Web & API Penetration Testing · Offensive Security Consulting

Zishan Ahamed Thandar

Offensive Security Expert and Ethical Hacker helping SaaS, startups, and enterprises discover and fix real-world vulnerabilities in their web applications, APIs, and infrastructure — before attackers do.

Hack The Box — Top 10 (Legacy) · TryHackMe — Top 5% · 150+ Valid Vulnerabilities Reported · 20+ Security Hall of Fame Mentions

Based in Kolkata, India · Working with clients worldwide · Web / API / Infrastructure / Active Directory Security · Bug Bounty Hunter on HackerOne & selected private programs

Services

How I Help Secure Your Business

Cyber Security Consultancy

End-to-end manual web application penetration testing and API & backend security testing aligned with OWASP, focused on authentication, authorization, access control, business logic, and the real attacker-style exploitation paths that matter to your business. High-creativity, adversarial assessments informed by years of bug bounty experience across 50+ programs. Ideal when you want research-grade findings and complex chains, not just a basic vulnerability scan.

Web Apps & Portals · OWASP Top 10 & Beyond

Notes, Training & Mentoring

Structured, battle-tested notes and guidance for certifications and red-team learning. Designed for professionals who want to move from theory to hands-on offensive security skills.

Practical Study Notes · 1:1 Mentoring & Guidance

Open Source & Sponsorship

Maintaining and improving open-source security projects that speed up recon, testing, and learning for the wider security community. Sponsorship helps me dedicate more time to building better tools.

Support My Security Work

Hall of Fame & Recognitions

Trusted by Global Organizations

Recognized over twenty times by international organizations for impactful, responsible disclosure that helped protect millions of users and critical systems.

…and additional organizations across technology, education, and government sectors that have trusted my work to improve their security posture.

Experience

Publicly Verifiable Security Research

Independent Security Researcher & Bug Bounty Hunter

2018 — Present · HackerOne · Yogosha

Conducted independent security research across real-world production systems, responsibly disclosing high-impact vulnerabilities including access control flaws, authentication issues, stored XSS, and complex business logic vulnerabilities.

Recognized through public Hall of Fame acknowledgements and verified reports on industry-standard vulnerability disclosure platforms.

Bug Bounty · Web & API Security · Responsible Disclosure

Projects

Security Tools & Learning Resources

Hacker Proxy Pro (Firefox Add-on)

Lightweight Firefox extension used by security professionals to toggle quickly between Burp Suite proxy and TOR, reducing setup overhead and keeping one browser dedicated to offensive security work.

Firefox WebExtension · Burp & TOR Routing

Hackify

Bash script that automates installation of common wordlists and penetration testing tools on Debian-based systems, so new lab or VPS environments are ready for testing with a single command.

Bash · Debian

WebsiteDorkerPro

OSINT and recon tool for red teamers, bug bounty hunters, and web app pentesters to quickly generate dorks, discover exposed endpoints, and map attack surfaces around a target domain.

OSINT & Recon Automation · Python Package

CyberTerminus (Firefox Theme)

Sleek, hacker-inspired Firefox dark theme with deep blacks and neon highlights in green, cyan, and sharp red — mirroring the glow of a terminal. Designed for coders, ethical hackers, and cyberpunk lovers who live in the browser.

Firefox Theme · Neon Terminal Palette

Testimonials

Feedback from Security Teams

“We greatly appreciate your effort in disclosing a security vulnerability responsibly and confirming the fix.”

Sai Prasad, Instamojo

“Thanks for your hard work, Zishan!”

AT&T

“We appreciate you bringing this to our attention.”

Edmodo

“Thank you for bringing the following vulnerability to our attention.”

Kate M Jeary, University of Cambridge

Contact

Let’s Secure Your Application

If you need a professional Web or API penetration test, a bug bounty style assessment, or help improving your security posture, share a brief about your application and timelines. I typically respond within 24 hours with next steps.

Download Professional Resume