Available for Freelance & Consulting

Baskar Mariyappan.

Senior Security Consultant · Offensive Security
Web & API Security Specialist for SaaS & Startups

"Choosing the right path, always. 200 OK"
// 01 — ABOUT

Engineer by training. Attacker by mindset.

I'm an Application Security Engineer with 4+ years of hands-on experience in offensive security — vulnerability assessment, penetration testing, and secure code review across Web, API, Mobile, Thick Client, and Network environments.

My work centers on simulating real-world attacks — from OWASP Top 10 exploitation and authentication abuse to full adversary-emulation exercises, plus AI / LLM security testing against the OWASP Top 10 for LLMs and the ASI01–ASI10 agentic framework. I translate findings into clear, prioritized remediation that engineering teams can ship without guesswork.

I published CVE-2025-54592 against FreshRSS and have been recognized by the security programs at Zoho, TECNO, OPPO, OnePlus, and private bug-bounty programs. Currently ranked #21 globally on TECNO SRC.

Beyond full-time consulting, I take on freelance security engagements for SaaS & startups. Flexible scoping, fixed-price or retainer.

Freelance Services

01 · Web Application Pentest
OWASP Top 10, auth & business-logic abuse

02 · Mobile Application Pentest
Android & iOS — MobSF, Frida, Jadx

03 · API Security Testing
REST & GraphQL — BOLA, BFLA, mass assignment

04 · Secure Code Review (SCR)
SAST-driven + manual review across stacks

When I'm not testing, I'm automating — Python-first — building recon pipelines, custom Burp extensions, and threat-intel workflows that stitch together tools like Shodan, Amass, and theHarvester.

// 02 — SERVICES

What I break (and help you fix).

Web Application Pentest

End-to-end testing of web apps against OWASP Top 10 and beyond — authentication, authorization, injection, SSRF, business logic.

OWASP · Burp Pro · Manual PoC

API Security Testing

REST & GraphQL APIs — broken auth, excessive data exposure, mass assignment, rate limiting, and business-flow abuse.

REST · GraphQL · Postman

Mobile App Security

Android & iOS — static + dynamic analysis with MobSF, Frida, Jadx-GUI, apktool. Certificate pinning bypass, storage abuse, IPC flaws.

Android · Frida · MobSF

Network VAPT

Internal & external network assessments — service enumeration, privilege escalation paths, lateral movement, AD weaknesses.

Nmap · Nessus · Responder

Secure Code Review

SAST-driven + manual review across Node, Python, Java, PHP. Focus on auth logic, deserialization, SSRF sinks, crypto misuse.

SAST · DAST · Manual

Red Team & Phishing

Adversary simulation, spear-phishing campaigns, C2 infrastructure, initial access operations. Built with Havoc, Evilginx, GoPhish.

Havoc C2 · Evilginx · GoPhish

AI / LLM Security

Testing LLM-powered products against OWASP Top 10 for LLMs & the ASI01–ASI10 agentic framework — prompt injection, data exfiltration, RCE via tools, system-prompt extraction, chatbot IDOR.

Prompt Injection · OWASP LLM · Agentic AI
// 03 — EXPERIENCE

4+ years. Across consultancies & enterprises.

Senior Security Consultant

EY (Ernst & Young) Dec 2025 — Present
  • Lead web & API security engagements for SaaS and enterprise clients.
  • Threat modeling and secure design reviews for cloud-native applications.
  • Deliver executive-level risk reports alongside developer-focused remediation guidance.
  • Drive internal tooling & methodology improvements across assessment teams.

Security Engineer

Vault Infosec Feb 2024 — 2025
  • Conducted VAPT for Web, API, Mobile & Thick Client applications — identifying and mitigating high-severity flaws.
  • Executed network-level VAPT that measurably improved client security posture.
  • Led application security engagements, simulating external and internal attacker scenarios to assess organizational resilience.
  • Ran spear-phishing campaigns during adversary-simulation engagements to achieve initial access.
  • Built automation tools and testing scripts that cut manual assessment effort.
  • Authored comprehensive VAPT reports with actionable insights for internal and client stakeholders.

