I build security that moves with the business, not against it. Seven years across product security, application security, and the messy human edges where engineering meets risk.
Security shouldn't slow the build — it should make the build trustworthy. That's the bet I keep making, and so far it keeps paying off.
I'm a security architect with seven-plus years across the stack — application security, product security, infrastructure, cloud, and the secure SDLC work that quietly holds it all together. My day-to-day lives at the intersection of offensive testing and defensive architecture: breaking things to understand them, then designing systems that don't break the same way twice.
I started in the trenches doing penetration testing for banks and fintechs — networks, web apps, mobile, the full PCI-DSS gauntlet. That work taught me what most security advice misses: the gap between a finding in a report and a fix in production is enormous, and bridging it is mostly about relationships, not tools.
Today I lead product security advisory across multiple business units in a global enterprise environment. I drive threat modeling sessions with engineering teams, manage SAST/SCA remediation workflows, advise on penetration testing outcomes, and partner with DevSecOps, cloud, and infrastructure teams to scale practices that actually stick.
I care about the work that doesn't show up on a dashboard — the conversation that turns a "no" into a "yes, but here's a safer way", the threat model that quietly kills a bad idea before it ships, the developer who reaches out months later because the security review actually helped. That's the bar I keep moving toward.
When I'm not in code or in a threat model, I'm reading Stoic philosophy, the Bhagavad Gita, or anything on peak performance — the same disciplines that make a good security program also make a good life. Defense in depth applies to both.
Security earlier in the SDLC only works if developers actually adopt it. I optimize for adoption, not theatre.
A threat model is only as useful as the engineering decisions it changes. I run them as workshops, not audits.
Compliance is a side-effect of doing the right thing. Lead with risk, the certifications follow.
Security insights are useless if engineers and execs can't act on them. Clarity is the deliverable.
Security leadership isn't about being the loudest voice in the room — it's about making the right call easier for everyone else. After seven years across product teams, banks, and enterprise security, here's the leadership I bring.
Bridging engineering, product, security, and leadership so insights translate into decisions that ship. The deliverable isn't the report — it's the alignment that follows it.
Coaching early-career security folks, running threat modeling workshops with developers, and treating every engagement as a chance to leave a team more capable than I found it.
Driving security programs end-to-end — discovery, prioritization, remediation, reporting. Turning ambiguous risk into a roadmap with clear owners and measurable outcomes.
Translating technical findings into business-grade narratives. Helping leaders see what risk looks like in their context — and what doing nothing actually costs.
Security work rarely has clean answers. I lead by anchoring on principles, weighing trade-offs honestly, and committing — clarity beats consensus when the clock is running.
Security is a habit, not a checkpoint. I focus on rituals, champions, and friction-reduction — the unglamorous infrastructure that makes secure-by-default the path of least resistance.
From the application layer down to the cloud control plane, here's the ground I've covered — and continue to cover — in production environments.
Web, mobile, and API security testing aligned to OWASP frameworks. From scoping to reporting to working with developers on remediation that ships.
Embedding security into product engineering — advisory across multiple business units, prioritizing what matters, killing what doesn't.
STRIDE, PASTA, attack tree analysis — running threat models as collaborative engineering exercises that produce real architectural decisions.
Pipelines that catch issues without blocking releases. SAST, SCA, secret scanning, container security — wired into Jenkins, GitHub Actions, and the rest.
Cloud-native security across AWS — IAM hardening, network architecture, security services, and configuration review against CIS benchmarks.
VAPT across servers, networks, and on-prem environments. Configuration reviews for Windows and Linux, internal/external network testing.
Implementing and tuning VM programs end-to-end — discovery, prioritization, tracking, and the unglamorous remediation follow-through that actually moves metrics.
Hands-on with PCI-DSS, ISO 27001, NIST CSF, and Indian regulatory context — RBI guidelines, CERT-In, and the DPDP Act. Compliance as an outcome of good security, not the goal.
Leading product security advisory across multiple business units in a global enterprise environment. Driving threat modeling and secure SDLC activities with engineering teams, partnering with DevSecOps, cloud, and infrastructure teams to scale secure practices, and managing SAST/SCA remediation workflows. The work is increasingly about translation — turning security findings into engineering decisions that ship.
Three years deep in VAPT across infrastructure, web, mobile, and cloud. Conducted Android and iOS application security testing using OWASP MASVS and MASTG, performed web application pentesting against the OWASP Top 10, and ran configuration reviews on Windows and Linux servers in on-prem and cloud environments. Implemented vulnerability management tooling end-to-end and integrated SAST into Jenkins pipelines using SonarQube — early proof that DevSecOps lives or dies on developer experience.
Where it really started. Managed end-to-end web application penetration testing projects from scoping through reporting. Led infrastructure, web, and mobile security engagements across multiple domains. Conducted on-site vulnerability assessments for major banking organizations and ran security projects for PCI-DSS compliance — both external and internal networks. The pace was relentless, and so was the learning curve.
Bachelor of Computer Applications, with the kind of late-night curiosity about how systems break that eventually became a career. The formal foundation — but most of what I do now I learned in production.
Cloud architecture, security services, and well-architected design across AWS.
Specialized cloud security — IAM, data protection, incident response, and infrastructure security on AWS.
Hands-on threat modeling using STRIDE, PASTA, and attack tree methodologies in real engineering contexts.
Foundational cybersecurity principles, security operations, network security, and access controls.
Comprehensive information security consulting — risk, governance, and program design.
Foundational AWS concepts and cloud-native architecture principles.
Comprehensive CISSP preparation across all eight domains of the (ISC)² Common Body of Knowledge.
End-to-end security architecture: design patterns, zero trust, identity, data protection, and architecture review boards.
Active study across cloud-native security, AI/ML security, supply-chain attacks, and emerging threat landscapes.
Design and stand up AppSec programs that engineers don't dread — security champions, security reviews, design reviews, and the operational rituals that make security a habit instead of a checkpoint.
Run threat modeling sessions for individual features, full products, or entire architectures. STRIDE, PASTA, attack trees — whichever fits the team. The output is always: clearer architecture, fewer surprises, better security decisions.
Penetration testing across every surface that matters. Web apps against OWASP Top 10, mobile against MASVS/MASTG, APIs against the OWASP API Top 10, internal and external network testing for compliance and assurance.
SAST, SCA, secret scanning, container scanning, IaC scanning — wired into your CI/CD without turning every build red. Tooling matters less than thresholds, triage, and developer feedback loops.
AWS-focused cloud security audits — IAM hygiene, network segmentation, logging and detection coverage, configuration against CIS benchmarks, and architecture reviews against the AWS Well-Architected Security Pillar.
Building or fixing VM programs that move from "scan and forget" to actual remediation — discovery, prioritization, SLAs, dashboards, and the cross-functional choreography that closes findings.
Architecture-level reviews for new products, major refactors, or M&A integrations. Identifying weak assumptions, control gaps, and the kind of structural issues that get expensive in production.
Available for mentoring early-career security folks, guest sessions on AppSec / threat modeling / DevSecOps, and conversations about how to break into product security from a pentesting background.
Open to conversations on AppSec, DevSecOps, cybersecurity leadership, threat modeling, or anything where security has to actually ship.