est. India offensive security IST 00:00:00

Pavan Saxena

rootkid

$ penetration tester

If it's smart, it's vulnerable. That's the job — red team ops, end-to-end VAPT, and bug hunts on logic and config nobody stress-tested before ship. Recruiters see deliverables. Hackers see how it was done.

keep going

whoami

always chasing a harder target. here's who's chasing.

I'm Pavan Saxena — online, mostly rootkid. I break into things on purpose: web apps, APIs, networks, mobile, and more. Red teaming and full-scope VAPT are the day job — recon to root, then a report a developer can actually use. Bug bounties and CTFs keep the edge sharp; write-ups and workshops are how I pay it back. I spend a fair chunk of time training and mentoring — workshops, interns, teams.

No CS degree, no neat roadmap — just labs, broken VMs, and a lot of 2 a.m. "wait, why does this work" moments. That's why my Cyber Journal is free and hands-on: the guide I wish I'd had when I started.

Skills over knowledge. — the rule I learned everything by

There's always a harder target and a cleaner write-up to chase — that's the part I'm in no hurry to finish. Everything else here — findings, certs, the journal — is just the trail behind the work.

experience

technical depth, training, leadership — the professional record behind the work.

career metrics

  • 0 years in offensive security consulting
  • 0 security assessments
  • 0 vulnerabilities reported to clients
  • 0 offensive security teams led
  • 0 professionals trained & mentored

domains assessed

  • network
  • network segmentation
  • web apps
  • api
  • mobile
  • thick client
  • cloud
  • source code
  • wireless
  • active directory
  • database
  • architecture review
  • config review
  • red team

sectors — VAPT & red team

  • Aerospace & Defense
  • Agriculture
  • Automotive
  • Banking & Finance
  • BPO & IT Services
  • Chemical
  • Construction
  • Critical Infrastructure
  • E-commerce
  • Education
  • Energy & Power
  • Fintech & Payments
  • Gaming
  • Government
  • Healthcare
  • Hospitality
  • Insurance
  • Legal
  • Logistics & Shipping
  • Manufacturing
  • Media & Entertainment
  • NGO & Non-profit
  • Oil & Gas
  • Pharmaceuticals
  • Real Estate
  • Retail
  • Sports
  • Technology & SaaS
  • Telecom
  • Utilities
  • Water & Waste

cve credits

public vulnerability disclosures — credited research with CVE assignment.

  • CVE-2026-55165 4.8 · medium

    Netflix Lemur

    JWT verifier trusts attacker-supplied alg from the token header instead of pinning allowed algorithms — CWE-347 defense-in-depth gap in auth/service.py, chain-dependent ATO when paired with secret disclosure. Affects ≤1.9.2.

  • CVE-2026-55166 9.9 · critical

    Netflix Lemur

    SSO auto-provision at active=True chains with attacker-controlled ACME acme_url SSRF to EC2 IMDS (CWE-918) and creator-equality IDOR on cert private keys (CWE-639) — any federated user exfiltrates worker IAM creds and retains PKI keys after ownership transfer. Affects ≤1.9.0.

security disclosures

every harder target adds a line to the trail — from recon to report, repeat.

  • Inflectra
  • KnowledgeOwl
  • NCIIPC
  • NTUC Enterprise
  • IOM
  • PingCAP
  • Afterpay
  • Swarms
  • Netflix
  • phpMyAdmin
  • Apache Burr
  • Mautic
  • Asciinema
  • Pimcore
  • Woodpecker CI
  • IBM
  • Vercel
  • Orderly
  • Matomo
  • MongoDB
  • Splunk
  • Vespa
  • Apple PCC
  • webhound
  • Microsoft
  • Google
  • WordPress
  • Matomo
  • Vercel
  • Apache Burr
  • Splunk
  • WordPress
  • Afterpay
  • PingCAP
  • Mautic
  • Woodpecker CI
  • phpMyAdmin
  • webhound
  • Asciinema
  • MongoDB
  • IBM
  • Microsoft
  • KnowledgeOwl
  • Pimcore
  • NCIIPC
  • Orderly
  • Google
  • IOM
  • Vespa
  • Swarms
  • Netflix
  • Apple PCC
  • Inflectra
  • NTUC Enterprise

arsenal

tools, domains and methods — built in labs, proven in production.

