┌──────────────────────────────────┐ │ PROFILE - KABILAN SAKTHIVEL │ └──────────────────────────────────┘

KABILAN SAKTHIVEL
game0v3r_
Open to Opportunities
Senior security researcher with 8+ years experience in information security and 4+ years of work experience spanning red teaming, vulnerability research, and enterprise security operations. Focused on building secure-by-design product architecture and vulnerability management programs. Deep expertise in browser security, AI application security, and client-side attack surfaces.
════════════════════════════════════
┌──────────────────────────────────┐ │ IMPACT // research & writing │ └──────────────────────────────────┘
PR Newswire: MCP API Security Breach in Comet Browser
Media coverage of critical vulnerability enabling full device control via AI browsers
Silent Sabotage: How Hidden Prompts Can Hijack AI Summaries
Research on invisible prompt injection attacks targeting AI summarization tools using CSS techniques to embed malicious instructions
GhostPoster Never Dies: 100K+ Users Affected With New Variant
Analysis of WhatsUp+ malicious Chrome extension using image-based steganography for command-and-control targeting WhatsApp Web users
AI Browser Vulnerabilities Research
Comprehensive research on vulnerabilities in AI-enhanced browser environments
AI Sidebar Spoofing Attack Pattern
Novel browser extension attack pattern targeting AI sidebar interfaces
Comet MCP API Vulnerability Discovery
Critical RCE vulnerability discovered in Perplexity Comet AI browser
SiliconANGLE: Hidden API Enables Device Takeover
Industry coverage of Perplexity Comet browser security vulnerability
CVE-2024-32838: Apache Fineract SQL Injection
SQL injection vulnerability discovered in Apache Fineract
CVE-2026-6339: Mattermost Server Validation Error
Origin validation error in Mattermost Server burn-on-read reveal endpoint
CVE-2026-8683: Mattermost Desktop Insecure Permission
Insecure permissions vulnerability in Mattermost Desktop application
CVE-2026-3471: Mattermost Desktop Authorization Issue
Improper authorization in Mattermost Desktop custom URL scheme handler
QVI Streaming Identity Theft: 60 Extensions Steal 1.1M Users Data
Investigation revealing how 60 Chrome extensions harvested sensitive information from streaming subscribers through surveillance infrastructure
Hidden in Plain Sight: Multi-Extension Malware Campaign
Coordinated campaign uncovered involving three malicious Chrome extensions stealing authentication data from cryptocurrency trading platforms
┌──────────────────────────────────┐ │ WORK EXPERIENCE // timeline │ └──────────────────────────────────┘

Zscaler
Product Security Engineer (Security Researcher)
Feb 2026 – Present
- Leading security posture management and risk assessment for the SquareX acquisition integration, coordinating alignment of security controls and compliance frameworks across merged infrastructure
- Worked on "Mythos" to create an automated vulnerability reproduction and remediation harness, standardising the security assessment workflow across teams and reducing manual triage effort by 80%
- Develop remediation guidance and fix recommendations for vulnerabilities identified across integrated platforms, partnering directly with engineering to close gaps
- Lead cross-functional security initiatives during the acquisition transition, working with compliance, engineering, and product stakeholders to maintain enterprise wide security posture

SquareX
Product Security Engineer (Security Researcher)
Sep 2025 – Feb 2026
Acquired by Zscaler, February 2026
- Led "Year of Browser Bugs," a research initiative analyzing attack surfaces in AI-enhanced browsing environments to directly inform the product security roadmap and defensive control development
- Identified a critical RCE vulnerability in the Perplexity Comet AI browser's MCP API integration and worked with the vendor through disclosure to validate fixes and close the attack chain
- Designed and published "AI Sidebar Spoofing," a novel browser extension attack pattern, contributing to browser defense research (BDR) guidelines used to harden product-facing controls
- Partnered with cross-functional engineering teams to translate offensive research findings into detection and prevention mechanisms for browser-based AI threats

Zoho Corporation
Red Teamer
Jul 2022 – Sep 2025
- Conducted penetration testing across web applications, internal networks, and cloud environments, delivering risk-prioritized remediation guidance to engineering teams
- Designed and ran phishing simulation campaigns to assess organizational security awareness, informing company-wide security training programs
- Built and ran the internal vulnerability triage process — analyzing reported issues, prioritizing by business risk, and collaborating with development teams on remediation timelines
- Delivered detailed security assessment reports and risk documentation that shaped organization wide security best practices
┌──────────────────────────────────┐ │ INDEPENDENT SECURITY RESEARCHER │ │ Jan 2019 – Present │ └──────────────────────────────────┘
Groww Live Hacking Event - Most Valuable Hacker (2024)
Recognized as the Most Valuable Hacker at Groww's live hacking event, demonstrating critical vulnerability discovery skills in a competitive setting
TCS HackQuest Season 6 - Title Winner (2022)
Secured first place as Title Winner in TCS HackQuest Season 6, a national-level cybersecurity competition
CCoE Hyderabad Great AppSec Hackathon - Top 10 (2022)
Placed in Top 10 at the Center for Cyber Security's Application Security Hackathon in Hyderabad
OPPO Security Response Center - Top 20 Most Valuable Researcher (2021)
Ranked among Top 20 Most Valuable Security Researchers in OPPO's Security Response Center for high-impact vulnerability discoveries
OWASP Las Vegas CTF - Winner (2021)
First place winner at OWASP Las Vegas Capture The Flag competition
OPPO Security Response Center - Yearly Leaderboard Top 9 (2021)
Secured 9th position on OPPO's yearly security researcher leaderboard
NOVA CTF - Winner (2020-21)
Winner of NOVA CTF cybersecurity competition across 2020 and 2021 seasons
OPPO Security Response Center - Yearly Leaderboard Top 10 (2020)
Achieved Top 10 ranking on OPPO's yearly security researcher leaderboard
Tamil Nadu Police Hackathon - Winner (2019)
First place winner at Tamil Nadu Police Department's cybersecurity hackathon
┌──────────────────────────────────┐ │ TALKS // conference & events │ └──────────────────────────────────┘
Breaking AI Browsers: Hidden APIs, Agentic Chaos, and the Race Toward Secure Architecture
Conference talk at Nullcon on AI browser security vulnerabilities and architectural security challenges
Breaking AI Browsers
Conference talk at BSides Kerala 2026 on AI browser security vulnerabilities
HTML Parsers, Mutation & the Road to mXSS
Talk at IIT Madras on HTML parser mutation vulnerabilities and mutation-based XSS attacks