To keep his edge, international cybersecurity expert Nipun Jaswal does more than stay up on current security threats and trends; he literally keeps his hands in the game, regularly coding—in up to 10 different languages—and doing lab work including exploring attack vectors and hunkering down with disassemblers and debuggers.
Remaining “deeply technical” is not just part of his practice, it’s also fundamental to his leadership philosophy, which centers on staying curious and “close to the core of innovation.”
Jaswal currently works for NTT Data in India, where he’s Global-Capability Leader for Offensive Security. He is also one of Computing’s Top 30 Early Career Professionals for 2024.
In the following Q&A, Jaswal describes
-
-
- How combining deep theoretical grounding with hands-on expertise helps him to lead others with clarity and empathy, as well as sustain his forward-looking approach toward emerging technologies and security.
- His discovery of the zero-day CVE-2017-13696 stack-based buffer overflow vulnerability and the impact that discovery had on the broader cybersecurity learning ecosystem.
- How a challenger’s mindset drives his vulnerability research in a way that complements rather than opposes developers’ work.
- Why cybersecurity training for law enforcement professionals must go beyond theory and tools and focus on hands-on training grounded in context and real-world threat scenarios.
You have authored 12 books on forensics and penetration testing. What inspired you to write these books, and how do you hope they contribute to the field of cybersecurity?
The inspiration came from a very personal place; I didn’t want to write just another book that repeated what was already publicly available. When I began writing Mastering Metasploit, my first book, I spent significant time researching, experimenting, and going beyond conventional documentation. I wanted to create something original, practical, and deeply insightful—something I wished I had when I was starting out.
My goal was to provide hands-on knowledge, real-world techniques, and practical walkthroughs that help professionals truly understand the tools, not just use them. These books reflect that intent, to empower the community with content that’s not just educational but also transformational. If even one reader gains a new perspective or sharpens their thinking because of my work, I consider that a meaningful contribution to the field.
Representing India at the BRICS Cyber Security Challenge and achieving the runner-up position is a significant accomplishment. Can you share your experiences with this competition and the key takeaways?
Being selected to represent India at the BRICS Future Skills Challenge after winning the DSCI Hackathon was a truly surreal experience. I still vividly remember going two straight days without sleep, completely immersed in solving the challenges; it was intense, exhausting, and incredibly fulfilling. Competing on an international stage alongside the best minds from Brazil, Russia, China, and South Africa gave me unmatched exposure to diverse problem-solving approaches and cybersecurity thought processes.
The competition wasn’t just a test of technical ability—it demanded adaptability, quick decision-making, and the ability to collaborate in high-pressure scenarios. One of my biggest takeaways was the importance of understanding adversarial behavior beyond tools and frameworks; it’s about mindset, intuition, and anticipating the unexpected.
The experience also reinforced my belief in the strength of India’s cybersecurity talent pool. We have the capability not only to compete at a global level but also to set new benchmarks. It was more than a competition; it was a moment of growth, pride, and perspective that I carry with me to this day.
Leading the winning team in DSCI’s Capture the Flag competition demonstrates your expertise in cybersecurity. What strategies did you employ to secure the victory, and what were the most challenging aspects of the competition?
The DSCI Capture the Flag competition was a true test of endurance, strategy, and technical depth—a grueling 24-hour nonstop challenge that pushed every limit. What truly made the difference was how we approached it strategically from the start. We structured the team around role specialization, assigning each member to focus on their core strengths, such as reverse engineering, web exploitation, cryptography, binary analysis, and more. This allowed us to work in parallel, maximize efficiency, and solve complex problems simultaneously without bottlenecks.
Interestingly, the most challenging part wasn’t just the technical difficulty, it was maintaining focus, stamina, and clarity under continuous pressure for an entire day. But our synergy, adaptability, and shared trust helped us power through. It was more than a victory, it was a lesson in precision teamwork, resilience, and leading under pressure.
Being named one of Asia’s Top 100 Power Leaders in Technology in 2022 is a notable honor. How do you stay at the forefront of technological advancements, and what advice would you give to aspiring tech leaders?