Recon & OSINT

  • Subdomain Enum
  • OSINT
  • DNS Recon
  • Nmap
  • Dir Fuzzing
  • Shodan / Censys

Exploitation

  • Metasploit
  • Exploit Dev
  • Privilege Esc.
  • Buffer Overflow
  • Payload Craft
  • AV Evasion

Web & API

  • Burp Suite
  • OWASP Top 10
  • Logic Flaws
  • SSRF
  • XSS & SQLi
  • IDOR / Access
  • API Testing

Network & AD

  • Active Directory
  • Kerberoasting
  • Pivoting
  • SMB / Relay
  • Wireless / WPA
  • Packet Analysis

Red Team Ops

  • C2 Frameworks
  • Initial Access
  • Lateral Movement
  • Persistence
  • Defense Evasion

Reporting & GRC

  • VAPT Reporting
  • CVSS Scoring
  • Threat Modeling
  • ISO 27001 LA
NmapAmassSubfinderhttpxffufGobusterNucleiKatanaBurp SuitesqlmapOWASP ZAPNiktoWPScanMetasploitmsfvenomsearchsploitGhidrapwntools
BloodHoundNetExecImpacketMimikatzRubeusResponderKerbruteevil-winrmCobalt StrikeSliverHavocWiresharkHashcatJohn the RipperHydraAircrack-ngFridaMobSF

certifications

credentials that follow the work, not lead it.

  • CSSP-AWS
  • OSCP
  • OSWP
  • KLCP
  • ISO 27001
  • CAPen
  • CEH
  • eJPT v2
  • CNSP
  • ISC2 CC
  • CAP
  • AZ-900

talks

talks that follow the practice — workshops, keynotes, and CTF builds.

2025 1 talk
workshop · keynote BSides Agra 0x01

Red Team Thinking for Pentesters

Full workshop track on attacker mindset for offensive engineers.

2024 5 talks
keynote Null · Vadodara

Active Directory Pentesting — 101

Enumeration → relay → DCSync, walked end-to-end with live demos.

keynote Null · Ahmedabad

Active Directory Pentesting — 101

From Kerberoasting to domain admin — the AD kill-chain explained.

keynote The Hackers Community · Vadodara

Introduction to HTTP Request Smuggling

CL.TE, TE.CL & H2.CL — front/back-end desync demoed on vulnerable stacks.

keynote ExploitXplorers Community

Android & iOS Application Pentesting

Static + dynamic analysis, Frida hooks and IPA/APK teardown across both stacks.

keynote Karnavati University

Kali Linux & Wireless Hacking

Kali fundamentals → deep wireless-hacking track with hands-on practice.

2023 5 talks
session Parul University

VAPT Basics — live SQLi & XSS

VAPT fundamentals, standards & methodologies + hands-on SQLi/XSS on live apps.

keynote The Hackers Community · Vadodara

Red Team — Recon 101

Subdomain enum, JS bundle mining and asset discovery the attacker way.

keynote · CTF Karnavati University

CTF Toolset & Hands-on Practical

Tooling walk-through plus a custom-built CTF for the practical block.

keynote · CTF The Hackers Community · Ahmedabad

Linux Privilege Escalation: Elevate Your Controls

Organized a custom CTF for all participants alongside the keynote.

keynote The Hackers Community · Ahmedabad

The Art of Exploiting Logic Flaws

Why scanners miss the biggest payouts — pattern hunting for business-logic abuse.

work with me

open to freelance and consulting — project-based offensive security engagements.

engagement types

open to projects

  • Vulnerability Assessment and Penetration Testing
  • Red Team Operations
  • Corporate Security Training
  • Team Mentoring & Upskilling
  • Workshop Sessions & Custom CTF Builds
  • Cyber Security Consultation
  • remote
  • on-site
  • project-based
  • retainer

Full-time roles welcome too — but freelance and consulting projects are actively open.

the journal

the journal behind the work — every finding worth sharing ends up here.

fetching blog sections … blog.rootkid.in ↗

The live journal mirror needs http(s). Read directly at blog.rootkid.in.

Full archive at blog.rootkid.in.