Shahid Hakim, Developer in Bengaluru, Karnataka, India
Shahid is available for hire
Hire Shahid

Shahid Hakim

Verified Expert  in Engineering

Bio

Shahid is a skilled cybersecurity professional who thrives on challenges, specializing in offensive security, red teaming, threat modeling, and incident response. He is certified in ethical hacking and blockchain security and excels in strategic threat mitigation. He has documented success in creating robust security frameworks and enjoys mentoring others. With each vulnerability, Shahid uncovers advanced cybersecurity for a safer digital world.

Portfolio

JumpCloud
Containers, Access Control, Amazon API, Threat Modeling, Architecture...
6sense
Ansible, Apache Hive, Apache Kafka, Apache ZooKeeper, API Testing...
Mindtree
Apache Kafka, Agile DevOps, Apache Metron, API Testing...

Experience

Availability

Part-time

Preferred Environment

Penetration Testing, Certified Ethical Hacker (CEH), DevSecOps, IoT Security, Access Control, Vulnerability Management, Threat Modeling, Unified Threat Management (UTM), Red Teaming, Security Architecture

The most amazing...

...project I've authored is a CVE, CVE-2023-27290, for IBM Instana, with a CVSS score of 9.1.

Work Experience

Principal Product Security Engineer

2023 - PRESENT
JumpCloud
  • Handled security architecture of authentication standards (OAuth 2.0, Open ID Connect, SAML, JWT, Federated login), cryptography (TLS, X.509), and access control (RBAC, ABAC).
  • Integrated SAST, DAST, and IAST tools established a security-centric DevSecOps workflow and ensured daily AWS and GCP container security monitoring, including dynamic aspects like mTLS.
  • Introduced threat modeling as code with templates, incorporated OWASP risk rating, facilitated risk-based engineering decisions, and implemented gamified threat modeling using tools like Threatspec and LINDDUN GO.
  • Spearheaded a PSIRT operation, reduced incident tickets, and provided weekly updates to team leaders on security initiatives, threat models, VDP reports, DevSecOps procedures, and incident management for enhanced product security.
  • Led a comprehensive external penetration testing program to bolster product security, championed a "Secure by Design" culture, and integrated proactive security measures into the product engineering process.
  • Specialized in Kubernetes container security and cloud-native concepts, operating enterprise solutions, collaborating on requirements, and ensuring security standards, with an IT or computer science background and a customer-centric approach.
Technologies: Containers, Access Control, Amazon API, Threat Modeling, Architecture, Secure Storage, Secure Coding, Secure Code Best Practices, Threat Analytics, Threat Management Gateway (TMG), Unified Threat Management (UTM), Web Security, Go, Agile DevOps, Secure Containers, Cloud Security, Security Operations Centers (SOC), Security Orchestration, Automation, and Response (SOAR), DevSecOps, IT Infrastructure, Penetration Testing, Red Teaming, PSIRT, Vulnerability Management, Vulnerability Assessment, Vulnerability Identification, SAML-auth, Quality Assurance (QA), Endpoint Detection and Response (EDR), Shell Scripting

