Who is Kalyan? 🤔
My path into security started the way most do — with curiosity and a Linux ISO. In 2019, during 12th grade, I installed Kali Linux for the first time. I didn't fully understand what I was looking at, but I recognized the core challenge: to operate in this field you have to be part developer, part systems thinker, and part adversary. That framing stuck.
I spent the next few years learning systematically. C first — to understand memory layout, pointer arithmetic, and what 'the stack' actually is. Then Python for automation and scripting. Then web stacks, because web applications are where the majority of real-world attack surface lives. I earned the CEH v10 certification in 2021 and started participating in bug bounty programs on HackerOne, which gave me structured experience reporting real vulnerabilities against live targets.
By 2023 I was teaching at Caddnest — running workshops on ethical hacking, exploit development, and offensive tooling. Teaching forced me to consolidate everything I'd learned into something communicable and precise. That same year I completed my Bachelor of Computer Applications at REVA University, where my final-year project was Bounty Hawk: an automated reconnaissance and vulnerability-assessment framework built on Nuclei, integrated with CI/CD pipelines and Slack notifications.
In 2024 I did a Java Full-Stack Developer internship at Sonata Software, where I worked on enterprise-grade Spring Boot applications. It deepened my understanding of how production backend systems are structured — which directly informs how I assess them for vulnerabilities.
I enrolled in the M.S. in Cybersecurity program at Northeastern University in Spring 2025. The program is research-heavy and hands-on by design. Coursework has covered Security Risk Management, Network Security Practices, Medical Device Security, Database Security (Oracle VPD, Fine-Grained Auditing, DBMS_CRYPTO), and Critical Infrastructure Protection — including a graduate research paper on the Boston Metropolitan Electric Power Distribution Network using complex network analysis, fault tree analysis, and resilience modeling.
In early 2026, I served as Team Lead of Northeastern's NEU-1 (NeuSense) team in MITRE eCTF 2026. We built a bare-metal Hardware Security Module on the TI MSPM0L2228 (ARM Cortex-M0+) in C with no OS. The cryptographic stack used AES-CBC-256 via the AESADV hardware peripheral with DMA-driven crypto, HMAC-SHA256 authentication, and a three-tier HKDF key hierarchy: ROOT_SEED → DEVICE_SEED → ENC_SEED / SESSION_SEED. I also designed the PIN rate limiting logic, a fail-closed permission model, the secure flash filesystem, and replay-resistance via nonce-bound session keys. I audited the LaTeX Technical Design Document line by line against the codebase, resolved cryptographic discrepancies, and cleared all compiler warnings before submission.
In CY5150 Network Security Practices (Prof. Kevin Amorin), I ran two major hands-on labs. First: an MQTT Denial-of-Service attack on a live Mosquitto broker on a Raspberry Pi 4 — three Python-scripted attack vectors (retained flood, wildcard storm, session exhaustion) drove broker RAM from 600MB to 8GB, network traffic from under 1 Mbit/s to 600–700 Mbit/s, and triggered a full outage lasting ~49 minutes. Second: a Snort IDS/IPS lab — deployed Snort in detection and inline prevention modes (NFQUEUE), wrote custom rules detecting SQL injection, CVE-2021-26855 (ProxyLogon), CVE-2022-1388 (F5 BIG-IP RCE), and CVE-2018-7600 (Drupalgeddon 2), and performed PCAP forensic analysis and reverse shell detection.
I co-authored a multi-institution academic paper on the NIST Cybersecurity Framework (CSF 2.0) with collaborators from Boston University and Northeastern — covering the six core CSF 2.0 functions, SP 800-53/171/61/181 control mappings, Zero Trust Architecture, supply chain risk management (C-SCRM), ISO 27001 comparison, and CIS Controls alignment. My graduate critical infrastructure research paper — submitted April 2026 to Prof. Themis A. Papageorge — modeled the Boston Metropolitan Electric Power Distribution Network as an 8-node graph with degree, betweenness, and eigenvector centrality analysis; spectral radius computation; MBRA resilience ranking; and fault tree analysis of the Downtown Distribution Substation under DHS Energy Sector framing.
I currently serve as Technical Director of NUIoTConnect at Northeastern — leading the technical direction of a five-person delegation to DEF CON 34 in August 2026, including managing the sponsorship proposal and coordinating with university stakeholders.
