shreyas@root: ~
About

Who I Am

Not a theoretical learner — a hands-on security professional.

I'm Shreyas K U, a final-year engineering student and Application Security Intern at Accenture. I specialize in finding and documenting vulnerabilities in web applications.

My daily work involves conducting DAST assessments using Burp Suite Pro, identifying OWASP Top 10 vulnerabilities, and producing professional-grade security reports. I've documented 25+ vulnerabilities across multiple applications — with real Burp screenshot evidence.

A full-stack development background (React, Node.js, MongoDB) gives me a builder's eye for how these apps actually work — and where they break. Contributor to Equifax's Vulnerability Disclosure Program (VDP).

I'm based in Bangalore, Karnataka, India and actively looking for full-time AppSec roles, freelance penetration testing engagements, and security consulting opportunities.

0+
Vulnerabilities Documented
0+
Vulnerability Types Exploited
0+
Professional Reports Delivered
0
High-Severity Findings
Experience

Where I Work

Currently doing real-world application security at a Big 4 firm.

case file — 001
Application Security Intern
Accenture Solutions Pvt. Ltd. · Bangalore
Feb 2026 — Jun 2026
Focus Areas
  • DAST on an enterprise insurance platform (ALIP NYL) using Burp Suite Pro — 5 OWASP Top 10 vulnerabilities identified and documented with CVSS ratings and remediation steps
  • IDOR via account ID parameter tampering, SQL injection login bypass, WEB-INF path traversal, outdated Apache Tomcat (CVE-2005-2090), missing HSTS/CSP headers
  • 6-phase internal penetration tests in an isolated Kali Linux lab — recon (Nmap, Maltego, theHarvester), scanning (Nikto, dirb), exploitation (Metasploit, Hydra), post-exploitation (LinPEAS, Meterpreter)
  • Phishing simulations (GoPhish, SET), ARP poisoning (Bettercap), and payload generation (MSFvenom) in a controlled lab environment
Tools
Burp Suite ProNmapMetasploitHydraGoPhishBettercap
on fileAccenture AppSec DAST assessment report — OWASP Top 10 mapped
case file — 002
Full Stack Engineer Intern
Innovate Intern · Remote
Aug 2024 — Apr 2025
Focus Areas
  • Developed and deployed full-stack web applications using React, Node.js, Express, and MongoDB
  • Secure REST API design — input validation and JWT-based authentication
  • Built reusable UI components and backend services; collaborated across design, development, and QA phases of the SDLC
Tools
ReactNode.jsExpressMongoDBJWTREST APIs
Projects

Proof of Work

Real assessments, real vulnerabilities, real reports — not just CTF writeups.

file no. 001

Altro Mutual — DAST Assessment

Completed
Professional Penetration Test

Full dynamic application security assessment of a banking/financial web application. Identified 6 vulnerabilities with OWASP 2025 mapping, detailed impact analysis, and remediation recommendations.

Banking/Financial application scope
6 vulnerabilities documented with Burp evidence
Accenture-grade professional report
OWASP 2025 mapped findings
Burp Suite ProWebInspect
3H2M1L
View Report
file no. 002

USociety / VulnWebApp — Security Audit

Completed
Web Application Security Audit

Comprehensive security audit of an intentionally vulnerable web application. Combined dynamic testing with Burp Suite and static analysis using Bandit on Python source code.

13+ vulnerabilities documented
OWASP Top 10 mapping
Static + Dynamic analysis
Automated PPTX report generation
Burp SuiteBandit
file no. 003

PJ Bank — Udacity Pentest

Completed
Course Penetration Test

Capstone penetration test for Udacity's Application Security course. Full-scope 6-phase pentest across 4 targets — OSINT, RCE via a vulnerable WebDAV module, SSH key exfiltration via directory brute-forcing, and SSH brute force on a payroll server.

Udacity AppSec course capstone
Structured 6-phase pentest methodology
CVSS-rated findings + 3 executive recommendations
Full exploitation documentation
Burp SuiteMetasploitHydradirb
View Report
file no. 004

OWASP Juice Shop — Vulnerability Analysis

Completed
Security Assessment

Comprehensive vulnerability analysis of the OWASP Juice Shop — an intentionally insecure web application. Documented multiple OWASP Top 10 vulnerabilities with exploitation proof and remediation guidance.

OWASP Top 10 full coverage
XSS, SQLi, broken auth documented
Professional analysis report
Remediation recommendations included
Burp SuiteManual TestingSQLmap
4H4M2L
View Report
file no. 005

devhance.in — Repo to Case Study Tool

Completed
Web Product / Developer Tool

Live SaaS tool that converts GitHub repositories into VC-style technical case study reports. Implemented authentication, rate limiting, input sanitization, and secure API key handling.

Shipped and live at devhance.in
Authentication + rate limiting + input sanitization
Secure API key handling
Full-stack development capability
Next.jsNode.jsREST APIs
file no. 006

ExampleCorpNet — Home Pen Testing Lab

Active
Personal Cybersecurity Lab

Self-built penetration testing lab on VirtualBox with a custom network (10.10.10.0/24). Used for hands-on ethical hacking skill development and Linux exploitation practice.

