Hello!
I'm Piyush Kumawat
A Product Security Engineer
Currently, I work at Harness

Know Me More
I'm Piyush Kumawat, a Product Security Engineer
Product Security Engineer with a background in penetration testing. I have tested over 250+ applications across web, mobile, and API surfaces. Experienced in threat modeling, DevSecOps tooling, and cloud security reviews across Azure, AWS, GCP, and Alibaba Cloud.
I am passionate about ensuring the security of products and dedicated to staying up-to-date with the latest industry trends and techniques.
My Skills
Tools I Use





Experience
May 2024 - Present Staff Product Security Engineer Harness
- Perform threat modelling, SAST, DAST, and SCA across Harness products to secure the software development lifecycle.
- Lead vulnerability management - triage, prioritise, and drive remediation with cross-functional engineering teams.
- Run and mature the Harness bug bounty programme, validating reports and reducing real-world risk.
- Build and improve DevSecOps guardrails and security frameworks to strengthen overall security posture.
- Conduct manual and automated security assessments across web, API, and cloud mapped to OWASP Top 10, MITRE ATT&CK, and business logic risks.
- Define and enforce security requirements, policies, and guardrails across CI/CD pipelines.
- Work closely with developers to remediate findings and embed secure-by-design practices early in the lifecycle.
- Mentor engineers and security team members to raise the security bar across the organisation.
Jan 2022 - May 2024 Product Security Engineer OLA
- Performed threat modelling, DAST, and SAST on web applications across OLA business groups (Mobility, Electric, Money, Avail Finance, and more).
- Ran web application security assessments for OWASP Top 10, MITRE ATT&CK, and business logic vulnerabilities.
- Managed the OLA bug bounty process and triaged researcher submissions.
- Performed white-box tests and removed false positives from automated scans.
- Worked with developers to remediate findings and mapped risks by business criticality.
- Raised detailed Jira tickets with reproduction steps, remediation guidance, and evidence.
- Conducted retests to verify closure of security risks across web, API, and mobile assessments.
- Supported GDPR and PCI-DSS audit dependencies on application security.
Jun 2019 - Jan 2022 Security Services Associate Consultant Synopsys
- Performed DAST and web application security assessments for OWASP Top 10, MITRE ATT&CK, and business logic issues.
- Ran scans with Burp Suite, Nessus, AppScan, Metasploit, SqlMap, Nmap, OpenVAS, Dirb, Nikto, and related tooling.
- Performed black-box and grey-box security tests and removed false positives.
- Provided executive reports with technical summaries and remediation recommendations.
- Configured DevSecOps tooling such as Checkmarx, WhiteSource, and Burp in CI/CD environments.
- Performed cloud configuration reviews on AWS, Azure, GCP, and Alibaba Cloud.
- Sent daily vulnerability updates and supported parallel revalidation during active tests.
Jan 2019 - May 2019 Cyber Security Intern Synopsys Inc.
- Learned penetration testing fundamentals, application stacks, and OWASP Top 10 in web environments.
- Automated open-source and commercial SAST, SCA, and DAST tools in Jenkins pipelines for efficient security scanning.
Mar 2017 - Apr 2017 System / Network Admin Intern Shah Technical Consultants Pvt. Ltd.
- Managed network and server infrastructure for the organisation.
- Provided proactive solutions for technically challenging operational problems.
Latest From My Blog
View all postsActively Exploited CVEs in June 2026: A Practical Patch-Now Briefing (SimpleHelp, Citrix, ColdFusion, Defender)
June 2026 was a brutal month for anyone who runs internet-facing infrastructure. A run of critical, actively-exploited vulnerabilities landed one…
IDOR Hunting in 2026: A Practical Playbook for Finding Broken Access Control
IDOR is the bug that pays rent for a lot of bug bounty hunters, and it is still the one…
MCP Server Security (2026): A Practical Pentester’s Testing Playbook
If you are running Cursor, Claude Desktop, Windsurf, or a home-grown agent stack in 2026, you almost certainly have MCP…
Let's Connect
Open to security consulting, training, and collaboration.