Skip to main content
Susovan Garai

5+ years operationalizing security across web, API, mobile, cloud, and AI/LLM systems. 200+ assessments delivered. Approximately 40% reduction in client security incidents. Public bug bounty recognition: Dell Technologies, Government of India.

01 / 06 — AI / AGENTIC SECURITY

Adversarial testing for LLMs and agents.

MAESTRO threat modeling and OWASP LLM Top 10 applied to production AI features. Proof-of-concept exploits validating prompt injection, indirect injection, RAG pipeline weaknesses, model abuse, and agentic tool-use risks before production. AI security tooling evaluated and integrated into CI for continuous posture validation.

  • OWASP LLM Top 10
  • MAESTRO
  • MCP Security
  • Prompt Injection Testing
  • RAG Security Review
  • AI Posture Management
  • Agentic Threat Modeling

02 / 06 — DEVSECOPS + INFRASTRUCTURE AS CODE

Security checks where code lives.

SAST, SCA, secret scanning, and AI security checks embedded into CI/CD via GitHub Actions and Jenkins. Paved security standards built into feature delivery. Security gates that ship without slowing sprint velocity. Approximately 15% reduction in SCA false positives through CVSS-based prioritization. IaC and pipeline hardening practices keep configuration drift and supply-chain risk visible at PR time.

  • CI/CD Security
  • SAST
  • SCA
  • Secret Scanning
  • AI Security in CI
  • GitHub Actions
  • Jenkins
  • Pipeline Hardening
  • Shift-Left

03 / 06 — APPLICATION SECURITY

Manual + automated. Web, API, mobile.

200+ assessments delivered across Banking, E-commerce, Healthcare, and Enterprise verticals — approximately 40% client incident reduction. 50+ secure code reviews across Java, Python, JavaScript, and Ruby. OWASP Top 10, OWASP API Security Top 10, and ASVS-driven testing, validated manually with PoC exploits — not scanner output forwarded.

  • Web Pentest
  • API Pentest
  • Mobile Pentest (Android/iOS)
  • OWASP Top 10
  • OWASP API Top 10
  • ASVS
  • Secure Code Review
  • PoC Exploit Development
  • WebSocket Security
  • Webhook Security
  • Business Logic Testing

04 / 06 — CLOUD SECURITY

Cloud-native + WAF + CNAPP. Findings validated.

Hands-on with AWS-native security services, IAM privilege escalation review, S3 misconfiguration analysis, EKS hardening, ACM certificates, and Secrets Manager. Led WAF vendor evaluation across four platforms; led CNAPP evaluation across 5+ vendors. Cloud findings are manually validated — false positives stop here, not at the engineer's desk.

  • AWS Security Services
  • Cloud-Native Security Monitoring
  • Threat Detection
  • IAM Privilege Escalation
  • S3 Misconfig Analysis
  • EKS Hardening
  • WAF / Edge Security
  • CNAPP
  • Secrets Management
  • ACM Certificate Management

05 / 06 — VULNERABILITY MANAGEMENT + RISK

From scanner output to risk-ranked action.

End-to-end vulnerability lifecycle across SAST, SCA, secret scanning, CNAPP, cloud, WAF, and AI scan findings. Manual validation. CVSS-based prioritization. Remediation coordinated with engineering — not thrown over the wall. Internal VAPT and risk assessments across applications and APIs, with PoC evidence and structured remediation guidance.

  • CVSS
  • Risk-Based Prioritization
  • False-Positive Reduction
  • Internal VAPT
  • Risk Assessment
  • Remediation Tracking
  • PoC Evidence
  • Compliance Evidence

06 / 06 — THREAT MODELING

STRIDE for systems. MAESTRO for agents.

Threat modeling on product architecture and FSD documents — catching defense-in-depth, secure data handling, and cryptographic issues before they ship. STRIDE for traditional services. MAESTRO for LLM and agentic systems. Architecture and design review built into feature delivery to prevent high-severity issues from reaching production.

  • STRIDE
  • MAESTRO
  • Architecture Review
  • FSD Review
  • Secure-by-Design
  • Defense-in-Depth
  • Data Flow Diagram
  • Trust Boundary Analysis