Skip to Content(

Hi, my name is

Shivam Saraswat.

I build things for the security.

I’m a security engineer (R&D) specialized in building exceptional security solutions. Currently, I’m focused on building dev-centric security products (using shift-left approach) at PayPal.

About Me

Hello! My name is Shivam. I stop bad packages before they reach your developers.

Over the past 4+ years, I've built enterprise security platforms that reduce risk without slowing engineering down — at PayPal, IKEA, and Tekion. My focus: SSDLC automation, container and supply chain security, and building security tooling that developers actually want to use, not tools they route around.

Committed to bridging the gap between development and security teams to create resilient, scalable, and efficient systems.

Here are a few technologies I’ve been working with recently:

  • SSDLC
  • Supply Chain Security
  • DevSecOps
  • Cloud Security
  • Security Automation
  • Vulnerability Management
  • Github Actions, GitLab CI/CD, Harness CI/CD
  • Docker, Kubernetes
  • Google Cloud, AWS
Headshot

Where I’ve Worked

Senior Product Security Engineer @ PayPal

April 2025 - Present

  • Built an org-wide supply chain firewall that blocks malicious/vulnerable packages before they reach Artifactory.
  • Deployed container security across 3,100+ CI/CD pipelines, improving vulnerability detection by 50%.
  • Standardized container vulnerability policy enforcement to 100% compliance org-wide.
  • Built a CVE/package/version deduplication system that cut alert fatigue and improved patch efficiency by 30%.
  • Prototyped an AI-powered SCA system for reachability analysis, safe-version recommendations, and fix suggestions across Maven & npm.
  • Detected and neutralized the Shai-Hulud self-replicating worm and similar supply chain attacks before credential theft or spread.
  • Built an automated third-party vendor image scanning pipeline with a Slack AI bot for on-demand scans.
  • Authored container security ADRs and guides that cut developer onboarding time by 40%.

Some Things I’ve Built

Other Noteworthy Projects

view the archive
  • PGrab

    PGrab is a banner grabber tool used to gather information about a remote server or device, specifically the banner or header information that is sent when a connection is made.

    • Python
    • Banner Grabbing
    • Network
  • crt.sh Domain Finder

    It can retrieve all the domains and the subdomains associated with a domain using crt.sh. It can also be used in conjunction with other tools (such as httpX) to know the active domains.

    • Python
    • Subdomain Enumeration
  • WebXCrawler

    WebXCrawler is a fast static crawler to crawl a website and get all the links. It is useful for web developers and security professionals to identify the links present on a website. It is built using Python and BeautifulSoup.

    • Python
    • Web Crawler
    • BeautifulSoup
  • SSH Bruteforcer and Bruteforce Detector

    It is a tool for brute-forcing the SSH service, allowing for testing and analysis of SSH security measures, and it also comes with option to detect brute-force attacks on the SSH service.

    • Python
    • SSH
    • Security
  • Refinements In Zeek Intrusion Detection System

    Designed and implemented custom scripts for improving the logging capability of the Zeek IDS. Also, published a paper in the IEEE Conference on the topic – Refinements in Zeek Intrusion Detection System.

    • Zeek IDS
    • Intrusion Detection System
    • Network Security
  • NETMAPPY

    This is a basic port scanner written in Python 3. It is a simple script that uses the socket module to scan the ports of a given IP address. It is a useful tool for security professionals and network administrators to check the open ports on a server to ensure that only the necessary ports are open.

    • Python
    • Networking
    • Port Scanner

What’s Next?

Get In Touch

My inbox is always open. Whether you have a question or just want to say hi, I’ll try my best to get back to you!

)