Available for Hire · New Delhi

DEEPAK KUMAR MAURYA

Results-driven DevSecOps Engineer securing enterprise cloud infrastructure at Lenskart. OSCP & CEH certified. 5+ years of full-spectrum penetration testing across web, API, mobile, and network surfaces.

☁️ AWS Hardened: 80% ↓ Risk
🛡️ WAF Domains: 50+
🔬 Systems Pentested: 300+
🌐 API Attacks Tested: OWASP Top 10
⚙️ CI/CD Secured: 100%
🏦 Bank Audits Led: 2× UIDAI
📱 Mobile Apps Tested: 30+
🏅 CEH v11: EC-Council
Award: Star of Qtr
What I Do

Security Services

End-to-end security engineering across cloud, application, and network attack surfaces.

// 01
☁️
Cloud & AWS Security
Full AWS posture management — IAM hardening, VPC security, KMS encryption, GuardDuty, Security Hub, Wiz CSPM. 80% misconfiguration reduction achieved at Lenskart.
AWS IAM · GuardDuty · Wiz/CSPM · CloudTrail · SSM
// 02
🛡️
Cloudflare WAF & Zero Trust
Protecting 50+ domains with Cloudflare WAF, custom firewall rules, Zero Trust ZTNA, DNS security, HSTS, DNSSEC, and DDoS mitigation.
Cloudflare WAF · Zero Trust · DNSSEC · ZTNA
// 03
🔬
Web & API Penetration Testing
300+ systems tested. SQLi, XSS, CSRF, SSRF, BOLA/BFLA, JWT attacks, GraphQL introspection abuse. Full OWASP Top 10 & API Top 10 coverage.
OWASP Top 10 · API Top 10 · BOLA/BFLA · JWT
// 04
⚙️
CI/CD Pipeline Security
SAST (SonarQube, Checkmarx), DAST, SCA, container scanning (Trivy/Grype), OPA Conftest for IaC, secrets management via HashiCorp Vault & AWS Secrets Manager.
SonarQube · Trivy · OPA · Vault
// 05
📱
Mobile & Network VAPT
Android & iOS testing — SSL pinning bypass, APK reverse engineering, static/dynamic analysis, insecure storage, deep-link hijacking. Network pentesting with lateral movement.
Android/iOS · Frida · APK RE · Nessus
// 06
📋
Compliance & Governance
UIDAI compliance audits for major banks, vendor security onboarding, DPAs, CIS Benchmarks, OWASP Top 10, and Secure SDLC implementation across regulated industries.
UIDAI · CIS Benchmarks · Vendor Security · SDLC
Work History

