and alerts on real-time malicious activities in the AWS accounts.
  • Collaborated with SREs to implement container runtime security using CrowdStrike in DaemonSet mode. Triaged the findings and worked with SREs to get the issues fixed.
  • Implemented Zscaler Private Access to provide engineers with secure access to the internal infrastructure. The ZPA was tied to the device posture profile to ensure no engineers were using their personal machines to connect to the internal infrastructure.
  • Implemented Signal Sciences WAF in the containerized microservices workload. Created custom WAF rules to tackle new threats.
risk management, vulnerability management, responsible disclosure, AWS account lifecycle, user access control, cloud security, +3

Freshbooks

Lead Security Engineer

Jul 2019 - Oct 2020 · 1 yr 3 mos · Toronto, Ontario, Canada

  • Implemented static application security testing in CI pipeline (Jenkins) to detect platform-specific vulnerabilities, third-party library analysis, and secret detection. The process breaks the build when a High or Critical finding is detected. The automation also included an exception framework in case there is no patch for the vulnerability or if it is a false positive.
  • Improved and automated IAM for provisioning and de-provisioning access in Google Cloud. The implementation involved creating custom and predefined roles and forcing users to impersonate a service account for elevated privileges. Any sensitive operation will generate an alert, and all access can be audited if required.
  • Built data classification standards based on the organizational risk matrix to identify potential threats
  • Automated detection and removal of secrets, PII, and passwords in version control and storage services
  • Built automation and alerts for detecting misconfigurations in Google Cloud and AWS
  • Prepared per-service incident response plan and led security incidents
  • Performed security assessments of applications & services periodically
  • Triage and manage security issues reported from responsible disclosure
static application security testing, IAM automation, incident response, security assessments, Application Security, Cloud Security

Amazon

Security Engineer II

Nov 2017 - Jul 2019 · 1 yr 8 mos · Santa Monica

  • Identify, triage, and provide remediation steps for application security issues
  • Help in design, implementation & assurance of secure software architecture
  • Identify common misconfigurations with AWS config and write automation using Lambda to mitigate security issues as soon as detected
  • Perform threat modeling for microservices, applications & IoT devices
  • Help in running SAST & DAST in CICD
  • Perform security assessments of applications & products periodically
  • Organize and manage penetration testing program for upcoming products and services
  • Triage and manage security issues reported from external sources
application security, secure software architecture, threat modeling, SAST, DAST, Application Security, +1

Truecar, inc.

Security Engineer I

Jan 2017 - Nov 2017 · 10 mos · Santa Monica

  • Implemented Security Scan in CI/CD Model
  • Participated in design & implementation of a Slack chatbot to solve user access issues
  • Handled identity and access management for SaaS apps through Okta
  • Gave security guidance on a constant stream of new products and technologies
  • Triaged and investigated malicious events in Rapid7 IDR
  • Suggest and implement automation of recurring tasks
  • Analyze, assess, and respond to various internet threats
  • Conduct regular security assessments
security policies, malware analysis, penetration testing, Information Security

Jefferies

Security Engineering Intern

Oct 2016 - Dec 2016 · 2 mos · Greater New York City Area

  • Identify, triage, analyze and close security incident alerts from Splunk
  • Implement and manage security policies on Bluecoat proxy
  • Performing malware analysis on suspicious attachments, files etc. delivered through social engineering
  • Conducting periodic web application and network penetration testing
  • Automate common information security tasks using Phantom orchestration
security incident alerts, malware analysis, penetration testing, Information Security

Cigital, inc (a part of synopsys)

Security Consulting Intern

May 2016 - Aug 2016 · 3 mos · Bloomington, Indiana, United States · On-site

  • Conducted Web app, Web services & Mobile app automated and manual ethical hacks on different platforms and technologies
  • Used Burp Suite Pro, DirBuster, IBM Appscan, Nessus, and a variety of internal tools and scanners to perform the assessment
  • Discovered various security issues and wrote a report with findings, proof of concept, and remediation
  • Interacted with clients to help them understand vulnerabilities and remediation
ethical hacking, vulnerability reporting, Information Security

Aks information technology services

Information Security Consultant

Jul 2012 - Jul 2015 · 3 yrs · Mumbai, Maharashtra, India · On-site

  • Was deployed as Team lead at State Data Center, Mantralaya, Mumbai
  • Employed various technical methods to safeguard data storage and handling
  • Served as Security Consultant to Maharashtra Government
  • Coordinated activities of information security policies
  • Handling Application Security testing Part & providing best solutions to clients
  • Training Government departments on "secure application development"
data security, application security, Information Security

Education

Stevens Institute of Technology

Master's degree — Computer Science

Jan 2015 - Jan 2016

University of Mumbai

Bachelor of Engineering - BE — Information Technology

Jan 2007 - Jan 2012
