Available for Engagements

VASU MELIPAKA Security Analyst // Web · API · Mobile · AI Security

Helping organisations break down real attack surfaces across Web, Mobile (Android/iOS), API, and now AI/LLM systems — through deep manual penetration testing aligned to OWASP, MASVS, PCI DSS 4.0, and OWASP Top 10 for LLMs.

Web & API Pentesting · Mobile (MASVS) · PCI DSS 4.0 · DevSecOps · Cloud Security · AI / LLM Security · Adversarial ML · Red Teaming AI
Senior Security Analyst
UID// VM-SEC-0042
7+ YRS CYBER · 110+ PENTESTS · 92% CLOSURE
Web / API: 96 · Mobile: 90 · AI / LLM: 72 · DevSecOps: 85
OWASP · PCI DSS 4.0 · AI Red Team · MASVS
// 01

Profile Summary

Manual-first · High-impact
🧠

Who I Am

Senior Security Analyst specialising in penetration testing for Web, Mobile and API platforms — now actively expanding into AI/LLM adversarial testing. I combine offensive security depth with a clear understanding of business context, helping leadership understand the true risk behind each finding — not just a CVSS number.

I embed seamlessly into engineering, QA and architecture workflows, treating security as a continuous SDLC checkpoint rather than a final-sprint gate.

📋

What I Deliver

  • Evidence-backed findings with clear PoCs and full reproduction steps
  • OWASP, MASVS, PCI DSS 4.0 and OWASP LLM Top 10 control mapping
  • CVSS-based ratings with business-risk plain-English explanations
  • Developer-ready remediation with config and code examples
  • Retest & closure validation for production sign-off readiness
  • Executive summaries that communicate risk to leadership without jargon
vmsecops ~ pentest-workflow v2.0

kali@vmsecops $ run-engagement --scope web,api,mobile,ai --framework OWASP,MASVS,PCI-DSS,LLM-TOP10

[✓] Threat-driven test plan initialised — manual-first methodology
[✓] False-positive separation layer: enabled
[✓] Business impact mapping: active
[+] Loading AI/LLM adversarial modules...
[✓] Prompt injection scanner: ready
[✓] Model jailbreak probe set: loaded (47 vectors)
[✓] RAG poisoning detection: enabled
[✓] Report: executive-ready + developer-ready + compliance-ready
[✓] Retest & closure validation: included

kali@vmsecops $ _

// 02

Pentest Snapshot

Coverage · Risk · Delivery
Active Engagements: 3 (Web · Mobile · API)
Findings / 30 Days: 27 (Across all severities)
High / Critical: 8 (Prioritised with owners)
Retest Closure Rate: 92% (Confirmed & verified)

Risk Coverage

  • OWASP Web Top 10 (2021)
  • OWASP API Security Top 10
  • OWASP MASVS M1–M10
  • OWASP LLM Top 10 (AI)
  • TLS / HTTP security headers
  • Auth, session & access control

Engagement Style

  • Threat-driven test planning
  • Manual verification of scanner output
  • Clear false-positive separation
  • Regular dev & QA touchpoints
  • Exec-ready risk summaries
  • Structured remediation tracking

Ideal Use Cases

  • Pre-production security sign-off
  • PCI DSS 4.0 readiness — web & mobile
  • AI/LLM product security validation
  • New feature / release hardening
  • Independent review of internal findings
  • Executive risk visibility

Web Applications: 40+ (Portals & dashboards)
Mobile Apps: 20+ (Android & iOS)
APIs Tested: 50+ (Public & internal)
AI Assessments: New (LLM · RAG · Agents)

// 03

Security Services

What I do for your team
🌐

Web Application Pentesting

Deep manual testing for authentication flaws, broken access control, IDOR, session weaknesses, business logic gaps, and OWASP Top 10 coverage before every production rollout.

📱

Mobile App Security

MASVS-aligned assessments for Android & iOS — data storage, API usage, reverse engineering resistance, certificate pinning, and runtime protection validation.

⚙️

API Security Testing

BOLA, BFLA, JWT weaknesses, rate-limit bypass, mass assignment, replay attacks, and abuse scenarios across microservices, REST, GraphQL, and API gateways.

🤖

AI / LLM Security Testing

Adversarial assessment of LLM-powered products: prompt injection, jailbreaks, RAG poisoning, data exfiltration via model outputs, agent trust boundaries, and OWASP LLM Top 10 coverage.

🔧

DevSecOps Advisory

SAST, SCA and secrets scanning integration into CI/CD with meaningful quality gates, signal-to-noise tuning to keep findings low-noise, and training for developer security ownership.