On the research side, I completed a graduate medical device security project analyzing CVE-2016-9355 on the BD Alaris 8015 infusion pump. The deliverables package included a full vulnerability analysis, STRIDE threat model, DFD diagrams, CVSS scoring, exploit chain documentation, and remediation guidance — plus a confirmed new finding: CWE-798 hard-coded default credentials, documented alongside the primary CWE-312/CWE-200 chain.
I'm also building NyxKernel — an offensive security YouTube channel and personal brand targeting practitioners, students, and recruiters in the red team and exploit development space. I authored Beneath the Shell, a book on the intersection of hacking philosophy and technical craft.
Outside of security, I stay sharp through CTF competitions (MetaCTF, MITRE eCTF), competitive programming, chess, and building tools I actually use — from full-stack job trackers to interactive skill maps. I write because teaching is the best compression algorithm for knowledge. I build because shipping things is the only real feedback loop.
The philosophy that drives everything: 'I am motivated by the fear of being average.' It sounds simple. The operational version of it is never stopping when something is 'good enough.'
Experience
2025 – Present
Technical Director
NUIoTConnect, Northeastern University
Leading technical direction for NUIoTConnect at Northeastern. Spearheading the organization's DEF CON 34 delegation (August 2026) — a five-student trip to Las Vegas for conference attendance, CTF competition, and professional networking. Responsible for the sponsorship proposal, university stakeholder coordination, and technical program planning.
2026
Team Lead — MITRE eCTF 2026
Team NEU-1 (NeuSense), Northeastern University
Led Northeastern's NEU-1 (NeuSense) team in building a bare-metal Hardware Security Module (HSM) on the TI MSPM0L2228 (ARM Cortex-M0+) in C. Designed and implemented the full cryptographic stack: AES-CBC-256 via the AESADV hardware peripheral with DMA-driven crypto, HMAC-SHA256 authentication, and a 3-tier HKDF key hierarchy (ROOT_SEED → DEVICE_SEED → ENC_SEED / SESSION_SEED). Implemented PIN rate limiting, a fail-closed permission model, session-based key management, replay-resistance mechanisms, a secure flash filesystem, and secure_bzero with anti-optimization guarantees. Audited the LaTeX Technical Design Document against the codebase, resolved cryptographic discrepancies, and cleared all compiler warnings across the codebase.
2023 – Present
Security Researcher (Bug Bounty)
HackerOne
Ongoing bug bounty research targeting web application vulnerabilities across public and private programs. Work encompasses recon automation, manual exploitation of authentication flaws, business logic vulnerabilities, IDOR, XSS, and API misconfigurations, followed by structured vulnerability disclosure reports.
2024
Java Full-Stack Developer Intern
Sonata Software
Built scalable enterprise web applications using Java, Spring Boot, and Angular. Worked within an Agile team environment, contributing to backend API design, database integration, and frontend feature development. Gained production-grade experience in software engineering lifecycle, code review processes, and deployment pipelines.
2023
Ethical Hacking & Programming Instructor
Caddnest
Designed and delivered training on ethical hacking, penetration testing methodology, exploit development, and offensive scripting. Covered topics including network reconnaissance, web application attack techniques, Metasploit usage, and introduction to bug bounty hunting.
2021 – 2022
CEH Instructor
APC Learning Centre
Taught the EC-Council CEH curriculum to cohorts of cybersecurity students. Topics included footprinting and reconnaissance, scanning networks, enumeration, vulnerability analysis, system hacking, social engineering, and session hijacking.
Education
2025 – 2027
Master of Science in Cybersecurity
Northeastern University
Coursework spans Security Risk Management, Network Security Practices, Medical Device Security (CY 7790 / CY 4973), Database Security (MET CS 674 — Oracle VPD, Fine-Grained Auditing, DBMS_CRYPTO), and Critical Infrastructure Protection. Graduate research includes a complex network analysis of the Boston Metropolitan Electric Power Distribution Network with MBRA, fault tree analysis, and resilience modeling. Member of NUIoTConnect; competed in MITRE eCTF 2026.
2021 – 2024
Bachelor of Computer Applications
REVA University
Final-year project: Bounty Hawk — an automated penetration testing and vulnerability assessment framework using Nuclei, integrated with CI/CD pipelines, Slack notifications, and VPN support. Built secure web and mobile applications, worked with Java, Spring Boot, React.js, Flutter, and Android Studio throughout the program.
