Accepting engagements for 2026

We break into things.
So others can't.

Not another scanner shop. We're a small offensive security team that actually exploits stuff — web apps, APIs, cloud infra — and hands you proof, not just a list.

OWASP Top 10 · ISO 27001 · OSCP / OSWE / CRTP · PCI DSS · HackerOne / Bugcrowd

What we actually do

Not a buffet. Just the stuff that matters.

Web Application Pentesting

Manual testing. Not Burp Suite → export PDF. We spend days on a single app, chain bugs, and show you exactly how someone would wreck your product.

SQLi · XSS · SSRF · RCE · Logic Flaws

API Security

REST, GraphQL, gRPC — whatever you're running. BOLA, mass assignment, auth bypass, rate limit evasion. We've broken enough APIs to know where they all bleed.

BOLA · JWT Abuse · GraphQL · Mass Assign

Full VAPT

Network + application + cloud + endpoints. Good for compliance (ISO 27001, PCI DSS) but we make sure the report is actually useful, not shelf-ware.

Network · Cloud · Mobile · WiFi

Cloud & Infra

AWS, Azure, GCP. IAM screw-ups, exposed storage, container escapes. We've popped enough cloud environments to write a book about it.

AWS · Azure · Docker · K8s

Also: mobile app pentesting, red team exercises, developer security training. Just ask.

Proof, not promises

Real POCs from real engagements.

Sanitized. No client names. But the exploits are real — same bugs, same impact, same chain logic.

CRITICAL · Blind SQLi → Auth Bypass

Login endpoint. Time-based blind SQL injection.

FinTech SaaS. The login form's email field was vulnerable to time-based blind SQLi. Chained it to bypass MFA, extract the full user table. 2M+ records. Found in under 4 hours.

2026 · Identified in 4h
POST /api/v2/auth/login
{"email":"admin' AND SLEEP(5)--"}
→ 500 · 5.02s delay
→ confirmed: blind sqli
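The root cause behind this finding, shown as an added example in Python with sqlite3 (not the engagement's code; the client's stack is not stated here, and the table schema and rows are constructed): the email lookup built by pasting input into the SQL string, beside the parameterized form that makes the same payload an ordinary literal.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed in-memory users table so the example runs offline (assumed schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users (email, pw_hash) VALUES ('admin@example.test', 'hash-admin')")
    conn.execute("INSERT INTO users (email, pw_hash) VALUES ('alice@example.test', 'hash-alice')")
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str):
    # The bug class in the finding: the value from the login form becomes part of
    # the SQL text, so quotes and comment markers change the query's structure.
    query = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchone()


def find_user_safe(conn: sqlite3.Connection, email: str):
    # Parameterized query: the driver sends the value separately from the SQL
    # text, so `'`, `--` and SQL keywords inside `email` are just characters.
    query = "SELECT id, email FROM users WHERE email = ?"
    return conn.execute(query, (email,)).fetchone()


if __name__ == "__main__":
    db = build_db()
    print(find_user_safe(db, "admin@example.test"))   # the real row
    print(find_user_safe(db, "admin' AND 1=1--"))     # None: treated as a literal email
```

A time-based probe like the one in the card only works because the first function lets input reach the parser; with the second, the only query that ever runs is the one the developer wrote.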

HIGH · BOLA in Payment API

Swap an ID, access someone else's payments.

Healthcare payment gateway. The /api/v1/payments/{id}/history endpoint didn't verify ownership. Swapped account_id → got 847 other patients' payment records.

2026 · Identified in 2h
GET /api/v1/payments/{victim_id}
Auth: Bearer {our_token}
→ 200 (not our data)
→ 847 records exposed
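What "didn't verify ownership" means in code, as an added example in Python (not the gateway's code; the record shape and the sample rows are constructed): a payment lookup that only trusts the bearer token, beside one that also compares the record's owner to the caller, plus a small regression check that counts how many foreign records a handler hands back.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    payment_id: int
    owner_account_id: int
    amount: str


# Constructed sample rows (assumed shape); stands in for the payments table.
PAYMENTS = {
    101: Payment(101, owner_account_id=7, amount="120.00"),
    102: Payment(102, owner_account_id=7, amount="45.50"),
    203: Payment(203, owner_account_id=9, amount="980.00"),
}


class NotFound(Exception):
    """Raised both for 'no such record' and 'not your record'."""


def get_payment_vulnerable(caller_account_id: int, payment_id: int) -> Payment:
    # The bug class in the finding: a valid token is treated as enough, and the
    # handler never asks whether this payment_id belongs to the caller.
    record = PAYMENTS.get(payment_id)
    if record is None:
        raise NotFound(payment_id)
    return record


def get_payment(caller_account_id: int, payment_id: int) -> Payment:
    # Object-level authorization: the owner comes from the stored record and the
    # caller identity from the verified token, never from a client-supplied field.
    record = PAYMENTS.get(payment_id)
    if record is None or record.owner_account_id != caller_account_id:
        raise NotFound(payment_id)  # same answer either way, so IDs can't be enumerated
    return record


def count_foreign_reads(handler, caller_account_id: int) -> int:
    # Regression check: request every known ID as this caller and count the
    # records returned that the caller does not own. A correct handler scores 0.
    foreign = 0
    for payment_id in PAYMENTS:
        try:
            record = handler(caller_account_id, payment_id)
        except NotFound:
            continue
        if record.owner_account_id != caller_account_id:
            foreign += 1
    return foreign


if __name__ == "__main__":
    print("vulnerable:", count_foreign_reads(get_payment_vulnerable, 7))  # 1
    print("fixed:     ", count_foreign_reads(get_payment, 7))             # 0
```

The counting helper is the kind of check worth keeping in a test suite for every endpoint that takes an object ID in the path.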

CRITICAL · SSRF → Cloud Metadata → RCE

Image upload → SSRF → IAM creds → full RCE.

E-commerce on AWS. The "fetch image from URL" feature let us hit 169.254.169.254. Got temp IAM creds. Used them to run commands via AWS CLI. Full infra compromise.

2026 · Chain completed in 6h
POST /api/fetch-image
url=http://169.254.169.254/
→ aws temp creds leaked
→ rce via aws cli
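The mitigation side of this chain, as an added example in Python (not the firm's or the client's code; the e-commerce app's stack is not stated): a pre-fetch check for a user-supplied image URL that allows only http/https and refuses any host resolving to link-local, loopback, private or otherwise non-public space, including the IPv4-mapped IPv6 spelling of the metadata address. The resolver is injectable, and the constructed one at the bottom lets it run offline.

```python
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_blocked(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so it is judged as IPv4.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _addresses(host: str, resolver) -> list:
    # A literal IP needs no lookup; a name may map to several addresses and
    # every one of them has to be acceptable before the fetch proceeds.
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        infos = resolver(host, None)
        return [ipaddress.ip_address(info[4][0]) for info in infos]


def check_fetch_url(url: str, resolver=socket.getaddrinfo) -> tuple[bool, str]:
    """Return (allowed, reason) for a user-supplied image URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = _addresses(host, resolver)
    except (socket.gaierror, ValueError) as exc:
        return False, f"unresolvable host: {exc}"
    for ip in addrs:
        if _is_blocked(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"


# Constructed resolver so the example runs offline; names and addresses are samples.
_FAKE_DNS = {
    "cdn.example.test": ["93.184.216.34"],
    "evil.example.test": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(host, port):
    try:
        ips = _FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed resolver has no entry for {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, 0)) for ip in ips]


if __name__ == "__main__":
    print(check_fetch_url("http://169.254.169.254/"))                        # (False, ...)
    print(check_fetch_url("http://cdn.example.test/a.png", fake_resolver))  # (True, 'ok')
```

The check only helps if the connection is made to the address that was validated: resolve once, connect to that IP, and do not follow redirects automatically, otherwise a second lookup or a 302 to the metadata address sidesteps it. On AWS, requiring IMDSv2 on the instances removes the plain GET path as well.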

Heavily sanitized. Full writeups shared under NDA only. Don't ask for the raw payloads.

Open source & tools

Stuff we've built and shipped.

Tools, scripts, and projects we use internally that we decided to open source. All on GitHub.

Client work (sanitized)

Numbers from actual engagements.

FinTech · VAPT: 47 vulns · 6 critical · 98% fixed
Healthcare · API: 32 API vulns · 5M+ records at risk
E-Commerce · Cloud: 3 RCE chains · $2M+ risk avoided
Government · Red Team: 72h to DA · 14 attack paths

Who runs this

Shakti Thakur

I started OblivionSec in 2026 because I was tired of seeing companies pay for "pentests" that were just Nessus exports with a logo on the cover. That's not security. That's theater.

I've got OSCP, OSWE, and CRTP — not because certifications matter that much, but because it tells you I've done the hours. I've also reported critical bugs through HackerOne and Bugcrowd, broken into things for Fortune 500s, government systems, and startups that thought they were fine.

We're a small team. We don't have a sales department. You'll talk to me (or someone who's actually done the work). That's the point.

OSCP · Offensive Security Certified Pro
OSWE · Offensive Security Web Expert
CRTP · Certified Red Team Pro
Top 1% · Bug Bounty Platforms

Side project

Want to learn this stuff?

I built ctfgame.com — a CTF platform with 200+ challenges. Web, pwn, reversing, crypto, forensics. It's where I sharpen my own skills.

Free tier. No credit card nonsense. Just pick a category and start solving.

ctfgame.com

How it works

Simple. No surprises.

01 · Scope it

Tell us what you want tested. We sign an NDA. You give us URLs, IPs, credentials.

02 · We break it

Days of manual testing. We chain bugs. We document everything with screenshots and videos.

03 · Report + POC

Working POCs, severity ratings (CVSS), exact remediation steps your devs can follow.

04 · Re-test

Free re-test after you fix things. We don't close until the criticals are gone.

From clients

"Three other firms gave us clean reports. OblivionSec found 6 criticals in the first day — with working exploits. We don't use anyone else now."

Rajesh K. · CTO · FinTech · India

"The API report was insane. They didn't just say 'BOLA found.' They showed the exact request, the exact response, and how to fix it. Our team actually read this one."

Sarah M. · VP Eng · SaaS · USA

"Shakti is the real deal. No fluff, no corporate speak. Just straight 'here's what's broken, here's how bad it is, here's how to fix it.' Retained quarterly."

Ahmed H. · CISO · Healthcare · UAE

Get in touch

Tell us what you need.

Fill the form or email directly. Every inquiry gets a response within 24 hours. No sales team, no CRM funnel.

This goes directly to contact@oblivionsec.com. No middleman.
