// ABOUT

Ten years in offensive security.

This is the longer version — how I got here, what I focus on, and what I've put my name on along the way.

// 01 — Bio

The short version.

I'm Harsh Bothra — a security researcher, pentester and author based out of India. I've spent the last decade working across every surface offensive security touches: web and API, mobile and thick clients, networks and cloud, and most recently AI/ML and agentic systems.

The bulk of my career has been delivered as a pentester — over 700 engagements at this point, spanning startups, scaleups and publicly traded enterprises. Alongside the testing work, I've led triage operations, built and run security engineering functions, consulted on AppSec programs, and mentored a generation of new testers through writing, conference talks, and 1:1 sessions.

I'm a Computer Science Engineer, an OWASP chapter alumnus, former chapter leader of OWASP Bikaner, and a former chapter lead of OWASP Jaipur for over two years. I've authored two books on ethical hacking — both recommended by MHRD, AICTE & NITTTR for academic curriculum across Indian engineering institutions.

Today, I run my consultancy independently — taking on a small number of pentest, vCISO, advisory and mentorship engagements at a time. The work I do now is the kind that needs deep attention and senior judgement; that's the practice I've built.

10+ Years in offensive security
700+ Pentests delivered
20+ Conference & podcast talks
02 Books authored, MHRD-recommended

// 02 — Expertise

What I actually do.

The surfaces I've spent the most hours on.

// 03 — Career

How I got here.

A condensed timeline of roles & chapters.

PRESENT
Independent Security Consultant
Pentesting · vCISO · Advisory · Mentorship
Running a small, senior-led practice. Pentests across web, API, mobile, cloud, network & AI/ML, plus fractional CISO and advisory work. Limited mentorship slots.
PRIOR
Lead Pentester & Triage Engineer
Cobalt Core
Lead pentester & long-form security writer. Delivered hundreds of pentests through the Cobalt platform; wrote technical deep-dives on cookies, SSRF, GraphQL, prototype pollution, web cache poisoning & more.
PRIOR
Security Engineer · Researcher
Multiple security consultancies
Web app, mobile and network pentesting across enterprise clients; security engineering and AppSec program work for product teams.
ONGOING
Bug Bounty Hunter
Bugcrowd · HackerOne · Intigriti
Active in the bug bounty community for years — Bugcrowd MVP and a top-150 all-time researcher. Findings disclosed responsibly across dozens of programs.
2017 — 2020
Author — Two Books on Ethical Hacking
Khanna Publishing
Wrote Hacking: Be a Hacker with Ethics (2017) and Mastering Hacking (2020). Both recommended by MHRD, AICTE & NITTTR for engineering curriculum.
2015 — 2018
OWASP Chapter Leader
OWASP Jaipur · OWASP Bikaner
Chapter lead for OWASP Jaipur for over two years, then chapter leader for OWASP Bikaner. Organised meetups, talks & community programs.
// 04 — Certifications

Credentials.

For when the paperwork matters.

CEHv10: Certified Ethical Hacker
eWPTX: Web App Pentester eXtreme
eWPT: Web Application Pentester
eCPPTv2: Certified Professional Penetration Tester
C-AL/MLPen: Certified AI/ML Pentester

// 05 — Selected writing

A handful of favourites.

// Work with me

Pentest, advisory, vCISO or 1:1 mentorship.

Limited slots, senior attention, no surprises. Initial scoping is free and non-obligatory.
