Harshil

Penetration Tester and offensive security professional with hands-on experience in web application penetration testing, vulnerability assessment, and ethical hacking across web applications, REST and GraphQL APIs, and network infrastructure. Primary focus is server-side vulnerability research, with a track record of responsible disclosure across Bugcrowd, Intigriti, and open-source programs. Skilled at communicating complex technical risk to both technical teams and non-technical stakeholders through clear, structured reporting.

Seeking an entry to mid-level offensive security role where deep web application and API testing expertise can be applied to real-world security programs.

Independent Security Researcher - Bugcrowd, Intigriti, Open-Source VDPs

(2020-01)

Conducted continuous black-box vulnerability research across private bug bounty programs on Bugcrowd and Intigriti, with accepted disclosures spanning Critical, High, Medium, and Low severity findings.

• Focused on deep manual testing of authentication mechanisms, authorization logic, session handling, and backend data flows — surfacing complex server-side and business-logic vulnerabilities that automated scanners routinely miss.
• Reverse-engineered single-page application JavaScript bundles to reconstruct hidden API routes, uncover client-side logic flaws, and extract sensitive data embedded in frontend code, consistently expanding the attack surface beyond documented endpoints.
• Built and maintained custom reconnaissance automation in Go and Python — including a Certificate Transparency monitor that streams newly issued certificates across active CT logs and delivers real-time Discord and Slack alerts the moment a target registers a new subdomain, providing a first-mover advantage on fresh attack surface.
• Produced structured disclosure reports for every accepted finding, covering full attack narrative, step-by-step reproduction, CVSS v3.1 rationale, business impact assessment, and OWASP-aligned remediation guidance.

Penetration Tester - OneKnotOne Technologies - Vadodara, India

(2023-04 - 2023-11)

Delivered web application penetration testing and black-box / grey-box network assessments across multiple client engagements spanning external web applications, internal network infrastructure, and Active Directory environments, owning scope definition, testing, and client debriefs end-to-end.

• Executed Active Directory assessments covering Kerberoast extraction, weak GPO review, SMB relay opportunities, and lateral movement path mapping — translating raw findings into realistic privilege escalation narratives for client remediation teams.
• Led API security assessments against REST and SOAP endpoints, testing for BOLA, excessive data exposure, rate-limit bypass, and authorization enforcement gaps across integration layers and third-party service boundaries.
• Designed and executed spear-phishing and pretexting campaigns for social engineering engagements, assessing susceptibility across credential submission and endpoint execution vectors to quantify human-layer risk alongside technical findings.
• Authored client-facing penetration test reports with executive summaries, CVSS-rated technical findings, and prioritized remediation roadmaps, then delivered findings in debrief sessions to both engineering teams and business stakeholders.

Penetration Tester Intern - Cyber Sapiens - Mangalore, India

(2022-06 - 2022-07)

• Supported grey-box web application and REST/SOAP API assessments, contributing manual test cases for input validation, session handling, and authentication logic across assigned modules.
• Performed authenticated vulnerability scans with Nessus, documented reproduction evidence, and escalated high-severity findings to senior consultants for client reporting.

Post-Graduate Diploma - Cyber Security - Durham College (2025-01 - 2025-08)

Post-Graduate Diploma - Cyber Security Response Planning - Conestoga College (2024-01 - 2024-08)

Bachelor's - Bachelor of Information Technology - Gujarat Technological University (2019-07 - 2023-04)