2020 – 2021
Certified Ethical Hacker (CEH v10)
EC-Council
Completed the CEH v10 program covering all 20 modules of the EC-Council curriculum: reconnaissance, scanning, enumeration, vulnerability analysis, system hacking, malware threats, sniffing, social engineering, DoS/DDoS, session hijacking, web server and application attacks, SQL injection, cryptography, and cloud security fundamentals.
Capabilities
Penetration Testing
End-to-end penetration testing across web applications, APIs, and network infrastructure. Methodology covers recon, enumeration, exploitation, privilege escalation, lateral movement, and structured reporting. Experienced with Burp Suite Pro, Metasploit, SQLMap, Nmap, Gobuster, and custom tooling.
Hardware & Embedded Security
Bare-metal firmware development on ARM Cortex-M0+ (TI MSPM0L2228). Implemented AES-CBC-256, HMAC-SHA256, HKDF key derivation, session-based key management, secure flash filesystem, and replay-resistance mechanisms in C for the MITRE eCTF 2026 competition.
Exploit Development
Experience with buffer overflows, format string vulnerabilities, ROP chain construction, shellcode development, and CTF-style binary exploitation. Familiar with pwndbg, GDB, pwntools, and x86/ARM assembly fundamentals.
Vulnerability Research & CVE Analysis
Graduate-level medical device security research: full analysis of CVE-2016-9355 on the BD Alaris 8015 infusion pump. Deliverables included STRIDE threat model, DFD diagrams, CVSS scoring, exploit chain documentation, and a confirmed new finding (CWE-798 hardcoded default credentials).
Full-Stack Development
Production experience with Next.js 14, React, TypeScript, Node.js, PostgreSQL, Prisma, and BullMQ. Built JobLens (React/TypeScript/Vite job tracker with SheetJS), SecureTrack (Next.js 14/PostgreSQL internship tracker with pluggable connector architecture), and SkillAtlas (MapLibre GL JS interactive world map with Zustand and Fuse.js).
Cryptography
Practical implementation of AES-CBC, HMAC-SHA256, HKDF, and RSA in production security contexts. Studied lattice-based signature scheme nonce-reuse attacks (ECDSA/DSA). Coursework and CTF experience in both classical and modern cryptographic primitives.
Security Risk Management
Applied NIST frameworks, STRIDE threat modeling, DREAD scoring, CVSS v3.1 calculations, fault tree analysis, and MBRA in graduate coursework and research projects. SOX-compliance and GRC tooling familiarity from resume-level research.
CTF Competition
Active competitor in MetaCTF, MITRE eCTF 2026, and related competitions. Challenges completed include OSINT/geolocation, lattice-based cryptographic attacks (nonce-reuse), domain reconnaissance, binary exploitation, and network forensics.
OWASP Top 10
Deep familiarity with all OWASP Top 10 categories from both offensive and defensive perspectives: injection, broken access control, cryptographic failures, SSRF, XXE, IDOR, security misconfiguration, and insecure deserialization — applied through pentesting, bug bounty, and secure code review.
Database Security
Oracle database security: VPD (Virtual Private Database), Fine-Grained Auditing, DBMS_CRYPTO, and Unified Audit policies. Research papers on privacy-preserving databases and Zero Trust Architecture applied to Oracle environments.
Secure Coding & Code Review
Security-focused code review across C, Python, Java, TypeScript, and Solidity. Experience auditing cryptographic implementations for timing attacks, weak RNG, and key management flaws. Implemented secure_bzero, nonce validation, and replay-resistance logic in embedded C.
Critical Infrastructure Security
Graduate research on the Boston Metropolitan Electric Power Distribution Network: complex network analysis, MBRA resilience modeling, fault tree analysis, and cascade failure simulation using Python and networkx. SCADA/ICS attack surface familiarity.
API Security
REST and GraphQL API security assessment: authentication bypass, BOLA/IDOR, mass assignment, broken object-level authorization, JWT manipulation, and rate-limiting flaws. Applied through bug bounty and full-stack projects.
Blockchain Security
Smart contract vulnerability research including reentrancy, integer overflow, and access control flaws. Developed blockchain-based authentication systems and applied secure coding practices to Solidity contracts.