Security Engineering Lead

2021 - 2023
6sense
  • Performed threat hunting on endpoints by exploring and correlating large data sets, resulting in timely customer alerts.
  • Uncovered novel attack techniques and monitored and cataloged changes in activity group tradecraft.
  • Acquired new and leveraged existing knowledge of attacker tools, tactics, and procedures to improve customers' security posture.
  • Investigated threats and created and maintained high detection rules while engaging and collaborating with the infra, data science, and engineering teams. Developed custom indicators of compromise (IOCs) for each group based on criticality.
  • Used CrowdStrike, Jamf, JumpCloud, Office 365, Wazuh, and Rapid7 InsightVM to implement endpoint security for each user, as well as automated remediation and real-time response for each IOC and indicator of attack (IOA).
  • Created threat modeling for data in transit and implemented best security practices for each microservice.
  • Made maturity models and specialized security architecture add-ons for each of the 6sense vendors. Used Jira to track my work to create smooth transitions. Confluence and Slack were used to create a knowledge base for each input.
  • Performed penetration testing for internal and external networks, applications, APIs, cloud assets, and red and purple team assessments. Headed s bug bounty program with a one-day or less turnaround time.
  • Integrated in-depth logging and monitoring platforms and created alerts using Splunk, Sumo Logic, and CrowdStrike as threat intelligence sources. This reduced incident response time to less than seven days, thus saving money by decreasing data costs.
  • Ensured timely resolution, necessary communication, and escalation of obsolete and critical infrastructure tickets by conducting QA of incidents.
Technologies: Ansible, Apache Hive, Apache Kafka, Apache ZooKeeper, API Testing, API Architecture, Amazon Web Services (AWS), AWS DevOps, Web Application Firewall (WAF), Endpoint Security, Agile DevOps, Bash, Bash Script, Burp Proxy, Burp Suite, Threat Modeling, Threat Analytics, Threat Intelligence, Threat Management Gateway (TMG), Unified Threat Management (UTM), Secure Coding, Secure Storage, Secure Containers, Secure Code Best Practices, Secure Web Development, Web Security, Java Security, Bro Network Security Monitor, Networking, Kubernetes, Containers, Docker, Rapid7, CrowdStrike, Ethical Hacking, Red Teaming, Cybersecurity, Presto, MongoDB, Data-level Security, Database Security, Offensive Security, APIs, Security, Web App Security, Mobile Security, SIEM, Confluence, Jira, Zero Trust, Python, Java, Spark ML, Apache Struts 2, SOC 2, Vulnerability Assessment, Zero-day Vulnerabilities, Vulnerability Identification, Vulnerability Management, Accunetix Vulnerability Scanner, JavaScript Testing, Cobalt Strike, VPN, Slack App, Slack API, Splunk, Sandbox to Production, Security Awareness Training, Office 365, SonarQube, OWASP Top 10, OWASP, OWASP Zed Attack Proxy (ZAP), NIST, Compliance, SOC Compliance, PCI Compliance, HIPAA Compliance, SOX Compliance, MISRA Compliance, Product Compliance, Risk & Compliance, Compliance Training, GRC, Microservices, Spring Microservice, Microservices Architecture, RESTful Microservices, Amazon Elastic Container Service (ECS), Container Security, Bug Fixes, Bug Triage, Bug Leakage, Ethical Hacking, Penetration Testing, DevSecOps, Cloud Security, Security Design, Security Architecture, Amazon API, Access Control, Amazon Athena, Amazon CloudFront CDN, Amazon CloudWatch, Amazon EKS, Amazon RDS, Amazon S3 (AWS S3), Apache Metron, API Applications, API Gateways, APM, Architecture, Artificial Intelligence (AI), Authorization, Authentication, AWS CLI, AWS Lambda, Azure DevOps, Applications, Amazon API, Amazon Virtual Private Cloud (VPC), Security Engineering, Data Governance, IT Governance, Governance, Data Protection, Group Policy, Jamf, Quality Assurance (QA), Endpoint Detection and Response (EDR), Shell Scripting