Staying ahead in technology requires more than just awareness, it demands active, hands-on involvement. Even today, despite being in a senior leadership role, I remain deeply technical. I work regularly with debuggers and disassemblers, and I continue to code fluently in 8–10 programming languages. I’ve always believed that leadership in tech isn’t about sitting behind PowerPoints and Excel sheets, it’s about staying close to the core of innovation.
I follow a principle that’s served me well: learn, unlearn, and relearn. I dedicate time every week to lab work, reverse engineering, exploring new attack vectors, and engaging in meaningful exchanges with global experts. It keeps me sharp and grounded.
My advice to aspiring tech leaders is simple: stay curious, stay hands-on, and don’t be afraid to get your hands dirty. Real leadership is earned not just through strategy, but through skill. Lead by example—not just with vision, but with action.
You have reported more than 10 zero-day vulnerabilities and have exploits listed on Exploit-DB.com. Can you discuss one of the most impactful vulnerabilities you discovered and how they were addressed?
The first is CVE-2017-13696, a stack-based buffer overflow vulnerability that not only demonstrated a classic exploitation vector but also made a notable impact on the cybersecurity learning ecosystem. It was later incorporated in the OSCP certification as a teaching case for buffer overflow exploitation, before the exploit development section transitioned into the dedicated OSED certification. The fact that this vulnerability was used to train and shape the skills of thousands of cybersecurity aspirants worldwide makes it incredibly special to me.
Another significant discovery was CVE-2018-18913, a search order hijacking vulnerability in the Opera browser. The flaw allowed an attacker to craft malicious HTML pages bundled with a rogue DLL, which could be executed by the browser due to insecure DLL loading mechanisms. This could have led to unauthorized code execution and system compromise on the victim’s machine. I reported the issue through responsible disclosure, and worked closely with Opera’s security team to ensure it was patched promptly. This reinforced the importance of proactive, collaborative disclosure processes in preventing real-world exploitation.
For me, vulnerability research isn’t just about finding flaws, it’s about improving defenses, enabling secure software development, and contributing back to both the industry and the community.
Your work has been recognized by industry leaders like AT&T, Facebook, and Microsoft. How do you approach vulnerability research and reporting to ensure it has a positive impact on cybersecurity?
My vulnerability research is driven by a challenger’s mindset. I see it as a constant push to test the limits of secure development—not to oppose developers, but to complement their work by identifying what might be missed under normal conditions. I take the phrase “100% security is a myth” seriously, so I continually push myself to bypass controls, think like an attacker, and explore unconventional paths.
My approach is methodical, combining deep technical analysis, proof-of-concept development, responsible disclosure, and open communication with vendors. I always aim for constructive collaboration because the goal isn’t just to find flaws, it’s to fix them in a way that strengthens the entire ecosystem.
Recognition from companies like AT&T, Facebook, and Microsoft is humbling, but for me, the real win is in helping make software more resilient and protecting users before attackers ever get a chance.
You have trained law enforcement agencies on advanced topics such as vulnerability analysis and zero-day hunting. How do you approach training and knowledge sharing to ensure it is effective and impactful?
I believe effective cybersecurity training, especially for law enforcement or intelligence departments, must go beyond theory and tools. It needs to be context-driven, hands-on, and grounded in real-world threat scenarios. My approach is to design training modules that replicate the challenges officers would face on the ground, including vulnerability analysis, exploitation, zero-day detection, and post-exploitation forensics.
When it comes to vulnerability research, I don’t just teach the “how”; I also focus on the “why.” I guide participants through the complete lifecycle: understanding software behavior at a low level, identifying attack surfaces, spotting insecure code patterns, reverse engineering binaries, and crafting proof-of-concept exploits. I also emphasize the importance of responsible disclosure frameworks, ensuring that research efforts contribute constructively to the wider cybersecurity ecosystem.
For zero-day hunting, I cover techniques such as fuzzing, memory corruption analysis, bypassing exploit mitigations, and developing strategies to detect sophisticated threats. Each module includes live threat emulation labs with immersive scenarios that push participants to analyze, adapt, and respond instinctively.
