// application-security-engineer

Full-Stack turned AppSec.

OSCP+ certified engineer at Sydney Tools. I break things, then help teams build them back stronger.

8+ years in tech
OSCP+ (Dec 2025)
25 HTB writeups
50+ assessments

I'm an OSCP+ certified Application Security Engineer with 8+ years spanning full-stack development, penetration testing, and DevSecOps. I identify and exploit vulnerabilities in business-critical applications while leading secure development practices across engineering teams.

My journey from Senior Full-Stack Developer to Security Engineer gives me a rare perspective: I understand how developers think, which makes me effective at both finding vulnerabilities and providing practical remediation that actually ships.

Currently leading AppSec at Sydney Tools · open to collaborations on CVE research, DevSecOps tooling, and security training.
What I Do

I find vulnerabilities in web, APIs, cloud, and Active Directory — and I write the exploit chain so developers see exactly how it happens.

Web & API: Burp Suite Pro, Caido, OWASP ZAP, SQLMap, Nuclei, Nikto, Wfuzz, Postman
Recon & Network: Nmap, Rustscan, Masscan, ffuf, Gobuster, Amass, Subfinder
AD & Windows: BloodHound, Rubeus, Mimikatz, PowerView, Impacket, CrackMapExec, Evil-WinRM
Exploitation: Metasploit, Chisel, Ligolo-ng, LinPEAS, WinPEAS, Seatbelt
Passwords: Hashcat, John the Ripper, Hydra, CeWL

I sit at the last review gate before production — catching SQLi, XSS, IDOR and auth bugs before they ship, and writing remediation that actually lands.

SAST / Code Review: Semgrep, CodeQL, Bandit, Brakeman, SpotBugs, Checkmarx, ESLint Security
Secret Detection: Gitleaks, TruffleHog, git-secrets
DevSecOps Pipelines: Snyk, SonarQube, Trivy, Checkov, tfsec, KICS, Dependency-Check
Cloud Hardening: ScoutSuite, Prowler, Pacu, AWS CLI, CloudSploit
Container / K8s: Falco, kube-bench, Docker Bench, Anchore

5+ years shipping production systems. I know where developers cut corners because I cut them too — it's why my remediation advice actually ships.

Languages: Python, TypeScript, Node.js, Go, Bash, PowerShell
Frontend: React, Vue.js, Next.js, HTML/CSS
Backend & APIs: REST, GraphQL, OAuth2/OIDC, HashiCorp Vault
Data: PostgreSQL, MongoDB, Redis
Infra & CI/CD: Docker, Kubernetes, Terraform, Ansible, GitHub Actions, Jenkins, Buildkite
Observability: Prometheus, Grafana, Splunk
The Journey
2017
Full-Stack Developer
Started shipping production web apps — Python, Node.js, React, Vue. Cut my teeth on real-world bugs, deploys, and on-call pages.
2020
Senior Full-Stack Developer
Led backend architecture on high-traffic platforms. First serious encounter with OWASP Top 10 during incident response — the pivot started here.
2023
DevSecOps & Code Review
Moved into the security side — SAST/DAST pipelines, secure code review, threat modelling. Started HTB in parallel to sharpen offensive skills.
2025
OSCP+ & AppSec Engineer
Certified OSCP+ (Dec 2025). Now leading application security at Sydney Tools — pentesting, code review, developer training.
Verified Credential
OSCP+
Offensive Security Certified Professional (Plus)
Offensive Security · Issued Dec 2025
Verify on OffSec →
// philosophy
Security isn't about saying no. It's about finding ways to say yes, securely.

I don't just find vulnerabilities — I understand the developer mindset and provide remediation that's realistic to ship. Having built production systems myself, I know what breaks, what gets deferred, and what actually makes it into the next sprint.

Let's Talk