Red Team Lead

2017 - 2021
Mindtree
  • Started a cybersecurity center of excellence team in Mindtree and reported directly to the CTO.
  • Established a research and development group with the goal of developing signature-based attacks through hypothesis-based red teaming. This process was carried out to develop IoCs for Apache Metron.
  • Created security tools for SIEM, vulnerability assessment, and penetration testing with my team over the course of 3.5 years.
  • Contributed to DevSecOps solutions to integrate proactive security in the CI/CD pipeline for each and every project Mindtree built.
  • Developed tools that used Terraform, Qualys, and Faraday to automate red teaming solutions and DevOps processes.
  • Reported vulnerable microservice configurations to more than 50 clients, including organizations with bug bounty programs.
  • Received the employee of the year award for two consecutive years.
  • Completed different certifications, including Computer Hacking and Forensics Investigation, Certified Data Science with SAS, and Blockchain Professional Developer.
  • Developed six case studies on red teaming that were used in publications and websites. It demonstrated how Mindtree was able to stop business losses of more than $100 million by securing zero-day vulnerabilities.
  • Focused on offensive cloud security, application security, IoT security, DevSecOps, cloud security, security architecture design, and secure coding practices.
Technologies: Apache Kafka, Agile DevOps, Apache Metron, API Testing, Accunetix Vulnerability Scanner, Amazon Web Services (AWS), Azure, Python 3, Python 2, Web Security, IoT Security, Java Security, SAP Security, CCNP Security, CCNA Security, Web App Security, Security Groups, Security Design, Spring Security, Cloud Security, Server Security, Mobile Security, Security Testing, Payment Security, Security Audits, Database Security, Security Analysis, Endpoint Security, Computer Security, Security Planning, White-hat Security, Security (AES-CCM), Security Architecture, Blockchain, API Architecture, Data Science, H2 Database, Hadoop, Apache Hive, Vulnerability Management, Vulnerability Assessment, Vulnerability Identification, Retina Vulnerability Scanner, Penetration Testing, UI Testing, Testing, QA Testing, Ethical Hacking, Hacking, Ethical Hacking, Digital Forensics, Memcached, Redis, Redis Cache, Redis Queue, Redis Clusters, Kafka Streams, Apache ZooKeeper, Red Teaming, Windows PowerShell, Bash Script, Bash, Docker, Secure Containers, Container Security, Burp Suite, Burp Proxy, DevSecOps, DevOps, Azure DevOps, Checkmarx, Checkpoints, Cassandra, Cisco Wireless, ClickHouse, Confluence, CrowdStrike, Cryptography, Data Privacy, Dynamic Application Security Testing (DAST), Elasticsearch, Email Security, Firewalls, Forensic Science, GitHub, Google Cloud Platform (GCP), GraphQL, GRC, IDS/IPS, Incident Management, Incident Response, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Java, Jenkins, Jira, Kali Linux, Kubernetes, Kubernetes Operations (kOps), Linux, Machine Learning, MDM, Memory Leaks, Microservices, Microservices Architecture, NIST, Office 365, Ansible, OWASP, Out of Box Experience (OOBE), OWASP Top 10, Cybersecurity, Palo Alto Networks, Pulumi, Python, Rapid7, Reverse Engineering, Secure Coding, Secure Storage, Secure Web Development, Security Operations Centers (SOC), Server Side/Client Side Object Model (SharePoint), SIEM, System-on-a-Chip (SoC), SAP HR Security, Source Code Review, SQL, SQL Injection Protection, Sqlmap, Sumo Logic, Terraform, Threat Analytics, Cyber Threat Hunting, Threat Intelligence, Threat Management Gateway (TMG), Threat Modeling, Unified Threat Management (UTM), VoIP Administration, Wazuh, Wireless Protocols, Wordfence Security, Forensics & CSI, SOC 2, Secure Code Best Practices, Secure Digital Input//Output (SDIO), Secure Automated Lending Technology (SALT), QualysGuard, Offensive Security, Data Governance, IT Governance, Governance, Data Protection, Quality Assurance (QA), Endpoint Detection and Response (EDR), Shell Scripting

Director of Security

2017 - 2019
Hackxpress
  • Identified holes in networks and applications through penetration testing. Employing a strategy that differs from that of other organizations that rely on a tool-based approach, Hackxpress has a kill chain approach and stands out in its assessments.
  • Reported multiple common vulnerabilities and exposures for the IBM Instana product to IBM. Received the Good Samaritan, A1-Injection, and Injector awards.
  • Handled offensive security services, including scanning for vulnerabilities and producing reports to protect systems from potential attacks.
Technologies: Ethical Hacking, Penetration Testing, Red Teaming, Influencers, Web Marketing, Web App Development, Web App Security, IoT Security, Web Security, Mobile Security, Bug Fixes, Ethical Hacking, DevSecOps, Cloud Security, Security Design, Offensive Security, Security Architecture, Container Security, Data Governance, IT Governance, Governance, Data Protection, Endpoint Detection and Response (EDR), Shell Scripting, Threat Modeling

