ADVISORY — CLASSIFICATION: PUBLIC
SUBHANKAR
PAUL
Security Analyst
B.Sc. graduate in Advanced Networking and Cyber Security, finding and reporting real-world vulnerabilities through bug bounty programs and VDPs — with a track record that includes helping secure teams at Jio, Sony, NASA, BBC and Honda.
01 — Profile
About me
I'm a cybersecurity practitioner focused on Vulnerability Assessment and Penetration Testing, with expertise spanning web application, API, and network pentesting, bug bounty hunting, pentest lab design, and AWS security.
I completed my graduation in Advanced Networking and Cyber Security, and I'm constantly expanding my skills in this fast-moving field — currently working as an Information Security Analyst, and previously writing up findings for publications like OSINT Team.
02 — Capability map
My skills
Security
Programming & Scripting
Tools & Technologies
03 — Selected work
Projects
MailSnipe
An all-in-one tool to detect phishing emails by automatically analyzing email headers, embedded URLs, and attachments.
View repository →CVE-2024-24919 POC
Proof-of-concept for a critical LFI / path traversal vulnerability in Check Point's CloudGuard Network Security appliance. Written in Bash to automate identification and exploitation.
View repository →Reverse Shell Generator
A Python CLI tool for pentesters and CTF players to quickly generate reverse shell commands in multiple languages for various use cases.
View repository →Race Condition Lab
A lab environment demonstrating race condition vulnerabilities — how concurrent access to shared resources leads to business logic bypass and inconsistent behavior.
View repository →04 — Timeline
Experience
Information Security Analyst - I
Astra Security — Remote
- Conducted hacker-style penetration testing on web applications and APIs, identifying and reporting critical vulnerabilities.
- Performed network penetration testing to assess security posture and uncover potential attack vectors.
- Engaged in penetration testing for high-value POC clients, supporting successful onboarding of new projects.
Cyber Security Analyst
Zettawise Consulting Pvt. Ltd — Kolkata
- Performed VAPT of web applications and APIs, uncovering and reporting critical vulnerabilities.
- Created internal documentation and SOPs to standardize and improve security processes.
- Worked with the Cypherpath SDI platform to build cybersecurity training labs and simulation environments.
Cybersecurity Intern
Rootnik Labs — Kolkata
- Conducted Vulnerability Assessment and Penetration Testing.
- Performed web application penetration testing to identify security flaws.
- Prepared detailed vulnerability reports with remediation recommendations.
- Actively solved CTF challenges to sharpen offensive security skills.
05 — Track record
Achievements
Secured companies via Bug Bounty & VDP
Responsibly disclosed vulnerabilities across a range of programs, including:
Acknowledgement letters — NASA, Drexel University & U.S. DoED
Received official acknowledgment letters for responsibly disclosing security vulnerabilities through their Vulnerability Disclosure Programs.
Pro Hacker rank on Hack The Box
Multiple CTFs and Fortress machines solved, demonstrating advanced penetration testing and real-world exploitation skills.
Global Top 1% on TryHackMe
Ranked in the global top 1%, reflecting depth across ethical hacking, VAPT, and advanced real-world challenges.
Publications featured in OSINT Team
Published cybersecurity and scripting write-ups on Medium, featured in publications including OSINT Team.
06 — Education
Education
B.Sc in Advanced Networking & Cyber Security
Swami Vivekananda University, Barrackpore, Kolkata
2022 – 2025
Higher Secondary
Halisahar Ramprasad Vidyapith
2022
Class X
Halisahar Ramprasad Vidyapith
2020
Certifications
Certifications
- CRTACyberWarFare Labs
- Cyber Security and Ethical HackingArdent Computech
- Bash Scripting MasteryUdemy
- OWASP API Security Top 10APISec University
- Advent of Cyber 2021 / 2023 / 2024TryHackMe
- Hackfinity CTFTryHackMe
- Industrial-Intrusion CTFTryHackMe
Trainings & courses
Trainings & courses
TryHackMe Security Paths
- Jr Penetration Tester
- Web Fundamentals
- Web Application Pentesting
HackTheBox Academy
- SQL Injection Fundamentals
- Linux Command Line & Shell
- Windows Fundamentals
- Active Directory
- File Inclusion Attacks
- Network Traffic Analysis
Udemy Security Courses
- Intro to Bug Bounty Hunting & Web App Hacking (NahamSec)
- Bash Mastery
PwnedLabs
- Intro to AWS Hacking
- AWS Exploitation Scenarios
- Attacks on S3, IAM, DynamoDB, EC2, Lambda
PortSwigger
- Server-side attacks (SQLi, XXE, SSRF, Race Condition, Command Injection)
- Client-side attacks (XSS, CSRF, CORS)
- Advanced web attacks (Web Cache Poisoning, JWT Attacks)
07 — Write-ups
Latest writing
How One Header Broke Next.js Auth — CVE-2025-29927
How injecting the x-middleware-subrequest header lets attackers bypass middleware-based authorization checks entirely.
Read on Medium →
Hacking the Cloud: Unveiling Secrets in AWS CTF Challenges
A hands-on walkthrough of cloud pentesting scenarios from TryHackMe's Hackfinity Battle Encore CTF.
Read on Medium →
When One Isn't Enough: Multiple SQL Injections in 1 VDP
How targeted Google Dorks uncovered several SQL injection vulnerabilities in a single VDP program.
Read on Medium →08 — Reach out
Get in touch
Open to security analyst and penetration testing roles, bug bounty collaborations, or just talking shop about a recent finding. The fastest way to reach me is email.