Security Operator III · Interactive Brokers · Remote

Hi, I'm Mahendra and I'm a Penetration Tester

6+ years breaking systems · 3 CVEs · 200+ organizations secured.

ORGS 0+ Secured
CVEs 0 Disclosed
EXP 0+ Years
HOF 0+ Entries
34.1526° N, 77.5771° E ↑ 3,524 m · Ladakh, Himalayas 46.0207° N, 7.7491° E ↑ 2,690 m · Gulmarg, Kashmir

01 / About

A bit about me.

I've always been fascinated by the intricate dance between technology and security. My journey began with curiosity about how systems work — that curiosity became a passion for uncovering hidden vulnerabilities within complex environments.

As Security Operator III at Interactive Brokers, I lead red team engagements, build AI/LLM-powered security tooling, and deliver internal training. My background with Rajasthan Police Cyber Cell grounds me in both technology and human behavior. Off-screen: Royal Enfields through Himalayan passes, ridgelines at dawn, snowboards in Gulmarg.

02 / Credentials

Certifications & CVEs.

Click any badge to view the credential.

CVE Disclosures

03 / Experience

Where I've operated.

  1. Security Operator III

    Interactive Brokers · Remote

    Mar 2021 — Present

    Penetration Tester → Sr. Penetration Tester (Jan 2025) → Security Operator III (Jan 2026)

    Red TeamAI/LLM SecurityWeb · Mobile · API · ADPurple Team
    • Leads full-scope APT-style red team engagements — LotL, credential harvesting, lateral movement, C2 operations.
    • Architected an LLM-powered Offensive Reporting Framework cutting turnaround ~60%.
    • Built an AI Threat Intelligence Platform ingesting CVE feeds, MITRE ATT&CK TTPs, and dark web signals.
    • Conducts AI/LLM red team assessments: prompt injection, jailbreaking, model inversion, data exfiltration.
    • Full-spectrum pentesting: Web, Mobile, Thick-Client, REST/GraphQL APIs, Active Directory, Network.
    • Drives Purple Team exercises translating offensive findings into SIEM rules, EDR tuning, IR playbooks.
  2. Security Researcher

    HackerOne & Bugcrowd · Freelance

    Jul 2019 — Present
    Bug Bounty3 CVEsIDOR · RCE · SSRF
    • Valid reports submitted to 200+ organizations.
    • Discovered and disclosed CVE-2020-28838, CVE-2020-35397, CVE-2020-36115.
    • Recognized by Google, Tesla, Mastercard, Dell, US DoD, and 45+ others.
  3. Cyber Crime Case Investigator

    Rajasthan Police · Rajsamand, India

    Dec 2019 — Aug 2020
    Digital ForensicsOSINTCyber Crime
    • Investigated digital fraud, hacking, and online offenses — evidence from computers, mobile devices, network logs.
    • File system analysis, memory forensics, network traffic analysis to identify threat actors.
    • Authored forensic reports; provided expert technical testimony in judicial proceedings.
  4. Security Researcher Intern

    Cyber Octet Pvt. Ltd. · Ahmedabad

    Nov 2019 — Apr 2020
    • VAPT on web applications and network infrastructure for client organizations.
    • R&D on emerging CVEs, exploitation techniques, and evasion against modern controls.
    • Delivered cybersecurity training; authored structured assessment reports.
AmbassadorMay 2025 — Present

APISec University · Remote

Promoting API security awareness through events, workshops, and educational content.

Crew MemberOct 2021 — Oct 2022

Security BSides Ahmedabad

Conference logistics, speaker coordination, and attendee experience.

04 / Capabilities

Core competencies.

Web, API & Mobile Penetration TestingOWASP Top 10 · REST/GraphQL · iOS/Android MASVS · Thick-Client
Red Team & Adversary SimulationAPT-style TTPs · LotL · C2 ops · Lateral movement · Persistence
AI / LLM SecurityPrompt injection · Jailbreaking · Model inversion · Data exfiltration via AI
Active Directory AttacksKerberoasting · AS-REP · Pass-the-Hash · DCSync · GPO Abuse · BloodHound
Bug Bounty Research200+ valid reports · HackerOne & Bugcrowd · 3 CVEs · since Jul 2019
Security Tool DevelopmentJSHawk · Nuclei templates · LLM reporting framework

Arsenal

Tools & stack.