Security Engineer

2017 - 2017
Opt IT Technologies (I) Pvt
  • Received systems used by ransomware attackers and created a methodology for reverse engineering them using memory analysis and signature detection.
  • Built a team to handle memory forensics and security analysis and used Excel sheets every day to keep track of their progress. Reported the quarterly progress of the team to the COO and CEO.
  • Collaborated with the client success team to secure the largest client ever for cybersecurity services. Billable hours completed in the second and third quarters became profitable.
  • Conducted penetration testing and vulnerability assessment, which became essential services for each client during my time at Opt IT.
  • Conducted Office 365 offensive security and forensic investigations for each client.
Technologies: Reverse Engineering, Penetration Testing, Ethical Hacking, Ethical Hacking, DevSecOps, Azure DevOps, Agile DevOps, Office 365, Apache Metron, SIEM, Wazuh, Red Teaming, Out of Box Experience (OOBE), Server Side/Client Side Object Model (SharePoint), IoT Security, Web Security, SAP Security, CCNP Security, CCNA Security, Java Security, Cloud Security, Mobile Security, Server Security, Spring Security, Security Groups, Security Audits, Security Design, Web App Security, Payment Security, Security (AES-CCM), Security Testing, Computer Security, Security Planning, Database Security, Security Analysis, Endpoint Security, White-hat Security, Offensive Security, SAP HR Security, Checkmarx, Checkpoints, Palo Alto Networks, Firewalls, IDS/IPS, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Memory Leaks, Ansible, API Testing, Azure, Apache Kafka, Burp Suite, API Architecture, Amazon Web Services (AWS), Vulnerability Management, Vulnerability Assessment, Vulnerability Identification, Accunetix Vulnerability Scanner, Retina Vulnerability Scanner, Kali Linux, Linux, ARM SoC, System-on-a-Chip (SoC), Security Operations Centers (SOC), Cryptography, Security Architecture, Data Governance, IT Governance, Data Protection, Shell Scripting, Threat Modeling

Security Analyst

2014 - 2014
Techdefence Labs
  • Worked on the top ten OWASP vulnerabilities. Despite the company's small size, the staff was of high caliber and had extensive technical knowledge.
  • Conducted weekly attacks on more than 100 targets, including VoIP equipment, wifi networks, and web and mobile apps. For each target, I generated a report.
  • Got certified as a cybersecurity expert.
  • Designed my first security tool called Android Custom ROM for Penetration Testing to do ethical hacking, penetration testing, vulnerability assessments, and command injections on mobile, web, VoIP, wifi networks, and local networks.
  • Got my first bug bounty on Whirlpool India's web application.
Technologies: Penetration Testing, Web Security, CCNP Security, Cloud Security, IoT Security, Java Security, OWASP Top 10, OWASP, Sqlmap, SQL, SQL Injection Protection, Forensic Science, Forensics & CSI, Digital Forensics, Wireless Protocols, Cisco Wireless, Mobile Security, VoIP Administration, Security Analysis, Database Security, Server Security, Security Design, Web App Security, Ethical Hacking, DevSecOps, Offensive Security, Security Architecture, Red Teaming, Data Governance, IT Governance, Data Protection, Shell Scripting, Threat Modeling

Infrastructure and DevOps Security

The eCommerce marketplace is one of the most important aspects of the digital economy. The global eCommerce market is expected to exceed $5.6 trillion by 2023. It provides a large and diverse database that can be leveraged across industries to better understand consumer preferences and habits. When a worldwide consumer goods corporation sought to relaunch a website for one of its brands, it had to ensure that the information it handled was safe.

Registered CVE-2023-27290

https://www.ibm.com/support/pages/node/6959969
Registered a CVE-2023-27290 vulnerability for IBM Instana as I discovered that the Docker-based data stores currently do not require authentication. This vulnerability could be exploited by an attacker who has network access to the data stores, allowing them to interrogate the data stores with read/write privileges. Please check the acknowledgment for my name.

End-to-end Network Security

One of the most important aspects of air travel is getting passengers' luggage to their destinations on schedule. As a result, when the world's biggest air transport and communication company wanted to upgrade its baggage handling operations, Hackxpress stepped in to help secure the operations and make millions of customers' travels more convenient.

Microservices Exploitation Project

An adaptation tool based on the MITRE ATT&CK framework, written in Python, is used to exploit microservices. The tool first surveys all the microservices in the cloud infrastructure using a boto client and then prepares an exploit for each of the identified microservices. The first step is command and control, after which one can execute a command in another shell and perform exfiltration, which leads to lateral movement within the infrastructure.

