From curious tinkering
to breaking real systems.
I'm Harshdeep Athawale, a security engineer and offensive security researcher. I find and report critical vulnerabilities across web and mobile targets, and I care about the full picture: clear reproduction, real impact, and remediation that actually holds.
The best security work is reproducible, honestly scoped, and written so the defender can fix it the same day.
Location
Pune, India
Status
Open to security roles
Focus
AppSec · Bug Bounty · Mobile
How it started
It started with a simple question that wouldn't leave me alone: how does software actually break? I'd pull apart apps just to see what assumptions they made — and which ones I could violate. That curiosity pulled me straight into security.
At Thapar Institute, coursework was only half the story. The other half was late nights on TryHackMe labs, reading disclosed reports, and learning to think like an attacker. The grind compounded — 230+ labs and a 300+ day streak into the Top 1% worldwide.
Bug bounty changed everything. Hunting real programs on HackerOne and Intigriti — Goldman Sachs, Flipkart, Coca-Cola, Red Bull — taught me that finding a bug is the easy part. Proving impact, writing a report a stranger can reproduce, and scoring it honestly is the craft. A Critical CVSS 9.1 at Red Bull and an unauthenticated API leaking 892 employees' PII drove that home.
Now I work across the offensive and defensive sides — vulnerability research, mobile security, and GRC (SOC 2, ISO 27001) at Iris Intelligence. I'm still learning fast, and I'm doing it by breaking things and writing it up.
How I work
Impact over noise
A finding only matters if it has real, demonstrable impact. I prove exploitability before I ever write the word 'critical'.
Reproducible or it didn't happen
Every report ships with clear steps, a working PoC, and a CVSS score the triager can verify in minutes.
Map the whole chain
Single bugs are fine; chains are where it gets interesting. IDOR to ATO, source-map leak to OAuth theft, dep-confusion to RCE.
Stay ethical
Scope is sacred. I only test what I'm authorized to, and I report to defenders before anyone else.
Beyond the bugs
Outside of hunting, you'll find me grinding CTFs and labs, reading disclosed reports, and reverse-engineering apps just to understand how they tick. I like learning in public and sharing what actually worked.
I'm drawn to engineers who combine deep technical depth with clear communication — because in security, the report is the product.