Security testing, done by a specialist who cares about your fix
I'm Jalwan — an independent web application penetration tester. I help SaaS companies, startups, and product teams find the vulnerabilities that matter and fix them with confidence.
I've spent years breaking into web applications so the right people can fix them first. My work sits at the intersection of deep technical testing and clear communication — because a vulnerability report only matters if your team can act on it.
Most security testing on the market leans on automated scanners and generic templates. That approach misses the flaws that actually get companies breached: broken access control, subtle authentication bypasses, and business logic that behaves in ways nobody intended. Those take a human. That's the work I do, by hand, on every engagement.
Working with a freelance specialist means you deal directly with the person doing the testing. No layers of account management, no junior hand-offs. Just senior-level testing, direct answers, and reports written to be used — not filed away.
Focus areas
- Web application penetration testing
- REST & GraphQL API security
- Multi-tenant SaaS security
- Authentication & authorization
- Business logic & workflow abuse
By the numbers
- 30+
- Engagements
- 100+
- High/critical findings
- 4
- Years experience
- 10 days
- Avg turnaround
Connect
Principles behind every engagement
Depth over checklists
I test the way an attacker thinks — chaining small issues into real impact — rather than ticking boxes on a template.
Honest severity
No inflated criticals to justify an invoice. You get findings rated on genuine business impact, so you can trust the numbers.
Clarity for everyone
Reports that speak to executives and engineers alike, because a finding nobody understands never gets fixed.
Standards you can defend
Work aligned to OWASP, PTES, and NIST so your test holds up to auditors, customers, and your own board.
Ready to find your vulnerabilities before attackers do?
Book a security assessment and get a clear, prioritized picture of your application's real risk. No obligation, no automated-scan fluff.