From curious tinkering
to breaking real systems.

I'm Harshdeep Athawale, a security engineer and offensive security researcher. I find and report critical vulnerabilities across web and mobile targets, and I care about the full picture: clear reproduction, real impact, and remediation that actually holds.

The best security work is reproducible, honestly scoped, and written so the defender can fix it the same day.
CuriousRelentlessMethodicalEthical

Location

Pune, India

Status

Open to security roles

Focus

AppSec · Bug Bounty · Mobile

How it started

It started with a simple question that wouldn't leave me alone: how does software actually break? I'd pull apart apps just to see what assumptions they made — and which ones I could violate. That curiosity pulled me straight into security.

At Thapar Institute, coursework was only half the story. The other half was late nights on TryHackMe labs, reading disclosed reports, and learning to think like an attacker. The grind compounded — 230+ labs and a 300+ day streak into the Top 1% worldwide.

Bug bounty changed everything. Hunting real programs on HackerOne and Intigriti — Goldman Sachs, Flipkart, Coca-Cola, Red Bull — taught me that finding a bug is the easy part. Proving impact, writing a report a stranger can reproduce, and scoring it honestly is the craft. A Critical CVSS 9.1 at Red Bull and an unauthenticated API leaking 892 employees' PII drove that home.

Now I work across the offensive and defensive sides — vulnerability research, mobile security, and GRC (SOC 2, ISO 27001) at Iris Intelligence. I'm still learning fast, and I'm doing it by breaking things and writing it up.

How I work

Impact over noise

A finding only matters if it has real, demonstrable impact. I prove exploitability before I ever write the word 'critical'.

Reproducible or it didn't happen

Every report ships with clear steps, a working PoC, and a CVSS score the triager can verify in minutes.

Map the whole chain

Single bugs are fine; chains are where it gets interesting. IDOR to ATO, source-map leak to OAuth theft, dep-confusion to RCE.

Stay ethical

Scope is sacred. I only test what I'm authorized to, and I report to defenders before anyone else.

Beyond the bugs

Outside of hunting, you'll find me grinding CTFs and labs, reading disclosed reports, and reverse-engineering apps just to understand how they tick. I like learning in public and sharing what actually worked.

I'm drawn to engineers who combine deep technical depth with clear communication — because in security, the report is the product.

Let's connect

Whether you want to collaborate, talk security, or just say hi — I'd love to hear from you.