Available for Engagements

VASU MELIPAKA Security Analyst // Web · API · Mobile · AI Security

Helping organisations break down real attack surfaces across Web, Mobile (Android/iOS), API, and now AI/LLM systems — through deep manual penetration testing aligned to OWASP, MASVS, PCI DSS 4.0, and OWASP Top 10 for LLMs.

Security Services Let's Talk → LinkedIn ↗

Web & API Pentesting Mobile (MASVS) PCI DSS 4.0 DevSecOps Cloud Security AI / LLM Security Adversarial ML Red Teaming AI

VASU MELIPAKA

Senior Security Analyst

UID// VM-SEC-0042

YRS CYBER

110+

PENTESTS

92%

CLOSURE

Web / API

Mobile

AI / LLM

DevSecOps

OWASP

PCI DSS 4.0

AI Red Team

MASVS

// 01

Profile Summary

Manual-first · High-impact

🧠

Who I Am

Senior Security Analyst specialising in penetration testing for Web, Mobile and API platforms — now actively expanding into AI/LLM adversarial testing. I combine offensive security depth with a clear understanding of business context, helping leadership understand the true risk behind each finding — not just a CVSS number.

I embed seamlessly into engineering, QA and architecture workflows, treating security as a continuous SDLC checkpoint rather than a final-sprint gate.

📋

What I Deliver

Evidence-backed findings with clear PoCs and full reproduction steps
OWASP, MASVS, PCI DSS 4.0 and OWASP LLM Top 10 control mapping
CVSS-based ratings with business-risk plain-English explanations
Developer-ready remediation with config and code examples
Retest & closure validation for production sign-off readiness
Executive summaries that communicate risk to leadership without jargon

vmsecops ~ pentest-workflow v2.0

vasu@secops $ run-engagement --scope web,api,mobile,ai --framework OWASP,MASVS,PCI-DSS,LLM-TOP10

[✓] Threat-driven test plan initialised — manual-first methodology [✓] False-positive separation layer: enabled [✓] Business impact mapping: active [+] Loading AI/LLM adversarial modules... [✓] Prompt injection scanner: ready [✓] Model jailbreak probe set: loaded (47 vectors) [✓] RAG poisoning detection: enabled [✓] Report: executive-ready + developer-ready + compliance-ready [✓] Retest & closure validation: included

vasu@secops $ _

// 02

Pentest Snapshot

Coverage · Risk · Delivery

Active Engagements

Web · Mobile · API

Findings / 30 Days

Across all severities

High / Critical

Prioritised with owners

Retest Closure Rate

92%

Confirmed & verified

Risk Coverage

OWASP Web Top 10 (2021)
OWASP API Security Top 10
OWASP MASVS M1–M10
OWASP LLM Top 10 (AI)
TLS / HTTP security headers
Auth, session & access control

Engagement Style

Threat-driven test planning
Manual verification of scanner output
Clear false-positive separation
Regular dev & QA touchpoints
Exec-ready risk summaries
Structured remediation tracking

Ideal Use Cases

Pre-production security sign-off
PCI DSS 4.0 readiness — web & mobile
AI/LLM product security validation
New feature / release hardening
Independent review of internal findings
Executive risk visibility

Web Applications

40+

Portals & dashboards

Mobile Apps

20+

Android & iOS

APIs Tested

50+

Public & internal

AI Assessments

New

LLM · RAG · Agents

// 03

Security Services

What I do for your team

🌐

Web Application Pentesting

Deep manual testing for authentication flaws, broken access control, IDOR, session weaknesses, business logic gaps, and OWASP Top 10 coverage before every production rollout.

📱

Mobile App Security

MASVS-aligned assessments for Android & iOS — data storage, API usage, reverse engineering resistance, certificate pinning, and runtime protection validation.

⚙️

API Security Testing

BOLA, BFLA, JWT weaknesses, rate-limit bypass, mass assignment, replay attacks, and abuse scenarios across microservices, REST, GraphQL, and API gateways.

🤖

AI / LLM Security Testing

Adversarial assessment of LLM-powered products: prompt injection, jailbreaks, RAG poisoning, data exfiltration via model outputs, agent trust boundaries, and OWASP LLM Top 10 coverage.

