OffensiveSecurityConsulting
Specializing in deep manual penetration testing, vulnerability research, and secure code review for modern applications.
About
Cybersecurity Researcher and Consultant specializing in Web Security, Secure Code Review, Malware Analysis, and Vulnerability Assessment. I help organizations strengthen their security posture through detailed manual analysis and real-world offensive security techniques. Currently based in Kolkata, West Bengal, India.
With experience securing 25+ government platforms and supporting private organizations under NDA, I focus on identifying high-impact vulnerabilities, improving code quality, and building stronger defensive controls. My expertise spans OWASP Top 10, network and Active Directory assessments, IoT security, and multi-language static analysis.
Core Skills
Certifications
Arsenal
Specializations
• OWASP Top 10 Web Security
• Secure Code Review (Java, Python, PHP, JS, Go, .NET, C/C++)
• Network & Active Directory Pentesting
• API Security (Learning & Practicing)
• Malware Analysis (Static & Dynamic)
Premium Security Services
Specialized security services tailored for modern organizations. I focus on deep manual analysis, secure code review, and targeted penetration testing to help build resilient and secure systems.
Penetration Testing
Web, network, and Active Directory security assessments with a focus on real-world attack paths and high-impact vulnerabilities. Includes detailed reporting and prioritized remediation steps.
Source Code Analysis & SCA
In-depth manual secure code review across multiple languages to uncover complex logic flaws, insecure patterns, and potential CVE-level issues. Backed by experience contributing to SAST research.
Security Consulting
Guidance on improving application security, strengthening internal processes, and aligning your organization with modern security best practices. Ideal for teams building or scaling their security program.
Exploit Development
Development of custom proof-of-concept exploits to demonstrate vulnerability impact, aid internal remediation, and support research initiatives.
Threat Modeling
Identify attack surfaces and potential weaknesses across your application architecture. Tailored for startups, SaaS platforms, and teams planning secure releases.
Let's Build Secure Systems
Partner with me to build security-first applications. From architecture to deployment, I'll help you create robust, resilient systems.
Experience
A timeline of my professional journey, delivering high-impact security assessments and leading red team operations for global enterprises.
Independent Security Researcher
Independent
Provide security assessments, secure code reviews, and vulnerability research across government platforms and private organizations under NDA. Discovered multiple high-impact vulnerabilities and contributed to CVE-level findings.
Vulnerability Research
Documenting critical vulnerabilities, zero-day exploits, and open-source security tools released to the community.
Arbitrary Code Execution via Unsafe Deserialization
Discovered and reported a local privilege escalation issue in pdfminer.six caused by insecure pickle deserialization. The advisory was published as an official GitHub Security Advisory.
Improper Input Validation in Document Parsing
Two additional vulnerabilities affecting open-source libraries. The vendor has acknowledged the report and is reviewing patches. The report will be forwarded to MITRE if no response is received within the disclosure window.
Scam Infrastructure Takeover (OSINT + Exploitation)
Investigated and compromised a live scam infrastructure running a fraudulent rewards scheme. Documented the exploitation chain, backend weaknesses, and attack flow to assist law enforcement and raise awareness.
Offensive Security & CTF Research
Active contributor in Capture-The-Flag competitions with detailed writeups covering web exploitation, forensics, reverse engineering fundamentals, and privilege escalation.
Open Source Contributions
A curated selection of open-source tools and frameworks I've developed. These projects focus on automation, reconnaissance, and security testing.
ReconFavicon
OSINT tool for identifying applications and tech stacks using favicon hashing. Used widely by researchers for recon and fingerprinting.
Xposed
Automated exploitation framework designed for practicing and testing security vulnerabilities across multiple categories.
RSCHunter CVE-2025-55182
Powerful tool for detecting and exploiting React Server Component (RSC) vulnerabilities. Features automated detection and exploitation modules.
PRISM
Modular penetration testing helper tool featuring recon, enumeration, and automation components for security workflows.
Nmap XML Visualizer
A clean, browser-based visualizer for Nmap XML outputs. Helps simplify port and service analysis with an interactive UI.
FFUF Contribution
Contributor to FFUF, one of the most respected fuzzing tools in cybersecurity. Helped improve the codebase through an approved pull request.
Trusted by Industry Leaders
Feedback from clients and colleagues I've worked with. These recommendations reflect my commitment to technical excellence and professional integrity.
“Suman brings a rare combination of deep technical expertise and real problem-solving ability. He consistently delivers results, solves complex issues, and exceeds expectations every single time.”
Aditya Seth
Vulnerability Analyst • PSIRT
“A dependable specialist with excellent team skills. Suman's judgment and decision-making consistently improve outcomes. One of the best professionals I've had the pleasure of managing.”
Indrajit Mondal
Ex-EY
“A hardworking and reliable professional. His grasp of systems and troubleshooting lays a strong foundation for the advanced security expertise he delivers today.”
Sairam Satyavada
Deputy General Manager
“Highly professional and extremely hardworking. Suman will be an asset to any organization that values security excellence and continuous improvement.”
Siddharth Chowdhury
Product Support Engineer
Frequently Asked
Common questions about my services, methodology, and engagement process. If you have more specific queries, feel free to reach out directly.
What services do you offer?
How do I engage your services?
What is your typical turnaround time?
Do you work with government organizations?
What's included in the final report?
Do you support remediation and retesting?
Do you sign NDAs and handle sensitive systems?
Do you offer CVE research or vulnerability discovery?
Are you CERT-In Empanelled?
Do your assessments replace CERT-In audits?
Why choose an independent consultant instead of an audit firm?
Do you issue compliance certificates?
Let's build something secure.
Ready to elevate your security posture? Schedule a consultation or drop a direct line.