Hi folks! My name is Riyaz Walikar and I’m a seasoned security researcher, trainer, and offensive security expert with over 18 years of hands-on experience across industry verticals and technology stacks.

My work spans Web, API, Mobile, Thick Client, Windows and Linux systems, Internal and Internet-facing Infra, Wireless, Cloud, Containers, Kubernetes, and more recently, Agentic AI and MCP security.

Professionally, I’ve led penetration testing and security research teams at Microland, PwC, Citrix, Appsecco, and Kloudle. I now work independently as a full-time security researcher and consultant, while continuing to mentor, teach, and train at conferences and private programs. I have spoken and trained at several leading security and hacker conferences around the world, including Black Hat, DEF CON, OWASP AppSecUSA, nullcon, and c0c0n.

When I’m not breaking things or poking around systems, I enjoy stargazing, photography, travel, googling easy weight-loss solutions, and cracking terrible jokes in the hope of gaining more followers.


Professional Career

Each entry lists Company | Time Period | Role, followed by responsibilities.

Independent | May 2026 - Present | Security Researcher
  Full-time vulnerability research, security mentorship, and consulting for AI- and cloud-first developer and security teams. Finding new and novel ways of exploiting AI, Agentic, MCP and Cloud native services, speaking at conferences and publishing tools and methodologies around this. Upcoming conferences include Blackhat, Defcon, VulnCon, c0c0n. AWS Community Builder (Security) for 3+ years now.

Kloudle | September 2021 - April 2026 | Co-Founder & Chief of R&D
  Co-founded Kloudle, a cloud security automation platform. Led R&D - worked on the security scanning engine covering 350+ cloud security issues, building the detection rules framework across 6+ cloud providers. Kubernetes RBAC auditing, multi-cloud security research.

Appsecco | April 2016 - April 2026 | Principal Security Consultant and Chief Hacker
  Led application security assessments, penetration tests, and security training for global clients. Led a strong team of pentesters and security testers, performed assessments on over a hundred apps across industry verticals and technologies including fintech, medtech, edtech, cloud and container orchestration products, security software, shipping and marine engineering and telecommunications. Worked closely with many developer, engineering and security customer teams to mentor, aid and assist in evaluating and explaining the risks of product security testing issues uncovered.

  Created tools and pentesting methodologies for web, cloud, mobile, APIs, network penetration testing, MCP and AI Agentic systems. Authored several bodies of work, knowledgebases, methodologies, process documents and blogs, spoke at several conferences and sessions, published video content and delivered hands-on training at several industry favorite conferences. Was also in charge of technical pre-sales, product discovery/scoping and customer management along with company-wide compliance and admin.

Citrix R&D | December 2014 - February 2016 | Product Security Manager
  Drove product security for Citrix's product portfolio. Led security design reviews, threat modeling, and penetration testing. Conducted independent vulnerability research resulting in multiple CVEs and bug bounty findings at Facebook, Yahoo, Adobe, and Twitter. Worked as a liaison between the dev teams, management and the security teams to ensure communication clarity and release maintenance.

PwC SDC | February 2012 - December 2014 | Sr. Software Engineer
  Performed security assessments, vulnerability research, and penetration testing for PwC's global clients - several of which were Fortune 500. Discovered several vulnerabilities in public software and was assigned CVEs for them. Published research on SSRF/XSPA attacks and went on to speak at BlackHat Asia 2012 and OWASP AppSecUSA 2012. Built the foundation for an offensive security career through enterprise security exposure.

Microland | July 2007 - January 2012 | Solutions Architect - Professional Services
  Built expertise in networking, systems administration, and IT infrastructure. Hands-on systems and network knowledge that became the foundation for understanding how to break and secure complex systems. Web Application Security Consulting for Fortune 500 customers. Several onsite engagements to test on-prem network infrastructure and apps. Created testing frameworks for teams and clients and built several internal security service processes for the organisation.

Timeline of Talks/Research/Conferences

Important events, tool releases, vulnerability disclosures and public research, talks, presentations, training programs and conferences I have spoken at.

2008
  • January - December - Built internal tools and delivered sessions at Microland for various teams.
2007
  • July 16th - Joined Microland as a Systems Engineer - First job - Diving deeper into appsec, networking, systems administration, and security fundamentals.

