Sarthak Giri.
Builds secure digital systems.
I build secure, scalable, and intelligent digital systems — blending offensive security thinking with full-stack craft and AI-augmented product work.
Featured projects — case studies, not screenshots.
Each one ships in production, breaks something old, or stretches into a new domain. Pick one to see the problem it solves and how it's built.
Stockxie
AI stock battle & market discovery
Retail investors are buried in noise. Comparing two stocks the way a portfolio manager would is slow, scattered, and intimidating.
A head-to-head AI battle interface that ranks any two tickers on fundamentals, momentum, and sentiment, then explains the verdict in plain English.
- Side-by-side stock battle UX
- AI-narrated verdict & rationale
- Live market data + sentiment fusion
- Discovery feed for new tickers
Net Zero Waste
Sustainability platform & guidance engine
Most people want to recycle correctly but the rules are local, confusing, and change constantly across regions.
A mobile-first PWA that identifies the right bin for any item, tracks impact over time, and nudges sustainable habits with real-time guidance.
- Smart bin identification
- Sustainability metrics dashboard
- Offline-first capability
- Mobile-first design
24-7Jobs
MERN job platform with role-aware matching
Candidates and recruiters live in different funnels. Generic boards bury good matches under noise and slow first-contact loops.
A MERN job platform with role-aware matching, faster apply flows, and recruiter tooling that prioritises signal over volume.
- Role-aware candidate matching
- Recruiter dashboard
- Saved searches & alerts
- Application tracking
Security Labs
Web AppSec research & responsible disclosure
Real-world security skill grows in labs, not in slide decks. Most learning paths skip the part where you actually break things safely.
A personal lab series — controlled targets covering OWASP Top 10 categories, written up as walkthroughs with the fix alongside the finding.
- OWASP Top 10 coverage
- Responsible disclosure write-ups
- Reproducible Docker labs
- Defensive remediation guides
I work where security, software, and intelligence meet.
I'm Sarthak — a builder who thinks like an attacker. I design and ship full-stack products, harden the cloud infrastructure they run on, and pull AI into the loop when it earns its place.
Most of my work lives at the intersection of three lanes: web application security and ethical hacking, full-stack development with TypeScript and Next.js, and AI-augmented product engineering. I care about systems that don't break quietly — and shipping fast without leaving holes behind.
A focused stack across four disciplines.
No buzzword soup. The tools and disciplines I reach for daily, grouped the way I actually think about them.
Offense-first web AppSec, OWASP-grounded vulnerability assessment, and secure-by-default architecture.
Live from GitHub.
Pulled hourly from the GitHub public API. No tracking, just receipts for what I'm shipping.
How I think about secure systems.
Security isn't a section in the spec — it's the spec. This is the lens I bring to every project.
Secure by default
I design architectures where the safe path is the easy path — least privilege, defaults that deny, and secrets that never touch a repo.
OWASP-grounded
I model threats against OWASP Top 10 and Top 25 before code ships, not after a scanner cries.
Defense in depth
Edge → API → data — every layer assumes the layer above it can fail, so a single bypass isn't a full compromise.
Responsible testing
Always scoped, always authorized. I disclose findings privately, ship the fix path, then publish learnings.
- 01 Foundations: HTTP/TLS internals, browser sandboxes, cookies, SOP, CORS.
- 02 OWASP Top 10: Injection, broken auth, IDOR, SSRF, XSS — exploited and patched.
- 03 AppSec craft: Burp Suite, ZAP, parameter tampering, authz testing, race conditions.
- 04 Cloud + IaC: Hardened deploys on Vercel + Cloudflare, secret hygiene, IAM.
- 05 Detection: Reading logs like prose. Building alerts that catch real signal.
- Threat-model before scaffold
- Validate input at every trust boundary
- Parameterize queries, never concatenate
- Rotate secrets, scope tokens, expire sessions
- Pin dependencies, audit weekly
- Log enough to investigate, never enough to leak
If you've shipped a bug, I'll tell you privately first. Coordinated disclosure, never drama.
Six years from curiosity to craft.
Education, web, ops, security, AI — each layer compounding on the last. Scroll to advance through the timeline.
- 2020 // edu — Started coding
  Education · Self-taught. Picked up HTML/CSS/JS, then dove into Python. First taste of breaking things on purpose.
- 2021 // web — Web development apprenticeship
  Freelance · Client projects. Shipped marketing sites and small apps with React. Learned what production actually means.
- 2022 // ops — IT & technical operations
  Operations role. Networking, Linux administration, infrastructure scripts. Found the seams between dev and ops.
- 2023 // sec — Cybersecurity deep dive
  Self-directed · Labs. OWASP Top 10 head-on, Burp Suite + ZAP daily, first responsibly disclosed findings.
- 2024 // ai — AI-augmented product work
  Independent · Stockxie + tools. Pulled LLMs into the loop on real products. Shipped market intelligence and developer tooling.
- 2026 // sec — Cybersecurity engineer · builder
  Current focus. Full-stack security work, secure-by-default architecture, and AI-augmented engineering.
Things I write down so I remember them.
Short field notes from security research, cloud deploys, and AI product work. New entries land here as they're written.
Let's build something secure.
Open to security engineering roles, full-stack contracts, and serious freelance work. If you want to ship something fast and ship it safe — I'm in.