Technical Consultant — Cybersecurity

Finstein Jun 2022 — Oct 2023
  • VAPT for Web, API and Mobile applications across multiple client engagements.
  • Automation scanning with Netsparker & Acunetix to catch critical issues early.
  • Network VAPT and phishing campaigns for brand-reputation & exposure analysis.
  • Hardened Linux and Windows environments — baseline configuration & programming.
  • Authored detailed VAPT reports with reproducible PoCs and remediation guidance for developers and stakeholders.
// 04 — ARSENAL

Skills & tooling.

Offensive Security

  • OWASP Top 10 — Web · API · Mobile
  • Penetration Testing (Web / API / Network / Thick Client)
  • Secure Code Review — SAST & DAST
  • Adversary Simulation & Red Team Ops
  • Spear Phishing / Social Engineering

Web & API

  • Burp Suite Professional
  • Netsparker · Acunetix
  • Postman · Swagger / OpenAPI
  • SQLmap · ExploitDB

Network & Recon

  • Nmap · Nessus · Qualys
  • Shodan · Amass · theHarvester
  • Responder · Impacket tooling

Mobile & RE

  • MobSF · Frida
  • Jadx-GUI · apktool
  • Ghidra (reverse engineering)

Red Team / C2

  • Havoc C2 framework
  • Evilginx · GoPhish
  • Custom payload delivery

Cloud & Scripting

  • Cloud security configuration review
  • Misconfiguration mitigation
  • Python — automation & tooling
  • Linux & Windows hardening

AI / LLM Security

  • Prompt injection — direct & indirect
  • OWASP Top 10 for LLMs
  • ASI01–ASI10 agentic AI framework
  • Chatbot IDOR & auth bypass
  • System-prompt extraction
  • Tool / function-call exploitation (RCE)
  • ASCII smuggling & exfil channels
// 05 — METHODOLOGY

How an engagement runs.

01 · Scope & Threat Model
Understand the app, auth model, data classification, and attacker goals before touching a single request.

02 · Recon & Mapping
Enumerate surface — subdomains, endpoints, JS secrets, parameters. Map the full attack surface.

03 · Exploitation
Manual testing backed by automation. OWASP Top 10 first, then business logic and chained vulnerabilities.

04 · Impact & PoC
Reproducible PoCs. Every finding includes impact, exploit path, and severity justification.

05 · Report & Retest
Developer-ready remediation. Retest cycles until every valid finding is resolved.

// 06 — HALL OF FAME

Recognitions & research.

ZERO-DAY · CVE

CVE-2025-54592

Incomplete Session Termination on Logout in FreshRSS — a session-lifecycle flaw allowing re-use of authenticated context after logout. Disclosed responsibly and credited in the upstream fix.

Recognised By

Zoho
TECNO
OPPO
OnePlus
Global
+ Private Programs

// 07 — RESEARCH & WRITING

Published work & features.

WRITEUP

Published on TECNO Security Response Center

Technical writeup authored for TECNO SRC — vulnerability research & exploitation walkthrough.

security.tecno.com
PROFILE

TECNO SRC Researcher Profile

Overall global ranking #21 across TECNO's Security Response Center program.

Public profile
FEATURED

Featured by TECNO SRC

TECNO's feature page highlighting researcher experience and contributions to the program.

3rd-of-tecnosrc
PROFILE

HackerOne — @nameisbas

Public bug-bounty profile — reports, thanks & ongoing programs.

hackerone.com/nameisbas
PROFILE

Bugcrowd — @nameisbas

Bugcrowd researcher profile — crowdsourced security programs.

bugcrowd.com/h/nameisbas
CODE

GitHub — @baskar18

Tools, automation scripts, and research code.

github.com/baskar18
// 08 — CONTACT

Let's talk.

Currently taking freelance engagements — penetration tests, secure code reviews, AI/LLM security assessments, and bug-bounty-style audits. Remote, worldwide. Fastest response on email or LinkedIn.

Email: baskar.m@nameisbas.com
LinkedIn: /in/baskarmariyappan
GitHub: @baskar18
HackerOne: @nameisbas
Bugcrowd: @nameisbas
Location: Chennai, Tamil Nadu · IN
Availability: ● Freelance · Open Now