Expertise with Technologies
Python
Primary scripting language for offensive tooling, automation, CTF solve scripts, exploit development, network analysis (networkx, scapy), and security research.
C
Bare-metal embedded firmware development (TI MSPM0L2228 ARM Cortex-M0+). Buffer overflow research, shellcode development, memory-safe cryptographic implementations.
TypeScript
Primary language for full-stack web projects. Used across Next.js 14, React, Vite, and Turborepo monorepo SaaS architectures with strict type safety.
JavaScript
Frontend and Node.js backend development. React component libraries, REST API design, real-time features, and Express middleware.
Java
Enterprise full-stack development at Sonata Software (Spring Boot, Angular). Also used in competitive programming and algorithm design.
Bash
Shell scripting for recon automation, log analysis, exploit chaining, CI/CD security pipelines, and Linux system administration.
C++
Low-level systems work, exploit research, algorithm implementation. Competitive programming on CodeChef and LeetCode.
Ruby
Metasploit module development and exploit scripting. Familiar with the Metasploit Framework API for custom module authoring.
SQL
Relational database design and security: Oracle (VPD, FGA, DBMS_CRYPTO), PostgreSQL (production use in SecureTrack), MySQL, and SQL injection testing.
Go
High-performance microservices and security tool development. Explored for building concurrent recon tooling and network scanners.
Dart / Flutter
Cross-platform mobile application development. Built a Netflix clone, animated weather app, and ticket booking app in Flutter.
PHP
Backend web application development. Familiar with server-side security hardening, session management, and PHP-based vulnerability classes.
GraphQL
API design and security assessment. Experience identifying BOLA, introspection leakage, and batch query abuse in GraphQL endpoints.
React.js
Component-based UI development. Used across JobLens, SkillAtlas, personal brand website (glassmorphic design system), and portfolio.
Next.js
Full-stack React framework. Used for SecureTrack (App Router, PostgreSQL, BullMQ), SkillAtlas (MapLibre GL JS), and this portfolio.
Node.js
Server-side JavaScript: REST APIs, Express, BullMQ job queues, WebSocket servers, and Prisma ORM integration.
Django
Python web framework used for security-focused backend services and REST APIs. Familiar with Django's built-in security middleware and CSRF/XSS defenses.
Spring Boot
Enterprise Java backend development at Sonata Software. Microservices architecture, REST API design, JPA/Hibernate database integration.
Flask
Lightweight Python web framework for rapid security tool development, REST APIs, and internal tooling.
PostgreSQL
Production relational database used in SecureTrack. Schema design, query optimization, Prisma ORM integration, and database-level access control.
MongoDB
NoSQL document store used in the ICSTCEE conference registration platform. Familiar with injection prevention and access control in MongoDB environments.
Docker
Containerization for development environments, security testing labs, and CI/CD deployment pipelines. Familiar with container escape and privilege escalation attack surfaces.
AWS
Cloud infrastructure with a focus on security: IAM policy analysis, S3 misconfiguration assessment, Lambda security, and VPC network controls.
Burp Suite
Primary web application testing platform. Proxy interception, active/passive scanning, custom Intruder payloads, Repeater-based manual exploitation, and extension development.
Metasploit
Framework-level penetration testing: exploit selection, payload generation, post-exploitation modules, meterpreter sessions, and custom Ruby module authoring.
Nmap
Network reconnaissance and host discovery. NSE scripting for custom service enumeration, OS fingerprinting, and vulnerability detection.
Wireshark
Network traffic analysis for forensics, protocol inspection, and detecting anomalous communications. Used in both academic labs and CTF challenges.
SQLMap
Automated SQL injection detection and exploitation across MySQL, PostgreSQL, Oracle, and MSSQL targets.
Kali Linux
Primary offensive security operating system. Daily driver for penetration testing, exploit development, CTF challenges, and security research.
Git / GitHub
Version control, open-source contribution, and CI/CD pipeline management via GitHub Actions. Familiar with repository security scanning and supply chain attack surfaces.
Firebase
Backend-as-a-service for authentication, real-time databases, and serverless functions in mobile and web projects.
Figma
UI/UX design for web and mobile projects. Prototyping, component libraries, and design handoff for the personal brand website and SkillAtlas.


