Open to research & collaboration

I'm Madhurendra


Security consultant and researcher with 50+ assigned CVEs. I test web apps, APIs, mobile, thick clients, cloud and networks, then report findings teams can act on.

root@m14r41 · zsh
root@m14r41:~# id
uid=0(root) groups=offsec,research
root@m14r41:~# specs /Fake
Ryzen 11 · 16GB GPU · 128GB DDR6 RAM
root@m14r41:~# find / -name '*.bug'
[+] 50+ found · all reported responsibly
root@m14r41:~#  
whoami

About Me

I'm Madhurendra, a security consultant based in Bengaluru. I've spent the last few years doing penetration testing and vulnerability research full-time, with 50+ CVEs assigned along the way. I hold the eWPTXv3, CAP and CEH Master certifications, plus an MCA degree.

I work across web, API, Android, iOS, thick-client, network and cloud testing, along with secure source-code review. Most of my tooling is in Bash and Python, and I'm comfortable across the common stacks and operating systems.

Outside of client work I hunt bugs, play CTFs on Hack The Box and TryHackMe, and write up what I find on Medium. Always happy to talk shop with people working in security.

Based in: Bengaluru, India
Currently: Senior Security Consultant
Education: MCA · Master of Computer Application
Disclosures: 50+ CVEs · 350+ NCIIPC acks
What I do

Skills & Arsenal

The domains I work across.

Vulnerability Assessment

Web Security

Mobile Application (Android / iOS)

API Security

Thick Client

SAST & SCA

Threat Modeling

Design / Idea Review

Cloud Security

Network Security

Automation & Scripting

Security Research

Career

Experience

Where I've worked.

Senior Consultant (Current)
Confidential
Feb 2026 – Present · Bengaluru, India
  • End-to-end VAPT across web, mobile, API and thick-client targets.
  • SAST and DAST reviews, OWASP-aligned testing and CVSS-scored reporting.
VAPT · SAST · DAST · Web App Pentesting · Mobile Pentesting · Thick Client · API Pentesting · OWASP · CVSS · Report Writing
Product Security Engineer
Traveloka
Jul 2025 – Feb 2026 · Bengaluru, India · On-site
  • Penetration testing across web, mobile and API, with SAST (manual and AI-assisted).
  • Threat modeling and design reviews to catch risks early in the SDLC.
Web App Pentesting · Mobile Pentesting · API Pentesting · SAST · AI-Assisted SAST (Copilot) · Threat Modeling · Architecture & Design Review · SDLC Security · Remediation Support · Stakeholder Coordination · Report Writing
Senior Information Security Consultant (L1)
eSec Forte® Technologies
Apr 2024 – Jul 2025 · Noida, India · Hybrid (deployed at EXL Service SEZ)
  • DevSecOps team running penetration testing for web, mobile, API and thick-client apps, plus SCA.
  • SAST with Fortify SSC and Prisma Cloud, integrated into Jenkins CI/CD pipelines.
DevSecOps · Web App Pentesting · Mobile Pentesting · API Pentesting · Thick Client · SCA · SAST · Fortify SSC · Fortify Audit Workbench · Prisma Cloud · Jenkins CI/CD · Report Writing
Information Security Analyst
Global Technology & Information Security (GTIS)
Apr 2022 – Apr 2024 · Gurugram, India
  • VAPT across web, mobile, API and thick-client targets.
  • Secure source-code review, cloud security assessments and vulnerability research.
SAST · DAST · Web App Pentesting · Mobile / iOS Pentesting · Thick Client · API Pentesting · Secure Code Review · Cloud Security · Vulnerability Research · Report Writing
Independent Security Researcher (Current)
Bug Bounty & Responsible Disclosure
Jul 2022 – Present · Remote
  • 350+ NCIIPC acknowledgements, plus multiple Hall of Fame and appreciation letters.
  • Ongoing responsible disclosure and vulnerability research.
Bug Bounty · Vulnerability Research · Responsible Disclosure · Hall of Fame · Web App Pentesting · API Pentesting
Cyber Security & Digital Forensics Intern
Cyber Secured India
Jan 2022 – Mar 2022 · Remote
  • Web and mobile application penetration testing.
  • IoT and hardware pentesting, with documentation and reporting.
Web App Pentesting · Mobile Pentesting · IoT Security · Hardware Security · Automotive Security · RF Security · Digital Forensics · Report Writing
Cyber Security Intern
SISTMR, Australia
Feb 2022 – Mar 2022 · Remote
  • Web pentesting on Metasploitable2 and OWASP Broken Web Apps.
  • CTF challenges and hands-on labs with virtualization.
CTF · Web App Pentesting · Virtualization · Metasploitable2 · OWASP BWA · Networking (OSI / TCP-IP)
Open source

Featured Projects

Open-source tools I build and maintain.

PentestingEverything

Comprehensive repository of 15+ types of pentesting tools, resources and methodology. A one-stop reference for offensive security.

Methodology · Toolkit

PentestingChecklist

A practical, repeatable security testing checklist covering web, API, mobile and network engagements end to end.

Checklist · Methodology

Clickjacking-Poc

Instant clickjacking proof-of-concept generator to demonstrate UI-redress vulnerabilities for reports.

PoC · Web

scan4secrets

Lightweight source-code scanner with 400+ detection rules for secrets, tokens and sensitive information.

SAST · Secrets

wordlistForger

Targeted wordlist generator that forges context-aware lists to sharpen fuzzing and brute-force coverage.

Recon · Wordlists

Scripting4Hackers

A growing collection of Bash and Python scripts that automate everyday offensive-security tasks.

Automation · Scripts
Disclosures

50+ CVEs Assigned

A sample of CVE IDs credited to me, each verifiable on cve.org.

51+
Publicly assigned CVE identifiers across web, API and application targets.
All independently disclosed and acknowledged.
Research

Articles & Writing

Long-form guides on offensive security, published on Medium and my blog.

Credentials

Certifications

Credentials in offensive and application security.

eWPTXv3 — Web Application Penetration Tester eXtreme
INE · Aug 2025
ID · 158329824
CRTP — Certified Red Team Professional
Altered Security
CEH Practical
EC-Council
CEH Master
EC-Council
ID · ECC2039745816
MCRTA — Multi-Cloud Red Team Analyst
CyberWarFare Labs
CAP — Certified AppSec Practitioner
The SecOps Group · Jan 2023
ID · 6899817
Academics

Education

Master of Computer Application (MCA)
Mangalayatan University, Uttar Pradesh
2022 – 2024
Bachelor of Computer Application (BCA)
BRABU University, Muzaffarpur, Bihar
2018 – 2021
Senior Secondary
Bihar Board, Patna
2015 – 2017
Acknowledgements

Recognition & Hall of Fame

Organisations and bodies that have credited my disclosures.

Top 15 Researchers · NCIIPC India
Newsletter
NASA Acknowledgement
Hall of Fame · BlackBerry
Hall of Fame · Bosch
Hall of Fame · Inflectra
Hall of Fame · Utrecht University
Hall of Fame · Drexel University
Hall of Fame · University of Texas
Appreciation · University of Cambridge
Appreciation · Drexel University
10×
IBM Security Recognitions
350+ NCIIPC India Acknowledgements
Off the clock

Hobbies & Interests

Capture the Flag · HTB & THM
Writing & reading security writeups
Security research
Open-source contributions
Programming & automation
Get in touch

Let's build something secure

Open to consulting and research work. Reach me on any of these.