MOST SEE A WALL. I SEE THE GAP.
I'm Shivam Goswami — known online as CSPSHIVAM. Seven years across penetration testing, SOC, EDR/XDR, incident response, and vulnerability management, plus an active bug bounty career recognized by Netflix, Google, and Meta. I don't just fill a security seat — I build the tools, teams, and companies that run it.
Every system has a seam. I find it before someone with worse intentions does — through a penetration test, a bug bounty report, or a 2 a.m. SOC alert — then close it, prove it's closed, and build the tool, team, or company that keeps it closed. Offense informs defense. That's how I operate. Building the businesses around it is how I grow.
Seven-plus years of enterprise security operations, one case file at a time.
PRESENT2Y+ · CURRENT
Own the enterprise vulnerability management program across infrastructure, cloud, applications, and every externally exposed asset. Drive remediation through Engineering, Infrastructure, Cloud, and Business teams using risk-based prioritization. Run attack surface management, credential-leakage tracking, and dark-web intelligence reviews — and deliver the executive-level metrics that keep leadership honest.
JUN 20231Y 10M
Led web application, infrastructure, network, and OS security assessments across enterprise environments. Manually validated vulnerabilities for real business impact, not just CVSS scores. Ran third-party vendor risk reviews, supported PCI DSS and ISO 27001 audit readiness, and mentored junior analysts into the process.
AUG 20211Y 2M
Web application, network, VPN, and VoIP security assessments. Supported SOC operations, incident investigations, and remediation validation from first alert to closure.
MAY 20207M
Application security assessments, vulnerability validation, and remediation verification for client engagements.
JUN 20192M
Web application security testing aligned with OWASP methodology — the starting point of the discipline everything after was built on.
Not just employed. Building.
A title only covers the hours I bill. The rest of the time goes into tools other researchers actually use, and — through my registered venture, Uncrypt.net — security services and an academy that trains people on real-world attacks and techniques, not theory. Uncrypt isn't the headline here; it's one more way of giving back to the community that gave me my first Hall of Fame.
Tool to automate reconnaissance — the first step of every engagement, made repeatable.
Fast subdomain enumeration tool, built with bash only. No dependencies, no friction.
An advanced web shell for achieving RCE through LFI & RFI — the go-to upload for fast, clean wins in bug bounty.
Generates Google dorks to surface directory listings, leaked logs, SQL errors and more — recon for hunters.
Deliberately vulnerable buffer-overflow apps, built for others to practice on — given back to the community.
Wraps common Nmap scanning workflows into one fast command — less syntax, faster first pass on a target.
Offense and defense, run by the same person.
Four disciplines, one practitioner. Knowing how a system breaks is what makes the defense of it credible.
- OWASP Top 10
- API Security Testing
- SAST · DAST · SCA
- Container Security
- Secure SDLC
- SIEM
- EDR / XDR
- Incident Response
- Threat Detection
- Attack Surface Mgmt
- PCI DSS
- ISO 27001
- Risk Assessment
- Remediation Governance
- Third-Party Risk
- AWS Cloud Security
- CI/CD Security
- Stakeholder Mgmt
- Executive Reporting
- Program Delivery
Hall of Fame across a growing list of global security programs.
Vulnerabilities disclosed and acknowledged by the organizations and platforms that run bug bounty and responsible disclosure programs at scale.
Let's harden
what matters.
Open to partnerships, advisory work, and conversations with teams who want a security program — or a security business — built properly from the ground up. Based in New Delhi, working with people anywhere.