Click here to check my new App to find my notes and blogs -
notes.advaitpathak.com
About
A little something about me!
I am an Offensive Security professional based out of Boston. With an MS in Cybersecurity from NYU and 3+ years of experience in the field, I specialize in Cloud Security, Network PenTesting, Web/API security. Looking to transition into Red Teaming and emerging Security domains
My technical journey has led me to conduct over 90 high-stakes assessments, where I’ve focused on unmasking critical vulnerabilities like SSRF, SQLi, RCEs, IAM misconfigurations, more. I think that security is not just about finding flaws, but about creating resilient, secure architectures.
When I’m not deep in a terminal, I'm producing music, hitting some weights, catching a sport.
Here are a few things I've done!
Work
Experience
Assocaite Consultant, Synopsys/Black Duck/Ultraviolet Cyber June '23 - Present
- Executed 90+ offensive security engagements (Cloud, APIs, Web Apps, Networks) for Fortune 500 clients; identified critical vulnerabilities (HTTP Request Smuggling, SSRF, AuthN/AuthZ bypasses, session flaws, cloud misconfigs) using Burp Suite Pro, Nessus, NMAP, Semgrep SAST with manual code review, automated scanners.
- Transitioned to Cloud Security team; led 30+ AWS-specific pentesting engagements with 100% on-time delivery, uncovering high-severity issues (IAM privilege escalation, service misconfigs, CloudWatch log poisoning), and VPC exposure, via threat modeling, IAM policy/account reviews, source code reviews (Semgrep), and log analysis.
- Led end-to-end penetration testing for 30+ engagements, managing the full lifecycle from scoping calls to client readout sessions with Service Owners, Senior Engineers to explain findings and remediation plans; independently resolved escalations/roadblocks (WAF blocks, API documentation gaps, hardware integration).
- Developed Python automation scripts and internal documentation to streamline deliverable uploads, knowledge transfer, and team processes - saving ~40 minutes per engagement across 50+ engagements.
- Acted as Technical Oversight (TO) on ~12 engagements, ensuring client communication, technical guidance, and quality standards; mentored 10+ assessors on methodologies/tooling/reporting. Contributed to training materials; delivered internal training sessions on HTB boxes, CPTS journey.
- Ranked 1st out of 110 participants in the internal hacking competition, presented a walkthrough to Consultants and Interns.
Security Intern, Synopsys May '22 - August '22
- Performed network penetration testing on a financial company's internal infrastructure manually using tools like NMAP, ldapsearch, Responder and with Nessus for automated testing. Assisted in report writing for the vulnerabilities found.
- Scanned for vulnerabilities on a web application by performing manual testing methods based on the OWASP checklist and automated testing using Netsparker & Burp Suite Pro. Triaged the scan results and found a DNS exfiltration vulnerability.
- Contributed, by finding a null byte vulnerability, in the HTB Business CTF 2022 (Ranked 26th/326).
- Deployed a Jenkins pipeline to integrate various tools - Truffle hog, OWASP dependency checker, SonarQube, OWASP ZAP, in the build process to secure the application with DevSecOps.
- Encrypted S3 buckets using KMS with key rotation and set up CloudTrail to log all data events for the S3 bucket. Setup the AWS secrets engine in hashicorp vault on an EC2 instance to manage keys. Configured Amazon GuardDuty and Lambda to update the AWS WAF WebACLs and VPC Network ACLs in response to GuardDuty findings and alarm with AWS SNS.
New York University
Course Assistant, Operational Technology Security Sept '22 - Dec '22- Graded assignments based on MATLAB, CODESYS and provided feedback to students for better conceptual understanding.
Course Assistant, Network Security Oct '21 - Dec '21
- Graded assignments based on Wireshark, mitmproxy and provided feedback to students for better conceptual understanding.
Cyber Fellow, Offensive Security, Incident Response, and Internet Security Lab (OSIRIS Lab)
- Monitored the 18th Annual CSAW '21 Capture the Flag competition hosted by OSIRIS and participated in by 1200+ teams.
- Ranked in the top 8% out of 1550+ players by completing OSIRIS web-exploitation CTF track.
Intern, LeadLife
- Analyzed, translated user requirements for the web application & its security to the developers & proposed a cost-time estimate.
- Strategized the process and workflow changes to streamline and reduced the site's accessing time by 20%.
- Content writing and development for go-to-market readiness
Certifications and Training
- Google x Hack The Box - AI Red Teamer Path (IN PROGRESS)
- PWNEDLabs - Google Cloud Red Teaming (IN PROGRESS)
- Hack The Box - Certified Penetration Testing Specialist (CPTS)
- Hack The Box - DANTE - Pro-Lab
- Hack The Box - BlackSky: HailStorm Pro-Lab (AWS Red Teaming)
- Hashicorp Certified Terraform Associate - HCTAO-003
- AWS Certified Solutions Architect - Associate
- AWS Certified Cloud Practioner
- CompTia PenTest+
Hack The Box
Details: My Hack The Box Profile
- Completed over 50 machines on Hack The Box.
