Web Application Security researcher.

Gouthaman G — final-year B.Tech Cybersecurity student building toward a career in VAPT and application security, one CTF flag and one custom-built scanner at a time.

VAPTPJPT (in progress)API SecurityCTF — Team Hunter
See the work → Download résumé
About

I'm a final-year B.Tech Cybersecurity student at Amrita Vishwa Vidyapeetham, Coimbatore, graduating in 2027. My core focus is Vulnerability Assessment & Penetration Testing (VAPT) — I'm currently working toward the Practical Junior Penetration Tester (PJPT) certification and building my offensive security fundamentals through structured lab work on PortSwigger's Web Security Academy.

API security is one of the domains I specialize in within that broader VAPT practice — it's where a lot of my project work lives, because API attack surfaces (BOLA, broken auth, GraphQL misconfigurations) reward exactly the kind of tool-building I enjoy. But my interests extend across web app pentesting, network security, and competitive security research through CTFs.

I learn best by building — if I want to understand a vulnerability class properly, I write a scanner that finds it, then test it against deliberately vulnerable labs until it holds up.

YearFinal year (2027)
InstitutionAmrita Vishwa Vidyapeetham
Primary focusVAPT
In progressPJPT — TCM Security
SpecializationAPI Security
TeamTeam Hunter (CTF)
Focus

Three practices, one instinct: break it to understand it.

01

VAPT

Structured, methodology-driven assessment of web applications and networks — working toward PJPT while practicing on PortSwigger's Web Security Academy and lab environments like crAPI and DVGA.

02

API Security

My specialization within VAPT. Deep, hands-on work with the OWASP API Top 10 — BOLA, mass assignment, broken auth, GraphQL misconfigurations — expressed through Aegis-API and a schema-aware zero-trust gateway.

03

Competitive Security

Sharpening the same instincts under time pressure with Team Hunter — crypto, pwn, web, and reversing across 60+ CTF events, ranked 68th globally and 7th in India in 2026.

Selected work

Projects, built to find what review misses.

Flagship project

Aegis-API

Python · REST / SOAP / GraphQL · 17+ build phases

A multi-protocol API penetration testing framework I built to properly understand the OWASP API Security Top 10 — not just read about it. It scans REST, SOAP, and GraphQL services end to end: discovering endpoints via Swagger/OpenAPI and WSDL enumeration, mapping GraphQL schemas through introspection, then actively probing for the vulnerability classes that matter most in modern APIs.

PythonRequestsLXMLFPDF2DockerGitHub Actions
  • Automated detection for BOLA, broken authentication, mass assignment, and rate-limiting flaws
  • Dynamic CVSS v3.1 scoring with evidence collection and auto-generated VAPT reports
  • Tested against intentionally vulnerable labs — crAPI, DVGA — to validate real detection accuracy
  • CI/CD security testing pipeline via GitHub Actions for continuous assessment
Final year project

Zero-Trust Gateway for GraphQL

Schema validation · Authorization enforcement

An in-progress security gateway that stops one of the most common real-world GraphQL failures: Broken Object Level Authorization. Instead of trusting a resolver to check permissions correctly, the gateway enforces authorization at the schema level under a zero-trust model — every field access is validated against the requester's actual permissions, regardless of what the query looks like.

GraphQL SecurityZero-Trust ArchitectureSchema ValidationBOLA Prevention
Network security

Intrusion Prevention System

Python · Scapy · iptables

A network intrusion prevention system built to understand detection and response at the packet level. It inspects traffic in real time with Scapy and enforces blocking decisions dynamically through iptables, rather than relying on static, pre-defined rules alone.

PythonScapyiptables
  • 10+ custom rules detecting ICMP/UDP/SYN floods, SQLi, XSS, and directory traversal
  • Automated suspicious-IP blocking with full event logging for post-incident analysis
Competitive security

Team Hunter.

I compete with Team Hunter, an academic CTF team from Amrita Vishwa Vidyapeetham. We're driven by curiosity and a love for hard problems — crypto, pwn, web, and reversing — and we aim to learn something new with every flag we capture.

In 2026 the team placed 68th globally and 7th in India across 60+ competitive events, with several podium and top-5 finishes along the way.

Team Hunter
Te@/\/\ #unter · Academic Team, Amrita Vishwa Vidyapeetham
68thGlobal rank 2026
7thIndia rank
60+events entered
We're actively recruiting →
Notable placements — 2026
#1 / 1st
SecLeaf Q2 CTF 2026
6,195 pts
#3 / 3rd
Hackअस्त्र
7,844 pts
#3 / 3rd
RAMunchers CTF
3,458 pts
#4 / 4th
ZeroDay Heist 2026
9,673 pts
#4 / 4th
bhackari CTF 2026
4,158 pts
#4 / 4th
HASBLCTF26
8,150 pts
#5 / 5th
CryptoNite CTF 2026
3,356 pts
#6 / 6th
plfanzen CFT 2026
3,707 pts
Toolkit

Offensive tools

  • Burp Suite
  • Nmap
  • Metasploit Framework
  • Nessus Essentials
  • Wireshark
  • OWASP ZAP

Domain knowledge

  • OWASP Top 10 & API Top 10
  • BOLA / IDOR
  • SQLi, XSS, CSRF
  • JWT & auth vulnerabilities
  • GraphQL security
  • CVSS v3.1 scoring

Build stack

  • Python
  • Bash scripting
  • Docker
  • Git / GitHub Actions
  • Kali Linux
  • C
Certifications

Practical Junior Penetration Tester (PJPT)

TCM Security
In progress

Cisco Ethical Hacker

Cisco

Cisco Networking Fundamentals

Cisco