I'm an Application Security specialist passionate about finding vulnerabilities before attackers do, and helping teams build safer digital products.

About Me

I specialize in Application Security and Penetration Testing - helping teams integrate security practices directly into the development lifecycle. I enjoy automating security checks, building secure CI/CD pipelines, and making security an enabler rather than a blocker.

Experience

Senior Application Security Specialist - Xsolla
July 2025 - Present
  • Pioneered secrets management strategy with HashiCorp Vault across 3 data centers, preventing policy sprawl and minimizing secret exposure during provisioning.
  • Prevented PCI non-compliance risk by analyzing PHP source code and identifying 23 sensitive data exposure points in logs.
  • Scaled recurring vulnerability detection across 400+ domains using Python automation and intelligence from 2500+ reports.
  • Optimized bug bounty triage throughput by building AI-driven report screening and duplicate detection tools.
  • Secured 9 business-critical product releases by performing pre-rollout security assessments combining threat modeling, secure code review, and penetration testing.
Bug Hunter - Qarabug
July 2025 - Present
  • Reported 7 vulnerabilities within first month, including critical account takeover attack chain in mobile banking application.
  • Strengthened security of government services by submitting 17 findings during national bug bounty competition.
  • Delivered talk on crafting professional bug bounty reports, emphasizing clarity, structure, and impact communication.
Senior Application Security Specialist - Unibank
October 2024 - July 2025
  • Achieved 100% CI/CD security coverage by operationalizing centralized repository import model with custom rules, ignore policies, and visibility alerts.
  • Uncovered critical SCA bottleneck in outdated framework and led company-wide upgrade, cutting findings by 2/3.
  • Redesigned container security strategy by integrating Trivy into base image build pipeline, driving 95% reduction in project-level findings.
  • Introduced STRIDE-based threat modeling practice via PoC in early-stage SaaS project, later continued by security team.
  • Authored OWASP-aligned secure coding training with 5 chapters, incorporated into developer onboarding.
Lead Penetration Tester - Unibank
September 2022 - September 2024
  • Transformed ad-hoc penetration testing intake into structured Jira-based workflow, reducing delays and confusion across 5 business units.
  • Formalized engagement capacity allocation model with distribution rules across teams, preventing conflicts and resource overload during parallel requests.
  • Built vulnerability tracking system with findings linked to engagement tickets, enabling traceability and explicit ownership across applications and severity levels.
  • Initiated security assessment of untested internet banking platform, uncovering critical risks that drove executive escalation and accelerated system replacement.
  • Championed security in agile sprints across 10+ squads, influencing design decisions and backlog prioritization by challenging assumptions on security impact and remediation urgency.
Penetration Tester - Unibank
July 2021 - September 2022
  • Identified 100+ vulnerabilities in first 6 months across web and mobile products, including critical authorization bypass in payment flow without user interaction.
  • Automated session hijacking detection in mobile banking application using Python scripts, identifying 100+ vulnerable API routes and leading to session validation redesign.
  • Reverse-engineered banking application APK to programmatically extract 200+ endpoints and infer request parameters, expanding testing coverage.
  • Uncovered 15+ internal network attack paths using ARP-based MITM techniques, including session compromise, insecure defaults, and unauthenticated services.
Ethical Hacking and Programming Instructor - Code Academy
June 2023 - February 2025
  • Trained 75+ beginner students in ethical hacking fundamentals through CTF exercises, hands-on labs, and real-world scenarios.
  • Delivered 6-day web hacking masterclass, enabling 19 students to exploit OWASP Top 10 vulnerabilities in controlled environments.
  • Conducted hands-on Python, web development, and SQL training to 20+ students within cybersecurity curriculum.
  • Refined ethical hacking syllabus with 16 modules, structuring complex topics into practical learning paths.

Core Skills

Application Security
Penetration Testing
DevSecOps
Threat Modeling
Secure Code Review
Programming

Projects

Burp Playbook - Practical Guide to Building Custom Extensions with Python

A practical e‑book that teaches you how to build Burp Suite extensions from scratch. Clear step‑by‑step examples, runnable code, and real-world exercises to automate and improve your testing workflow.

  • Step‑by‑step extension development guide
  • Complete example code & integration tips
  • Automation techniques to speed up testing

Centralized DevSecOps Pipeline Automation

  • Established a centralized orchestration system for managing SAST scan configurations, implementing custom code rules and ignore policies.
  • Uncovered a critical SCA bottleneck in outdated framework versions; led a company-wide upgrade, cutting findings by two thirds and seamlessly enforcing prevention mode.
  • Optimized CI/CD pipeline jobs for 100% SAST coverage and scan accuracy across all project types, following DRY and retry/fail-fast principles as well as setting up alerts for full visibility into failures.
  • Rolled out an end-to-end vulnerability triage process, including a dedicated Jira board, standardized reporting templates, "how-to" guidelines for developers, and an internal channel for quick reference on recent dependency updates.

From the Blog

Brand-new prototype pollution gadget in MongoDB leading to RCE

I uncovered a new prototype pollution gadget in mongodb NPM package version 6.6.2, that results in Remote Code Execution (RCE).

Why does cyber security matter for your business?

Understand how security vulnerabilities can impact your company's reputation and bottom line.

3 banking security mistakes to avoid for a safer digital experience

In this blog, I want to shed light on common mistakes, which can inadvertently put the security of our data and money at risk.

Data exfiltration using Excel

In this article, I talk about a new data exfiltration technique, which allows reading files on the victim's machine using an Excel file.

Kiber təhlükəsizliyə yeni başlayanlar üçün tez-tez verilən suallar | FAQ for beginners in cyber security

How integrating security early in development helps prevent costly incidents.

You're not as safe as you think: Here's why you may be the next target of a cyber criminal

Do you still believe hackers are only interested in spying on celebrities' lives or stealing money from well-known companies?

Contact

Let's connect! You can reach me via email or social media.

© 2025 Vusala. All rights reserved.