skip to content
$sarthak.giri
00cybersecurity engineer · ethical hacker · full-stack

Sarthak Giri.
Builds secure digital systems.

I build secure, scalable, and intelligent digital systems — blending offensive security thinking with full-stack craft and AI-augmented product work.

sys.core
booting
v3.0.0loading core…
01Selected Work

Featured projects — case studies, not screenshots.

Each one ships in production, breaks something old, or stretches into a new domain. Pick one to see the problem it solves and how it's built.

01BUILDING

Stockxie

AI stock battle & market discovery

Problem

Retail investors are buried in noise. Comparing two stocks the way a portfolio manager would is slow, scattered, and intimidating.

+solution
Solution

A head-to-head AI battle interface that ranks any two tickers on fundamentals, momentum, and sentiment, then explains the verdict in plain English.

stack
Next.jsTypeScriptSupabaseAI SDKTailwindVercel
Stockxie
read case study
+key features
  • Side-by-side stock battle UX
  • AI-narrated verdict & rationale
  • Live market data + sentiment fusion
  • Discovery feed for new tickers
02LIVE

Net Zero Waste

Sustainability platform & guidance engine

Problem

Most people want to recycle correctly but the rules are local, confusing, and change constantly across regions.

+solution
Solution

A mobile-first PWA that identifies the right bin for any item, tracks impact over time, and nudges sustainable habits with real-time guidance.

stack
ReactPWATypeScriptVercel
Net Zero Waste
read case study
+key features
  • Smart bin identification
  • Sustainability metrics dashboard
  • Offline-first capability
  • Mobile-first design
03LIVE

24-7Jobs

MERN job platform with role-aware matching

Problem

Candidates and recruiters live in different funnels. Generic boards bury good matches under noise and slow first-contact loops.

+solution
Solution

A MERN job platform with role-aware matching, faster apply flows, and recruiter tooling that prioritises signal over volume.

stack
MongoDBExpressReactNode.js
247jobs — zsh
$node match --role "full-stack" --signal-only
▸ parsing candidate profile … ok
▸ scoring 1,284 open roles
{
"match": "Senior Full-Stack Engineer",
"signal": 0.94, "noise": 0.06,
"first_contact": "2h 14m"
}
✓ 12 high-signal matches → inbox
$
read case study
+key features
  • Role-aware candidate matching
  • Recruiter dashboard
  • Saved searches & alerts
  • Application tracking
04LIVE

Security Labs

Web AppSec research & responsible disclosure

Problem

Real-world security skill grows in labs, not in slide decks. Most learning paths skip the part where you actually break things safely.

+solution
Solution

A personal lab series — controlled targets covering OWASP Top 10 categories, written up as walkthroughs with the fix alongside the finding.

stack
Burp SuiteOWASP ZAPDockerLinux
sec.lab — zsh
$./run --target juice-shop --scope owasp-a03
▸ recon ………………… done
▸ injection [VULN] ' OR 1=1 -- → 200 OK
▸ fix parameterize · deny by default
▸ writeup labs/a03-injection.md
✓ disclosed responsibly · patched · published
$
read case study
+key features
  • OWASP Top 10 coverage
  • Responsible disclosure write-ups
  • Reproducible Docker labs
  • Defensive remediation guides
02About

I work where security, software, and intelligence meet.

I'm Sarthak — a builder who thinks like an attacker. I design and ship full-stack products, harden the cloud infrastructure they run on, and pull AI into the loop when it earns its place.

Most of my work lives at the intersection of three lanes: web application security and ethical hacking, full-stack development with TypeScript and Next.js, and AI-augmented product engineering. I care about systems that don't break quietly — and shipping fast without leaving holes behind.

Web AppSecCloudTypeScriptAI ProductsLinux
system.profile
identity verified
role
Cybersecurity Engineer · Builder
location
Sydney, Australia · UTC+10:00
focus
AppSec · Cloud Security · AI Products
stack
TypeScript · Next.js · Node · Supabase
currently
Open to roles & freelance security work
clearance
Responsible disclosure only
12+
projects
3+
years
50+
cves
— s.g.
03Skills

A focused stack across four disciplines.

No buzzword soup, no made-up percentages. Tools I reach for daily — and the receipts to back them up.

Offense-first web AppSec, OWASP-grounded vulnerability assessment, and secure-by-default architecture.

daily drivers
Burp SuiteOWASP ZAPThreat modelingWeb app pentestingNetwork securitySecure code review
03.5Code activity

Live from GitHub.

