[ init ] establishing secure session...
[ key ] deriving ephemeral keys...
[ net ] tunneling over TLS…
[ ok ] integrity checks passed
Available for new projects

Penetration Tester

Freelance Web, API & Android security testing for startups and product teams.

I find the vulnerabilities in your web apps, APIs, and Android applications before attackers do — then hand you a clear, reproducible report your team can act on fast. CRTP, CEH & CAP certified, with 4+ years hands-on.
(Yes, I break into apps for fun. Then I help you fix them. 😉)

Free, no-commitment scoping call · I usually reply within 24 hours.

CRTP · CEH · CAP 4+ Years Hands-On Web · API · Android Google · Tata Play · Sony · Zivame Remote · Worldwide

What You Get

A pentest is only as useful as its report. You get findings your developers can act on — not a raw scanner dump.

  • Executive summary in plain business language
  • Risk-ranked findings (CVSS / severity)
  • Clear, reproducible steps for every issue
  • Screenshots and request/response evidence
  • Practical, developer-friendly remediation guidance
  • A walkthrough call to discuss findings
  • Free retest to confirm fixes (within scope)
  • NDA and strictly authorized testing only

How I Work

A transparent, low-risk engagement from first call to verified fixes.

01

Scope

A free call to define targets, access, timelines and rules of engagement — then a clear proposal with transparent pricing.

02

Test

Manual, methodology-driven testing across auth, access control, business logic, APIs and the exposed attack surface. Critical issues flagged immediately.

03

Report

A risk-ranked report with reproduction steps, evidence, impact and remediation guidance — plus a walkthrough with your team.

04

Retest

After your team ships fixes, I verify them so you can confirm the issues are genuinely closed.

Run the Numbers

Two quick tools: ballpark what a pentest might cost for your scope, and see what a breach could cost you without one. Both are estimates — exact quotes come after a free 30-min call.

Estimate Your Pentest Cost

Adjust the inputs below. The real quote comes after a free scoping call where I understand your full setup.

Estimate Your Breach Cost

See what a data breach could realistically cost your business — and whether a pentest is worth it by comparison.

Who's Behind This?

4+ Years Breaking Apps. Professionally.

From defensive SIEM monitoring to offensive penetration testing engagements — I've spent 4+ years learning exactly how attackers think and where defences fall short. I bring that perspective to every client pentest.

CRTP, CEH & CAP certified. Recognized by Google VRP, Tata Play, Sony LIV and Zivame for responsible vulnerability disclosures. I work with startups and product teams that need serious security testing — and I write reports your developers can actually act on.

Full Profile & Experience →
4+ Years hands-on
3 Industry certs
4 Companies recognised
2 IEEE publications

Real Findings. Responsible Disclosures.

A sample of vulnerabilities found outside of client work and responsibly reported. Platform names are public record — technical details are sanitised. Full pentest reports available under NDA.

High Severity

Rate-Limit Bypass

Google VRP

Uncovered a rate-limit bypass in a Google subsidiary's API enabling automated user enumeration without throttling — accepted by Google's security team as an abuse-risk finding.

  • API
  • Rate Limiting
  • Abuse Risk
Critical

Broken Access Control

Tata Play · Hall of Fame

Found a BAC vulnerability allowing unauthorised read access to customer account data. Responsibly reported — rewarded and included in the company's Hall of Fame.

  • BAC / IDOR
  • Web
  • Hall of Fame
High Severity

Business Logic Bypass

Sony LIV · HackerOne

Identified a business logic flaw in the Android application enabling bypass of payment restrictions. Disclosed via HackerOne — resolved and recognised by the security team.

  • Android
  • Business Logic
  • HackerOne
Medium

Subdomain Misconfiguration

Zivame · Hall of Fame

Discovered server misconfigurations across multiple subdomains exposing internal assets — responsibly disclosed, fixed, and included in the company's Hall of Fame.

  • Misconfiguration
  • Recon
  • Hall of Fame

Frequently Asked Questions

The questions clients ask most before an engagement.

How much does a pentest cost?

It depends on scope, but security testing shouldn't be priced out of reach for the teams that need it most. I've structured pricing to be accessible for startups and growth-stage teams — not just enterprises with six-figure budgets. Each service page has a transparent starting price, and the estimator above gives a quick ballpark. Still unsure? Reach out and I'll put together a custom scope.

What's the typical timeline?

Most web or API engagements take about 1–2 weeks from scoping to report, depending on complexity. You'll get a clear timeline in the proposal before any work starts.

What do I receive at the end?

A clear report: executive summary, risk-ranked findings with reproduction steps and evidence, business impact, and practical remediation guidance — plus a walkthrough call and a free retest of the fixes within scope.

Do you need access to source code?

Not necessarily. I offer black-box (no access) and grey-box (with credentials/docs) testing. Grey-box usually finds more in the same time — I'll recommend the best fit for your goals.

How do you handle sensitive data and confidentiality?

I sign an NDA before the engagement, test only what's authorized, and securely delete engagement data after report delivery. I can work within your security policies.

What if you don't find anything serious?

That's a good outcome — and rarer than you'd think. You still get a full report documenting what was tested and confirming your controls held up, which is useful evidence for customers, auditors and investors.

Contact

Ready to secure your apps before attackers test them for you? Tell me about your project and I'll reply within 24 hours with next steps, scope and transparent pricing — or start with a free 30-minute consultation.