Shahid Hakim
Verified Expert in Engineering
Security Engineer and Software Developer
Bengaluru, Karnataka, India
Toptal member since November 16, 2022
Shahid is a skilled cybersecurity professional who thrives on challenges, specializing in offensive security, red teaming, threat modeling, and incident response. He is certified in ethical hacking and blockchain security and excels in strategic threat mitigation. He has documented success in creating robust security frameworks and enjoys mentoring others. With each vulnerability, Shahid uncovers advanced cybersecurity for a safer digital world.
Preferred Environment
Penetration Testing, Certified Ethical Hacker (CEH), DevSecOps, IoT Security, Access Control, Vulnerability Management, Threat Modeling, Unified Threat Management (UTM), Red Teaming, Security Architecture
The most amazing...
...project I've authored is a CVE, CVE-2023-27290, for IBM Instana, with a CVSS score of 9.1.
Work Experience
Principal Product Security Engineer
JumpCloud
- Handled security architecture of authentication standards (OAuth 2.0, OpenID Connect, SAML, JWT, Federated login), cryptography (TLS, X.509), and access control (RBAC, ABAC).
- Integrated SAST, DAST, and IAST tools, established a security-centric DevSecOps workflow, and ensured daily AWS and GCP container security monitoring, including dynamic aspects like mTLS.
- Introduced threat modeling as code with templates, incorporated OWASP risk rating, facilitated risk-based engineering decisions, and implemented gamified threat modeling using tools like Threatspec and LINDDUN GO.
- Spearheaded a PSIRT operation, reduced incident tickets, and provided weekly updates to team leaders on security initiatives, threat models, VDP reports, DevSecOps procedures, and incident management for enhanced product security.
- Led a comprehensive external penetration testing program to bolster product security, championed a "Secure by Design" culture, and integrated proactive security measures into the product engineering process.
- Specialized in Kubernetes container security and cloud-native concepts, operating enterprise solutions, collaborating on requirements, and ensuring security standards, with an IT or computer science background and a customer-centric approach.
Security Engineering Lead
6sense
- Performed threat hunting on endpoints by exploring and correlating large data sets, resulting in timely customer alerts.
- Uncovered novel attack techniques and monitored and cataloged changes in activity group tradecraft.
- Acquired new and leveraged existing knowledge of attacker tools, tactics, and procedures to improve customers' security posture.
- Investigated threats and created and maintained high detection rules while engaging and collaborating with the infra, data science, and engineering teams. Developed custom indicators of compromise (IOCs) for each group based on criticality.
- Used CrowdStrike, Jamf, JumpCloud, Office 365, Wazuh, and Rapid7 InsightVM to implement endpoint security for each user, as well as automated remediation and real-time response for each IOC and indicator of attack (IOA).
- Created threat modeling for data in transit and implemented best security practices for each microservice.
- Made maturity models and specialized security architecture add-ons for each of the 6sense vendors. Used Jira to track my work to create smooth transitions. Confluence and Slack were used to create a knowledge base for each input.
- Performed penetration testing for internal and external networks, applications, APIs, cloud assets, and red and purple team assessments. Headed a bug bounty program with a one-day or less turnaround time.
- Integrated in-depth logging and monitoring platforms and created alerts using Splunk, Sumo Logic, and CrowdStrike as threat intelligence sources. This reduced incident response time to less than seven days, thus saving money by decreasing data costs.
- Ensured timely resolution, necessary communication, and escalation of obsolete and critical infrastructure tickets by conducting QA of incidents.
Red Team Lead
Mindtree
- Started a cybersecurity center of excellence team in Mindtree and reported directly to the CTO.
- Established a research and development group with the goal of developing signature-based attacks through hypothesis-based red teaming. This process was carried out to develop IoCs for Apache Metron.
- Created security tools for SIEM, vulnerability assessment, and penetration testing with my team over the course of 3.5 years.
- Contributed to DevSecOps solutions to integrate proactive security in the CI/CD pipeline for each and every project Mindtree built.
- Developed tools that used Terraform, Qualys, and Faraday to automate red teaming solutions and DevOps processes.
- Reported vulnerable microservice configurations to more than 50 clients, including organizations with bug bounty programs.
- Received the employee of the year award for two consecutive years.
- Completed different certifications, including Computer Hacking and Forensics Investigation, Certified Data Science with SAS, and Blockchain Professional Developer.
