ADVISORY — CLASSIFICATION: PUBLIC

SUBHANKAR
PAUL

Security Analyst 

B.Sc. graduate in Advanced Networking and Cyber Security, finding and reporting real-world vulnerabilities through bug bounty programs and VDPs — with a track record that includes helping secure teams at Jio, Sony, NASA, BBC and Honda.

Base: Kolkata, IN Rank: Top 1% THM Pro Hacker · HTB
0Companies secured
0Official acknowledgments
Top 1%TryHackMe global rank

01 — Profile

About me

I'm a cybersecurity practitioner focused on Vulnerability Assessment and Penetration Testing, with expertise spanning web application, API, and network pentesting, bug bounty hunting, pentest lab design, and AWS security.

I completed my graduation in Advanced Networking and Cyber Security, and I'm constantly expanding my skills in this fast-moving field — currently working as an Information Security Analyst, and previously writing up findings for publications like OSINT Team.

Phone+91 912XXXXXXX
LocationKolkata, India
LinkedIn/in/starlox

02 — Capability map

My skills

Security

Bug Hunting VAPT Ethical Hacking Web Security API Security Network Security

Programming & Scripting

Bash Python

Tools & Technologies

AWS Linux Postman Windows Nessus Burp Suite Metasploit

03 — Selected work

Projects

MailSnipe

An all-in-one tool to detect phishing emails by automatically analyzing email headers, embedded URLs, and attachments.

PythonFlaskHTMLCSSJavaScript
View repository →

CVE-2024-24919 POC

Proof-of-concept for a critical LFI / path traversal vulnerability in Check Point's CloudGuard Network Security appliance. Written in Bash to automate identification and exploitation.

BashSecurity
View repository →

Reverse Shell Generator

A Python CLI tool for pentesters and CTF players to quickly generate reverse shell commands in multiple languages for various use cases.

PythonCTF
View repository →

Race Condition Lab

A lab environment demonstrating race condition vulnerabilities — how concurrent access to shared resources leads to business logic bypass and inconsistent behavior.

PythonHTMLCSS
View repository →

04 — Timeline

Experience

JAN 2026 — PRESENT

Information Security Analyst - I

Astra Security — Remote

  • Conducted hacker-style penetration testing on web applications and APIs, identifying and reporting critical vulnerabilities.
  • Performed network penetration testing to assess security posture and uncover potential attack vectors.
  • Engaged in penetration testing for high-value POC clients, supporting successful onboarding of new projects.
APR 2025 — NOV 2025

Cyber Security Analyst

Zettawise Consulting Pvt. Ltd — Kolkata

  • Performed VAPT of web applications and APIs, uncovering and reporting critical vulnerabilities.
  • Created internal documentation and SOPs to standardize and improve security processes.
  • Worked with the Cypherpath SDI platform to build cybersecurity training labs and simulation environments.
JAN 2025 — MAR 2025

Cybersecurity Intern

Rootnik Labs — Kolkata

  • Conducted Vulnerability Assessment and Penetration Testing.
  • Performed web application penetration testing to identify security flaws.
  • Prepared detailed vulnerability reports with remediation recommendations.
  • Actively solved CTF challenges to sharpen offensive security skills.

05 — Track record

Achievements

Secured companies via Bug Bounty & VDP

Responsibly disclosed vulnerabilities across a range of programs, including:

JioSonyNASAGEA GroupBBCHondaEstonia GovernmentSprinklrHackerRankIndependerAudioStack

Acknowledgement letters — NASA, Drexel University & U.S. DoED

Received official acknowledgment letters for responsibly disclosing security vulnerabilities through their Vulnerability Disclosure Programs.

Pro Hacker rank on Hack The Box

Multiple CTFs and Fortress machines solved, demonstrating advanced penetration testing and real-world exploitation skills.

Global Top 1% on TryHackMe

Ranked in the global top 1%, reflecting depth across ethical hacking, VAPT, and advanced real-world challenges.

Publications featured in OSINT Team

Published cybersecurity and scripting write-ups on Medium, featured in publications including OSINT Team.

06 — Education

Education

B.Sc in Advanced Networking & Cyber Security

Swami Vivekananda University, Barrackpore, Kolkata

2022 – 2025

Higher Secondary

Halisahar Ramprasad Vidyapith

2022

Class X

Halisahar Ramprasad Vidyapith

2020

Certifications

Certifications

  • CRTACyberWarFare Labs
  • Cyber Security and Ethical HackingArdent Computech
  • Bash Scripting MasteryUdemy
  • OWASP API Security Top 10APISec University
  • Advent of Cyber 2021 / 2023 / 2024TryHackMe
  • Hackfinity CTFTryHackMe
  • Industrial-Intrusion CTFTryHackMe

Trainings & courses

Trainings & courses

TryHackMe Security Paths

  • Jr Penetration Tester
  • Web Fundamentals
  • Web Application Pentesting

HackTheBox Academy

  • SQL Injection Fundamentals
  • Linux Command Line & Shell
  • Windows Fundamentals
  • Active Directory
  • File Inclusion Attacks
  • Network Traffic Analysis

Udemy Security Courses

  • Intro to Bug Bounty Hunting & Web App Hacking (NahamSec)
  • Bash Mastery

PwnedLabs

  • Intro to AWS Hacking
  • AWS Exploitation Scenarios
  • Attacks on S3, IAM, DynamoDB, EC2, Lambda

PortSwigger

  • Server-side attacks (SQLi, XXE, SSRF, Race Condition, Command Injection)
  • Client-side attacks (XSS, CSRF, CORS)
  • Advanced web attacks (Web Cache Poisoning, JWT Attacks)

07 — Write-ups

Latest writing

Next.js middleware auth bypass illustration

How One Header Broke Next.js Auth — CVE-2025-29927

How injecting the x-middleware-subrequest header lets attackers bypass middleware-based authorization checks entirely.

Read on Medium →
AWS cloud CTF illustration

Hacking the Cloud: Unveiling Secrets in AWS CTF Challenges

A hands-on walkthrough of cloud pentesting scenarios from TryHackMe's Hackfinity Battle Encore CTF.

Read on Medium →
SQL injection illustration

When One Isn't Enough: Multiple SQL Injections in 1 VDP

How targeted Google Dorks uncovered several SQL injection vulnerabilities in a single VDP program.

Read on Medium →
View all posts on Medium

08 — Reach out

Get in touch

Open to security analyst and penetration testing roles, bug bounty collaborations, or just talking shop about a recent finding. The fastest way to reach me is email.

Copied to clipboard