My goal is not just to transfer skills but to cultivate a mindset of critical thinking and proactive defense. I want every participant to leave the session not only with new capabilities, but with the ability to think like an adversary, stay curious, and continue evolving as cybersecurity professionals.
Reflecting on your career journey—from your education at Lovely Professional University to your roles at NTT Data, Protiviti, and BDO India—what are some key lessons you have learned, and how have they shaped your approach to cybersecurity and leadership?
Looking back, one of the most important lessons I’ve learned is that technical excellence is just the foundation; true impact happens when you scale it through people. My journey began at Lovely Professional University, where I built the strong technical foundation and problem-solving mindset that still guides me today. Early in my career, I was focused on mastering the depths of cybersecurity. exploring reverse engineering, exploitation, forensics. That passion still drives me today. But as I’ve grown into leadership roles, I’ve realized that the ability to mentor, guide, and inspire others is what truly amplifies that impact.
No matter how advanced the technology, at the end of the day, it’s the people who defend systems, write code, respond to incidents, and innovate solutions. Building a high-performance team requires more than skill. It takes empathy, trust, and vision. I’ve learned to balance my hands-on technical engagement with the responsibility of being a leader who listens, empowers, and enables others to thrive.
Another lesson that has stayed with me is that cybersecurity isn’t just about protecting systems. It’s about earning and maintaining trust. Whether it’s the trust of a client, a user, or a team member, everything we do in this field ultimately comes down to ensuring safety, reliability, and confidence in a digital world that’s constantly evolving.
That belief shapes my leadership style: being empathetic, strategic, and always future-ready. I still write code, reverse-engineer binaries, and dive deep into technical work, not because I have to, but because I believe a leader should never lose touch with the ground realities. It helps me stay authentic, relevant, and connected with the technology and the people I lead.
If there’s one thing I’d share with anyone reading this—especially those at the start of their journey—it’s this: Don’t chase titles; chase mastery. Stay hands-on. Stay curious. Never stop learning. The titles will come, but what truly sets you apart is your ability to combine deep technical thinking with human leadership. That’s what builds careers, teams, and a cybersecurity culture that truly makes a difference.
Bio: Nipun Jaswal
Nipun Jaswal is an internationally recognized cybersecurity expert, author, and thought leader with more than a decade of groundbreaking contributions to the field of information security. As a seasoned practitioner and innovator, his career is marked by profound technical expertise, relentless curiosity, and a passion for empowering the global cybersecurity community.
Currently Global-Capability Leader for Offensive Security at NTT Data, Jaswal leads strategic initiatives across Red Teaming, AI/LLM security, vulnerability research, and breach assessments. In addition to playing a managerial role, he architects next-generation security solutions, builds high-performance cybersecurity teams, and drives large-scale technology assessment projects for global enterprises.
Jaswal wrote his first book, Mastering Metasploit, in 2014 after realizing the gap between theoretical content and real-world application. His immense research effort ensured that the book provided practical depth, which he felt was missing in most public resources. That book marked the beginning of a prolific writing journey; to date, he has written 12 books on penetration testing, network forensics, and exploit development that are widely used by professionals and students alike.
Jaswal proudly represented India at the BRICS Future Skills Cyber Security Challenge, securing a runner-up position after an intense multi-national competition. That experience was born out of his DSCI Hackathon victory and was marked by sleepless nights, intense challenges, and unmatched exposure to global cybersecurity thought leadership.
At BDO India, Jaswal was instrumental in establishing the Cyber Security Operations Center (CSOC), leading Red Team engagements, and building a custom Vulnerability Management Dashboard that transformed how clients prioritized and addressed security risks.
Among Jaswal’s many honors are the Technology Leadership Award (2017), Award of Excellence from the National Cyber Defense and Research Center (2015), and a spot on Asia’s Top 100 Power Leaders in Technology (2022).
Dig Deeper
To learn more about Jaswal,
Over the next few months, Tech News will highlight different Top 30 honorees each week. For a full list, see Computing’s Top 30 Early Career Professionals for 2024.
To read more about how IEEE Computer Society supports our world and its innovative thinkers through funding, education, and activities, check out its other contributions to the computing community.