Books

📘 Hands-On Application Penetration Testing with Burp Suite
   Packt Pub • February 2019 • Co-authored with Dhruv Shah & Carlos A. Lozano
   🔗 Packt Pub
📘 A Beginner's Approach to Windows
   Scribd • Early career publication on Windows fundamentals
   🔗 Scribd

Awards & Recognition

  • πŸ† Web Hacking Top 10 Techniques (2012) β€” “Cross Site Port Attack (XSPA)” recognized as one of the top 10 new web hacking techniques of 2012 by the security community.
  • 🎀 Conference Speaker β€” Presented at BlackHat Abu Dhabi (2012), OWASP AppSecUSA (2012), c0c0n (2011, 2013, 2015, 2016), JSFoo (2017, 2018, 2019), nullcon Delhi/Goa/Bangalore/Hyderabad (2012–2023), fwd:cloudsec (2021), BSides Bangalore (2024), Seasides (2025, 2026), BSides London (2025), VulnCon (2026), OWASP Bay Area (2019, 2025), DeveloperWeek Europe (2021), KubeSec Online (2021), Rippling AI Security Event (2026).
  • πŸ’€ Defcon USA Trainer β€” Trainer at Def Con 24 (2016) and Def Con USA (2026, upcoming).
  • πŸŽ“ Conference Trainer β€” Delivered multi-day training programs at nullcon Goa (2012–2023), nullcon Bangalore (2016, 2018, 2019), nullcon Hyderabad (2017), c0c0n (2015, 2016), and Seasides (2025, 2026). Training topics: Xtreme Web Hacking, Cloud Security for Devs & Ops, Breaking and Pwning Apps and Servers on AWS/Azure/GCP, Ninja Level Infrastructure Monitoring.
  • πŸ“‹ BSides Bangalore CFP Review Board β€” Served on the Call for Papers review committee.
  • πŸ‘₯ null Community β€” Active contributor since 2010. Delivered 40+ talks, workshops, and hands-on training sessions across null Bangalore, null Bhopal, null Chennai, and null Dubai chapters. Topics covered: web application security, Windows privilege escalation, AWS/cloud security, SQL injection, XXE, DevSecOps, Sysinternals, and CTF training.
  • ☁️ AWS Community Builder (Security) β€” 3+ year recognition by AWS for security community contributions (2023–Present).
  • πŸ“˜ Published Author β€” “Hands-On Application Penetration Testing with Burp Suite” (Packt Pub, 2019, co-author) and “A Beginner’s Approach to Windows” (Scribd, 2007).

Key Vulnerabilities & CVEs

  • CVE-2010-1649 — Multiple Joomla! XSS Vulnerabilities (2010)
  • CVE-2011-1077 — Apache Archiva Multiple XSS Vulnerabilities (2011)
  • CVE-2011-1026 — Apache Archiva Multiple CSRF Vulnerabilities (2011)
  • CVE-2019-12148 — Sangoma SBC 2.3.23-119-GA Authentication Bypass (2019)
  • CVE-2019-12147 — Sangoma SBC 2.3.23-119-GA Unauthenticated User Creation (2019)
  • Twitter Wipe Addressbook CSRF — Reported to Twitter Security (2012)
  • Adobe Omniture SSRF/XSPA — Reported to Adobe Security (2013)
  • Facebook Developer App SSRF/XSPA — Bug bounty finding (2013)
  • Yahoo! Developer Network SSRF/XSPA — Reported to Yahoo! Security (2013)

Areas of Expertise

  • Web Application Security - XSS, CSRF, SSRF, SQL Injection, XXE, RCE exploitation chains
  • Cloud Security - AWS exploitation, IAM/RBAC abuse, serverless security, Kubernetes security
  • Windows Security - UAC bypass, privilege escalation, malware analysis, WSL attack surface
  • Open Source Tools - Python, Go, shell scripting - offensive security automation
  • Training & Mentoring - SQL injection workshops, AWS security training, conference speaking, community building

Certifications

Certification | Status | Notes
OSCP - Offensive Security Certified Professional | ✅ Active | Offensive Security
CEH - Certified Ethical Hacker | ✅ Active | EC-Council
CKA - Certified Kubernetes Administrator | ⏳ Expired | CNCF - previously held
CKAD - Certified Kubernetes Application Developer | ⏳ Expired | CNCF - previously held
AWS Community Builder (Security) | ✅ Active | 3+ years - AWS community program

This page is a living document — last updated June 2026. If you spot gaps or want to add details, reach out on Twitter or LinkedIn.