☁️

Cloud & Platform Review

IAM misconfiguration, storage exposure, network perimeter, and internal service discovery checks across AWS and Azure environments with actionable hardening guides.

// 04

AI / LLM Security

Emerging · Offensive · Adversarial
BREAKING AI SYSTEMS BEFORE ATTACKERS DO

As AI-powered products go mainstream, so do their attack surfaces. I'm actively building expertise in adversarial AI testing — probing LLMs, RAG pipelines, AI agents, and model APIs for vulnerabilities that traditional pentesting doesn't cover.

Grounded in the OWASP Top 10 for LLMs and MITRE ATLAS, my approach treats AI components as first-class attack targets with unique threat models.

OWASP LLM Top 10 · MITRE ATLAS · Prompt Injection · Jailbreaking · RAG Poisoning · Agent Hijacking · Model Data Exfil · AI Red Teaming
💉

Prompt Injection (LLM01)

Direct and indirect prompt injection attacks that manipulate model behaviour, bypass system prompts, or hijack agent actions through untrusted inputs.

🔓

Jailbreaking & Safety Bypass

Multi-turn roleplay attacks, DAN variants, adversarial suffixes, and encoding tricks that strip guardrails from production LLMs.

☣️

RAG & Knowledge Poisoning (LLM03)

Injecting malicious content into retrieval corpora, vector stores, or knowledge bases to poison model responses at inference time.

🕵️

Data Exfiltration via Models (LLM06)

Extracting training data, system prompt leakage, and sensitive context exfiltration through crafted adversarial queries and model inversion techniques.

🤖

Agentic AI & Tool Abuse (LLM08)

Exploiting autonomous AI agents to take unintended actions — file access, API calls, privilege escalation through indirect prompt injection chains.

vmsecops ~ ai-red-team --target gpt-4o-powered-app

kali@vmsecops $ probe-llm --vectors prompt-injection,jailbreak,rag-poison,exfil

[+] Scanning system prompt boundaries...
[!] LLM01 — Prompt Injection: VULNERABLE — indirect via document upload
[!] LLM02 — Insecure Output Handling: PARTIAL — XSS via rendered markdown
[!] LLM06 — Sensitive Info Disclosure: VULNERABLE — system prompt leakable in 3 turns
[✓] LLM04 — Model DoS: Not exploitable — rate limiting enforced
[+] Running jailbreak probe set...
[!] Safety bypass: SUCCESSFUL via multi-role persona chain attack
[AI] Generating adversarial remediation roadmap...
[✓] Report: OWASP LLM Top 10 mapped, business impact rated, fix guidance included

kali@vmsecops $ _

// 05

Sample Engagements

Anonymised real-world cases
Case 01 · Fintech

Finance Portal Assessment

Full-stack web pentest for a payment-handling portal. Uncovered broken access control chains, insecure session management, and IDOR across user account flows — all before production launch.

Web · OWASP TOP 10 · CRITICAL

Case 02 · Mobile & API

Android/iOS App + APIs

End-to-end MASVS and OWASP API Top 10 assessment covering data-at-rest protection, JWT weaknesses, certificate pinning bypass, and BOLA across supporting microservices.

ANDROID · iOS · MASVS · HIGH

Case 03 · Compliance

PCI DSS 4.0 Readiness

Web and mobile testing mapped to PCI DSS 4.0 requirements for a payment-focused product team, enabling smoother QSA audit review and faster compliance sign-off.

PCI DSS 4.0 · COMPLIANT

Case 04 · AI Security

LLM-Powered App Assessment

Adversarial testing of a customer-facing AI assistant. Discovered prompt injection via user-controlled document uploads leading to full system prompt disclosure and safety guardrail bypass.

LLM01 · LLM06 · CRITICAL

Case 05 · AI Red Team

RAG Pipeline Security Review

Security review of an enterprise RAG deployment. Identified knowledge-base poisoning vectors via unsanitised document ingestion and model output injection enabling cross-user data leakage.

RAG · LLM03 · CRITICAL

Case 06 · Cloud

AWS Environment Review

IAM privilege analysis, S3 public access audit, internal service exposure mapping, and metadata API hardening for a SaaS platform migrating workloads to AWS.

