I'm an Application Security specialist passionate about finding vulnerabilities before attackers do, and helping teams build safer digital products.

About Me

I specialize in Application Security and Penetration Testing - helping teams integrate security practices directly into the development lifecycle. I enjoy automating security checks, building secure CI/CD pipelines, and making security an enabler rather than a blocker.

Experience

Senior Application Security Specialist - Xsolla
July 2025 - Present
  • Designed foundational architecture of HashiCorp Vault deployment, including cluster setup, security hardening, access model, secret lifecycle management, and governance.
  • Enabled systematic identification of recurring weaknesses by implementing a Python automation framework that correlates bug bounty trends, penetration test results, and custom checks across 400+ domains.
  • Restructured company's bug bounty program by identifying operational deficiencies, evaluating submission quality, proposing triage improvements, and updating documentation.
  • Reduced design-level risk by conducting structured threat modeling of critical products and identifying high-impact attack paths.
Bug Hunter - Qarabug
July 2025 - Present
  • Reported 7 vulnerabilities within first month, including account takeover attack chain with critical severity.
  • Delivered talk on crafting professional bug bounty reports, emphasizing clarity, structure, and business-oriented risk framing.
Senior Application Security Specialist - Unibank
October 2024 - July 2025
  • Established centralized DevSecOps process for automating CI/CD pipeline management, maximizing SAST and container security coverage, and seamlessly enabling SCA prevention mode in 70% of projects.
  • Reduced dependency vulnerabilities by two-thirds and secured PCI DSS compliance by pioneering a company-wide major framework upgrade across cross-functional teams.
  • Launched formal STRIDE-based threat-modeling process by demonstrating PoC on early-phase SaaS project with 12 threats flagged.
  • Co-authored secure coding training based on OWASP guidelines to help developers incorporate security into development process.
  • Eliminated false positives among SAST and SCA findings and escalated real vulnerabilities by reviewing project source code in GitLab.
Lead Penetration Tester - Unibank
September 2022 - September 2024
Penetration Tester - Unibank
July 2021 - September 2022
  • Identified hundreds of critical vulnerabilities across web, mobile applications, and IT infrastructure.
  • Automated vulnerability discovery, exploitation, and password cracking activities using custom Python scripts, rapidly exposing serious security weaknesses and boosting success rate by 57%.
  • Optimized penetration testing processes by initiating and coordinating projects to establish a streamlined ticketing system in use by 100+ employees and by designing new policies and procedures.
  • Launched successful phishing campaign against support chat via novel technique exploiting built-in Excel features.
  • Published write-ups covering exploitation technique and remediation guidance.

Core Skills

Application Security
Penetration Testing
DevSecOps
Threat Modeling
Secure Code Review
Programming

Projects

Burp Playbook - Practical Guide to Building Custom Extensions with Python

A practical e‑book that teaches you how to build Burp Suite extensions from scratch. Clear step‑by‑step examples, runnable code, and real-world exercises to automate and improve your testing workflow.

  • Step‑by‑step extension development guide
  • Complete example code & integration tips
  • Automation techniques to speed up testing

Centralized DevSecOps Pipeline Automation

  • Established a centralized orchestration system for managing SAST scan configurations, implementing custom code rules and ignore policies.
  • Uncovered a critical SCA bottleneck in outdated framework versions; led a company-wide upgrade, cutting findings by two thirds and seamlessly enforcing prevention mode.
  • Optimized CI/CD pipeline jobs for 100% SAST coverage and scan accuracy across all project types, following DRY and retry/fail-fast principles as well as setting up alerts for full visibility into failures.
  • Rolled out an end-to-end vulnerability triage process, including a dedicated Jira board, standardized reporting templates, “how-to” guidelines for developers, and an internal channel for quick reference on recent dependency updates.
From the Blog

Brand-new prototype pollution gadget in MongoDB leading to RCE

I uncovered a new prototype pollution gadget in the mongodb NPM package version 6.6.2, which results in Remote Code Execution (RCE).

Why does cyber security matter for your business?

Understand how security vulnerabilities can impact your company's reputation and bottom line.

3 banking security mistakes to avoid for a safer digital experience

In this blog, I want to shed light on common mistakes that can inadvertently put the security of our data and money at risk.

Data exfiltration using Excel

In this article, I talk about a new data exfiltration technique that allows reading files on a victim's machine using an Excel file.

Frequently asked questions for people starting out in cyber security | FAQ for beginners in cyber security

How integrating security early in development helps prevent costly incidents.

You're not as safe as you think: Here's why you may be the next target of a cyber criminal

Do you still believe hackers are only interested in spying on celebrities' lives or stealing money from well-known companies?

Contact

Let's connect! You can reach me via email or social media.

📧 Email 💼 LinkedIn 🐙 GitHub