Open to Senior / Lead roles globally

Anirudh Makkar

Application Security Engineer  ·  Security Program Builder  ·  Bug Bounty Researcher

7+ years building and leading AppSec programs for cloud-native platforms processing sensitive PII. From threat modeling and secure architecture to AI/LLM security and real-world exploitation.

About

Security leader.
Program builder.

Not just a tester. An engineer who builds the infrastructure that makes organizations measurably more secure.

I'm an Application Security Engineer based in Gurgaon, India, currently leading the establishment of the AppSec program at Atlys — a cloud-native platform processing sensitive PII and government immigration documentation. I'm building it from the ground up: vulnerability management infrastructure, automated scan orchestration, AI-assisted penetration testing, and a company-wide bug bounty program.

Before Atlys, I delivered application security consulting at Certus Cybersecurity across financial services, SaaS, and large-scale internet platforms. At ZS Associates, I built reusable security patterns and automated SAST/DAST triage pipelines that reduced remediation noise by 25%.

Outside of work I actively hunt bugs on Bugcrowd and HackerOne. I've been recognised by Tesla, Dell Technologies, Under Armour, Philips, BBC, Mastercard, the Department of Homeland Security, and received an appreciation from NCIIPC, Government of India for responsible disclosure. I published CVE-2026-7665 in June 2026 via Wordfence.

VAPT · Threat Modeling · Secure SDLC · LLM Security · Cloud Security · DevSecOps · Bug Bounty · DPDP / GDPR · Mobile Security · CI/CD Security

Core proficiency
  • Application Penetration Testing: 95%
  • Secure Code Review: 90%
  • Threat Modeling (STRIDE): 88%
  • DevSecOps / CI/CD Security: 85%
  • Mobile Security (Android/iOS): 82%
  • Cloud Security (AWS / GCP): 75%
  • AI / LLM Security: 70%
Expertise

What I do.

Security Program Leadership
Building AppSec programs from zero — vulnerability management infrastructure, scan orchestration, bug bounty programs, and SDLC integration.
SSDLC · Roadmap · Governance

Application Penetration Testing
Web, API, and mobile security testing. Authorization bypass, IDOR, business logic flaws, race conditions, SSRF, injection chains.
OWASP · Burp Suite · IDOR

AI / LLM Security
Penetration testing of AI-integrated surfaces. Prompt injection, RAG pipeline data leakage, AI agent excessive agency, OWASP LLM Top 10.
Prompt Injection · OWASP LLM · AI Agents

Cloud & Infrastructure Security
AWS and GCP security architecture, IAM privilege escalation paths, Kubernetes security, container hardening, IaC misconfiguration detection.
AWS · GCP · Kubernetes · IaC

Mobile Security
Android and iOS security: deep link abuse, WebView exploitation, JS bridge hijacking, APK analysis, certificate pinning bypass, runtime analysis.
Android · iOS · Frida · MobSF

DevSecOps & Automation
SAST, DAST, SCA, and secrets detection integrated into CI/CD pipelines. Python tooling for triage automation, delta reporting, and scan orchestration.
Semgrep · Snyk · GitHub Actions
Experience

7 years.
4 companies.

From Quality Analyst to leading a company-wide AppSec program. Product and consulting, both.

01/2026 – Present (current) · Gurgaon, India
Senior Security Engineer, Atlys India Pvt. Ltd.
Leading establishment of the company's AppSec program for a cloud-native PII platform from the ground up.
  • Built a centralised vulnerability management platform consolidating findings from automated scanners, manual testing, and external researchers into a unified triage system for engineering and leadership.
  • Designed and deployed automated security scan orchestration across the full microservices fleet — secrets detection, SAST, and dependency auditing with weekly delta reporting.
  • Developed an AI-assisted penetration testing agent applying OWASP Top 10 for LLM Applications to autonomously probe auth and injection weaknesses across API and AI-integrated surfaces.
  • Established and operate the company's external bug bounty program — end-to-end triage, severity classification, and coordinated disclosure.
  • Led a full PII and sensitive data inventory across internal services as part of DPDP Act and GDPR compliance readiness, identifying critical gaps in data retention and third-party exposure.
08/2024 – 12/2025 · US, Remote
Security Engineer III, Certus Cybersecurity
Application security consulting across financial services, SaaS, and large-scale internet platforms.
  • Performed application penetration testing, secure code reviews, and threat modeling for large enterprise applications across multiple client environments.
  • Contributed to DevSecOps improvements by developing security scripts integrated into CI/CD pipelines to detect rate-limiting and authentication weaknesses.
  • Supported organizations in strengthening cloud security configurations across AWS and GCP services including IAM policies and access controls.
11/2021 – 07/2024 · Pune, India
Senior Security Engineer, ZS Associates
AppSec at scale — penetration testing, pipeline automation, and paved-road security patterns for engineering teams.
  • Application penetration testing and attack surface analysis across Java, Python, and JavaScript services.
  • Automated SAST and DAST triage using Python and shell scripting, reducing noise and improving remediation velocity by 25%.
  • Defined secure development practices and reusable security patterns to prevent recurring vulnerability classes.
  • Worked closely with developers to remediate OWASP Top 10, CSRF, SSRF, XSS, SQLi, and authorization logic flaws.
02/2019 – 10/2021 · Gurgaon, India
Software Quality Analyst, Security, Kellton Tech Solutions Limited
Web and mobile penetration testing across 40+ client projects with consistent security standards.
  • Web and mobile penetration testing and secure code reviews across Python, JavaScript, and C# applications.
  • Managed 40+ client projects independently, ensuring consistent delivery and compliance with security standards.
Security Research

Security Research.

Responsible disclosure and vulnerability research. CVE published via Wordfence CNA.

CVE-2026-7665
Unauthenticated Information Exposure in Essential Addons for Elementor
Insufficient authorization in the ajax_load_more handler allowed unauthenticated attackers to read private, password-protected, and draft post content. Affected 1M+ active WordPress installs (all versions ≤ 6.6.4). Reported via coordinated disclosure; CVE assigned by Wordfence (CNA).
CVSS 5.3 MEDIUM
Disclosed June 2026
Assigned by Wordfence CNA
Certifications

Credentials.

Contact

Let's work together.

Security collaboration, architecture reviews, responsible disclosure, or just a conversation about breaking things the right way.

Based in
Gurgaon, India
IST · GMT+5:30
Open to global roles
Remote · Hybrid · Relocation
Available for consulting
Security reviews, VAPT, AppSec advisory
Interests
Security Research · Vulnerability Disclosure · AI Security · Cloud Native Security · Bug Bounty · Badminton · Travelling