Dhaka, Bangladesh · Full Stack · DevSecOps · ASPM · Cloud Native

Nayeem Uzzaman

Full Stack & DevSecOps Engineer

I build secure, cloud-native software systems across full-stack engineering, DevSecOps, application security, and ML-assisted security automation.

  • Python
  • TypeScript
  • FastAPI
  • React
  • Kubernetes
  • AWS
  • Terraform
  • Semgrep
  • Trivy
  • LLM Agents

About

Full-stack engineering with a security backbone.

I'm a full stack developer with hands-on DevSecOps and ML/LLM-assisted security experience. My work spans backend systems, frontend interfaces, cloud infrastructure, Kubernetes-based delivery, and application security automation — the whole path from writing a feature to shipping it securely on cloud-native infrastructure.

At the core of that is platform work: I've built internal tooling that continuously scans repositories, cloud accounts, containers, and domains, combining multiple security tools into unified workflows. I care about turning fragmented security signals into pipelines that engineers can actually act on.

Outside of work, I'm learning Japanese and aiming for JLPT N3 — an interest that turned into JPLens, a real-time on-screen translation tool I built for my own study. I like building the tools I wish existed.

Education

University of Dhaka

B.Sc. in Computer Science and Engineering

CGPA: 3.45 / 4.00
2019 – 2023 · Graduated Jan 2024
Dhaka, Bangladesh

Experience

Where I've built and shipped.

  1. KraitLabs

    Sep 2024 – Present

    R&D Engineer — Application Security Posture Management (ASPM)

    Dhaka, Bangladesh

    Working on an internal ASPM platform focused on continuous security visibility across repositories, cloud environments, containers, and domains — combining full-stack development, cloud-native infrastructure, DevSecOps pipelines, and agentic vulnerability analysis.

    • Built and maintained an internal ASPM platform that continuously scans repositories, cloud accounts, containers, and domains.
    • Unified SAST, DAST, dependency scanning, container-image scanning, secret scanning, cloud posture scanning, and domain scanning into a single pipeline — integrating Semgrep, Trivy, Gitleaks, Prowler, Nuclei, and OWASP ZAP.
    • Designed a call-graph API scanner that parses backend repositories using LSP and tree-sitter, auto-discovering API endpoints and building function call graphs reachable from route entry points.
    • Supported backend frameworks including FastAPI, Spring Boot, ASP.NET Core, Express, and Laravel.
    • Developed LLM-driven agents that traverse generated call graphs to identify exploitable vulnerabilities and generate API inventories.
    • Shipped and scaled workloads on AWS EKS using ArgoCD GitOps and Karpenter autoscaling, orchestrating on-demand security scans as Kubernetes Jobs.
    • Hardened infrastructure with least-privilege IAM, AWS Secrets Manager, network segmentation, TLS/SSL, and OWASP-aligned practices.
    • Provisioned AWS and GCP Cloud Run infrastructure with Terraform; built CI/CD pipelines using GitHub Actions and Jenkins; containerized workloads with Docker and Kubernetes.
  2. Penta Global Limited

    Mar 2024 – Jul 2024

    Software Engineer

    Dhaka, Bangladesh

    Worked on frontend and API integration features for the national Birth Registration Information System (BDRIS).

    • Built registration form flows, admin panels, and backend API integrations for BDRIS.
    • Delivered frontend features using React Vite, TypeScript, Redux Toolkit, and RTK Query.
    • Collaborated using GitLab-based workflows.

Featured Projects

Personal tools, built end to end.

Side projects where I own the whole stack — from OCR pipelines and morphological analysis to agentic automation.

JPLens

Real-time on-screen Japanese morpheme translation

A desktop and Android language-learning tool that highlights and translates Japanese morphemes on-screen in real time. It combines native Windows OCR and Android ML Kit for text capture, MeCab for morphological analysis, and the Google Translate API for translation.

Built to make Japanese games easier to understand and to accelerate my own Japanese study on the way to JLPT N3 — a tool I use because I needed it.

  • C#
  • Kotlin
  • WinRT OCR
  • Android ML Kit
  • MeCab
  • Google Translate API

Discord MCP Toolkit

AI-driven Discord automation over MCP

An MCP tool suite that lets AI-driven Discord bots execute commands and functions from natural-language instructions. An experimental developer-tooling project exploring how agentic AI can operate real platforms through well-defined tool interfaces.

  • C#
  • Python
  • MCP
  • Discord Bots
  • Automation

Skills

Tools I work with every day.

Languages

  • Python
  • C#
  • Java
  • C++
  • JavaScript
  • TypeScript
  • Kotlin

Backend & Web

  • FastAPI
  • Spring Boot
  • ASP.NET Core
  • Express.js
  • React Vite
  • Redux Toolkit
  • RTK Query
  • Astro

Cloud & DevOps

  • AWS EKS
  • ECR
  • S3
  • ALB
  • IAM
  • AWS Secrets Manager
  • RDS
  • GCP Cloud Run
  • Docker
  • Kubernetes
  • ArgoCD
  • Terraform
  • Karpenter
  • GitHub Actions
  • Jenkins

Security / DevSecOps

  • ASPM
  • SAST
  • DAST
  • Dependency Scanning
  • Container Image Scanning
  • Semgrep
  • Trivy
  • Gitleaks
  • Prowler
  • Nuclei
  • OWASP ZAP
  • OWASP Top 10
  • Least-Privilege IAM
  • TLS/SSL

Databases

  • PostgreSQL
  • Amazon RDS
  • Firebase

Other

  • LSP
  • tree-sitter
  • Git
  • GitLab
  • Linux
  • LLM Agents
  • Static Analysis

DevSecOps Focus

Security engineering across code, cloud, containers, and APIs.

Applied engineering experience from building an ASPM platform — not checkbox security, but pipelines and tooling that run continuously in production.

Application Security Automation

Unified SAST, DAST, dependency scanning, and secret scanning into continuous pipelines, with automated vulnerability analysis replacing one-off manual scans.

  • SAST
  • DAST
  • Dependency Scanning
  • Secret Scanning

API Discovery & Call Graphs

Parsing backend repositories with LSP and tree-sitter to discover routes across FastAPI, Spring Boot, ASP.NET Core, Express, and Laravel, and to build route-to-function call graphs.

  • LSP
  • tree-sitter
  • Route Discovery
  • Call Graphs

Cloud-Native Security

Running scan workloads as Kubernetes Jobs on AWS EKS with ArgoCD, Karpenter, and Terraform — hardened with least-privilege IAM, Secrets Manager, network segmentation, and TLS.

  • AWS EKS
  • Kubernetes Jobs
  • ArgoCD
  • Terraform
  • IAM

ML / Agentic Analysis

LLM-driven agents that analyze generated call graphs to surface exploitable paths and build automated API inventories — applied engineering to reduce manual triage.

  • LLM Agents
  • Call-Graph Analysis
  • API Inventories
  • Triage Automation

Certifications & Achievements

Credentials and competition results.

Personal

Beyond engineering: language learning and tool building.

I'm learning Japanese and working toward JLPT N3. What started as an interest in the language became an engineering problem: reading Japanese games and media is slow when you're constantly looking up words.

So I built JPLens — a tool that highlights and translates Japanese morphemes on-screen in real time. It's the clearest example of how I like to work: find a real problem in my own life, then build a precise, technical solution for it.

Contact

Let's talk.

Interested in full-stack, DevSecOps, cloud-native, or application security engineering roles? I'm open to conversations with teams building secure and scalable software.

n.nayeem.rm@gmail.com · Dhaka, Bangladesh