Security researcher.
Bug bounty hunter.
Aspiring pentester.
I'm Sai — a Computer Science student specializing in Cyber Security. This is where I document how I test, break, and understand web applications, on the way to a career in VAPT and penetration testing.
How I got here
I started learning web application security the slow way — from zero, through PortSwigger's Web Security Academy and Burp Suite, working through SQL injection, XSS, authentication flaws, and access control fundamentals one lab at a time.
From there I moved to live testing: running structured bug bounty campaigns against public programs, methodically working through attack surfaces — IDOR, JWT and session confusion, SSRF, SSO isolation issues, and injection points — and treating a clean result as valuable data, not a dead end.
I'm currently building toward a career in VAPT (Vulnerability Assessment & Penetration Testing), aiming for junior penetration tester roles where I can apply that same methodical testing approach professionally.
- Focus
- Web App Pentesting · VAPT · Bug Bounty
- Trained on
- PortSwigger Web Security Academy
- Aiming for
- Junior Penetration Tester roles
What I test and build with
VAPT Methodology
Structured, repeatable vulnerability assessment and testing workflows.
Web App Pentesting
OWASP Top 10, auth & access control, injection, SSRF.
Bug Bounty Hunting
Live testing on public programs, methodical and documented.
Burp Suite
Proxy-based manual testing, repeater, intruder workflows.
OSINT
Reconnaissance and information gathering as a first step, not an afterthought.
Network Fundamentals
TCP/IP, addressing, and the plumbing security testing depends on.
Python Tooling
Scripting for reconnaissance and testing — including a multithreaded port scanner.
Documentation
Writing up methodology, not just findings — the process is the point.
The path so far
PortSwigger Web Security Academy
Worked through SQL injection, XSS, authentication, and access control from first principles using Burp Suite.
Multithreaded Python port scanner
Built a foundational reconnaissance tool to understand what testing tools are actually doing under the hood.
Structured bug bounty campaigns
Ran full-scope testing passes on public programs — IDOR, JWT confusion, SSRF, SSO isolation, and injection points — with documented methodology.
Working toward VAPT & junior pentester roles
Continuing coursework in Cyber Security while applying to internships and entry-level penetration testing opportunities.
Recent write-ups
Notes on methodology and testing approach. Full posts coming soon — this is the running index.
A methodical approach to IDOR, JWT confusion & SSRF testing
Breaking down a full-scope testing pass on a mature program — what to check, in what order, and why.
Why "no vulnerability found" is still a useful result
Building a testing methodology that produces confidence, not just findings.
From academy labs to live programs: what actually transfers
What PortSwigger's labs prepare you for — and where real-world testing diverges.
Subdomains
A few separate spaces under sai-dev.me, each with its own purpose.
Case studies and a fuller picture of my testing work and projects.
Visit ↗Small security utilities I've built and use myself, starting with a JWT inspector.
Visit ↗A clean, fast weather app — built to be genuinely useful.
Visit ↗A mountain expedition planning app — routes, elevation, and logistics.
Visit ↗Let's talk
For internships, VAPT/pentesting opportunities, or questions about a write-up — email is the best way to reach me.
contact@sai-dev.meThis domain is kept intentionally separate from my personal profiles.