Cobalt PtaaS + DAST combines manual pentests and automated scanning for comprehensive applications security.
Cobalt PtaaS + DAST combines manual pentests and automated scanning for comprehensive applications security.

A pentester's guide to entrepreneurship

Shashank was Cobalt's first-ever pentester. Now he is the CEO and Founder of his company CredShields, a security audit company, while still testing in the Core.

First, tell me a little about yourself.

I am Shashank, co-founder and CEO of CredShields. I started my career in web2 security at the age of 14-15, almost ten years back as a bug bounty hunter, and found valid bugs in Facebook, Google, Apple (CVE-2017-7063 CVE-2017-7062 CVE-2017-2458), Microsoft, Dropbox, Coinbase, and 40+ big companies who had their responsible disclosure programs. Later during college, I worked as a security consultant for, and then after college, in 2019, I joined HackerOne as a security analyst. 

Some lesser-known facts about me are that I was a national-level basketball player and played under 16 nationals during my school days. I also love reading. I have read more than 400 novels, mostly fiction and classics. 

How did you come up with the idea to start CredShields?

During the end of 2019 and early months of 2020, I was reading about all blockchain and smart contracts getting hacked, but I didn’t have time to do a lot of in-depth analysis. Then in March, I decided to quit my job to take a break. During this break, I was reading more and more and doing an in-depth analysis of all these crypto hacks. After doing the research for the entire three months after quitting my job, I noticed a few problem statements: 

  1. There was a lack of talent in the blockchain security industry. 
  2.  No one was adequately doing automation security in blockchain security. 

And I was familiar with these problem statements when I started web2 security. So I decided to pin down algorithms to detect vulnerabilities and pitched them to a couple of great developers from my college. I also pitched it to some great web2 security people to train and help them to get into web3 security and asked them to join my team. They liked the idea, and that’s how CredShields product SolidityScan to find smart contract vulnerabilities in an automated manner was born. 

What did the process of starting it look like?

CredShields is one year old now, and the journey has been amazing. I started it with an idea, listed 20-25 algorithms to detect smart contract vulnerabilities, and pitched it to some amazing developers I knew from college. Three joined and developed the frontend, backend, and infrastructure, working part-time alongside their full-time job. When the MVP was ready, an angel investor showed interest, and that's when people left their jobs to work on it full-time. After our seed round, we expanded the team and are nine full-timers. So we kind of followed the general tradition -> create an idea > create a team > make an MVP > Raise funds > expand. 

Why did you want to start your own business?

I have always wanted to do a tech startup, and Credshields is my 2nd proper attempt. Yeah, I did fail one startup during my college days. (Explore more on the topic of startup security.)

I am quite addicted to problem-solving as a security geek. Running a business is quite thrilling. You have to solve problems on the fly, and there is no option to back off. The best part is when running a business, you learn a lot while networking, which is not limited to technical skills. You have to have people skills and be a great storyteller; you learn to represent yourself in the best manner and so many things.     

What exactly is CredShields?

CredShields is a web3 security company that does audits for blockchain applications and smart contracts. Our company empowers developers to build credible solutions as we care for their security. The knowledge gained from audits is used to fuel the research of our product, SoldidityScan. 

How does the SolidityScan work?

SolidityScan is a cloud-based SmartContract security scanner. You can say it is like Nessus/Acuntix for smart contracts, but we have some advanced features, which is a requirement in the web3 industry. At, a developer or an auditor can upload their SmartContracts via Github, file upload, or by passing the contract address through scanning for 130+ security vulnerabilities, including best coding practices and gas optimization suggestions, as each transaction costs money in the world of blockchain. We also have a great feature that allows any developer or auditor to generate an audit report after addressing all the vulnerabilities at a click of a button. In the blockchain world, no one will interact with your contract if there is no public audit report. Hence this greatly reduces time, effort, and cost for smart contract developers or auditors. 

What different services do you offer? 

We offer all kinds of security audit services like blockchain node security, wallet security, smart contracts security, web3 web applications, mobile application, cloud configuration security of node servers, etc.  

What’s next product-wise?

Our security research team is working hard to find more and more vulnerability detections, and we are actively deploying them on our product. Very soon, we will launch our public APIs that will give the security score of any contract based on the overall security of the SmartContract. 

How did you meet Aditya? Do you guys ever work together at Cobalt?

It is the best coincidence in my life. Aditya is my father’s best friend’s nephew. Whenever my family used to go to Patna (his hometown), we used to play video games together. We were kids at that time. Later on, we both noticed that we independently started doing bug bounties. So we started collaborating and did a lot of pentest together at Cobalt. Since I was a few years older than Aditya, I would guide him in university exam preparations and make sure he didn’t make the mistakes I made. He always respected me for that and promised me that when I started my own company, he would join without a doubt. And he kept his promise. I am super lucky that I have a friend like Aditya. 

What advice would you give someone interested in creating their own product or company? 

I learned a few things from my past start-up failure, which is especially applicable and common for techies who want to be entrepreneurs. A great product or a company is not about making a perfect product and writing high-quality codes. There are a lot of other aspects that are equally important, like marketing, storytelling, creating a vision that everyone can trust, scalability, market fit, etc. If, as a company or a product owner, we fail in any of the above, it can lead to an overall failure in the beginning or at some point in the future. 

Back to Blog
About Shelby Matthews
Shelby Matthews is a Community Content Associate at Cobalt. She works to empower the Cobalt Core of professional pentesters, by providing them with a platform to produce content and showcase their expertise. She graduated from the University of Missouri with a degree in Journalism and uses it to bring the Cobalt Core's stories to life. More By Shelby Matthews
Source Code Review
Are you checking your new products for vulnerabilities in all capacities? Ninad Mathpati shares what you need to be doing during your Source Code Review and what attackers look for.
Nov 9, 2022
Pentester Spotlight: Alexis Fernández, Retired Developer takes on Pentesting
Alexis Fernandez has been a member of the Cobalt Core for a little over a year now. He started in security as a Web Developer before switching to ethical hacking.
Oct 26, 2022
What it means to be in the Cobalt Core
What does it mean to be in the Cobalt Core? I asked some of our Core Pentesters about their experiences in the Core and what has been most memorable for them.
Oct 18, 2022