Work Experience

Lenskart Solutions
DevSecOps Engineer
Oct 2024 — Present · New Delhi
● Current
AKS IT Services
Information Security Consultant
Mar 2021 — Sep 2024 · Noida
3.5 Years
GNIOT College, Greater Noida
B.Tech — Computer Science
2017 – 2021
DevSecOps Engineer
Lenskart Solutions Pvt. Ltd. · New Delhi
Oct 2024 — Present · Full-Time · Cloud · AppSec · Infra Security
80% Misconfigs Reduced
50+ Domains Secured
3mo Time to Impact
100% Pipeline Coverage
☁️ AWS Cloud Security & Posture Management
Reduced Lenskart's AWS cloud misconfigurations by 80% within 3 months — drove end-to-end posture hardening using Wiz, AWS Security Hub, GuardDuty, and custom remediation runbooks across dev, staging, and prod environments.
Architected and enforced least-privilege IAM strategy across all AWS accounts — rewrote 100+ overly-permissive IAM roles/policies, implemented SCPs via AWS Organizations, and enforced MFA on all human and service accounts.
Secured VPC configurations with Security Group hardening, NACLs, VPC Flow Logs, and private subnet isolation for all sensitive workloads. Implemented cross-account trust with scoped role delegation.
Configured KMS encryption for all S3 buckets, RDS instances, EBS volumes, and SSM parameters — eliminated all unencrypted storage findings. Set up bucket policies, ACL restrictions, and S3 Block Public Access org-wide.
Deployed AWS CloudTrail + CloudWatch Alarms for real-time detection of suspicious API calls, root account usage, policy changes, and S3 data exfiltration attempts — integrated with alerting pipelines for sub-5-minute incident triage.
Manage threat detection using GuardDuty findings piped into SIEM — triaged 200+ findings, created suppression rules for false positives, and maintained a <24-hr SLA for critical alerts.
AWS IAM · AWS VPC · AWS KMS · AWS S3 · AWS RDS · AWS EC2 · GuardDuty · Security Hub · CloudTrail · CloudWatch · AWS SSM · AWS Organizations · AWS Config · Wiz CSPM · Netskope DLP
🛡️ Cloudflare WAF, DNS & Zero Trust
Built and continuously tune Cloudflare WAF protecting 50+ domains and subdomains — crafted custom firewall rules targeting OWASP Top 10, volumetric DDoS, credential stuffing, bad-bot traffic, and API abuse patterns with <0.1% false-positive rate.
Implemented Cloudflare Zero Trust ZTNA (Cloudflare Access) for all internal admin panels and developer tooling — eliminated external VPN exposure, enforced identity-aware access with SSO integration, and applied device posture checks.
Manage the full DNS security lifecycle: DNSSEC signing, DMARC/SPF/DKIM enforcement, CAA records, HSTS preloading, and TLS 1.3-only policies across all 50+ domains — zero domain-related security incidents since implementation.
Configured rate limiting, geo-restriction, IP reputation blocking, and Cloudflare Page Rules to reduce automated attack traffic by over 70% across customer-facing endpoints — monitored using Cloudflare Analytics dashboards.
Integrated Cloudflare DDoS L3/L4/L7 protection and Bot Management — defined custom bot score thresholds, challenge rules, and JS injection policies to maintain availability during volumetric attack events.
Cloudflare WAF · Cloudflare Access · Zero Trust ZTNA · DNS/DNSSEC · HSTS · Rate Limiting · Bot Management · DDoS Protection · Geo-Restriction · IP Reputation
⚙️ CI/CD Pipeline Security & DevSecOps
Integrated SAST (SonarQube, Checkmarx), SCA (OWASP Dependency-Check), and DAST into Jenkins and GitHub Actions pipelines — implemented quality gates that block builds on critical/high severity findings, reducing vulnerabilities reaching staging by 90%.
Deployed Trivy and Grype container image scanning into every Docker/K8s deployment pipeline — enforce hard-fail policies for images with CVSS ≥7.0 CVEs, maintain golden base-image registry, and track CVE remediation SLAs per team.
Implemented OPA Conftest policies for Kubernetes manifests and Terraform IaC — block deployments with privileged containers, hostNetwork access, root user execution, or missing resource limits before they reach production.
Centralized secrets management using HashiCorp Vault + AWS Secrets Manager — eliminated 100% of hardcoded credentials from codebases, implemented dynamic secrets rotation, and enforced Vault agent sidecar injection for Kubernetes workloads.
Conduct weekly Security Gate Reviews with engineering leads — review pipeline findings, triage false positives, define remediation deadlines by severity (P1: 24hr, P2: 7d, P3: 30d), and track metrics via DORA + security KPI dashboards.
SonarQube · Checkmarx · Trivy · Grype · OWASP Dep-Check · OPA Conftest · Jenkins · GitHub Actions · HashiCorp Vault · AWS Secrets Manager · Docker · Kubernetes · Terraform · ArgoCD · Helm
🔬 Application Security & Vendor Governance
Perform quarterly VAPT on Lenskart's web apps, mobile apps (Android/iOS), REST/GraphQL APIs, and internal admin portals — deliver detailed reports with CVSS scores, PoC evidence, and step-by-step remediation guidance for development teams.
Conduct Secure Code Reviews for all high-risk features — review against OWASP Top 10 and SANS Top 25 using both automated SAST tools and manual analysis; track findings to closure with dev teams via Jira security board.
Own vendor security onboarding end-to-end — issue security questionnaires, review DPAs and API contracts, scope network access (IP allowlisting, dedicated VPC endpoints), and conduct pre-go-live penetration tests on all integration points.
Manage bug bounty triage and responsible disclosure — validate external researcher submissions, reproduce findings, assign CVSS severity, coordinate with product teams for fixes, and communicate timelines to researchers within 48 hours.
Burp Suite Pro · OWASP ZAP · Nuclei · Postman · Nmap · Wireshark · tcpdump · Jira · Confluence · Metasploit
Information Security Consultant
AKS IT Services Pvt. Ltd. · Noida
Mar 2021 — Sep 2024 · 3.5 Years · VAPT · Compliance · Secure Code Review
300+ Systems Tested
2 Bank Audits Led