🔧

DevSecOps Advisory

SAST, SCA and secrets scanning integration into CI/CD with meaningful quality gates, low noise signal-to-ratio tuning, and training for developer security ownership.

☁️

Cloud & Platform Review

IAM misconfiguration, storage exposure, network perimeter, and internal service discovery checks across AWS and Azure environments with actionable hardening guides.

// 04

AI / LLM Security

Emerging · Offensive · Adversarial

BREAKING
AI SYSTEMS
BEFORE
ATTACKERS DO

As AI-powered products go mainstream, so do their attack surfaces. I'm actively building expertise in adversarial AI testing — probing LLMs, RAG pipelines, AI agents, and model APIs for vulnerabilities that traditional pentesting doesn't cover.

Grounded in the OWASP Top 10 for LLMs and MITRE ATLAS, my approach treats AI components as first-class attack targets with unique threat models.

OWASP LLM Top 10 MITRE ATLAS Prompt Injection Jailbreaking RAG Poisoning Agent Hijacking Model Data Exfil AI Red Teaming

💉

Prompt Injection (LLM01)

Direct and indirect prompt injection attacks that manipulate model behaviour, bypass system prompts, or hijack agent actions through untrusted inputs.

🔓

Jailbreaking & Safety Bypass

Multi-turn roleplay attacks, DAN variants, adversarial suffixes, and encoding tricks that strip guardrails from production LLMs.

☣️

RAG & Knowledge Poisoning (LLM03)

Injecting malicious content into retrieval corpora, vector stores, or knowledge bases to poison model responses at inference time.

🕵️

Data Exfiltration via Models (LLM06)

Extracting training data, system prompt leakage, and sensitive context exfiltration through crafted adversarial queries and model inversion techniques.

🤖

Agentic AI & Tool Abuse (LLM08)

Exploiting autonomous AI agents to take unintended actions — file access, API calls, privilege escalation through indirect prompt injection chains.

vmsecops ~ ai-red-team --target gpt-4o-powered-app

vasu@secops $ probe-llm --vectors prompt-injection,jailbreak,rag-poison,exfil

[+] Scanning system prompt boundaries... [!] LLM01 — Prompt Injection: VULNERABLE — indirect via document upload [!] LLM02 — Insecure Output Handling: PARTIAL — XSS via rendered markdown [!] LLM06 — Sensitive Info Disclosure: VULNERABLE — system prompt leakable in 3 turns [✓] LLM04 — Model DoS: Not exploitable — rate limiting enforced [+] Running jailbreak probe set... [!] Safety bypass: SUCCESSFUL via multi-role persona chain attack [AI] Generating adversarial remediation roadmap... [✓] Report: OWASP LLM Top 10 mapped, business impact rated, fix guidance included

vasu@secops $ _

// 05

Sample Engagements

Anonymised real-world cases

Case 01 · Fintech

Finance Portal Assessment

Full-stack web pentest for a payment-handling portal. Uncovered broken access control chains, insecure session management, and IDOR across user account flows — all before production launch.

Web · OWASP TOP 10 CRITICAL

Case 02 · Mobile & API

Android/iOS App + APIs

End-to-end MASVS and OWASP API Top 10 assessment covering data-at-rest protection, JWT weaknesses, certificate pinning bypass, and BOLA across supporting microservices.

ANDROID · iOS · MASVS HIGH

Case 03 · Compliance

PCI DSS 4.0 Readiness

Web and mobile testing mapped to PCI DSS 4.0 requirements for a payment-focused product team, enabling smoother QSA audit review and faster compliance sign-off.

PCI DSS 4.0 COMPLIANT

Case 04 · AI Security

LLM-Powered App Assessment

Adversarial testing of a customer-facing AI assistant. Discovered prompt injection via user-controlled document uploads leading to full system prompt disclosure and safety guardrail bypass.

LLM01 · LLM06 CRITICAL

Case 05 · AI Red Team

RAG Pipeline Security Review

Security review of an enterprise RAG deployment. Identified knowledge-base poisoning vectors via unsanitised document ingestion and model output injection enabling cross-user data leakage.

RAG · LLM03 CRITICAL

Case 06 · Cloud

AWS Environment Review

IAM privilege analysis, S3 public access audit, internal service exposure mapping, and metadata API hardening for a SaaS platform migrating workloads to AWS.

AWS · IAM · CLOUD HIGH