IT Security Automation Toolkit

https://github.com/zipponnova/IT-Security-Automation-App
A Python Flask-based IT security threat-hunting application that can be used to monitor mobile device management (MDMs) versus CrowdStrike deployment. Companies that use CrowdStrike, Jamf, JumpCloud, or Microsoft Intune to monitor devices and implement CrowdStrike as endpoint security can thoroughly analyze present versus missing devices.

This tool covers a significant gap in the company's security posture and identifies vulnerable endpoints. It is an automated tool that uses APIs to provide real-time data and actionable items, such as integrating Slack and Jira to automate the process further. The tool also provides metrics in the form of graphs and descriptions to create a detailed report.

In-air Touch Sensor

Developed a touch-based decision system using MPR121 capacitive touch and paramagnetic electronic conductive paint as an aid for referees to provide final decisions for Vivo Pro Kabaddi sports. The patent for this system is submitted and pending approval.

Worked on MIDI and touch-based technologies to create innovative advertisements, instruments, home automation, and sports decision systems.

Demonstrated a white paper on animal language study through ECG interception and proximity.
2012 - 2016

Bachelor's Degree in Information Technology

BMS Institute of Technology and Management - Bangalore, India

SEPTEMBER 2023 - PRESENT

Certified Threat Modeling Professional (CTMP)

Practical DevSecOps

AUGUST 2022 - PRESENT

Red Team Ethical Hacking

Udemy

SEPTEMBER 2021 - PRESENT

Certified Red Team Professional

Pentester Academy

DECEMBER 2020 - PRESENT

IELTS

British Council

DECEMBER 2018 - PRESENT

Blockchain Essentials

IBM

DECEMBER 2018 - PRESENT

Blockchain Professional Certificate

Global Skill Development Council

DECEMBER 2018 - DECEMBER 2021

Computer Hacking and Forensics Investigator

EC-Council

APRIL 2017 - PRESENT

Certificate in Data Science and SAS

Imarticus Learning

MARCH 2016 - DECEMBER 2022

Certified Ethical Hacker

EC-Council

SEPTEMBER 2014 - PRESENT

Certified Cyber Security Expert

Techdefence

Libraries/APIs

Java Security, Redis Queue, Spark ML, Slack API, Web MIDI, NVD3, Amazon API

Tools

Amazon EKS, Amazon CloudWatch, Amazon Athena, Amazon CloudFront CDN, SAP Security, GitHub, Confluence, Jira, Ansible, Terraform, Jenkins, Sumo Logic, Sqlmap, Checkmarx, Accunetix Vulnerability Scanner, Retina Vulnerability Scanner, Kafka Streams, Apache ZooKeeper, Bro Network Security Monitor, JavaScript Testing, VPN, Splunk, SonarQube, OWASP Zed Attack Proxy (ZAP), Amazon Elastic Container Service (ECS), Slack, Zoom, Shell, AWS CLI, Boto 3, Logging, IBM BPM, Instana, Grafana, Jamf Pro, Microsoft Intune, Amazon Virtual Private Cloud (VPC), Secure Web Gateways (SWG)

Paradigms

Penetration Testing, DevSecOps, Microservices, Microservices Architecture, API Architecture, Azure DevOps, Server Side/Client Side Object Model (SharePoint), Testing, DevOps, Secure Code Best Practices, HIPAA Compliance, Business Intelligence (BI), Automation, REST, Security Orchestration, Automation, and Response (SOAR)

Platforms

AWS Lambda, Burp Suite, CrowdStrike, Rapid7, Docker, Kubernetes, Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), Blockchain, Apache Kafka, Wazuh, Kali Linux, Linux, QualysGuard, Blockchain Platforms, Microsoft Dynamics 365

Storage

Amazon S3 (AWS S3), Data Lake Design, Data Lakes, Google Cloud, Azure Active Directory, Database Security, Cassandra, ClickHouse, Elasticsearch, SQL Injection Protection, H2 Database, Apache Hive, Memcached, Redis, Redis Cache, Secure Digital Input//Output (SDIO), MongoDB, PostgreSQL, MySQL, CockroachDB, Databases