Custom network topology
Active exploitation practice
Self-driven learning initiative
VirtualBoxKali LinuxManual Exploitation
Skills

Tools & Expertise

The techniques, tools, and knowledge I bring to every engagement.

AppSec Core
Web App Penetration TestingOWASP Top 10 (2025)DAST AssessmentsVulnerability ReportingCVE Research & MappingHTTP Request/Response Analysis
Vulnerability Expertise
IDORSQL InjectionXSSCSRFCryptographic FailuresSecurity MisconfigurationAuth WeaknessesSession FlawsBusiness Logic VulnsInfo Disclosure
OSINT & Recon
MaltegotheHarvesterWhatWebNetcraftShodandnsreconcrt.sh
Tools & Platforms
Burp Suite ProMetasploit FrameworkNmapHydraNiktoWiresharkKali Linux
Development
PythonJavaScript / Node.jsReact.jsMongoDBExpress.jsREST APIsGitBash
Findings

Real Vulnerabilities Found

Actual security issues identified during professional assessments — with OWASP 2025 mapping.

$ tail -f /var/log/findings.log6 entries
#VulnerabilitySeverityOWASPEndpointTechniqueTool
01Broken Access Control — IDOR on Account ListingHighA01:2025 Broken Access Control/bank/showAccount?listAccounts=800001Parameter tampering to access another user's financial dataBurp Repeater
02SQL Injection — Authentication BypassHighA05:2025 Injection/doLoginClassic auth bypass SQLi via username field — no input sanitizationBurp Repeater
03Plaintext Password TransmissionHighA04:2025 Cryptographic Failures/doLoginPassword visible as plaintext in HTTP request bodyBurp Proxy
04Sensitive Information Disclosure via Verbose ErrorMediumA02:2025 Security Misconfiguration/index.jsp?content=../WEB-INF/web.xmlPath traversal causing verbose error exposureBurp Repeater
05Outdated Apache Tomcat with Known CVEMediumA03:2025 Supply Chain FailuresServer HeaderCVE-2005-2090 — HTTP Request SmugglingBurp Proxy
06Missing Security HeadersLowA02:2025 Security MisconfigurationAll ResponsesAbsent HSTS, CSP, X-Content-Type-Options headersBurp Proxy
Broken Access Control — IDOR on Account ListingHigh
OWASPA01:2025 Broken Access Control
Endpoint/bank/showAccount?listAccounts=800001
TechniqueParameter tampering to access another user's financial data
ToolBurp Repeater
SQL Injection — Authentication BypassHigh
OWASPA05:2025 Injection
Endpoint/doLogin
TechniqueClassic auth bypass SQLi via username field — no input sanitization
ToolBurp Repeater
Plaintext Password TransmissionHigh
OWASPA04:2025 Cryptographic Failures
Endpoint/doLogin
TechniquePassword visible as plaintext in HTTP request body
ToolBurp Proxy
Sensitive Information Disclosure via Verbose ErrorMedium
OWASPA02:2025 Security Misconfiguration
Endpoint/index.jsp?content=../WEB-INF/web.xml
TechniquePath traversal causing verbose error exposure
ToolBurp Repeater
Outdated Apache Tomcat with Known CVEMedium
OWASPA03:2025 Supply Chain Failures
EndpointServer Header
TechniqueCVE-2005-2090 — HTTP Request Smuggling
ToolBurp Proxy
Missing Security HeadersLow
OWASPA02:2025 Security Misconfiguration
EndpointAll Responses
TechniqueAbsent HSTS, CSP, X-Content-Type-Options headers
ToolBurp Proxy
Certifications

Learning & Credentials

Structured formal training alongside hands-on professional work.

TryHackMe
tryhackme.com/p/shreyasku31
Active

Cybersecurity Fundamentals 101 completed — actively climbing the leaderboard

Top 5%Global Rank
96Rooms Completed
13Badges Earned
37Day Streak
eJPT
INE Security
In Progress

Practical junior penetration tester certification — actively pursuing

Certified in Cybersecurity (CC)
ISC2
In Progress

Entry-level security certification — actively pursuing

Integrated Application Security
Accenture
Completed

Internal AppSec training — DAST methodology & OWASP mapping

Progress100%
Application Security
Udacity
Completed

Capstone: PJ Bank penetration test report

Progress100%
B.E.Electronics & Instrumentation Engineering
Siddaganga Institute of Technology, Tumakuru · USN 1SI22EI027 · CGPA 7.43 · Final Year
Oct 2022 — Nov 2026
Contact

Let's Work Together

Looking for a security professional? I'm available for full-time roles, freelance pentesting, and security audits.

Whether you need a penetration test for your web application, a comprehensive security audit, or you're hiring for an AppSec role — I'd love to connect. I bring real-world Accenture experience, professional-grade reporting, and a proof-driven approach to every engagement.

Available for
Full-time AppSec Roles (Remote / Hybrid)
Freelance Penetration Testing
Web Application Security Audits
Security Consulting
Get in Touch

Prefer email? Reach me directly — I typically respond within 24 hours.

Bangalore, Karnataka, India