- Developed six case studies on red teaming that were used in publications and websites. They demonstrated how Mindtree was able to stop business losses of more than $100 million by securing zero-day vulnerabilities.
- Focused on offensive cloud security, application security, IoT security, DevSecOps, cloud security, security architecture design, and secure coding practices.
Director of Security
Hackxpress
- Identified holes in networks and applications through penetration testing. Employing a strategy that differs from that of other organizations that rely on a tool-based approach, Hackxpress has a kill chain approach and stands out in its assessments.
- Reported multiple common vulnerabilities and exposures for the IBM Instana product to IBM. Received the Good Samaritan, A1-Injection, and Injector awards.
- Handled offensive security services, including scanning for vulnerabilities and producing reports to protect systems from potential attacks.
Security Engineer
Opt IT Technologies (I) Pvt
- Received systems used by ransomware attackers and created a methodology for reverse engineering them using memory analysis and signature detection.
- Built a team to handle memory forensics and security analysis and used Excel sheets every day to keep track of their progress. Reported the quarterly progress of the team to the COO and CEO.
- Collaborated with the client success team to secure the largest client ever for cybersecurity services. Billable hours completed in the second and third quarters became profitable.
- Conducted penetration testing and vulnerability assessment, which became essential services for each client during my time at Opt IT.
- Conducted Office 365 offensive security and forensic investigations for each client.
Security Analyst
Techdefence Labs
- Worked on the top ten OWASP vulnerabilities. Despite the company's small size, the staff was of high caliber and had extensive technical knowledge.
- Conducted weekly attacks on more than 100 targets, including VoIP equipment, wifi networks, and web and mobile apps. For each target, I generated a report.
- Got certified as a cybersecurity expert.
- Designed my first security tool called Android Custom ROM for Penetration Testing to do ethical hacking, penetration testing, vulnerability assessments, and command injections on mobile, web, VoIP, wifi networks, and local networks.
- Got my first bug bounty on Whirlpool India's web application.
Experience
Infrastructure and DevOps Security
Registered CVE-2023-27290
https://www.ibm.com/support/pages/node/6959969
End-to-end Network Security
Microservices Exploitation Project
IT Security Automation Toolkit
https://github.com/zipponnova/IT-Security-Automation-App
This tool covers a significant gap in the company's security posture and identifies vulnerable endpoints. It is an automated tool that uses APIs to provide real-time data and actionable items, such as integrating Slack and Jira to automate the process further. The tool also provides metrics in the form of graphs and descriptions to create a detailed report.
In-air Touch Sensor
Worked on MIDI and touch-based technologies to create innovative advertisements, instruments, home automation, and sports decision systems.
Demonstrated a white paper on animal language study through ECG interception and proximity.
Education
Bachelor's Degree in Information Technology
BMS Institute of Technology and Management - Bangalore, India
Certifications
Certified Threat Modeling Professional (CTMP)
Practical DevSecOps
Red Team Ethical Hacking
Udemy
Certified Red Team Professional
Pentester Academy
IELTS
British Council
Blockchain Essentials
IBM
Blockchain Professional Certificate
Global Skill Development Council
Computer Hacking and Forensics Investigator
EC-Council
Certificate in Data Science and SAS
Imarticus Learning
Certified Ethical Hacker
EC-Council
Certified Cyber Security Expert
Techdefence
Skills
Libraries/APIs
Java Security, Redis Queue, Spark ML, Slack API, Web MIDI, NVD3, Amazon API
Tools
Amazon EKS, Amazon CloudWatch, Amazon Athena, Amazon CloudFront CDN, SAP Security, GitHub, Confluence, Jira, Ansible, Terraform, Jenkins, Sumo Logic, Sqlmap, Checkmarx, Acunetix Vulnerability Scanner, Retina Vulnerability Scanner, Kafka Streams, Apache ZooKeeper, Bro Network Security Monitor, JavaScript Testing, VPN, Splunk, SonarQube, OWASP Zed Attack Proxy (ZAP), Amazon Elastic Container Service (ECS), Slack, Zoom, Shell, AWS CLI, Boto 3, Logging, IBM BPM, Instana, Grafana, Jamf Pro, Microsoft Intune, Amazon Virtual Private Cloud (VPC), Secure Web Gateways (SWG)