Star of Quarter
5+ Industry Verticals
🌐 Web Application & API Penetration Testing
Conducted 300+ VAPT engagements across web applications, REST and GraphQL APIs per OWASP Top 10 and OWASP API Top 10 — delivered full-scope reports with executive summaries, CVSS scoring, PoC evidence, and remediation playbooks.
Exploited SQL Injection (Union-based, Blind Boolean/Time, Out-of-Band via DNS/HTTP) using SQLMap and manually crafted payloads — achieved database dump, authentication bypass, and OS command execution across multiple client systems.
Executed XSS attacks (Reflected, Stored, DOM-based), CSRF token bypass, Clickjacking via missing frame policies, and Open Redirect chains — leveraged for session hijacking, credential theft, and phishing simulation in full-scope assessments.
Exploited SSRF, XXE, and SSTI vulnerabilities to access cloud metadata endpoints (EC2 IMDS, GCP metadata), read internal files, perform port scanning on internal networks, and in one case achieve RCE via SSTI in Jinja2/Twig templates.
Discovered and exploited IDOR and Broken Access Control flaws — accessed other users' PII, financial records, and admin functions; demonstrated horizontal/vertical privilege escalation with full PoC evidence across 40+ client applications.
Performed OWASP API Top 10 assessments — identified BOLA/BFLA (unauthorised object/function access), Mass Assignment, Broken Authentication, JWT algorithm confusion (RS256→HS256, none-alg), API Key enumeration, and GraphQL introspection / batching abuse.
Identified and demonstrated Business Logic vulnerabilities — negative pricing attacks, coupon/referral abuse, race conditions in financial transactions, and multi-step workflow bypass across fintech and e-commerce client applications.
Advanced web techniques executed: HTTP Request Smuggling (CL.TE / TE.CL), Subdomain Takeover (dangling DNS CNAME to unclaimed S3/GitHub/Heroku), Insecure Deserialization (Java, PHP, Python pickle), Host Header injection, and Web Cache Poisoning.
Burp Suite Pro · SQLMap · XSStrike · OWASP ZAP · Nuclei · Amass · Subfinder · ffuf · Nikto · Postman · Insomnia · JWT Tool · GraphQL Cop · Arjun · Caido
📱 Mobile Application Security (Android & iOS)
Performed Android VAPT including APK reverse engineering (jadx, apktool, JADX-GUI), decompilation for hardcoded secrets, API key extraction, and insecure data storage (SharedPreferences, SQLite, external storage, logcat leakage).
Bypassed SSL Pinning on Android and iOS apps using Frida scripts and Objection framework — intercepted encrypted HTTPS traffic through Burp Suite for full API security testing on production and pre-production builds.
Executed dynamic analysis using MobSF, Frida, and Drozer — identified runtime code execution vulnerabilities, exported activity abuse, insecure IPC via Content Providers, and deep-link hijacking enabling account takeover.
Conducted iOS security assessments on IPA files — analyzed plist configurations, Keychain storage misuse, ATS (App Transport Security) bypass, and binary protections (jailbreak detection bypass, anti-debugging circumvention via Frida).
Identified insecure WebView implementations — JavaScript injection via addJavascriptInterface, file:// URI access, universal XSS through WebView, and intent redirection vulnerabilities enabling phishing and local file disclosure.
Frida · Objection · MobSF · Drozer · apktool · jadx · Burp Suite · Charles Proxy · ADB · Genymotion · iOS Jailbreak · Checkra1n · APK Analyzer
🖧 Network Pentesting & Thick Client Testing
Executed full-scope network penetration tests — reconnaissance (Nmap, Masscan, Shodan), vulnerability scanning (Nessus, OpenVAS), exploitation (Metasploit, manual), post-exploitation lateral movement, and privilege escalation across internal and external networks.
Performed Active Directory attacks — AS-REP Roasting, Kerberoasting (hashcat cracking), Pass-the-Hash (Mimikatz, Impacket), DCSync attacks, BloodHound enumeration for attack path analysis, and NTLM relay (Responder + NTLMrelayx).
Exploited network-level vulnerabilities: SMB relay attacks, EternalBlue (MS17-010), PrintNightmare, LLMNR/NBT-NS poisoning, and ARP spoofing for MitM traffic interception — documented full kill chains with remediation for each.
Conducted thick client / desktop application testing — traffic interception via Wireshark and Echo Mirage, memory analysis for credential extraction, DLL hijacking, insecure file handling, local privilege escalation, and binary reversing (x64dbg, Ghidra).
Nmap · Masscan · Metasploit · Responder · Impacket · Nessus · OpenVAS · Mimikatz · BloodHound · CrackMapExec · Wireshark · tcpdump · x64dbg · Ghidra · Shodan
📋 Secure Code Review & Compliance
Performed comprehensive source code reviews for web, mobile, and desktop applications — identified hardcoded secrets, injection sinks, insecure cryptographic implementations, missing authentication checks, and race conditions using both SAST tooling (SonarQube, Semgrep) and manual analysis.
Led UIDAI compliance audits across Healthcare, Financial, and Energy sectors — including 2 major Indian banking engagements. Assessed data handling, access control, encryption at rest/transit, audit logging, and incident response capabilities against regulatory requirements.
Authored executive-grade security assessment reports — structured with management summaries, risk ratings (CVSS v3.1), vulnerability descriptions, attack scenarios, PoC screenshots/videos, and prioritized remediation roadmaps. Zero report rejection rate across all client engagements.
Awarded ★ Star of the Quarter at AKS IT Services — recognized for exceptional client satisfaction scores, zero-rework report quality, and consistent on-time delivery across simultaneous multi-client engagements spanning banking, healthcare, and energy sectors.
SonarQube · Semgrep · Checkmarx · Bandit · ESLint Security · Brakeman · FindSecBugs · OWASP Top 10 · SANS Top 25 · UIDAI Guidelines · CIS Benchmarks · CVSS v3.1
Impact

