Sarthak Giri.
Builds secure digital systems.
I build secure, scalable, and intelligent digital systems — blending offensive security thinking with full-stack craft and AI-augmented product work.
Featured projects — case studies, not screenshots.
Each one ships in production, breaks something old, or stretches into a new domain. Pick one to see the problem it solves and how it's built.
Stockxie
AI stock battle & market discovery
Retail investors are buried in noise. Comparing two stocks the way a portfolio manager would is slow, scattered, and intimidating.
+solution
A head-to-head AI battle interface that ranks any two tickers on fundamentals, momentum, and sentiment, then explains the verdict in plain English.
A head-to-head AI battle interface that ranks any two tickers on fundamentals, momentum, and sentiment, then explains the verdict in plain English.
read case study +key features
- Side-by-side stock battle UX
- AI-narrated verdict & rationale
- Live market data + sentiment fusion
- Discovery feed for new tickers
- Side-by-side stock battle UX
- AI-narrated verdict & rationale
- Live market data + sentiment fusion
- Discovery feed for new tickers
Net Zero Waste
Sustainability platform & guidance engine
Most people want to recycle correctly but the rules are local, confusing, and change constantly across regions.
+solution
A mobile-first PWA that identifies the right bin for any item, tracks impact over time, and nudges sustainable habits with real-time guidance.
A mobile-first PWA that identifies the right bin for any item, tracks impact over time, and nudges sustainable habits with real-time guidance.
read case study +key features
- Smart bin identification
- Sustainability metrics dashboard
- Offline-first capability
- Mobile-first design
- Smart bin identification
- Sustainability metrics dashboard
- Offline-first capability
- Mobile-first design
24-7Jobs
MERN job platform with role-aware matching
Candidates and recruiters live in different funnels. Generic boards bury good matches under noise and slow first-contact loops.
+solution
A MERN job platform with role-aware matching, faster apply flows, and recruiter tooling that prioritises signal over volume.
A MERN job platform with role-aware matching, faster apply flows, and recruiter tooling that prioritises signal over volume.
+key features
- Role-aware candidate matching
- Recruiter dashboard
- Saved searches & alerts
- Application tracking
- Role-aware candidate matching
- Recruiter dashboard
- Saved searches & alerts
- Application tracking
Security Labs
Web AppSec research & responsible disclosure
Real-world security skill grows in labs, not in slide decks. Most learning paths skip the part where you actually break things safely.
+solution
A personal lab series — controlled targets covering OWASP Top 10 categories, written up as walkthroughs with the fix alongside the finding.
A personal lab series — controlled targets covering OWASP Top 10 categories, written up as walkthroughs with the fix alongside the finding.
+key features
- OWASP Top 10 coverage
- Responsible disclosure write-ups
- Reproducible Docker labs
- Defensive remediation guides
- OWASP Top 10 coverage
- Responsible disclosure write-ups
- Reproducible Docker labs
- Defensive remediation guides
I work where security, software, and intelligence meet.
I'm Sarthak — a builder who thinks like an attacker. I design and ship full-stack products, harden the cloud infrastructure they run on, and pull AI into the loop when it earns its place.
Most of my work lives at the intersection of three lanes: web application security and ethical hacking, full-stack development with TypeScript and Next.js, and AI-augmented product engineering. I care about systems that don't break quietly — and shipping fast without leaving holes behind.
A focused stack across four disciplines.
No buzzword soup, no made-up percentages. Tools I reach for daily — and the receipts to back them up.
Offense-first web AppSec, OWASP-grounded vulnerability assessment, and secure-by-default architecture.
Live from GitHub.
Pulled hourly from the GitHub public API. No tracking, just receipts for what I'm shipping.
- 24-7jobsJavaScript · 3mo ago
- netzerowaste1— · 26mo ago
- zero_wastev1— · 27mo ago
How I think about secure systems.
Security isn't a section in the spec — it's the spec. This is the lens I bring to every project.
Secure by default
I design architectures where the safe path is the easy path — least privilege, defaults that deny, and secrets that never touch a repo.
OWASP-grounded
I model threats against OWASP Top 10 and Top 25 before code ships, not after a scanner cries.
Defense in depth
Edge → API → data — every layer assumes the layer above it can fail, so a single bypass isn't a full compromise.
Responsible testing
Always scoped, always authorized. I disclose findings privately, ship the fix path, then publish learnings.
- 01
Foundations
HTTP/TLS internals, browser sandboxes, cookies, SOP, CORS.
- 02
OWASP Top 10
Injection, broken auth, IDOR, SSRF, XSS — exploited and patched.
- 03
AppSec craft
Burp Suite, ZAP, parameter tampering, authz testing, race conditions.
- 04
Cloud + IaC
Hardened deploys on Vercel + Cloudflare, secret hygiene, IAM.
- 05
Detection
Reading logs like prose. Building alerts that catch real signal.
- Threat-model before scaffold
- Validate input at every trust boundary
- Parameterize queries, never concatenate
- Rotate secrets, scope tokens, expire sessions
- Pin dependencies, audit weekly
- Log enough to investigate, never enough to leak
If you've shipped a bug, I'll tell you privately first. Coordinated disclosure, never drama.
Six years from curiosity to craft.
Education, web, ops, security, AI — each layer compounding on the last. Scroll to advance through the timeline.
Started coding
Picked up HTML/CSS/JS, then dove into Python. First taste of breaking things on purpose.
- 2020// edu
Started coding
Education · Self-taughtPicked up HTML/CSS/JS, then dove into Python. First taste of breaking things on purpose.
- 2021// web
Web development apprenticeship
Freelance · Client projectsShipped marketing sites and small apps with React. Learned what production actually means.
- 2022// ops
IT & technical operations
Operations roleNetworking, Linux administration, infrastructure scripts. Found the seams between dev and ops.
- 2023// sec
Cybersecurity deep dive
Self-directed · LabsOWASP Top 10 head-on, Burp Suite + ZAP daily, first responsibly disclosed findings.
- 2024// ai
AI-augmented product work
Independent · Stockxie + toolsPulled LLMs into the loop on real products. Shipped market intelligence and developer tooling.
- 2026// ops
Head technician · Zone Bowling
Zone Bowling · Current roleKeeping lanes, pinsetters, and a floor of arcade machines alive by day — building secure software after hours.
ZONE.ARCADE
Day job: head technician at Zone Bowling — 16 lanes, a floor of arcade machines, and every one of them convinced it should break on league night.
Pinspotter surgery
Tear-downs, rebuilds, and live diagnosis on the machines that never get to stop. Mechanical, electrical, and the occasional percussive maintenance.
Cabinet debugging
I/O boards, card readers, coin mechs, CRTs and LCDs. Find the fault, swap it, solder it, test it — then watch a kid break it again by Friday.
Keeping league night up
Lane machines, scoring systems, and the network behind them. When all 16 lanes are full, downtime is measured in groans per minute.
Why it fits
Hardware or software, the job is identical: take it apart, find why it fails, put it back stronger. Security work with grease under the fingernails.
swipe for more cabinets →
Things I write down so I remember them.
Short field notes from security research, cloud deploys, and AI product work. New entries land here as they're written.
Let's build something secure.
Open to security engineering roles, full-stack contracts, and serious freelance work. If you want to ship something fast and ship it safe — I'm in.