Shantanu Ghumade

• Led comprehensive security assessments, performing penetration tests across web, mobile, network, and cloud products, complemented by secure code and architecture reviews.
• Significantly increased cloud security posture by implementing CIS-compliant hardening baselines and diligent configuration reviews across 20+ AWS accounts and 20+ GCP projects.
• Conducted secure code reviews for backend (Perl, Node.js, Python, Go), frontend (React.js), and mobile (Flutter) applications, embedding security early in the development lifecycle.
• Engineered and maintained automated security pipelines for GitHub repositories, integrating SAST, SCA, and secret detection to streamline security workflows.
• Developed and enforced secure Infrastructure as Code (IaC) practices for cloud deployments, ensuring secure configurations for services provisioned via Terraform and CloudFormation templates.
• Championed DevSecOps principles by leading architecture reviews, enforcing security checks in CI/CD pipelines, and deploying pre-commit tooling organization-wide to prevent the exposure of hardcoded secrets.
• Managed Deriv's end-to-end HackerOne bug bounty program, overseeing submissions, impact assessment, researcher engagement, and metrics tracking to drive continuous security improvement and external validation.
• Developed and deployed advanced AI-driven security agents, leveraging AI/ML to enhance operational efficiency across key security functions:

  Threat Feed Automation

  Created an AI-powered threat intelligence feed that delivers proactive alerts customized to Deriv's specific technology stack, enabling predictive threat management.

  Need Help Security Agent

  Implemented an internal RAG bot, trained on company security policies and knowledge bases, to provide instant and accurate answers to general employee inquiries.

  HackerOne Report Triage Agent

  Designed a HackerOne prescreening bot that automates the initial assessment and categorization of incoming reports, significantly optimizing report triage and reducing manual effort.

  Automated Third Party Vendor Prescreening

  Utilized LLMs to build an AI agent for preliminary vendor risk assessments, conducting deep research to identify documented risks and red flags, thereby streamlining third-party risk management.

  Compliance Gap Analysis Framework

  Engineered an AI framework that automates the comparison of policy documents against regulatory requirements, enabling efficient and accurate identification of compliance gaps.

• Leveraged EDR solution (CrowdStrike) and SIEM (Datadog) for advanced threat detection, incident response, and proactive threat hunting.
• Owned incident response and investigations, including correlating logs from various platforms, conducting root-cause analyses, and implementing preventative safeguards to minimize recurrence.
• Leveraged enterprise security tools for vulnerability management (Qualys), Web Application Firewall (Cloudflare), and security awareness training (KnowBe4) ensuring robust organizational defenses.
• Established and enforced security guidelines for AI agent development, including best practices for prompt injection defenses and secure design. Developed an automated agent to validate adherence to these guidelines, complemented by manual reviews to ensure robust AI security.

• Led end-to-end security testing engagements for a diverse portfolio of global clients across the finance, technology, and payment solutions industries.
• Selected for critical on-site international engagements to conduct comprehensive infrastructure penetration tests for high-value clients, including a major national bank in Mongolia and a key payment solutions provider in India.
• Communicated complex vulnerability details and strategic remediation plans to executive-level stakeholders, ensuring swift resolution of critical security risks.
• Earned two promotions within three years due to consistently delivering high-quality security assessments and exceptional client outcomes.

Notable CTF Event Rankings