Key Achievements

Systems Audited
300+
Web apps, APIs, mobile, desktop, network across 5 years.
Cloud Hardening
80%
Misconfig reduction at Lenskart within 3 months.
Star of the Quarter
Awarded at AKS IT Services for extraordinary delivery quality.
WAF Coverage
50+
Lenskart domains and subdomains shielded by custom Cloudflare WAF ruleset against OWASP Top 10, DDoS, and bot traffic.
Banking Compliance
Major bank UIDAI compliance audits led across Healthcare, Financial, and Energy sectors with full regulatory adherence.
HTB Writeups
72+
Walkthroughs on ethicalhacs.com
OSCP Boxes
42+
OSCP-style machine writeups
Years XP
5+
In information security
Network Devices
300+
Network infrastructure assessments
Arsenal

Tool Stack

Burp Suite Pro · Nessus / OpenVAS · Metasploit · OWASP ZAP · Nuclei · SQLMap · Amass / Subfinder · Nmap / Masscan · Wireshark · SonarQube · Checkmarx · Trivy / Grype · GuardDuty · Wiz CSPM · Cloudflare WAF
HashiCorp Vault · OPA Conftest · Docker / Kubernetes · BloodHound · Netskope DLP · Frida / Objection · Terraform · Responder · XSStrike / Nikto · GitHub Actions · Jenkins · AWS SSM · tcpdump
Credentials

Certifications

OSCP
Offensive Security · 2023
24-hour hands-on exam requiring proof of compromise across multiple machines. Validates advanced penetration testing, privilege escalation, and professional reporting under real exam conditions.
CEH
EC-Council · v11 · 2021
Certified Ethical Hacker v11. Comprehensive coverage of ethical hacking methodology, attack phases, offensive tooling, and countermeasures across network, web, and system security domains.
AD
Active Directory · Udemy · 2023
Deep-dive into Active Directory attack and defense — enumeration, Kerberoasting, Pass-the-Hash, BloodHound analysis, and enterprise hardening for production environments.
Research & Writing

Blog & Writeups

72+
HackTheBox Walkthroughs

Hands-on cybersecurity research on ethicalhacs.com — covering Linux, Windows, BSD & Android HTB machines, DVWA exploit guides, and OSCP-style writeups since 2020.

42+
OSCP Boxes
5+
DVWA Guides
Research
Let's Talk
LET'S BUILD TOGETHER.

Open to DevSecOps roles, cloud security consulting, and penetration testing engagements. Based in New Delhi — remote & hybrid globally.

OPEN TO CONSULTING & FULL-TIME ROLES

Ready to deploy — AWS hardening, WAF configuration, full-spectrum VAPT, threat modeling, and DevSecOps implementation. Let's discuss your security needs.
