Arun Modi

Cybersecurity Professional | OSCP | OSWA | CEH | CVE Author

Profile

Cybersecurity expert with over 9 years of experience in offensive security, specializing in penetration testing and red teaming. Proven track record of leading high-impact security assessments, identifying critical vulnerabilities, and implementing robust defenses across web, network, and infrastructure environments. Adept at mentoring, process improvement, and aligning security goals with business objectives.

---

Certifications

• Offensive Security Certified Professional (OSCP), OffSec — August 2024
• Offensive Security Web Assessor (OSWA), OffSec — April 2024
• Certified Ethical Hacker (CEH), EC-Council — July 2017

---

Education

• Post Graduate Diploma in IT Infrastructure, Systems, and Security — CDAC, Bengaluru (August 2015)
• Bachelor of Engineering in Computer Science — RGPV, Bhopal (August 2014)

---

Professional Experience

Senior Penetration Tester @ Experian (October 2021 – Present, Remote)

• Conduct red teaming simulations and advanced penetration tests mimicking real-world attack scenarios.
• Implement defensive strategies against modern attacks (e.g., XSS, SQLi, IDOR, file upload bypass, privilege escalation).
• Lead and mentor team members, manage project timelines, and ensure SLA compliance.
• Identify and close process gaps, improve internal testing methodologies.
• Perform technical reviews and quality assurance for deliverables and third-party assessments.

Associate - Information Security @ Goldman Sachs (September 2020 – October 2021, Remote)

• Executed web and infrastructure penetration testing along with physical security reviews.
• Managed the Bug Bounty program and collaborated with external researchers.
• Delivered remediation reports and strategic feedback to internal IT teams.

Security Signature Engineer @ Qualys (December 2018 – September 2020, Pune)

• Researched zero-day vulnerabilities and attack vectors using CVE and threat intel feeds.
• Simulated attacks and verified vulnerabilities in enterprise environments.
• Key contributor to SolarWinds Firewall RCE analysis: CVE-2015-2284

Security Analyst @ Fujitsu (September 2015 – December 2018, Pune)

• Performed vulnerability assessments using Nessus and other enterprise tools.
• Liaised with service owners for timely remediation of critical issues.
• Participated in internal CTF competitions to strengthen offensive security skills.

---

Key Skills & Tools

Assessment Types: Black Box, Gray Box
Exploitation Techniques: Active Directory attacks, local/remote privilege escalation, post-exploitation
Scripting: Python, PowerShell
Tunneling & Pivoting: Ligolo-ng, Chisel, ProxyChains
Security Tools:

• Scanning: Nmap, Dirbuster, wfuzz, Nikto
• Exploitation: Metasploit, Sqlmap
• Cracking: Hydra, Hashcat, John the Ripper
• Scanners: Nessus, Qualys, Rapid7, Wiz
• Testing: Burp Suite, OWASP ZAP, Postman, SoapUI
• Enumeration: Mimikatz, WinPEAS, LinPEAS
  Platforms: Kali Linux, Windows

---

CVE Disclosures

I’ve independently discovered and responsibly disclosed the following vulnerabilities, which have been assigned CVEs:

• CVE-2025-25775 – SQL Injection
  Identified and exploited a SQL injection vulnerability affecting a public-facing endpoint. The flaw allowed an unauthenticated attacker to execute arbitrary SQL queries and access sensitive data.

• CVE-2025-25776 – Stored Cross-Site Scripting (XSS)
  Discovered a persistent XSS vulnerability that enabled attackers to inject malicious JavaScript, which was executed in the context of victim users — leading to session theft and privilege abuse.

• CVE-2025-25777 – Insecure Direct Object Reference (IDOR)
  Reported an IDOR vulnerability that allowed unauthorized access to user data by manipulating object identifiers in the request, bypassing access controls.

---

Featured Research & Write-Ups

• SolarWinds Firewall Security Manager RCE Analysis
  Deep analysis and verification of a remote code execution vulnerability in SolarWinds Firewall Security Manager, resulting in advisory reports shared within the security community.

• Microsoft Teams Squirrel – Uncontrolled Endpoints & Arbitrary Code Execution
  Explores a vulnerability in Microsoft Teams’ Squirrel update mechanism that could lead to arbitrary code execution via uncontrolled endpoints.

• iOS Application Pentest – Getting Started
  A primer for performing security assessments on iOS apps, covering tools, common pitfalls, and effective techniques to uncover vulnerabilities.

• Application Security: Starting From Scratch
  A foundational guide for beginners stepping into the world of AppSec — covering key concepts, tools, and how to get started with secure coding and testing.

• Knowledge Base (GitBook)
  A concise, beginner-friendly knowledge base covering core Penetration testing concepts. Includes notes on common vulnerabilities, tools, payloads, and testing methodology — aimed at helping newcomers grasp the foundations of web security.

---

Let’s Connect

📧 modi.arun91@gmail.com
🔗 LinkedIn