Bhushan Kolhe, IT Security Specialist / Penetration Tester

Bhushan Kolhe

IT Security Specialist / Penetration Tester·CyberGate Defense,

United Arab Emirates

Bachelor's degree, Information Technology

Work experience

Total years of experience: 6 years, 10 months

IT Security Specialist / Penetration Tester

August 2025 - April 2026

CyberGate Defense,

Abu Dhabi, United Arab Emirates


• Managing and conducting end-to-end Vulnerability Assessment and Penetration Testing (VAPT) for Web, Android, and
iOS platforms, identifying security flaws and ensuring compliance with industry standards.
• Performing comprehensive VAPT on Web, Android, and iOS applications using tools such as Burp Suite, MobSF, Drozer,
and OWASP frameworks to identify, exploit, and report security vulnerabilities.
• Identified vulnerabilities such as SQL Injection (SQLi), Cross-Site Scripting (XSS), Insecure Deserialization, Business Logic
Bypass, SSRF, BOLA, BFLA, privilege escalation and even out-of-the-box security vulnerabilities, along with chaining multiple
vulnerabilities.
• Conducted comprehensive source code reviews to identify security vulnerabilities in Applications built on Java, .NET,
Ruby, GraphQL, Swift, etc. to ensure secure coding practices are built in.
• Embedded Secure-By-Design principles into application development by conducting early-stage threat modelling,
secure design reviews and architectural risk assessment to prevent vulnerabilities before code implementation.
• Performed application security architecture review at design and pre-build stages, creating data like trust boundaries,
data flows and security control gaps to proactively close vulnerabilities at an early stage of development. (Proactive
Security).
• Designed and deployed F5 BIG-IP ASM / Advanced WAF solutions securing 10+ enterprise applications against OWASP
Top 10 web vulnerabilities, reducing critical incidents by 60%.
• Led the optimization of the Secure Software Development Lifecycle (SSDLC) process and embedded security into
design and early phases of SDLC (Shift Left + DevSecOps).
• Integrated SonarQube with GitLab for Automated Code Scanning, CI/CD Integration with SAST Tools for Shift Left
Approach based Vulnerability Assessment.
• Performing VAPT on Microsoft Active Directory (On-Prem) using tools such as BloodHound, SharpHound,
CrackMapExec, Mimikatz,
escalation opportunities.
• Conducting Cloud Security assessments on Microsoft Azure and AWS platforms leveraging tools like Pacu, Scout Suite,
and Prowler to identify misconfigurations, privilege escalations, and insecure service permissions.
• Implemented AI Governance Controls by defining secure usage guidelines, access controls, risk assessment process for
AI-enabled applications in line with enterprise security and compliance requirements.
• Supported AI Governance initiatives by defining security, privacy and risk controls. Also implemented controls like AI
Usage, access management to ensure AI System adherence and smooth AI Security Audit.
• Managing vulnerability advisories, threat intelligence, and cyber investigations — leveraging platforms such as MISP,
VirusTotal, and ThreatConnect to identify, correlate, and respond to evolving threats impacting Microsoft Azure, AWS,
and on-prem environments.
• Managing vulnerability lifecycle using Tenable Security Center Plus — performing scans, risk prioritization, and
remediation tracking across on-prem and cloud environments.
• Involved in AI governance initiatives — assessing AI model risks, data privacy compliance, bias mitigation, and
alignment with organizational and regulatory standards.
• Performing AI governance and assurance activities including model risk assessment, bias detection, and compliance
validation with frameworks such as ISO/IEC 42001, DPDP Act, and responsible AI guidelines — ensuring secure and
ethical deployment of AI systems.
• Performing data protection and privacy governance tasks aligned with UAE Federal Data Protection Law (PDPL), NEMA
regulations — focusing on lawful data processing, consent management, and cross-border data transfer compliance.
practices, compliance with UAE PDPL, NEMA, and GDPR-equivalent regulations, and reducing organizational risk
through proactive education.
• Tuned F5 WAF policies to reduce false positives.

