Akash Bhavsar

🔐 Application Security Engineer | OSCP+ | Penetration Tester | DevSecOps


📍 Melbourne, Australia

🎯 8+ Years Experience

🏆 OSCP+ Certified

50+ Security Assessments
HTB Active Player

I’m an OSCP+ certified Application Security Engineer with 8+ years of experience spanning full-stack development, penetration testing, and DevSecOps. Currently at Sydney Tools, I identify and exploit security vulnerabilities in business-critical applications while leading secure development practices across the engineering team.

My journey from Senior Full Stack Developer to Security Engineer gives me a unique perspective. I understand how developers think, which makes me effective at both finding vulnerabilities and providing practical remediation guidance.

🎯 What I Do

Offensive Security

  • Web Application & API Penetration Testing (Burp Suite Pro, Metasploit, SQLMap, Nuclei, Nikto, Wfuzz, Postman, Caido)
  • Active Directory Attacks & Privilege Escalation (BloodHound, Mimikatz, Rubeus, Impacket, CrackMapExec, Evil-WinRM)
  • Windows & Linux Exploitation (Nmap, Rustscan, Gobuster, ffuf, Hashcat, John the Ripper, Hydra, LinPEAS, WinPEAS)
  • CVE Research & Exploitation (Hack The Box practitioner)

Security Engineering

  • Led secure code review initiatives as the final security gatekeeper, preventing SQLi, XSS, and IDOR vulnerabilities from reaching production (Semgrep, CodeQL, Bandit, ESLint Security, Brakeman, SpotBugs, Checkmarx)
  • Architected DevSecOps pipelines integrating SAST/DAST tools (Snyk, SonarQube, OWASP ZAP, Trivy, Checkov, Gitleaks, TruffleHog) into GitHub Actions workflows
  • Hardened cloud environments across AWS & GCP, secured IAM policies, container runtimes, and Kubernetes RBAC (ScoutSuite, Prowler, Falco, kube-bench)
  • Designed security architectures for microservices, implementing OAuth2/OIDC flows and secrets management with HashiCorp Vault

Development Background (What makes me effective at AppSec)

  • 5+ years building production systems in Python, Node.js, React, Vue.js, and Next.js. I know where developers cut corners.
  • Orchestrated cloud-native infrastructure with Docker, Kubernetes, Terraform, Ansible, and CI/CD (Jenkins, Buildkite, GitHub Actions)
  • Designed high-availability database schemas (PostgreSQL, MongoDB) and secure API patterns (REST, GraphQL) with monitoring (Prometheus, Grafana, Splunk)

🏆 Highlights

  • OSCP+ Certified (Issued Dec 2025)
  • Hack The Box: Active practitioner (Era, Mirage, Outbound, Faraday, Voleur, Sorcery)
  • Security Leader: Mentor developers, conduct security training, lead incident response
  • Full-Stack to Security: Unique perspective bridging development and security

💡 My Approach

I don’t just find vulnerabilities. I understand the developer mindset and provide actionable remediation guidance. Having built production systems myself, I know what’s realistic to fix and how to prioritize security work alongside feature development.

“Security isn’t about saying no. It’s about finding ways to say yes, securely.”

🛠️ Toolkit

Penetration Testing & Exploitation

  • Web/API: Burp Suite Pro, Caido, OWASP ZAP, Postman, Nuclei, SQLMap, Nikto, Wfuzz
  • Network & Recon: Nmap, Rustscan, Masscan, ffuf, Gobuster, Amass, Subfinder
  • Exploitation: Metasploit, CrackMapExec, Impacket, Evil-WinRM, Chisel, Ligolo-ng
  • Password Attacks: Hashcat, John the Ripper, Hydra, CeWL

Active Directory & Windows

  • BloodHound, Rubeus, Mimikatz, PowerView, SharpHound
  • Kerberoasting, AS-REP Roasting, Pass-the-Hash, DCSync
  • Privilege Escalation: WinPEAS, PowerUp, Seatbelt

Code Review & SAST/DAST

  • Static Analysis: Semgrep, CodeQL, Bandit, ESLint Security, Brakeman, SpotBugs
  • Secret Detection: Gitleaks, TruffleHog, git-secrets
  • CI/CD Integration: Snyk, SonarQube, Checkmarx, OWASP Dependency-Check

Cloud & Container Security

  • AWS/GCP: ScoutSuite, Prowler, CloudSploit, Pacu, AWS CLI
  • Container: Trivy, Falco, kube-bench, Docker Bench, Anchore
  • IaC Security: Checkov, tfsec, KICS

Scripting & Automation

  • Python, Bash, PowerShell, JavaScript/Node.js, Go
  • Custom tool development for recon, exploitation, and reporting automation