- CPTS
- Pro-Labs: DANTE
- Pro-Labs: P.O.O
- Pro-Labs: BlackSky: HailStorm (AWS Red Teaming)
Projects
My Resume Challenge + Blog Serverless App
View Portfolio WebsiteView Blog/Notes Website
View GitHub Repository
- Architected a serverless website/blog using Route 53 (custom domain + DNSSEC), ACM/KMS for HTTPS/TLS, S3 (static hosting), and CloudFront (global CDN + security headers); automated deployment via GitHub Actions to S3 + CloudFront
- Built API Gateway + Lambda backend to increment DynamoDB visitor counter; enforced least-privilege IAM roles using IAM Access Analyzer and implemented secure architecture best practices throughout.
CVE-2024-46987
- Camaleon CMS Authenticated Path Traversal / Arbitrary File Read
- Exploit Script created in python that allows a logged-in user (even with low privileges) to read arbitrary files on the server
To Be Continued..
TryHackMe
Paths completed:
- Beginner
- Web Application Hacking
- PenTest+
- Through CTFs, topics like OWASP TOP 10, Juice Shop, Windows/Linux Hacking, OSINT, PrivEsc, Networking and more are learned and experienced
Noteable for me at a time
Paper Publication
- “Secure Authentication using Zero-Knowledge Proof”, IEEE AsiaCon, 2021
- “Bibliometric survey on Zero-Knowledge Proof for Authentication”, DigitalCommons - University of Nebraska, Lincoln, 2021
- “A Survey on Methodologies for Intensifying the Security in the IoT Environment”, Journal of Critical Review, Vol 7, Issue 19, 2020.
Google Cloud Program
- Participated in the ‘Google Cloud Program’ at our college and won Google Merchandise for the same
TryHackMe
- Appeared in the ‘Top 20 – India’ for the month of November 2020
- 45-Day Hacking streak
Music Recognition
- Music supported by international artists like Syzz, R3SPAWN, Maurice West and more
Many more to follow..
Other Certs
GCP Security
- Studied the fundamentals of Google Cloud Platform and performed assignments in the GCP environment relating to security, ACLs, deployment
Practical Hacking by Heath Adams
- Modules like Networking, Scanning, Methodologies, AD, Wireless, Exploitation, Post EXP are taught by the renowned Security Researcher Heath Adams
Hacking with Python
- Created tools for various situations in the security field using Python (used libraries like scapy, optparse, subprocess etc.)
Online Anonymity, Privacy and Security
- Accessing dark net, private communication over the internet, how Cryptocurrencies work and using TailsOS for maximum anonymity
Windows/Linux Server Management
- Studied Kerberos, Active Directory and Access Control pertaining to Windows and Linux
NVIDIA - Fundamentals of Deep Learning
View Certs
What i do
My Skills
Consolidated
Security
- Network/Web/API PenTesting, OWASP Top 10, Active Directory Security, Exploit Development, Privilege Escalation (Linux/Windows), Red Teaming, Adversarial emulation, MITRE ATT&CK, Threat Modeling.
Cloud
- IAM misconfigurations, S3/EC2/Lambda/VPC Hardening, CloudWatch/CloudTrail/GuardDuty Analysis, WAF Bypasses, AWS CLI Techniques, Google Secure AI Framework (SAIF).
Tools
- Burp Suite Pro (DAST), Nmap, BloodHound, bloodyAD, Metasploit, SQLmap, C2 Sliver, Nessus, Ghidra.
Code
- Semgrep (SAST), Python, Bash, PowerShell, Git, Docker, Jenkins, Insomnia, CI/CD Security.
Security
Kali
NMap
Metasploit
Burp Suite
Networks
OSINT
Programming
Data Structures
Python
C++
Bash
C
SQL
CLOUD STUFF
Web Development
HTML5
CSS3
Javascript
Bootstrap
PHP
UI/UX
OS Stuff
Linux
Windows
Android
Tails OS
Fl Studio
Trying to give back
Blogs
Publications
My Blog App
- Living document for my notes and machine writeups.
- Contains notes on Active Directory, OS Pentesting, Wep Application Security. Has writeups for Linux, Windows boxes and other Pro-Labs.
- I enjoy writing notes/writeups/blogs as it gives me clarity on my thoughts. Should have done this earlier.
- Check out a few stories I have written.
- Hope to write more blogs in the future. Do check out.