Industry Expertise

Automotive, Cybersecurity

Languages

SAML, Python, Java, GraphQL, SQL, Python 3, Python 2, Bash Script, Bash, SAS, Embedded C, Falcon, Go

Frameworks

Spring Security, Apache Metron, Hadoop, Windows PowerShell, Presto, Apache Struts 2, Spring Microservice, Core MIDI, Flask

Other

Ethical Hacking, Ethical Hacking, IoT Security, Web Security, Cloud Security, Security Design, Mobile Security, Web App Security, Server Security, Payment Security, Endpoint Security, Offensive Security, Security Architecture, Red Teaming, Threat Modeling, Container Security, Security, Amazon RDS, Amazon API, API Gateways, IT Security, CISO, Configuration Management, Information Security, Risk Assessment, Stakeholder Management, Application Security, Static Application Security Testing (SAST), IT Deployments, Security Engineering, Data Governance, IT Governance, Governance, Data Protection, Group Policy, Cloud, Auditing, PCI DSS, ISO 26262, ISO 31000, FIM, Leadership, IT Management, Risk Modeling, Enterprise Risk Management (ERM), SAML-auth, Quality Assurance (QA), Endpoint Detection and Response (EDR), Shell Scripting, Single Sign-on (SSO), CCNP Security, CCNA Security, Security Audits, Security (AES-CCM), Security Testing, Computer Security, Security Planning, Security Analysis, Security Groups, White-hat Security, Wordfence Security, Threat Analytics, Threat Intelligence, Unified Threat Management (UTM), Threat Management Gateway (TMG), Cyber Threat Hunting, Incident Management, Incident Response, MDM, Source Code Review, Secure Containers, Kubernetes Operations (kOps), Secure Coding, Secure Web Development, Secure Storage, Machine Learning, Blockchain Game Development, Dynamic Application Security Testing (DAST), Pulumi, Email Security, OWASP Top 10, OWASP, NIST, SIEM, System-on-a-Chip (SoC), SOC 2, GRC, Data Privacy, API Testing, Forensic Science, Forensics & CSI, Digital Forensics, Wireless Protocols, Cisco Wireless, VoIP Administration, Reverse Engineering, Agile DevOps, Office 365, Out of Box Experience (OOBE), SAP HR Security, Checkpoints, Palo Alto Networks, Firewalls, IDS/IPS, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Memory Leaks, Vulnerability Management, Vulnerability Assessment, Vulnerability Identification, ARM SoC, Security Operations Centers (SOC), Cryptography, Data Science, UI Testing, QA Testing, Hacking, Redis Clusters, Burp Proxy, Secure Automated Lending Technology (SALT), AWS DevOps, Web Application Firewall (WAF), Networking, Containers, Data-level Security, Zero Trust, Zero-day Vulnerabilities, Cobalt Strike, Slack App, Sandbox to Production, Security Awareness Training, Compliance, SOC Compliance, PCI Compliance, SOX Compliance, MISRA Compliance, Product Compliance, Risk & Compliance, Compliance Training, RESTful Microservices, Bug Fixes, Bug Triage, Bug Leakage, Certified Hacking Forensic Investigator (C|HFI), Artificial Intelligence (AI), English, Communication, Sensor Data, Home Automation, MIDI, Architecture, Influencers, Web Marketing, Web App Development, Teams, WhatsApp, Discord, APIs, SSL Certificates, Prometheus, Exploits, APM, Monitoring, Access Control, Authorization, Authentication, JumpCloud, Web Dashboards, Web Applications, Applications, API Applications, Web Development, Coding, IT Infrastructure, PSIRT, Risk Management, MITRE, Federated Sign-in, Jamf, Computer Literacy, Data Ethics

Collaboration That Works

How to Work with Toptal

Toptal matches you directly with global industry experts from our network in hours—not weeks or months.

1

Share your needs

Discuss your requirements and refine your scope in a call with a Toptal domain expert.
2

Choose your talent

Get a short list of expertly matched talent within 24 hours to review, interview, and choose from.
3

Start your risk-free talent trial

Work with your chosen talent on a trial basis for up to two weeks. Pay only if you decide to hire them.

Top talent is in high demand.

Start hiring