Pulled hourly from the GitHub public API. No tracking, just receipts for what I'm shipping.

22
Public repos
3mo ago
Last push
recently pushed
top languages
JavaScriptHTMLPythonPHPRuby
04Security Mindset

How I think about secure systems.

Security isn't a section in the spec — it's the spec. This is the lens I bring to every project.

01

Secure by default

I design architectures where the safe path is the easy path — least privilege, defaults that deny, and secrets that never touch a repo.

02

OWASP-grounded

I model threats against OWASP Top 10 and Top 25 before code ships, not after a scanner cries.

03

Defense in depth

Edge → API → data — every layer assumes the layer above it can fail, so a single bypass isn't a full compromise.

04

Responsible testing

Always scoped, always authorized. I disclose findings privately, ship the fix path, then publish learnings.

web app security · learning path
  1. 01

    Foundations

    HTTP/TLS internals, browser sandboxes, cookies, SOP, CORS.

  2. 02

    OWASP Top 10

    Injection, broken auth, IDOR, SSRF, XSS — exploited and patched.

  3. 03

    AppSec craft

    Burp Suite, ZAP, parameter tampering, authz testing, race conditions.

  4. 04

    Cloud + IaC

    Hardened deploys on Vercel + Cloudflare, secret hygiene, IAM.

  5. 05

    Detection

    Reading logs like prose. Building alerts that catch real signal.

practices · daily defaults
  • Threat-model before scaffold
  • Validate input at every trust boundary
  • Parameterize queries, never concatenate
  • Rotate secrets, scope tokens, expire sessions
  • Pin dependencies, audit weekly
  • Log enough to investigate, never enough to leak
disclosure policy

If you've shipped a bug, I'll tell you privately first. Coordinated disclosure, never drama.

05Journey

Six years from curiosity to craft.

Education, web, ops, security, AI — each layer compounding on the last. Scroll to advance through the timeline.

  1. 2020// edu

    Started coding

    Education · Self-taught

    Picked up HTML/CSS/JS, then dove into Python. First taste of breaking things on purpose.

  2. 2021// web

    Web development apprenticeship

    Freelance · Client projects

    Shipped marketing sites and small apps with React. Learned what production actually means.

  3. 2022// ops

    IT & technical operations

    Operations role

    Networking, Linux administration, infrastructure scripts. Found the seams between dev and ops.

  4. 2023// sec

    Cybersecurity deep dive

    Self-directed · Labs

    OWASP Top 10 head-on, Burp Suite + ZAP daily, first responsibly disclosed findings.

  5. 2024// ai

    AI-augmented product work

    Independent · Stockxie + tools

    Pulled LLMs into the loop on real products. Shipped market intelligence and developer tooling.

  6. 2026// ops

    Head technician · Zone Bowling

    Zone Bowling · Current role

    Keeping lanes, pinsetters, and a floor of arcade machines alive by day — building secure software after hours.

after hoursinsert coin

ZONE.ARCADE

Day job: head technician at Zone Bowling — 16 lanes, a floor of arcade machines, and every one of them convinced it should break on league night.

lane.07
tap to aim · tap to throw
5 frames · 2 balls each · strikes pay bonus
000
lanes kept alive
000+
machines revived
000+
league nights saved
PINSETTER.SYS

Pinspotter surgery

Tear-downs, rebuilds, and live diagnosis on the machines that never get to stop. Mechanical, electrical, and the occasional percussive maintenance.

[ 1 credit · press start ]
ARCADE.DBG

Cabinet debugging

I/O boards, card readers, coin mechs, CRTs and LCDs. Find the fault, swap it, solder it, test it — then watch a kid break it again by Friday.

[ 1 credit · press start ]
LANE.OPS

Keeping league night up

Lane machines, scoring systems, and the network behind them. When all 16 lanes are full, downtime is measured in groans per minute.

[ 1 credit · press start ]
SAME.INSTINCT

Why it fits

Hardware or software, the job is identical: take it apart, find why it fails, put it back stronger. Security work with grease under the fingernails.

swipe for more cabinets →

07let's build

Let's build something secure.

Open to security engineering roles, full-stack contracts, and serious freelance work. If you want to ship something fast and ship it safe — I'm in.

new transmissionenc · tls 1.3
response · within 24h