Offensive Tools

Burp Suite ProMetasploitCobalt StrikeImpacketBloodHoundMimikatzResponderCrackMapExecEvil-WinRMFridaMobSF

Recon & Scanning

NucleiJSHawkNmapWiresharkSQLmapOWASP ZAP

Frameworks & Dev

MITRE ATT&CKOWASP Top 10PTESCVSS / CVE / CWEPythonBashPowerShell

05 / Projects

Things I've built.

Open Source · CreatorGitHub ↗

JSHawk

Context-aware JavaScript security scanner — hunts exposed credentials, API keys, endpoints, and sensitive data in JS files. Widely used for offensive assessments and bug bounty.

17 starsPythonSecret DetectionBug Bounty
IBKR Internal

LLM Offensive Reporting Framework

LLM-driven tool auto-generating pentest reports, risk matrices, and executive summaries. Cut reporting overhead by ~60%.

~60% fasterAI / LLMCVSS Automation
IBKR Internal

AI Threat Intelligence Platform

Aggregates CVE data, MITRE ATT&CK TTPs, and dark web signals into prioritized actionable intelligence for proactive attack surface management.

Threat IntelMITRE ATT&CKDark Web
ContributorGitHub ↗

Nuclei Templates

YAML-based detection templates contributed to ProjectDiscovery's Nuclei scanner, used by thousands of security researchers globally.

NucleiYAMLVulnerability Detection

06 / Recognition

Hall of fame.

50+ recognized disclosures across Bugcrowd, HackerOne, and direct security programs.

07 / Content

Mahendra Podcast.

Security education in Hindi & English — red team techniques, CVE breakdowns, community discussions. 5.27k+ subscribers · 51k+ views · 60+ episodes.

From the writeups.

Latest from Medium — vulnerability breakdowns, bug bounty methodology, security research.

fetching articles…

08 / Testimonials

What people say.

"Deep investigations, clear steps to reproduce, intelligent responses to questions/criticisms, patient and kind attitude. Excellent."

Private Teamvia HackerOne · 2 months ago

"Mahendra is an absolute rockstar when it comes to hacking. Whether it's red teaming, web app testing, mobile app, or anything in between. He's sharp, creative, and always ready to tackle tough problems."

Brett StaniforthSenior Red Team · LinkedIn · May 2025

"Mahendra proved he is a real external asset to us by finding a few vulnerabilities in our system. He sent examples and a detailed, thoughtful, descriptions. All that I'm looking for in a white hat hacker."

Reem ShermanCTO at StreamElements · LinkedIn · August 2020

"You reported some issues regarding our website that are vulnerabilities. You reported this in a responsible manner. Your findings and knowledge are a great help to us. I'm happy to refer you to anyone interested in your professional manner."

Gert-Jan HartelustManaging Partner · Dutch Dare International · September 2019

"Well written report"

Stripo Incvia HackerOne · 6 years ago

Testimonials anonymized per client confidentiality. Full references available on request.

Beyond the Terminal

Life off-screen.

Security by profession. Mountains by obsession.

Ladakh, Himalayas
Motorcycle Ladakh, Himalayas 34.1526° N · 77.5771° E · ↑ 3,524 m
Snowboarding, Gulmarg Kashmir
Snowboarding Gulmarg, Kashmir 46.0207° N · 7.7491° E · ↑ 2,800 m
Trekking, Rajasthan
Trekking Aravalli Hills, Rajasthan 25.1792° N · 73.4119° E · ↑ 1,220 m
Golden hour ridgeline
Hiking Golden Hour Ridgeline 24.5854° N · 73.7125° E · ↑ 1,890 m

09 / Contact

Let's talk security.

Reach out for red team engagements, AI security consulting, bug bounty collaboration, content partnerships, or speaking opportunities.

Rajsamand, Rajasthan, India · Valid B1/B2 US Visa available for onsite engagements.

mahendrapurbia19@gmail.com