Arkaprabha Chakraborty

DevOps Engineer

Kolkata, West Bengal, India · 4 yrs experience
Most Likely To Switch · AI ML Practitioner

Key Highlights

  • Expert in vulnerability research and exploit development.
  • Contributed to OWASP ZAP, enhancing security tools.
  • Proven track record in red teaming and penetration testing.
Stackforce AI infers this person is a Cybersecurity expert with a strong focus on vulnerability assessment and penetration testing.

Skills

Core Skills

Threat Detection, Vulnerability Research, Vulnerability Assessment, Penetration Testing, Threat And Vulnerability Management, Network Security, Web Application Security

Other Skills

Machine Learning, Exploit Development, Burp Suite, Python (Programming Language), Communication, PKI, Security Controls, Gradle, Security Research, Threat Analysis, Cyber Threat Intelligence (CTI), Shell Scripting, Executive Presentations, Operating Systems Design, Application Security Assessments

About

Tinkerer by passion, Engineer by education and Hacker by profession! Researching stuff for fun! Open source enthusiast and advocate | Google Summer of Code 2022 @OWASP Foundation | LiFT 2022 Scholar | Loves to do security research

Experience

Total Experience: 4 yrs
Average Tenure: 1 yr 4 mos
Current Experience: 1 yr 6 mos

Qualys

Security Engineer

Oct 2024 - Present · 1 yr 7 mos · Pune District, Maharashtra, India · On-site

  • Core Security Engineer in Threat Research Unit at Qualys, focusing on Purple teaming procedures.
  • Contributed to the TruRisk Mitigate platform, focusing on vulnerability research and exploit testing for zero-day vulnerabilities, high and critical-rated CVEs. Designed and executed exploits for them, and rigorously tested each to assess risk impact and ensure accurate detection.
  • Red team focus: Identified bypass techniques for existing mitigations, conducting thorough testing to validate the effectiveness of updated measures. Coordinated closely with the TruRisk Patch-Backend team to ensure stable mitigation releases within the TruRisk agent, contributing to a more secure and robust security posture for customers.
  • Blue team focus: Researched and developed mitigation strategies for vulnerabilities across three approaches: script-based (primarily using PowerShell and POSIX-compliant shell scripts), binary patching, and behavioral defenses. Each strategy was optimized to address security gaps effectively while maintaining system performance.
Machine Learning, Threat Detection, Vulnerability Research

PwC India

3 roles

Cyber Security Associate Consultant

May 2024 - Oct 2024 · 5 mos · Kolkata, West Bengal, India

  • Conducted red teaming projects for clients at PwC, performing vulnerability assessment and penetration tests for 17+ clients and covering more than 5000 IPs, using tools such as Nessus, Tenable One, Burp Suite Enterprise, OWASP ZAP, Metasploit, Cobalt Strike, Covenant, Sliver C2 and Nmap. Collaborated with development teams and stakeholders to successfully identify and remediate critical vulnerabilities.
  • Proficient in application security assessment; conducted web application pentesting for 7+ clients in the EMEA and US regions and successfully identified critical vulnerabilities such as privilege escalation, remote code execution, SQL injection, authentication bypass, XSS and business logic issues, while adhering to OWASP Top 10, NIST, PCI DSS and ISO/IEC 27000 standards.
  • Skilled in Android application security testing; conducted assessments for 3+ clients and successfully identified high severity bugs based on OWASP standards such as privilege escalation, insecure local storage, authentication bypass and IDOR attacks.
  • Experienced in managing effort sheets for various clients, probing technical questions to ensure the initial aspects of pentesting projects are met, while maintaining excellent client communication and delivering projects on time.
  • Proficient in creating the scope of work for clients to fulfill the gap of project requirements and ensure project scope and objectives are clearly defined and met.
  • Adept at working in a dynamic environment, with a strong understanding of security concepts, frameworks, and compliance requirements. Excellent problem-solving skills, with a strong ability to analyze complex security issues and develop effective mitigation strategies.
Vulnerability Assessment, Burp Suite, Penetration Testing

