Sandeep Hodkasia, Founder of AppSecure
In the vibrant Indian startup ecosystem, stories of grit and innovation often emerge from unexpected corners. Sandeep Hodkasia, a 29-year-old from the serene small town of Bhadra in Rajasthan's Hanumangarh district, embodies this spirit.
Born into a middle-class family, his early fascination with computers during school years in Rajasthan set the stage for a remarkable foray into ethical hacking and entrepreneurship.
Introduced to white-hat hacking by his elder brother while still in school, Sandeep honed his cybersecurity skills long before the term became a buzzword.
By the time he completed his grade 12 in Pilani, Rajasthan, in 2014, he was already experimenting with bug bounty hunting. This passion propelled him to pursue a bachelor's degree in computer science engineering at Jaypee University of Information Technology in Himachal Pradesh, starting in 2016.
Launching AppSecure: Spotting the Gap in the Cybersecurity Landscape
Barely into his first year of engineering, Sandeep found a glaring gap in the cybersecurity market.
In 2016, India lacked firms offering proactive, hacker-led penetration testing; most focused on compliance-driven checks for standards such as SOC 2 or GDPR.
Inspired by the more advanced approaches in the USA and Europe, he founded AppSecure Security in May 2016, registering it as a Singapore startup to tap international opportunities.
“Back in 2016, security-focused VAPT was rare in India; most firms provided cybersecurity services just to tick compliance boxes for their clients. My vision was clear: build a one-stop shop for real-world threat simulation, blending compliance with genuine security engineering,” says Sandeep Hodkasia, now the founder & CEO of AppSecure.
Sandeep founded this cybersecurity company with a special focus on providing Vulnerability Assessment and Penetration Testing (VAPT), red teaming services, and offensive cybersecurity solutions to tech-driven organizations worldwide.
Navigating Challenges: The Early Battles
However, the initial hurdles were steep for this bootstrapped startup.
With barely any initial investment, Sandeep juggled engineering studies, sales, marketing, operations, HR, and finance single-handedly.
Hiring skilled white-hat hackers proved tough, as back then, only a handful in India were trained in advanced penetration testing operations or red teaming as a service.
Client acquisition emerged as a persistent challenge in the cost-sensitive Indian market, where cybersecurity awareness was low.
Sandeep's big breakthrough came in early 2017, when a tech company came on board as AppSecure’s first client, followed by referrals that kept costs low and quality high.
The COVID-19 pandemic disrupted momentum, forcing a strategic pivot. Amid lockdowns, Sandeep refocused on international expansion, eyeing the Asia-Pacific region.
In 2021, the move to Singapore strengthened ties with Southeast Asian clients, transforming AppSecure into a top cybersecurity company in Singapore.
"We turned the pandemic into an opportunity to rethink our approach. This shift not only diversified our clientele—spanning the APEC countries, the US, UK, and India—but also highlighted our startup's resilience," shares Sandeep Hodkasia during an exclusive interview with Startup Pedia.
To date, AppSecure has served over 400 clients globally, including fintech leaders like Groww, banking firms such as SBI General Insurance, and tech companies like Truecaller and MyGate.
With a team of over 20 employees, AppSecure acts as an extended security team for its clients, building long-term relationships based on trust and collaboration.
Big Bug Bounty Triumphs: Case Studies That Redefined Ethical Hacking
Sandeep's prowess as a legendary bug bounty hunter has thrust AppSecure into the spotlight, underscoring the importance of ethical white-hat hacking and vulnerability testing.
This hands-on expertise not only elevates his status in the cybersecurity industry but also shines a light on AppSecure's offensive cybersecurity offerings.
Here are a few case studies that highlight how Sandeep’s discoveries have secured digital platforms for millions, blending personal feats with company growth.
Case Study 1: Meta AI
More recently, in early 2025, Sandeep exposed a vulnerability in Meta AI's GraphQL API, allowing unauthorised users to access private AI interactions, including prompts and generated images.
He spotted the flaw while analysing network traffic during prompt editing, noting that Meta's servers assigned easily guessable unique numbers to each interaction without proper authorization checks.
Sandeep found out that the prompt numbers were "easily guessable," posing a severe threat if exploited maliciously.
Responsibly reported by Sandeep, the issue was acknowledged by Meta, which implemented a temporary fix in January 2025 and a permanent solution by April 2025.
For his findings, Meta rewarded Sandeep with $10,000 for the primary issue and an additional $12,550 for related vulnerabilities.
Even though Meta confirmed no evidence of abuse, the incident underscored privacy risks in AI tools. This case highlighted how the bug could enable automated scraping of sensitive content, potentially including personal or explicit material.
Case Study 2: WeWork India
In July 2022, Sandeep uncovered a critical flaw in WeWork India's online check-in app, exposing personally identifiable information such as names, phone numbers, email addresses, and images through manipulable user IDs.
He discovered the bug by testing the app's functionality, revealing that simply incrementing or decrementing sequential user IDs allowed access to thousands of unencrypted records from an internet-facing tool.
Sandeep made the vulnerability public through social media and communicated details to media outlets like TechCrunch, which verified his findings. The vulnerability affected tens of thousands of visitors across WeWork India's coworking spaces.
WeWork India responded swiftly after TechCrunch's notification, pulling the app from its website and confirming the bug allowed "unintentional access to basic visitor information."
Sandeep's findings and responsible disclosure exemplified the value of white-hat hackers in real-world threat simulation, mirroring AppSecure's focus on proactive security testing to close such gaps before exploitation.
This case study amplified security awareness in India's coworking sector, preventing potential data breaches and highlighting systemic lapses in the country's tech ecosystem.
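Both case studies describe the same defect class: records addressed by guessable or sequential identifiers and returned without checking that the caller owns them. The Python sketch below is an added illustration, not code from Meta, WeWork India or AppSecure; the record store, user names and function names are constructed for the example. It contrasts the missing check with an object-level authorization check and flags a client whose denied requests span several distinct IDs.

```python
import secrets
from collections import defaultdict

# Constructed sample data: records keyed by sequential IDs, each with an owner.
RECORDS = {
    1001: {"owner": "alice", "prompt": "constructed sample A"},
    1002: {"owner": "bob", "prompt": "constructed sample B"},
    1003: {"owner": "carol", "prompt": "constructed sample C"},
}

class Forbidden(Exception):
    """Raised for records that are missing or belong to someone else."""

def get_record_unchecked(session_user, record_id):
    # Flawed pattern from the case studies: only the ID is consulted,
    # so any authenticated caller can read any record.
    return RECORDS[record_id]

def get_record_checked(session_user, record_id):
    # Object-level authorization: the record must belong to the caller.
    # Missing and foreign records raise the same error, so the response
    # does not reveal which IDs exist.
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != session_user:
        raise Forbidden("not found or not permitted")
    return rec

def new_opaque_id():
    # 128-bit random identifier. Defence in depth only: the ownership
    # check above is still required.
    return secrets.token_urlsafe(16)

def replay(requests):
    # Run (user, record_id) requests through the checked handler and
    # return an access log of (user, record_id, allowed) tuples.
    log = []
    for user, record_id in requests:
        try:
            get_record_checked(user, record_id)
            log.append((user, record_id, True))
        except Forbidden:
            log.append((user, record_id, False))
    return log

def flag_enumeration(access_log, threshold=3):
    # Users whose denied requests span at least `threshold` distinct IDs.
    denied = defaultdict(set)
    for user, record_id, allowed in access_log:
        if not allowed:
            denied[user].add(record_id)
    return sorted(u for u, ids in denied.items() if len(ids) >= threshold)
```

The threshold of three denied IDs is an arbitrary value for the sample log; a production rule would be tuned against normal traffic.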
Sandeep emphasizes, “My work and AppSecure’s platform are not about chasing bounty rewards but about securing systems relied upon by millions. At AppSecure, our hands-on approach to security testing helps companies identify and fix hidden risks before they escalate into major threats. We focus extensively on security research for large enterprises like Meta, PayPal, Google, and Microsoft, uncovering critical security loopholes to protect their internet assets. At the same time, this work helps us market AppSecure and build our reputation.”
Services and USPs: A Hacker-Focused Edge in a Booming Market
AppSecure's offerings stand out in the global cybersecurity market, projected to grow from USD 218.98 billion in 2025 to USD 562.77 billion by 2032 at a 14.4% CAGR.
Its clients value the measurable ROI from proactive threat avoidance, far beyond traditional cybersecurity tools.
The above-mentioned feats have positioned AppSecure as a leader in offensive cybersecurity, with solutions like Pentest as a Service (PTaaS) and Redteaming as a Service (RTaaS) drawing from these real-world insights.
AppSecure’s PTaaS integrates continuous penetration testing into DevOps cycles, providing real-time vulnerability detection, proof-of-exploit reports, and automated retesting for compliance like PCI DSS or ISO 27001.
Similarly, its RTaaS simulates multi-stage attacks—reconnaissance, phishing, lateral movement—over weeks, uncovering gaps in people, processes, and technology as per MITRE ATT&CK frameworks. This proactive stance helps fintech, banking, and tech companies mitigate risks in digital environments.
What sets AppSecure apart?
"We deliver ROI-driven services with hacker-led simulations that regular cybersecurity tools miss, saving clients on bounties while ensuring compliance. Our USPs include custom security testing for sectors like tech, manufacturing, and healthcare, plus a focus on vulnerabilities overlooked by scanners," Sandeep explains.
Charting the Future: A Long-Term Vision
Bootstrapped and cashflow-positive since inception, AppSecure has reinvested revenues without external funding, a rarity in the startup landscape.
This self-sustained model fuels steady growth, with no immediate plans for raising investor money. Sandeep prioritizes organic scaling over rapid valuation chases.
Looking ahead, future plans centre on global reach.
"At AppSecure, our goal is to make offensive cybersecurity services accessible to internet companies globally, helping them secure their online presence and proactively avoid threats. Beyond simply increasing revenue, our long-term vision is to impact the general public by protecting their data, transactions, and online interactions. As AppSecure expands globally, we are adding more clients and opening offices across the Asia-Pacific region and the US. With a growing client base, we will also increase our workforce, creating more job opportunities worldwide," Sandeep Hodkasia envisions.
As the cybersecurity industry evolves, AppSecure's commitment to ethical hacking and its client-centric approach promise a lasting impact.
From Rajasthan's heartland to Singapore's tech hubs, Sandeep's journey reminds us: true vision starts with curiosity, courage, and innovation.