open to opportunities

Sarthak
Agrawal

I break into systems (with permission), build tools that catch bad guys, and occasionally write code that compiles on the first try.

see what I've built say hello

// origin story

About — the human behind the keyboard

Portrait of Sarthak Agrawal

The short version

I grew up pulling things apart to see how they tick — clocks, radios, and eventually software stacks that really did not want to be pulled apart. That habit turned into a career in cybersecurity: find the crack, understand it, help teams fix it before someone less friendly does.

I care about clear writeups, tools that actually ship, and teaching others to read a trace without losing their soul. When I'm not in a shell, I'm probably brewing another pour-over or losing at a board game with deceptive mechanics.

Status
Available
Coffee meter
████░ 4/5
Soundtrack
lo-fi & metal — no in-between
Currently
Shipping this portfolio, tuning a custom fuzzer in Rust, and politely asking APIs to stop leaking secrets.

// the toolbelt

Skills — spells, scripts, and stubbornness

Offensive security
Web app pentesting API testing Network pentesting AD / identity Social engineering (authorized!)
Defensive & detection
SIEM queries Incident response Log analysis Threat hunting Forensics basics
Build & automate
Python Bash Docker CI/CD security Rust (getting there)

// side quests & main missions

Projects — things I actually finished

01

Recon pipeline

A opinionated bash + Python pipeline for scoped recon — less chaos, more signal, fewer accidental port scans of the wrong continent.

automation OSINT
GitHub →
02

JWT confusion lab

Mini app + notes on alg confusion and kid abuse — built so future me remembers why 3 a.m. debugging is a bad life choice.

web auth
Write-up →
03

CTF toolbox

Snippets and one-liners I've collected from war rooms, flights with no Wi‑Fi, and that one challenge that ate a weekend.

pwn crypto
GitHub →
04

Log hunter

Query pack + cheat sheet for turning noisy SIEM exports into "aha" moments without summoning a vendor SE.

blue team detection
Docs →
05

API fuzzer sketch

Throwing structured chaos at REST edges — rate limits, weird content types, and parameters that should not exist but do.

fuzzing APIs
GitHub →
06

Forensics quickstart

Disk and memory triage notes from CTFs — mostly so I stop re-learning file carving every six months.

forensics notes
Read →

// war stories

Writeups & CTF highlights

When the JWT algorithm lied to us
NullCTF 2025 · Web
web
Heap notes I wish I'd had on hour six
Local pwn night · Binary
pwn
RSA with extra steps (and fewer primes)
Crypto kitchen sink · Crypto
crypto
Carving files from chaos — a gentle introduction
Blue team brunch · Forensics
forensics
Cloud IAM: the misclick that wasn't
AppSec week · Cloud
cloud

// achievement unlocked

Certifications

OSCP
Offensive Security
2024
eLearnSecurity eJPT
INE Security
2023
AWS Security Specialty
Amazon Web Services
2025
CEH (Practical)
EC-Council
2022

// the main storyline

Timeline

2024 — present
Security Engineer
Product & platform security

Building safer systems, breaking them first, and writing tickets I'd actually want to receive. Focus on application security, tooling, and shipping without secrets in plain text.

2022 — 2024
Security Analyst → Pentester
Consulting & in-house product teams

Graduated from triage and alerts to full assessments, report writing that humans enjoy, and proof-of-concepts that actually reproduce.

2018 — 2022
B.Tech — Computer Science
University · CTF weekends included

Foundations in systems, networks, and the stubborn belief that every bug is a puzzle with a solution.

The beginning
Origin story
Script kiddie → curious engineer

Started with "what if I ran this in a VM?" and never really stopped asking unsafe questions in safe environments.

// end of file (almost)

Contact — say hello

Open to interesting roles, CTF teammates, and people who want to argue about password managers in a friendly way.

Email GitHub LinkedIn Twitter Instagram

Open to opportunities