Suraj Bhosale
Senior Security Engineer · Application Security · DevSecOps · Offensive Security Automation · Dubai, UAE
Building defenses with an attacker’s mindset
10+ years across banking, fintech, cloud, and enterprise platforms — web, API, mobile, and cloud-native systems.
I focus on finding real, exploitable risk and fixing it with engineering-friendly, production-grade controls — from secure design and threat modeling to code review, testing, and CI/CD guardrails.
What you’ll find here: my structured AppSec knowledge base (depth-first), reporting style,
and a competency-based study plan — built to help you learn, interview, and apply security in real systems.
Contact & Profiles
| Channel | Details |
|---|---|
| Email | surajbhosale@outlook.com |
| Phone | +971 50 694 6202 |
| LinkedIn | linkedin.com/in/suraj-bhosale-876b2937 |
| GitHub | github.com/cybertron10 |
| HackerOne | hackerone.com/surajbhosale |
| Medium | surajbhosale10.medium.com |
| YouTube | youtube.com/@SurajBhosale222 |
Impact highlights
Enterprise AppSec: security reviews across web apps, mobile apps, APIs, microservices, and internal platforms;
threat modeling (STRIDE) and architecture reviews; evidence-driven reporting and remediation roadmaps.
DevSecOps: integrate SAST/DAST/SCA, container scanning, and secrets detection into CI/CD;
tighten feedback loops without slowing delivery.
Offensive depth: real-world bug bounty research (Hall of Fame / CVEs) used to build attacker-realistic test cases
and strengthen preventive controls.
Current focus
Senior Security Engineer · Dubai (Oct 2023 – Present)
- Container and Kubernetes security reviews; image hardening, RBAC, and network policies.
- Deep-dive web and API testing (authN/authZ, business logic abuse, BOLA, token issues).
- Secure code review (SAST + manual) and security automation at scale.
- Threat modeling and architecture reviews with engineering teams; risk-based remediation planning.
Experience timeline
Senior Security Engineer — Dubai (2023 → Present)
- Enterprise AppSec across banking platforms: web, API, mobile, microservices, internal systems.
- API security: BOLA, mass assignment, excessive data exposure, rate-limits, JWT mistakes.
- DevSecOps: SAST/DAST/SCA, container scanning, secrets detection, CI/CD security gates.
- Threat modeling (STRIDE), architecture reviews, control validation for WAF/gateways/proxies.
Senior Security Engineer — FinTech (2022 → 2023)
- AppSec assessments for high-volume payments/wallets/merchant portals/APIs and partner integrations.
- Manual testing across auth, session management, business logic flaws, transaction abuse.
- Secure code review (SAST + manual) and CI/CD security integration.
- Triage/validation of bug bounty submissions; exploitability-first approach.
Application Security Mentor — SaaS/Healthcare (2020 → 2022)
- Secure SDLC coaching; secure design/coding guidance; pre-production security validation.
- Built automation + internal knowledge base; hands-on mentoring.
- Threat modeling, risk assessments, and compliance support.
Penetration Testing Consultant — Web/Mobile/API/Network/Cloud (2016 → 2020)
- Full-scope penetration testing; exploit validation; high-quality reporting and retesting.
- Work aligned with regulated environments (PCI-DSS, banking/fintech, SaaS).
Certifications & recognition
- eWPTXv2 — eLearnSecurity Web Application Penetration Tester eXtreme
- CVE credits — CVE-2021-28294, CVE-2021-28295
- Hall of Fame / Bounty — recognition across global enterprise and public programs
How I work: I prioritize evidence, exploitability, and business impact — then drive fixes that prevent recurrence,
not just “patch the symptom”.
Selected security research & tooling
A sample of the kind of automation I build (for scale + reliability).
- Headless XSS scanner (Go + Playwright) — crawling + injection validation with WAF awareness.
- Template-driven hunting — Nuclei / Jaeles-style templates for repeatable detection.
- CI/CD security controls — practical pipelines for SAST/DAST/SCA/container scanning/secrets detection.