Shambhi Reddy Reddy

Application Security Engineer

Hyderabad, India · 3+ yrs exp · Profile score 88 · Excellent

About

Application Security Engineer with 3.9 years of hands-on experience delivering end-to-end VAPT across Web, Android, API, and Cloud (AWS) environments at HCLTech for enterprise Health, Banking, Entertainment, and E-Commerce clients. Skilled in manual exploitation of OWASP Top 10 and API Top 10 vulnerabilities, going beyond what automated scanners can detect. Recognized by NASA, WHO, RBI, Flipkart, Nokia, Indian Railways, EC-Council, UNESCO, and 50+ global organizations for responsible vulnerability disclosure and inducted into their Hall of Fame programs.

Skills & Expertise (34)

VAPT: Advanced, 8.5/10, 3.9 years exp
API: Advanced, 8.0/10, 3.9 years exp
Manual Testing: Advanced, 8.0/10, 3.9 years exp
Burp Suite Pro: Advanced, 8.0/10, 3.9 years exp
Web Applications: Advanced, 8.0/10, 3.9 years exp
OWASP ZAP: Intermediate, 7.5/10, 3.9 years exp
Kali Linux: Intermediate, 7.0/10, 3.9 years exp
SQLmap: Intermediate, 7.0/10, 3.9 years exp
Nuclei: Intermediate, 6.5/10, 3.9 years exp
Metasploit: Intermediate, 6.5/10, 3.9 years exp
Other skills: CVSS v3.1, Postman, OWASP API Top 10, BOLA, BFLA, JWT Attacks, Mass Assignment, OWASP Top 10, Frida, GDPR, Ubuntu, Windows, Android Studio, Objection, apktool, MobSF, JADX, Dev Tools, Nikto, Nmap, HCL AppScan, Source Code Review, DAST, Android

Work Experience

Software Engineer (Application Security)

HCLTech

Aug 2022 - Present

Delivered end-to-end VAPT engagements for enterprise Health, Entertainment and E-Commerce clients, manually identifying and exploiting business logic flaws, auth bypass, XSS, SSRF, CSRF, IDOR, file upload vulnerabilities and SQL injection that automated scanners consistently missed.

Executed DAST using Burp Suite Pro and HCL AppScan with thorough false-positive triage; assessed REST APIs against the OWASP API Top 10, uncovering BOLA, BFLA, JWT weaknesses, OAuth misconfigurations, and rate-limiting bypass.

Conducted Android application security assessments using JADX for static analysis and Frida for dynamic instrumentation, identifying SSL pinning bypass, hardcoded secrets, insecure data storage, and vulnerable exported components.

Performed deep manual business logic testing, exploiting payment validation bypass, price manipulation, coupon abuse, multi-step process bypass, and broken access controls that no automated tool flagged.

Participated in STRIDE threat modelling sessions for critical business applications; enforced OWASP Top 10 and GDPR compliance across assessments; maintained monthly vulnerability dashboards to track remediation progress.

Produced CVSS v3.1-rated pentest reports with detailed PoC, reproduction steps, and developer-facing remediation advice; mentored junior security analysts and partnered with Dev, DevOps, and QA teams to validate fixes within Agile sprint cycles.

Education

BSc (Computing & Design) - BITS Pilani, WILP

2022 - 2026 · Afghanistan

Intermediate (MPC) - APSWREIS

2019 - 2021 · Afghanistan

Certifications

No certifications added yet

Profile Score Breakdown

📷 Photo 10/10
📄 Resume 10/10
💼 Job Title 10/10
✍️ Bio 10/10
🛠️ Skills 20/20
🎓 Education 10/10
⏱️ Experience 13/15
💰 Rate 0/5
🏆 Certs 0/5
Verified 5/5
Total Score 88/100

Profile Overview

Member since Jun 2026