OPEN FOR ENGAGEMENTS · Q3 — Q4

Hi, I'm Harsh —
I break things
so you don't have to.

Independent security researcher, pentester & author. A decade in offensive security, 700+ pentests delivered across web, API, mobile, network, cloud and AI/ML systems.

View services Request a quote

Available Web · API · Cloud Mobile · Thick client AI / ML · Agentic vCISO · Advisory

HARSH BOTHRA · IN est. ~10y

Pentesting vCISO Security Advisory 1:1 Mentorship Web · API · Mobile AI / ML & Agentic Cloud Config Review Secure Code Review Internal & External Networks

10⁺

Years in industry

700⁺

Pentests delivered

Books authored

100⁺

Talks · Blogs · Mindmaps

01 — About

I'm a security researcher, pentester & author working independently — building a small, senior-led practice for organisations who want depth, not volume.

For the last ten years I've worked across nearly every surface offensive security touches — web and API, mobile and thick clients, networks and cloud, and most recently AI/ML and agentic systems. I've delivered 700+ pentests, led triage & security engineering teams, consulted on programs from scrappy startups to publicly traded enterprises, and mentored a generation of testers through writing, conference talks & 1:1 sessions.

Today I take on a limited number of pentest, vCISO, advisory and mentorship engagements at a time, with the depth of attention you can't get from a vendor.

Read full bio →

02 — Where to next

Pick your path.

Engage me directly, raid the resource archive, or pick up one of the books.

01 / SERVICES

Pentest, vCISO & Advisory.

Web, API, mobile, cloud, network, AI/ML pentests with full reporting, kick-off + read-out calls, and 3 months of free retesting baked into every engagement.

Services & pricing→

02 / RESOURCES

90+ resources

A searchable archive of every public resource I've put out.

Open archive→

03 / BOOKS

Three books

On ethical hacking, recon, and Bharat's cyber-safety future. MHRD-recommended.

See the books→

04 / MENTORSHIP

1:1 mentorship

For early-career testers & bug bounty hunters levelling up.

Apply→

05 / METHODOLOGY

How I test

A walk through the 11-step engagement pipeline.

Read methodology→

06 / CONTACT

Start a conversation.

Scope an engagement, ask about a talk, request mentorship, or just say hi — all roads lead to hbothra22@gmail.com.

Get in touch→

07 / WRITING

Long-form writing

Deep dives on cookie attacks, recon, prototype pollution, MFA bypass, and more — published with Cobalt, ProjectDiscovery & InfosecWriteups.

Read on Medium→

03 — Domains

Where I operate.

Ten years of focus across the surfaces where modern systems actually break.

web_appAuthentication, authorisation, session, business logic, OWASP-class issues, modern SPA quirksCORE
apiREST, GraphQL, gRPC, OAuth/OIDC flows, OWASP API Top 10, server-side & data-layer abuseCORE
mobileAndroid & iOS — static + dynamic analysis, runtime instrumentation, OWASP MASVSCORE
thick_clientReverse engineering, IPC abuse, local privilege issues, traffic interceptionSTRONG
networkExternal & internal pentesting, AD, lateral movement, egress & segmentation reviewSTRONG
cloudAWS / Azure / GCP configuration reviews, IAM & identity-perimeter abuseSTRONG
ai_mlLLM & agentic system pentests, prompt injection, tool abuse, supply chain & data poisoningEMERGING
code_reviewTargeted secure code review across Python, JS/TS, Java, Go, .NETSTRONG

04 — Certifications

Credentials, on paper.

Industry credentials accumulated along the way. The work speaks louder, but here they are.

CEHv10

Certified Ethical Hacker

eWPTX

Web App Pentester eXtreme

eWPT

Web App Pentester

eCPPTv2

Cert. Professional Penetration Tester

C-AL/MLPen

Certified AI/ML Pentester

// ENGAGE

Have an app, API, network or AI system that needs eyes on it?

Scoping & quotation in under 24 hours. Engagements typically start within 1–2 weeks.

Get in touch → See services

Hi, I'm Harsh — I break things so you don't have to.

Pick your path.

Where I operate.

Credentials, on paper.

Hi, I'm Harsh —
I break things
so you don't have to.