Sma Das

Sma Das is a security engineer based in New York, NY.

FIND THE BREAK. FIX IT FIRST.

Offensive security, application hardening, and practical risk reduction for teams that need clear findings. I work across assessments, cloud environments, and product security reviews with reporting built for engineers and decision-makers.

About

I am Sma Das, a security engineer with experience across enterprise, consulting, and research settings. Most of my work starts with offensive validation and ends with a remediation path that teams can actually use.

The standard I care about is whether a finding changes the risk posture in practice. That means concise evidence, realistic prioritization, and recommendations that respect delivery pressure.

Core capabilities

Offensive security work with outcomes teams can act on.

The work spans validation, hardening, and reporting, but the goal stays the same: find the highest-leverage issues and make them clear enough to fix.

  • 01

    Application security reviews

    Manual testing and remediation guidance that gives product teams a path to ship safer code.

  • 02

    Web and cloud penetration testing

    Offensive validation across application flows, exposed services, and cloud attack paths.

  • 03

    Cloud hardening and IAM risk reduction

    Focused reviews that tighten permissions, reduce blast radius, and remove risky defaults.

  • 04

    Threat modeling for shipping teams

    Practical control validation that fits delivery pressure instead of slowing releases to a halt.

  • 05

    Security automation

    Python and infrastructure tooling that turns recurring checks into repeatable engineering workflows.

  • 06

    Reporting built for decisions

    Evidence and prioritization mapped to engineering choices, ownership, and real risk reduction.

Approach

Good security work is specific. It should show where the exposure is, why it matters, and what the team can do next without adding unnecessary ceremony.

Find the path that matters

Testing starts by identifying the combinations of access, exposure, and business context that would cause the most damage if they held up.

Keep evidence usable

Findings need to be reproducible and clear enough for engineering teams to validate quickly without a second translation pass.

Prioritize by delivery reality

Recommendations are more useful when they reflect deployment constraints, ownership boundaries, and the cost of changing the system.

Automate selectively

Automation matters when it expands coverage or cuts repeat work. It is not a substitute for judgment on exploitability or impact.

Experience

Roles across consulting, enterprise, and education environments with a consistent focus on practical security outcomes.

Google Cybersecurity Clinic

Security Engineer I

Aug 2023 - Present

New York, NY

  • Led penetration testing, social engineering, and auth analysis across client-facing systems.
  • Reviewed cloud and network security controls to close policy and configuration gaps.
  • Delivered actionable remediation plans for nonprofit and small-business stakeholders.

IBM

Cybersecurity Engineer Intern

May 2023 - Aug 2023

Armonk, NY

  • Executed 20+ security tests across ML and cloud workloads.
  • Partnered with X-Force Red workflows and reported high-impact findings.
  • Strengthened privacy and secure engineering review practices.

UniTech

Cloud Security Engineer Intern

May 2022 - Dec 2022

Remote

  • Automated AWS compliance checks and monitoring workflows with Python and CLI tooling.
  • Improved IAM access boundaries and reduced unauthorized account risk.
  • Integrated cloud-native threat visibility and detection controls.

TryHackMe

Vulnerability Researcher & Penetration Tester Intern

May 2021 - Dec 2021

Remote

  • Performed 30+ penetration tests and uncovered 100+ high/critical findings.
  • Built automation scripts for recon, discovery, and exploitation support.
  • Helped scale security education content consumed by over one million users.

Projects

Selected work across security, developer tooling, and publishing-focused engineering environments.


Open Source · npm Package

better-swagger-types

Built and published a Prisma-style generator that turns Swagger and OpenAPI schemas into stable, ergonomic TypeScript output without coupling teams to a specific HTTP client.

2026 · Creator & Maintainer

TypeScript, OpenAPI, CLI, npm


Writing Platform

Sma Das Blog

Designed and shipped a personal blog that packages technical writing, experiments, and long-form security notes into a fast, focused reading experience.

2026 · Designer & Developer

Next.js, Content, Design, Publishing


Competition

Collegiate Penetration Testing Competition

Delivered offensive security outcomes under live-fire constraints, with a focus on reconnaissance, exploitation, and reporting quality.

2024 · Competitor

Penetration Testing, Reconnaissance, Reporting, NIST


Google Cybersecurity Clinic x Alliance for Downtown New York

Cybersecurity Posture Assessment

Ran a comprehensive assessment across web, network, and policy layers to identify high-risk gaps and prioritize remediation.

2023 · Security Consultant

Assessment, Social Engineering, Cloud Security


Industry Experience

IBM Federated Learning Security

Contributed to secure and privacy-aware machine learning efforts by strengthening controls and data protection workflows.

2023 · Cybersecurity ML Engineer Intern

Python, Machine Learning, Privacy, Cloud


Contact

I'm open to security engineering, offensive security, and application security roles. If your team needs focused testing or remediation support, send a note.