Company industry:
IT Services
Job role:
Information Technology

Senior Cyber Security Analyst / Penetration Tester

December 2024 - August 2025

Phreesia – Goldman Sachs Project,

Mumbai, India


• Managed CI/CD Pipelines for Integration with SAST Tools like SonarQube, Checkmarx, Fortify using Jenkins, GitLab CI,
Azure DevOps.
• Automated Secure Code Scanning during pull requests and build stages to enforce security gates before deployment.
• Designed, implemented, and managed F5 ASM / Advanced WAF policies to protect enterprise web and API applications
against OWASP Top 10 vulnerabilities.
• Managed end-to-end vulnerability management lifecycle for multiple products, utilizing WIZ.io and Tenable to identify,
track, and remediate vulnerabilities across systems.
• Led penetration testing (VAPT) and subsequent red teaming activities for six product and product domains, conducting
comprehensive security assessments to identify and mitigate potential risks.
• Created and maintained JIRA tickets for identified vulnerabilities, ensuring effective tracking and resolution in
alignment with security protocols.
• Conducted comprehensive source code reviews to identify security vulnerabilities in Applications built on Java, .NET,
Python to ensure secure coding practices are built in.
• Developed and maintained detailed metrics sheets to provide visibility and reporting to CISO and Director, ensuring
alignment with organizational security goals.
• Utilized Tenable for vulnerability scanning of virtual machines (VMs), identifying security gaps, and coordinating
remediation efforts.
• Created and led Vulnerability Remediation coordination pipeline ensuring timely and effective resolution of
vulnerabilities in the system.
• Leveraged WIZ's comprehensive cloud security platform for CSPM (Cloud Security Posture Management) and CWPP.
• Configured and optimized Imperva WAF policies protecting critical banking and government applications, blocking XSS,
SQLi, CSRF, and session hijacking attacks.
• Enforced application-layer API security, including JWT validation, OAuth token checks, and rate limiting using Imperva.
• Conducted full-stack application penetration testing (Web & API), identifying high-risk vulnerabilities and providing
detailed remediation recommendations.
• Managed F5 BIG-IP LTM and ASM platforms for financial and healthcare sector applications.
• Performed Vulnerability Assessment and Penetration Testing and red teaming activities on various Applications and
created a detailed Vulnerability assessment report.
• Collaborated with the Development and Network team to mitigate the vulnerabilities present in the report. Provided
detailed remediation methodologies for attacks and vulnerabilities.
• Utilized available software systems such as AWS WAF, WIZ Protection and Automation techniques in resolution of
Vulnerabilities and JIRA Automation for quicker resolution of tickets.
• Supported AI Governance initiatives by defining security, privacy and risk controls. Also implemented controls like AI
Usage, access management to ensure AI System security.
• Mapped penetration testing findings to WAF policies (F5 and Imperva), reducing repeat vulnerabilities in production.
• Conducted API security assessments and secure code reviews to enhance application integrity.
• Led end-to-end F5 BIG-IP ASM/Advanced WAF deployment, protecting 20+ web and API applications from OWASP Top
10 and API Top 10 vulnerabilities.

Company industry:
Financial Services

Cyber Security Engineer

July 2019 - December 2024

TATA Consultancy Services (TCS),

Mumbai, India Hybrid


• Conducting Application Security, Vulnerability Assessment and Red teaming activities for various Web Applications on
Energy, Resources, Utilities (ERUI), Banking & Finance based applications.
• Performed Vulnerability Assessment and penetration testing (VAPT) of Web & Mobile applications.
• Identified and exploited various business logic frameworks based on OWASP Top 10 Vulnerabilities, NIST Framework.
• Developing and maintaining Web App Security Risk assessment, Security Assurance Score and Vulnerability Tracker.
• Conducted comprehensive source code reviews to identify security vulnerabilities in Applications built on Java, .NET,
Ruby, GraphQL, Swift, etc. to ensure secure coding practices are built in.
• Integrated Jenkins with SonarQube & Checkmarx for automated code scanning for vulnerabilities. (CI/CD Integration
with SAST Tools.)
• Utilizes various Tools such as Burp Suite, Charles Proxy, SpotBugs, Nessus, OpenVAS, Fortify, AppScan as per
requirement to conduct Static Application Security and Dynamic Application Security Testing (SAST+DAST).
• Utilizes the results generated by automated scan and code reviews in the software development process to mitigate
identified vulnerabilities.
• Design the Vulnerable Code and Secure practice-based Codebase to make early prevention of vulnerabilities.
• Maintain Vulnerability Tracker and Remediation portal for identified Vulnerabilities for better communication process.
• Conducted Application Security of 30+ Web Application and identified 200+ Vulnerabilities in Web/Mobile App.
• Created Policies in Azure/ AWS Web Application Firewall (WAF) to mitigate various Vulnerabilities.
• Helped in integration of Microsoft Security Benchmark like RaMP, Secure Score and Defenders with existing resources.
• Conducted and participated in Organization wide Software Security Trainings & Internal Audits. MasterCraft
• Participate and work cross-functionally in secure development of TCS MasterCraft Product - Automation Service.
• Configure Microsoft Defender for Cloud with existing resources for defending attacks and threats.
• Configure Microsoft Sentinel & Azure Arc for management of Alerts and Security Investigation on Cloud & On-Prem
resources.
• Ensures product controls are aligned with Security Frameworks such as Compliance and Audit using Microsoft
Purview.

Company industry:
IT Services
Job role:
Information Technology

Education

Don Bosco Institute of Technology

June 2021


Bachelor's degree, Information Technology

India

GPA (percentage): 94%


Skills

ACTIVE DIRECTORY
Intermediate
APPLE IOS
Intermediate
APPLICATION SECURITY
Intermediate
METASPLOIT
Intermediate
MOBILE APPS
Intermediate
NESSUS
Intermediate
NETWORK MANAGEMENT
Intermediate
OPEN WEB APPLICATION SECURITY PROJECT OWASP
Intermediate
VULNERABILITY ASSESSMENTS
Intermediate
WEB APPLICATION SECURITY
Intermediate


Languages

English
Expert
Marathi
Intermediate

Training and Certifications

Certifications
Microsoft Certified Cyber Security Architect (SC-100)
Certified in AI Security & Governance
SecOps Group Certified Penetration Tester
Microsoft Certified Cyber Security Architect (SC-200 + AZ-500 – Azure Security Certified)
Active
(ISC)2 Certified in Cyber Security, Microsoft Certified SC - 900 Security, Identity & Compliance
OPSWAT Certified Critical Infrastructure Protection Associate
Offensive Security Certified Professional – OSCP
CompTIA Security + Certification

Hobbies

  • Travel,
  • Systems,
  • Cricket,
  • Cooking,
  • Writing,
  • Ethical Hacking,
  • Game Hacking,
  • Attacker Hunting,
  • Python
  • Bash