available for engagements // Pune, IN

Gaurav Ahire_

Pentester / Red Teamer / Product Security Engineer / Bug Bounty Hunter

5+ years breaking and securing web, mobile, network, thick-client, and cloud systems. I find what shouldn't be there, document the impact, and help teams ship safer.

01

# about

I'm a Pentester and Product Security Engineer with over five years of hands-on experience in vulnerability assessment, penetration testing, and cloud security across web, mobile, network, and thick-client environments. I'm proficient in secure code review and identifying logic flaws and insecure coding patterns.

I'm experienced in securing cloud infrastructures across AWS, Azure, and GCP, and assessing them against real-world attack scenarios. I'm known for delivering actionable security findings, supporting remediation, and contributing to the development of secure systems.

02

# skills & toolkit

offensive

  • Penetration Testing
  • Vulnerability Assessment
  • Red Teaming
  • VAPT
  • Adversary Emulation

application

  • Web Application Security
  • API Security (REST / GraphQL)
  • Android Security
  • iOS Security
  • Thick Client Security
  • Source Code Review

infrastructure

  • Network Security
  • AWS Security
  • Azure Security
  • GCP Security
  • Cloud Workload Assessment

engineering

  • SAST / DAST
  • Threat Modeling
  • Risk Assessment
  • Secure Code Review
  • AI / LLM Security
  • Report Writing
// tooling

Burp Suite · Nmap · Nessus · Metasploit · Wireshark · Hydra · MobSF · Frida · Objection · BloodHound · Ligolo · Mimikatz · Semgrep · Fortify · MITRE ATT&CK

03

# work & specializations

/01

Web & API Security

Testing web applications and APIs against OWASP Top 10 and SANS 25, including SQLi, XSS, RCE, IDOR, CSRF, authentication flaws, LFI/RFI, and business-logic issues. Proficient in REST and GraphQL assessments, with custom Bash/Python automation for repeat checks.

  • OWASP Top 10
  • SANS 25
  • GraphQL
  • Bash / Python

/02

Network Infrastructure

Internal and external network penetration testing — surfacing open ports, misconfigurations, weak credentials, and exposed services. Hands-on with SMB, FTP, RDP, and SNMP; simulating real-world adversaries from initial foothold through lateral movement.

  • Nmap
  • Nessus
  • Wireshark
  • Metasploit

/03

Mobile (Android & iOS)

Static and dynamic analysis of Android and iOS apps. Identifying insecure storage, weak authentication, insecure communication, and reverse-engineering risks. Aligned to OWASP Mobile Top 10.

  • MobSF
  • Frida
  • Objection
  • Burp Suite

/04

Source Code Review

Manual and automated reviews to surface logic flaws, hardcoded secrets, and unsafe coding patterns. Codebases across Java, Python, JavaScript, and PHP — focusing on input validation, auth flows, access control, and error handling.

  • Semgrep
  • Fortify
  • Custom scripts

/05

AI / ML Security

Assessing AI/ML systems — training pipelines, deployments, and inference APIs. Testing for model poisoning, adversarial evasion, data leakage, and model extraction. Standards-aligned reporting that maps technical issues to business impact.

  • C-AI/MLPEN certified
  • LLM red teaming

/06

Red Teaming

Full-scope red team engagements simulating real-world adversaries to test detection and response. Adversary emulation across the attack lifecycle using MITRE ATT&CK; proficient with C2 frameworks and post-exploitation tooling.

  • MITRE ATT&CK
  • BloodHound
  • Ligolo
  • Mimikatz

/07

Cloud Security

Assessing the security posture of IaaS, PaaS, and SaaS environments. Surfacing misconfigurations, insecure data storage, weak access controls, and IAM flaws. Testing cloud workloads, APIs, and deployment pipelines.

  • AWS
  • Azure
  • GCP
  • AWS Security Specialty

/pub

Published Research — Pentest Magazine

Researched and documented an Android App Links autoVerify behavior (API level 23 and above) in which deep links can fail when an app declares multiple domain hosts across its intent filters. Highlighted the security and UX risks of improperly handled intent filters, including excessive redirects and app-chooser prompts.

  • Pentest Magazine
  • Mobile deep links
  • Intent-based attacks
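The failure mode behind that research is the all-or-nothing verification rule: when `android:autoVerify="true"` is set, Android collects every host from every matching intent filter and checks each one's `/.well-known/assetlinks.json`; on Android 11 and earlier a single failing host leaves the app unverified for all of its links, so they fall back to the browser or a chooser prompt. The script below is an added illustration, not code from the article or from any of the employers listed here. It parses a constructed manifest and constructed assetlinks responses (the package name `com.example.app`, the hosts, and the certificate fingerprint are all made up) and reports which hosts would pass and whether the pre-Android-12 rule would disable App Links for the whole app. The per-host result it also returns reflects the per-domain verification Android documents from Android 12 onward.

```python
"""Offline check of the Android App Links autoVerify rule that makes
multi-host intent filters fragile: every host in every autoVerify filter
must publish a matching assetlinks.json statement, and before Android 12
one failing host means no link opens in the app (added example)."""
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not a real app): two autoVerify filters on
# two activities, three distinct hosts.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="example.com"/>
        <data android:scheme="https" android:host="www.example.com"/>
      </intent-filter>
    </activity>
    <activity android:name=".ShareActivity">
      <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="links.example.org"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

PACKAGE = "com.example.app"                       # constructed
FINGERPRINT = ":".join(["AB:CD:EF:01:23:45:67:89"] * 4)  # constructed SHA-256 fingerprint


def _assetlinks(package: str) -> str:
    """Build a minimal Digital Asset Links statement list for one package."""
    return json.dumps([{
        "relation": ["delegate_permission/common.handle_all_urls"],
        "target": {"namespace": "android_app", "package_name": package,
                   "sha256_cert_fingerprints": [FINGERPRINT]}}])


# Constructed: what each host's /.well-known/assetlinks.json would return.
# links.example.org still names an old package, so that host fails.
SAMPLE_ASSETLINKS = {
    "example.com": _assetlinks(PACKAGE),
    "www.example.com": _assetlinks(PACKAGE),
    "links.example.org": _assetlinks("com.example.legacy"),
}


def autoverify_hosts(manifest_xml: str) -> set:
    """Hosts Android will verify: every http/https host in a VIEW filter
    that carries android:autoVerify="true", across all activities."""
    root = ET.fromstring(manifest_xml)
    hosts = set()
    for flt in root.iter("intent-filter"):
        if flt.get(ANDROID_NS + "autoVerify") != "true":
            continue
        actions = {a.get(ANDROID_NS + "name") for a in flt.findall("action")}
        if "android.intent.action.VIEW" not in actions:
            continue
        data = flt.findall("data")
        if not {d.get(ANDROID_NS + "scheme") for d in data} & {"http", "https"}:
            continue
        hosts.update(d.get(ANDROID_NS + "host").lower()
                     for d in data if d.get(ANDROID_NS + "host"))
    return hosts


def statement_matches(assetlinks_json: str, package: str, fingerprint: str) -> bool:
    """True if the assetlinks body grants handle_all_urls to this package
    and signing certificate (fingerprint compared case-insensitively)."""
    try:
        statements = json.loads(assetlinks_json)
    except ValueError:            # malformed JSON is a verification failure
        return False
    want = fingerprint.upper()
    for st in statements:
        if "delegate_permission/common.handle_all_urls" not in st.get("relation", []):
            continue
        target = st.get("target", {})
        if target.get("namespace") != "android_app" or target.get("package_name") != package:
            continue
        if want in [f.upper() for f in target.get("sha256_cert_fingerprints", [])]:
            return True
    return False


def verify_app_links(manifest_xml: str, assetlinks_by_host: dict,
                     package: str, fingerprint: str) -> dict:
    """Per-host verification result; a missing entry models a 404/unreachable host."""
    return {host: (assetlinks_by_host.get(host) is not None
                   and statement_matches(assetlinks_by_host[host], package, fingerprint))
            for host in sorted(autoverify_hosts(manifest_xml))}


def verification_outcome(per_host: dict) -> dict:
    """Pre-Android-12: all hosts must pass or App Links are off for the whole app."""
    failing = sorted(h for h, ok in per_host.items() if not ok)
    return {"pre_android_12_app_links_enabled": not failing,
            "verified_hosts": sorted(h for h, ok in per_host.items() if ok),
            "failing_hosts": failing}


if __name__ == "__main__":
    result = verify_app_links(SAMPLE_MANIFEST, SAMPLE_ASSETLINKS, PACKAGE, FINGERPRINT)
    print(json.dumps(verification_outcome(result), indent=2))
```

Run against a real app, replace `SAMPLE_ASSETLINKS` with the bodies fetched over HTTPS from each host (a redirect, a non-200 status or a wrong `Content-Type` also fails verification) and compare the hosts the script lists with the output of `adb shell pm get-app-links PACKAGE`, which shows the device's own per-domain verdict.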

04

# experience

  1. Product Security Engineer II

    Tracelink Nov 2025 — Present · Pune
    • Conducting internal and external penetration testing across web, mobile, API, network, and cloud environments.
    • Performing High-Level Design (HLD) reviews to evaluate security architecture and surface design-level risks early in the SDLC.
    • Running threat modeling and risk assessments to proactively identify attack surfaces and recommend mitigations.
    • Executing SAST and DAST assessments to detect vulnerabilities in source code and runtime environments.
    • Triaging and managing security issues, coordinating remediation with engineering and product teams.
  2. Core Pentester

    Cobalt Labs Feb 2026 — Present · Remote
    • Performing penetration testing across web, mobile, network, internal/external, and thick-client environments for global clients.
    • Preparing detailed, actionable security reports documenting findings, risk impact, and remediation guidance.
    • Handling client queries through the engagement lifecycle, ensuring clear communication of technical details.
    • Conducting debrief calls and report read-outs to walk clients through findings and recommended remediation steps.
  3. Product Security Engineer

    BMC Software India Pvt Ltd Nov 2022 — Oct 2025 · Pune
    • Conducted security assessments on web, mobile, thick-client applications, network infrastructure, and cloud environments.
    • Performed static code reviews (SAST), collaborating with development teams on remediation.
    • Validated, reproduced, and triaged security issues reported by researchers and customers.
    • Ran threat modeling and risk assessments to prioritize vulnerabilities and recommend mitigation strategies.
    • Maintained vulnerability reports, risk analysis, and remediation tracking artifacts.
    Bug Basher Award (multiple times) — reporting the highest number of vulnerabilities, including critical and high-severity issues.
  4. Application Security Engineer

    Securityboat Cybersecurity Solutions Jan 2021 — Oct 2022 · Pune
    • Conducted penetration testing on web, mobile, API, and network applications across diverse client environments.
    • Delivered 40+ security assessment projects covering OWASP Top 10, SANS 25, and business-logic flaws.
    • Partnered with client development and security teams to reproduce, explain, and remediate vulnerabilities.
    • Maintained detailed reports, risk analysis, and remediation tracking for compliance and audit purposes.
  5. Independent Security Researcher

    Freelance / Synack Jun 2020
    • Performed penetration testing on web, mobile, and API applications, discovering critical vulnerabilities.
    • Documented vulnerabilities with clear reproduction steps, risk impact, and actionable remediation guidance.
    • Actively participated in bug bounty programs and continuous security research.

05

# certifications & education

// certifications

  • CREST CRT · CREST Registered Penetration Tester · 2025–2028
  • CREST CPSA · CREST Practitioner Security Analyst · 2025–2028
  • AWS Certified Security — Specialty · 2025–2028
  • OSCP+ · OffSec Certified Professional+ · 2025
  • C-AI/MLPEN · SecOps Group AI/ML Pentester · ID 10492478 · 2025
  • eMAPT · eLearnSecurity Mobile Application Pentester · 2023
  • eCPPT · eLearnSecurity Certified Professional Pentester · 2023
  • eWPTXv2 · eLearnSecurity Web App Pentester Xtreme · 2022

// education

Bachelor of Engineering — Computer Engineering

Gokhale Education Society R. H. Sapat College of Engineering

2018 — 2021 · Nashik, Maharashtra, India

// interests

Writing · Reading · Exploring Tech

06

# contact

$ echo "let's talk about security."

Whether you need a pentest, a second pair of eyes on architecture, or just want to chat about something interesting you found — I'm reachable below.