Paradigms
Penetration Testing, DevSecOps, Microservices, Microservices Architecture, API Architecture, Azure DevOps, Server Side/Client Side Object Model (SharePoint), Testing, DevOps, Secure Code Best Practices, HIPAA Compliance, Business Intelligence (BI), Automation, REST, Security Orchestration, Automation, and Response (SOAR)
Platforms
AWS Lambda, Burp Suite, CrowdStrike, Rapid7, Docker, Kubernetes, Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), Blockchain, Apache Kafka, Wazuh, Kali Linux, Linux, QualysGuard, Blockchain Platforms, Microsoft Dynamics 365
Storage
Amazon S3 (AWS S3), Data Lake Design, Data Lakes, Google Cloud, Azure Active Directory, Database Security, Cassandra, ClickHouse, Elasticsearch, SQL Injection Protection, H2 Database, Apache Hive, Memcached, Redis, Redis Cache, Secure Digital Input/Output (SDIO), MongoDB, PostgreSQL, MySQL, CockroachDB, Databases
Industry Expertise
Automotive, Cybersecurity
Languages
SAML, Python, Java, GraphQL, SQL, Python 3, Python 2, Bash Script, Bash, SAS, Embedded C, Falcon, Go
Frameworks
Spring Security, Apache Metron, Hadoop, Windows PowerShell, Presto, Apache Struts 2, Spring Microservice, Core MIDI, Flask
Other
Ethical Hacking, IoT Security, Web Security, Cloud Security, Security Design, Mobile Security, Web App Security, Server Security, Payment Security, Endpoint Security, Offensive Security, Security Architecture, Red Teaming, Threat Modeling, Container Security, Security, Amazon RDS, Amazon API, API Gateways, IT Security, CISO, Configuration Management, Information Security, Risk Assessment, Stakeholder Management, Application Security, Static Application Security Testing (SAST), IT Deployments, Security Engineering, Data Governance, IT Governance, Governance, Data Protection, Group Policy, Cloud, Auditing, PCI DSS, ISO 26262, ISO 31000, FIM, Leadership, IT Management, Risk Modeling, Enterprise Risk Management (ERM), SAML-auth, Quality Assurance (QA), Endpoint Detection and Response (EDR), Shell Scripting, Single Sign-on (SSO), CCNP Security, CCNA Security, Security Audits, Security (AES-CCM), Security Testing, Computer Security, Security Planning, Security Analysis, Security Groups, White-hat Security, Wordfence Security, Threat Analytics, Threat Intelligence, Unified Threat Management (UTM), Threat Management Gateway (TMG), Cyber Threat Hunting, Incident Management, Incident Response, MDM, Source Code Review, Secure Containers, Kubernetes Operations (kOps), Secure Coding, Secure Web Development, Secure Storage, Machine Learning, Blockchain Game Development, Dynamic Application Security Testing (DAST), Pulumi, Email Security, OWASP Top 10, OWASP, NIST, SIEM, System-on-a-Chip (SoC), SOC 2, GRC, Data Privacy, API Testing, Forensic Science, Forensics & CSI, Digital Forensics, Wireless Protocols, Cisco Wireless, VoIP Administration, Reverse Engineering, Agile DevOps, Office 365, Out of Box Experience (OOBE), SAP HR Security, Checkpoints, Palo Alto Networks, Firewalls, IDS/IPS, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Memory Leaks, Vulnerability Management, Vulnerability Assessment, Vulnerability Identification, ARM SoC, Security Operations Centers (SOC), Cryptography, Data Science, UI Testing, QA Testing, Hacking, Redis Clusters, Burp Proxy, Secure Automated Lending Technology (SALT), AWS DevOps, Web Application Firewall (WAF), Networking, Containers, Data-level Security, Zero Trust, Zero-day Vulnerabilities, Cobalt Strike, Slack App, Sandbox to Production, Security Awareness Training, Compliance, SOC Compliance, PCI Compliance, SOX Compliance, MISRA Compliance, Product Compliance, Risk & Compliance, Compliance Training, RESTful Microservices, Bug Fixes, Bug Triage, Bug Leakage, Certified Hacking Forensic Investigator (C|HFI), Artificial Intelligence (AI), English, Communication, Sensor Data, Home Automation, MIDI, Architecture, Influencers, Web Marketing, Web App Development, Teams, WhatsApp, Discord, APIs, SSL Certificates, Prometheus, Exploits, APM, Monitoring, Access Control, Authorization, Authentication, JumpCloud, Web Dashboards, Web Applications, Applications, API Applications, Web Development, Coding, IT Infrastructure, PSIRT, Risk Management, MITRE, Federated Sign-in, Jamf, Computer Literacy, Data Ethics