Shantanu Ghumade
Summary
Senior Application Security Engineer with 6+ years of hands-on experience across AppSec, Cloud Security, and DevSecOps. Proven track record of embedding security into SDLC via secure code reviews, CI/CD automation, and cloud hardening at scale. Builder mindset with strong experience developing custom security tooling and AI-driven automation to improve detection, triage, and operational efficiency.
Work Experience
Deriv, Malaysia
Senior Security Engineer
- Led end-to-end security assessments across web, mobile, API, network, and cloud products, including secure code and architecture reviews.
- Improved cloud security posture by implementing CIS-aligned hardening across 20+ AWS accounts and 20+ GCP projects.
- Conducted secure code reviews for Perl, Node.js, Python, Go, React.js, and Flutter, enabling early vulnerability detection.
- Owned and scaled DevSecOps adoption, including pre-commit hooks and org-wide secret prevention controls.
- Built and maintained CI/CD security pipelines integrating SAST, SCA, IaC scanning, and secret detection.
- Managed Deriv’s HackerOne bug bounty program end-to-end, optimizing triage workflows and researcher engagement.
- Leveraged EDR (CrowdStrike) and SIEM (Datadog) for advanced threat detection, incident response, and proactive threat hunting.
- Owned incident response and investigations, including correlating logs from various platforms, conducting root-cause analyses, and implementing preventative safeguards to minimize recurrence.
AI & Security Automation
- Threat Feed Automation: Built an AI-driven threat intelligence feed tailored to internal tech stack for proactive risk identification.
- Security Assistant: Developed an internal RAG-based security assistant that answers employee security queries, using information security policies and internal process documentation as its knowledge base.
- HackerOne Triage Bot: Designed an automated HackerOne prescreening agent, reducing manual triage effort and improving initial response time.
- Vendor Prescreening: Automated third-party vendor risk prescreening using LLM-based research and risk flagging.
- Compliance Gap Analysis Framework: Created an AI-powered compliance gap analysis framework to compare internal policies against regulatory requirements.
Detection & Incident Response
- Reverse-engineered malware from a sophisticated campaign in which a fake AI recruiter on LinkedIn lured developers into a private GitHub repository.
SecureLayer7, Pune, India
Lead Security Consultant
- Led end-to-end security testing engagements for a diverse portfolio of global clients across the finance, technology, and payment solutions industries.
- Selected for critical on-site international engagements to conduct comprehensive infrastructure penetration tests for high-value clients.
- Communicated complex vulnerability details and strategic remediation plans to executive-level stakeholders.
- Earned two promotions within three years due to consistently delivering high-quality security assessments and exceptional client outcomes.
- Conducted a webinar on mobile application security.
Security Consultant
Feb 2021 – Feb 2022
- Performed in-depth source code analysis and mobile application penetration tests (Android/iOS).
- Conducted sessions on topics such as "Fuzzing HTTP Requests" and "HTTP request smuggling."
Associate Security Consultant
Feb 2020 – Feb 2021
- Conducted 50+ web application, API, and network vulnerability assessments.
- Systematically reported vulnerabilities found during VAPT engagements, combining manual and automated testing.
Technical Skills
Application Security & Pentesting
- Comprehensive security assessments: Web, Mobile (Android/iOS), API, Network, Cloud.
- Tools: Burp Suite, Postman, MobSF, Frida, Nmap, Metasploit.
- Secure Code Review & Architecture Review.
Cloud Security
- AWS, GCP, Alibaba Cloud hardening & config review.
- Implementing AWS Service Control Policies (SCPs) & reducing public exposure.
- Automated Cloud Security Posture Management (CSPM).
DevSecOps & Automation
- CI/CD Integration: SAST, DAST, IaC, Secret Scanning.
- Custom Tooling: Nuclei templates, Subdomain monitoring.
- AI Automation: LangChain workflows for threat intel & triage.
Enterprise Security Platforms
- Vulnerability Management: Qualys, UpGuard.
- Endpoint Security: CrowdStrike, Jamf, Kandji.
- SIEM & Observability: Datadog.
- WAF & Network: Cloudflare.
Open Source Contributions
JSScanner
Tool for scanning JavaScript files to identify exposed endpoints and secrets, enhancing reconnaissance capabilities.
ffufplus
Enhanced the ffuf tool with additional features and automation for advanced web fuzzing.
CVENotifier
A CVE feed notifier for targeted technologies or products.