┌──────────────────────────────────┐
│  PROFILE - KABILAN SAKTHIVEL     │
└──────────────────────────────────┘
Kabilan Sakthivel avatar

KABILAN SAKTHIVEL

game0v3r

_

Open to Opportunities

Senior security researcher with 8+ years experience in information security and 4+ years of work experience spanning red teaming, vulnerability research, and enterprise security operations. Focused on building secure-by-design product architecture and vulnerability management programs. Deep expertise in browser security, AI application security, and client-side attack surfaces.

[ blog ]
┌──────────────────────────────────┐
│  IMPACT  //  research & writing  │
└──────────────────────────────────┘

PR Newswire: MCP API Security Breach in Comet Browser

Media coverage of critical vulnerability enabling full device control via AI browsers

Silent Sabotage: How Hidden Prompts Can Hijack AI Summaries

Research on invisible prompt injection attacks targeting AI summarization tools using CSS techniques to embed malicious instructions

GhostPoster Never Dies: 100K+ Users Affected With New Variant

Analysis of WhatsUp+ malicious Chrome extension using image-based steganography for command-and-control targeting WhatsApp Web users

AI Browser Vulnerabilities Research

Comprehensive research on vulnerabilities in AI-enhanced browser environments

AI Sidebar Spoofing Attack Pattern

Novel browser extension attack pattern targeting AI sidebar interfaces

Comet MCP API Vulnerability Discovery

Critical RCE vulnerability discovered in Perplexity Comet AI browser

SiliconANGLE: Hidden API Enables Device Takeover

Industry coverage of Perplexity Comet browser security vulnerability

CVE-2024-32838: Apache Fineract SQL Injection

SQL injection vulnerability discovered in Apache Fineract

CVE-2026-6339: Mattermost Server Validation Error

Origin validation error in Mattermost Server burn-on-read reveal endpoint

CVE-2026-8683: Mattermost Desktop Insecure Permission

Insecure permissions vulnerability in Mattermost Desktop application

CVE-2026-3471: Mattermost Desktop Authorization Issue

Improper authorization in Mattermost Desktop custom URL scheme handler

QVI Streaming Identity Theft: 60 Extensions Steal 1.1M Users Data

Investigation revealing how 60 Chrome extensions harvested sensitive information from streaming subscribers through surveillance infrastructure

Hidden in Plain Sight: Multi-Extension Malware Campaign

Coordinated campaign uncovered involving three malicious Chrome extensions stealing authentication data from cryptocurrency trading platforms

┌──────────────────────────────────┐
│  WORK EXPERIENCE  //  timeline   │
└──────────────────────────────────┘

Zscaler

Product Security Engineer (Security Researcher)

Feb 2026 – Present

Vulnerabilities Discovered:
  • Leading security posture management and risk assessment for the SquareX acquisition integration, coordinating alignment of security controls and compliance frameworks across merged infrastructure
  • Worked on "Mythos" to create an automated vulnerability reproduction and remediation harness, standardising the security assessment workflow across teams and reducing manual triage effort by 80%
  • Develop remediation guidance and fix recommendations for vulnerabilities identified across integrated platforms, partnering directly with engineering to close gaps
  • Lead cross-functional security initiatives during the acquisition transition, working with compliance, engineering, and product stakeholders to maintain enterprise wide security posture

SquareX

Product Security Engineer (Security Researcher)

Sep 2025 – Feb 2026

Acquired by Zscaler, February 2026

  • Led "Year of Browser Bugs," a research initiative analyzing attack surfaces in AI-enhanced browsing environments to directly inform the product security roadmap and defensive control development
  • Identified a critical RCE vulnerability in the Perplexity Comet AI browser's MCP API integration and worked with the vendor through disclosure to validate fixes and close the attack chain
  • Designed and published "AI Sidebar Spoofing," a novel browser extension attack pattern, contributing to browser defense research (BDR) guidelines used to harden product-facing controls
  • Partnered with cross-functional engineering teams to translate offensive research findings into detection and prevention mechanisms for browser-based AI threats

Zoho Corporation

Red Teamer

Jul 2022 – Sep 2025

Vulnerabilities Discovered:
  • Conducted penetration testing across web applications, internal networks, and cloud environments, delivering risk-prioritized remediation guidance to engineering teams
  • Designed and ran phishing simulation campaigns to assess organizational security awareness, informing company-wide security training programs
  • Built and ran the internal vulnerability triage process — analyzing reported issues, prioritizing by business risk, and collaborating with development teams on remediation timelines
  • Delivered detailed security assessment reports and risk documentation that shaped organization wide security best practices
┌──────────────────────────────────┐
│  INDEPENDENT SECURITY RESEARCHER │
│  Jan 2019 – Present              │
└──────────────────────────────────┘
┌──────────────────────────────────┐
│  CONTACT ME  //  channels        │
└──────────────────────────────────┘

available for security research collaborations and speaking engagements. reach out directly — i respond fast.