
Shantanu Ghumade

Application Security Engineer | OSCP

Cyberjaya, Malaysia


Summary

Security Engineer with over 5 years of experience driving security initiatives in Penetration Testing, DevSecOps, and Cloud Security, holding an OSCP certification. I have experience in conducting in-depth security assessments, complemented by secure code and architecture reviews. My expertise includes automating security within CI/CD pipelines for SAST, SCA, IaC security checks and secret scanning, effectively embedding a shift-left approach into the SDLC. I also build custom tools and AI agents to identify misconfigurations and streamline daily security tasks, significantly boosting team effectiveness.

Technical Skills

Application Security & Penetration Testing

  • Performed comprehensive security assessments across web, mobile (Android/iOS), API, network, and cloud environments.
  • Proficient with various tools for penetration testing, including Burp Suite, Postman, MobSF, Frida, and Nmap.
  • Experienced in secure code review, architecture reviews, and system configuration reviews.

Cloud Security

  • Hands-on experience securing cloud infrastructures on AWS, GCP, and Alibaba Cloud through robust configuration reviews and hardening, utilizing both manual and automated tools.
  • Experienced with reducing public resource exposure by implementing SCP policies, enforcing standard best practices, and regularly flagging public resources across multiple cloud services.

DevSecOps, Automation & AI

  • Integrated security into CI/CD pipelines via automated SAST, DAST, IaC security checks and secret scanning.
  • Developed custom tooling to automate various security checks, such as Nuclei scanning and subdomain takeover detection.
  • Developed AI-driven bots and workflows using frameworks like LangChain to enhance security operations, including threat intelligence and triage automation by automating manual tasks.

Enterprise Security Platform Experience

  • Hands-on experience with tools for vulnerability management, EDR, SIEM, security awareness training, and WAF services (e.g. Qualys, CrowdStrike, Jamf, Kandji, JumpCloud, Datadog, Cloudflare, GitHub, HackerOne, UpGuard, etc.).

Work Experience

Deriv, Malaysia

Senior Security Engineer

Jan 2023 - Present
  • Led comprehensive security assessments, performing penetration tests across web, mobile, network, and cloud products, complemented by secure code and architecture reviews.
  • Significantly increased cloud security posture by implementing CIS-compliant hardening baselines and diligent configuration reviews across 20+ AWS accounts and 20+ GCP projects.
  • Conducted secure code reviews for backend (Perl, Node.js, Python, Go), frontend (React.js), and mobile (Flutter) applications, embedding security early in the development lifecycle.
  • Engineered and maintained automated security pipelines for GitHub repositories, integrating SAST, SCA, and secret detection to streamline security workflows.
  • Developed and enforced secure Infrastructure as Code (IaC) practices for cloud deployments, ensuring secure configurations for services provisioned via Terraform and CloudFormation templates.
  • Championed DevSecOps principles by leading architecture reviews, enforcing security checks in CI/CD pipelines, and deploying pre-commit tooling organization-wide to prevent the exposure of hardcoded secrets.
  • Managed Deriv’s end-to-end HackerOne bug bounty program, overseeing submissions, impact assessment, researcher engagement, and metrics tracking to drive continuous security improvement and external validation.
  • Developed and deployed advanced AI-driven security agents, leveraging AI/ML to enhance operational efficiency across key security functions:
    • Threat Feed Automation: Created an AI-powered threat intelligence feed that delivers proactive alerts customized to Deriv's specific technology stack, enabling predictive threat management.
    • Need Help Security Agent: Implemented an internal RAG bot, trained on company security policies and knowledge bases, to provide instant and accurate answers to general employee inquiries.
    • HackerOne Report Triage Agent: Designed a HackerOne prescreening bot that automates the initial assessment and categorization of incoming reports, significantly optimizing report triage and reducing manual effort.
    • Automated Third Party Vendor Prescreening: Utilized LLMs to build an AI agent for preliminary vendor risk assessments, conducting deep research to identify documented risks and red flags, thereby streamlining third-party risk management.
    • Compliance Gap Analysis Framework: Engineered an AI framework that automates the comparison of policy documents against regulatory requirements, enabling efficient and accurate identification of compliance gaps.
  • Leveraged EDR solution (CrowdStrike) and SIEM (Datadog) for advanced threat detection, incident response, and proactive threat hunting.
  • Owned incident response and investigations, including correlating logs from various platforms, conducting root-cause analyses, and implementing preventative safeguards to minimize recurrence.
  • Leveraged enterprise security tools for vulnerability management (Qualys), Web Application Firewall (Cloudflare), and security awareness training (KnowBe4), ensuring robust organizational defenses.
  • Established and enforced security guidelines for AI agent development, including best practices for prompt injection defenses and secure design. Developed an automated agent to validate adherence to these guidelines, complemented by manual reviews to ensure robust AI security.

SecureLayer7, Pune, India (Feb 2020 - Jan 2023)

Lead Security Consultant

Feb 2022 - Jan 2023
  • Led end-to-end security testing engagements for a diverse portfolio of global clients across the finance, technology, and payment solutions industries.
  • Selected for critical on-site international engagements to conduct comprehensive infrastructure penetration tests for high-value clients, including a major national bank in Mongolia and a key payment solutions provider in India.
  • Communicated complex vulnerability details and strategic remediation plans to executive-level stakeholders, ensuring swift resolution of critical security risks.
  • Earned two promotions within three years due to consistently delivering high-quality security assessments and exceptional client outcomes.

Security Consultant

Feb 2021 - Feb 2022
  • Performed in-depth source code analysis and mobile application penetration tests (Android/iOS) for enterprise clients, identifying critical flaws before they could be exploited.
  • Conducted sessions on topics such as "Fuzzing HTTP Requests" and "HTTP request smuggling."

Associate Security Consultant

Feb 2020 - Feb 2021
  • Conducted over 50 web application, API, and network vulnerability assessments for a wide range of clients.
  • Produced systematic, structured reports and documentation of the vulnerabilities found during VAPT engagements through manual and automated testing.

Education

B. Tech in Computer Engineering

Government College of Engineering, Jalgaon, India

(2015 – 2019)

Certifications

  • Offensive Security Certified Professional (OSCP) [49305706] (Jul 2021)
  • CREST Registered Penetration Tester (CRT) [4617683603] (Jan 2022 - Jan 2025)

Open Source Contributions

  • JSScanner - Tool for scanning JavaScript files to identify exposed endpoints and secrets, enhancing reconnaissance capabilities.
  • ffufplus - Enhanced the FFUF tool with additional features and automation for advanced web fuzzing.
  • CVENotifier - A CVE feed notifier for targeted technologies or products.

Bug Bounty Experience

  • Synack: Synack Red Teamer - Level 2 (Aug 2021 – Present)
  • HackerOne: HackerOne (Aug 2019 – Present)
  • Bugcrowd: Bugcrowd (Oct 2019 – Present)