DEEV PAL

XSS Reviewer Agent

Built a multi-tier Confucius agent specifically targeting ServerHTML and dangerouslySetInnerHTML sinks across Meta's React/JS codebase. Started with a 2-agent architecture (Main Agent + Hop Analyzer) and iterated it into a full 5-tier fan-out system with specialized subagents:

• Tier 0 — Orchestrator: Finds all sinks, coordinates fan-out, aggregates final verdicts
• Tier 1 — Source Tracker: Backward data-flow analysis across JS/PHP/Hack/GraphQL boundaries
• Tier 2 — User Control Check: Determines if sources can be influenced by any user
• Tier 3 — Security Reviewer: Deep review with 7-question decision tree and 18+ source type matrix
• Tier 4 — Security Critique: Adversarial review with 17-item gap checklist and fabrication detection

Follow-up: Added batch-mode fast-path with streaming results and crash recovery. Also ported the entire agent as a Claude Code plugin with 4 skills for the prodsec-review pipeline. Built an XSS remediation skill that generates prioritized code fixes (P0–P5) with BEFORE/AFTER diffs.

Sever-Agent (ACL Risk Scanner)

Designed and built an automated ACL risk assessment agent that scans and secures insecure access controls across Meta's entire infrastructure. The agent systematically evaluates whether Keychain secret ACLs should be restricted or remain open, using a Security Triager Agent pattern.

• Built PZM verifiers (ThriftServiceInsecureACLVerifier) to detect overly permissive ACL configurations on Thrift services
• Added support for Crypto Project and Laser Tier ACL analysis with consolidated task-per-target approach
• Integrated with Perpetrator for security event tracking, routing events to different queues by L2 surface
• Maintained insecure identity blocklists and configured async tier jobs via Butterfly + Conveyor

Follow-up: Developed AQF (Automated Quality Framework) rules for automated ACL security checks at production across 5+ asset categories. Created rules to flag high-SIR TIER ACLs with overly permissive “open to ALL” access entries.

AI Security Consultant (MFT)

Built a multi-agent AI system to automate the triage and analysis of MFT (Money Flow Transfer) security consult requests. The agent processes Office Hours documents, evaluates them against Paysec/PCI DSS frameworks, and generates structured risk assessments with severity ratings.

• Iterated through 3 output formats: Google Docs → JSON → Structured JSON for pipeline integration
• Separated OH documents into batches for parallel processing, fixing corner cases in risk scoring
• Added risk review score and severity rating to final output for automated downstream routing
• Upgraded to Claude Sonnet 4.5 with improved security-focused prompts

Follow-up: Used the agent to process real MFT consults including Crypto Projects security reviews, FI FinNet assessments, and Billing ML Feature Table privacy evaluations.

AI Security Crawler

Built an AI-powered security crawler that continuously monitors Workplace groups for security-relevant feature launches and risks. The system automatically analyzes posts, crawls linked Google Docs and wiki pages, and generates security risk assessments routed to the Perpetrator event system.

• Migrated from Metamate (M8) LLM pipeline to Devmate agent via Sandcastle for better reliability
• Built end-to-end Butterfly Bot integration with async jobs for automated workplace post monitoring
• Fixed subagent JSON passthrough, streamlined Perpetrator UI, added linked docs tracking
• Onboarded WhatsApp groups, Lite experiment discussions, and Mobile Web surfaces

Follow-up: Generalized the crawler into a full Security Design Review Agent (V0.1) supporting multiple input surfaces with risk scoring and structured analysis output.

MFT Credentials Security Review

Led a comprehensive security review of Meta's Money Flow Transfer credential systems. Identified critical transitive access issues in ACLs that could enable unauthorized money transfers. Reviewed Card Network Tokenization flows, NFC Payments (Malibu), Pay-with-X Shopify link account linking, and ASA Support Agent payment/financial agentic tools.

Security Oncall & Vulnerability Triage

Served on 3 Prodsec oncall rotations at Meta, triaging a broad range of security issues at scale. Discoveries included XSS via Google-served documents, SQL injection vulnerabilities, and Remote Code Execution (RCE) vectors. Published oncall shift summaries and drove remediation across multiple product teams.

API Fuzzer

Developed a custom fuzzing tool designed to test AI-based APIs at SAP. Supported multiple payload types including image uploads, CSV injection, and NLP-based payloads to test model endpoints for input validation flaws, injection attacks, and unexpected behavior under adversarial inputs.

LogsDigger

Built an automation utility that scans application log files to identify sensitive data leaks — PII, credentials, tokens, API keys, and other secrets accidentally logged by developers. Reduced the risk of data exposure through log aggregation systems and helped enforce secure logging practices across SAP products.

FioriDAST

Created a custom web vulnerability scanner built on top of OWASP ZAP, specifically tailored for SAP's Fiori/SAPUI5 framework and OData services. Addressed the unique challenges of scanning single-page applications with OData backends. Migrated the build system from Maven to Gradle for improved CI/CD integration.

Open Source Security Automation

Automated open-source dependency scanning workflows at SAP using MEND, Blackduck, Trivy, and Grype. Built custom PowerShell scripts integrated with Bamboo CI/CD pipelines and Docker containers to continuously scan for vulnerable dependencies, license violations, and supply chain risks across SAP's product portfolio.