// whoami

Devansh Gandhi

Security Consultant · Penetration Tester · CRTP · CEH · CAP

4+ years breaking web apps, APIs, and Android applications professionally — from SIEM work at Accenture to offensive engagements at KPMG and Payatu. I combine attacker thinking with communication that developers can actually act on.

Background

Master's in Cyber Security. CRTP, CEH and CAP certified. I work with startups, SaaS and product teams that need serious security testing without enterprise-level overhead — and I write it up in plain language your developers can act on.

Expertise

Web Application Penetration Testing · API Penetration Testing · Android Penetration Testing · Secure Code Reviews · Red Team Support

Availability

Currently taking on Web, Android, and API pentesting projects. Every engagement ends with a clear, actionable report. When I'm not hacking, you'll find me experimenting — mostly with new food.

Contact

Reach out at [email protected] — I usually reply faster than most firewalls.

Tools

Industry-standard tools for reconnaissance, exploitation, and remediation — scanners, reverse-engineering suites, fuzzers, and custom scripts to deliver accurate findings and practical fixes.

  • Burp Suite
  • Nmap
  • Python
  • Frida
  • Jadx
  • Postman
  • ZAP
  • Wireshark
  • Metasploit
  • SQLMAP
  • MobSF

Experience

4+ years in the field — from defensive monitoring to offensive engagements at leading firms. Every role has sharpened how I find and communicate real-world vulnerabilities.

Payatu — Senior Security Consultant

March 2026 – Present

Carries out research-driven black-box and grey-box penetration tests for web, API, and Android applications.

KPMG India — Associate Consultant

Apr 2024 – Feb 2026

Conducted black-box and grey-box penetration testing for web, API and Android applications; performed firewall reviews, IP-based assessments, supported red team operations, and delivered source code reviews.

Accenture — Security Delivery Associate

Jul 2022 – Apr 2024

Monitored SIEM alerts, conducted phishing email analysis, and correlated threat intelligence to enhance incident response processes.

Wipro — Cyber Security Intern

Sep 2021 – May 2022

Developed an automated tool for web and API penetration testing to scale security assessments and improve coverage efficiency.

Bug Bounty

Responsible disclosure isn't just good practice — it's how I keep my edge sharp. Acknowledgements from Google, Tata Play, Sony LIV, Zivame and others for uncovering real-world vulnerabilities outside of client engagements.

Google VRP

Discovered and reported a rate-limit bypass in a Google subsidiary — triaged and accepted by Google's security team as an abuse-risk issue. The same rigorous methodology I bring to every client engagement.

  • Rate Limit Bypass
  • Abuse

Tata Play

Reported a Broken Access Control (BAC) vulnerability on the website, earning appreciation and rewards for the high-impact discovery. (Hall of Fame)

  • BAC
  • Bug Bounty
  • Hall of Fame

Sony LIV

Discovered a business logic bypass vulnerability in the Sony LIV Android application via HackerOne — received recognition and swag for the responsible report.

  • Android
  • Business Logic Bypass
  • HackerOne

Zivame

Identified server misconfigurations across subdomains, leading to Hall of Fame inclusion. (Disclosure page)

  • Server Misconfiguration
  • Hall of Fame

RVDP Submissions

Submitted reports on Account Takeover, leaked files, authentication bypasses, OTP leaks, and misconfigured admin panels through coordinated vulnerability disclosure programs.

  • RVDP
  • NCIIPC

Certifications

I don't just hack — I have the paperwork to prove it, from three different certifying bodies.

  • Certified Red Team Professional (CRTP) · Altered Security · Jun 2025 (View)
  • Certified Appsec Practitioner (CAP) · SecOps Group · Mar 2025 (View)
  • Certified Ethical Hacker (CEH) · EC-Council · Jul 2023 (View)
  • Linux Privilege Escalation · TCM Security · Jun 2022 (View)

Achievements

Awards and recognitions for consistent delivery, high-impact findings, and standout contributions across engagements.

  • KPMG Super Team Award · Dec 2025 · Received for exemplary team spirit and collaboration that led to collective success.
  • KPMG KUDOS Award · Jul 2025 · Recognized by client for identifying high-severity vulnerabilities and delivering actionable remediation insights.
  • KPMG Rising Star Award · Sep 2024 · Awarded for outstanding performance and contributions.
  • Client Recognition — Accenture · May 2023 · Honored for exceptional delivery and commitment to project success.

Publications

Published research on steganography and penetration testing frameworks, peer-reviewed by IEEE.

  • "Efficient Data Hiding Method in Image Based on Modified LSB" · IEEE · Feb 2023 (View)
  • "Penetration testing frameworks for web applications and APIs" · LAP Book · May 2022 (View Book)
  • "Stego Dog: Image Steganography Tool for Confidentiality and Integrity" · IEEE · May 2022 (View)

Ready to Work Together?

If you're building something that handles real user data, customer trust, or financial transactions — it's worth getting a second pair of adversarial eyes on it before someone else does.