Cyber Security Specialist

Jul 2023 - May 2024 · 10 mos · Kolkata, West Bengal, India

  • Part of the GDC Threat and Vulnerability Management team. Has performed 100+ successful penetration testing assessments.
  • Security Testing and Assessments:
      • Collaborated on a Red Team assessment of Azure Active Directory for a major power company, identifying critical vulnerabilities.
      • Conducted black box network and web assessments for a leading automotive company, developing proof of concepts to demonstrate security flaws.
      • Performed black box web application security assessment for a private bank’s vendor, successfully decrypting sensitive data.
      • Led a grey box web application security assessment for a pharmaceutical company, identifying critical issues and securing Azure infrastructure.
  • Client Collaboration and Training:
      • Worked closely with developer teams to remediate security issues, improving security measures across various technologies.
      • Guided DevOps and Developer teams to mitigate risks in Azure environments, ensuring best security practices.
  • Achievements and Awards:
      • Received multiple awards including Advisory Team Excellence Award, STAR&R: Dazzling Debut, and Above and Beyond Award for exceptional delivery of penetration testing services.
  • Skills and Contributions:
      • Identified and exploited vulnerabilities across web applications, network infrastructure, and cloud environments.
      • Created detailed reports and documentation for clients, communicating vulnerabilities and remediation steps effectively.
      • Provided security recommendations and enhancements, improving overall security posture.
      • Trained staff on network and information security procedures, enhancing their security awareness and capabilities.
Python (Programming Language), Communication, Penetration Testing, Threat and Vulnerability Management

Risk Consultant (Threat and Vulnerability Management) Intern

Jan 2023 - Jul 2023 · 6 mos · Kolkata, West Bengal, India

  • Financial Institution Network Security Assessment:
      • Conducted network security assessments on a prominent financial institution’s internal VPC network.
      • Discovered misconfiguration in their desktop jumphost interface (thick client), leading to a foothold and identification of 2 critical privilege escalations.
  • Automotive Industry Security Assessments:
      • Conducted comprehensive security assessments of web, Android, and iOS applications, identifying vulnerabilities and proposing remediation strategies.
      • Collaborated with cross-functional teams to design, implement, and deploy secure features that enhanced application security and user data protection.
  • Building Custom Security Tools:
      • Assisted in the development of automated vulnerability detection tools, improving the efficiency of the vulnerability assessment process.
PKI, Security Controls, Network Security, Vulnerability Assessment

OWASP® Foundation

Contributor

May 2022 - Sep 2023 · 1 yr 4 mos

  • Worked on Zed Attack Proxy (ZAP), formerly known as OWASP ZAP, a former OWASP Foundation flagship project and current Software Security Project (SSP). Developed the parameter digger add-on for ZAP, which can find 25000+ vulnerable parameters in under a minute. Developed cache poisoning detection at scale with heuristic methods for comparison of responses and reporting vulnerable parameters. Incorporated a carpet bombing attack option for users to carry out cache poisoning DDoS attacks.
  • Improved ZAP’s Active Scanning and XSS scan rule by adding 3 new reflected XSS checks, 2 new stored XSS checks and SSTI checks.
  • Enhanced ZAP’s automation framework by creating new job rules and URL presence tests. Implemented URL presence tests within the framework to trigger conditional workloads and tests.

Google

Google Summer of Code Contributor: OWASP Foundation

May 2022 - Sep 2022 · 4 mos · Remote

  • Created the parameter digger ZAP addon that can be used to find hidden, unlinked parameters thereby increasing the attack surface. The Param Digger addon can be useful for finding web cache poisoning and related vulnerabilities.
  • Links:
      • https://www.zaproxy.org/docs/desktop/addons/parameter-digger
      • https://summerofcode.withgoogle.com/archive/2022/projects/XDtc6Ero
Gradle, Communication, Web Application Security, Vulnerability Assessment

Education

Maulana Abul Kalam Azad University of Technology, West Bengal (MAKAUT, WB)

Bachelor of Technology - B.Tech — Computer Science Engineering

Jan 2019 - Jan 2023

St. Joseph's College

ISC

Jan 2017 - Jan 2019

St. Mary's School

ICSE

Jan 2006 - Jan 2017

B.P. Poddar Institute Of Management and Technology

Bachelor of Technology — Computer Engineering