AWS · IAM · CLOUD · HIGH

// 06

Skills & Tooling

Stack I work with daily

Application Security
OWASP Web Top 10 · IDOR / BAC · Session Mgmt · CORS / CSRF · SQLi / XSS · SSRF · Auth Bypass · Business Logic

Mobile & API
MASVS M1–M10 · OWASP API Top 10 · Burp Suite · MobSF · Frida · Objection · BOLA / BFLA · JWT Attacks

AI / LLM Security
OWASP LLM Top 10 · Prompt Injection · Jailbreaking · RAG Poisoning · AI Red Teaming · MITRE ATLAS · Agent Hijacking · Garak / PyRIT

Governance & DevSecOps
PCI DSS 4.0 · Secure SDLC · SAST / SCA · Secrets Scanning · AWS Security · Azure Security · CI/CD Gates · Threat Modelling

// 07

Learning Labs

TryHackMe · Rooms · Paths

Global Rank: Top 4% · Total Points: 48,200 · Day Streak: 142 · Rooms Done: 38 · Paths Active: 6

🤖 AI SECURITY PATH — 72% PROGRESS
LLM Attacks · Prompt Injection · Adversarial ML · OWASP LLM TOP 10

🔴 OFFENSIVE PENTESTING — 88% PROGRESS
Web Exploitation · Privilege Escalation · Post-Exploitation · CTF Challenges

🌐 WEB APP PENTESTING — 95% PROGRESS
OWASP Top 10 · Burp Suite · SQLi · XSS · IDOR · API Attacks

🤖
AI ✓ Done
Intro to LLM Security
Fundamentals of LLM attack surfaces — prompt injection, jailbreaks, data exfil via model outputs, and OWASP LLM Top 10 mapping.
Prompt Injection · Jailbreaking · LLM01
COMPLETION 100% · 1,200 XP · 12 / 12 tasks

💉
AI In Progress
RAG Pipeline Attacks
Exploiting retrieval-augmented generation — knowledge base poisoning, vector store injection, and cross-user data leakage via shared context.
RAG Poisoning · LLM03 · Vector DB
COMPLETION 65% · 980 XP · 8 / 12 tasks

🕵️
Hard In Progress
Agentic AI Red Teaming
Attack autonomous AI agents — indirect prompt injection chains, tool abuse, privilege escalation through agent-to-agent trust boundaries.
Agent Hijacking · LLM08 · MITRE ATLAS
COMPLETION 40% · 1,500 XP · 6 / 15 tasks

🌐
Medium ✓ Done
OWASP Top 10: 2021
Hands-on exploitation of all 10 OWASP categories — injection, broken auth, IDOR, security misconfig, and cryptographic failures on intentionally vulnerable apps.
SQLi · XSS · IDOR · SSRF
COMPLETION 100% · 2,400 XP · 24 / 24 tasks

⚙️
Medium ✓ Done
GraphQL & REST API Attacks
BOLA, BFLA, mass assignment, introspection abuse, JWT algorithm confusion, and rate-limit bypass across GraphQL and REST API endpoints.
BOLA · BFLA · JWT · GraphQL
COMPLETION 100% · 1,800 XP · 18 / 18 tasks

🕷️
Hard In Progress
Advanced Burp Suite
Macro recording, session handling rules, custom Collaborator payloads, extension development, and automation scripting for complex engagement scenarios.
Burp Suite Pro · Intruder · Extensions
COMPLETION 70% · 1,400 XP · 14 / 20 tasks

💀
Hard ✓ Done
Red Team Fundamentals
Full red team engagement lifecycle — initial access, lateral movement, persistence, C2 frameworks, and adversary simulation mapped to MITRE ATT&CK.
MITRE ATT&CK · C2 · Persistence
COMPLETION 100% · 3,200 XP · 32 / 32 tasks

📱
Easy ✓ Done
Android App Security
MASVS-aligned Android testing — APK reversing, certificate pinning bypass with Frida, insecure data storage, intent interception, and deeplink abuse.
Frida · MobSF · MASVS · APK
COMPLETION 100% · 1,600 XP · 16 / 16 tasks

☁️
Medium New
Attacking & Defending Azure
Azure AD misconfigs, service principal abuse, Managed Identity exploitation, Defender for Cloud evasion, and Sentinel log analysis for blue team response.
Azure AD · IAM · Sentinel · AZ-500
COMPLETION 15% · 2,000 XP · 3 / 20 tasks

// 07.2

Certs & Badges

Completed · In Progress · Planned
🏅
PCI DSS QSA-Ready
PCI Security Standards Council
✓ Applied
🛡️
AZ-500
Microsoft Azure Security
⏳ In Progress
🔴
eWPTX
eLearnSecurity Web PT Xtreme
📌 Planned
🤖
AI Red Team Cert
OWASP / MITRE ATLAS
📌 Planned
// 08

Let's Talk Security

START A CONVERSATION

Need a focused pentest for an upcoming release, an AI/LLM security assessment, PCI DSS-aligned testing, or an independent review of an existing application? Fill out the form and I'll respond within one business day.
