The 19-Year-Old Who Learned to Break In. Now He Helps You Stay Safe.

Rhythm Bhattarai is 19, based in Kathmandu, and spent years finding vulnerabilities in real systems before building the tool he wished had existed. VeilScan makes cybersecurity visible and actionable for the founders who need it most.

Shipped fast. Nobody checked the lock.

At 19, most people are figuring out what they want to do. Rhythm Bhattarai, based in Kathmandu, Nepal, had already spent years inside financial infrastructure, building payment and remittance systems for fintech companies, and quietly doing something else on the side: finding holes in things that weren't supposed to have them.

Bug bounty research has a way of changing how you see the internet. You stop looking at products and start looking at attack surfaces. You stop seeing a login page and start seeing what's behind it, what's exposed, what an attacker would find in the first thirty seconds.

"Finding real vulnerabilities in real systems made it obvious how much exposure goes unnoticed," he says.

That observation sat with him for a long time. Then it became a product. He co-founded VeilScan with Kishmat Bhattarai.


The Gap Nobody Was Filling

The problem wasn't that security tools didn't exist. The problem was who they were built for.

Enterprise-grade scanners cost thousands a year and require a dedicated security team to interpret the output. Everything else was either too technical, too shallow, or too expensive for the people who actually needed it most: small teams shipping fast, founders pushing to production on a Friday afternoon, startups that had a landing page live before they had a privacy policy.

"Nobody stops to ask: what can an attacker see right now?" he says. "The tools that answer that question are either enterprise-priced, deeply technical, or both."

VeilScan was built to fill that gap. Enter a domain. Get a report in 60 seconds. Subdomain enumeration, exposed secrets, misconfigured headers, stack fingerprinting, live API key validation that actually confirms whether a leaked key still works. Not a list of warnings nobody understands. A clear picture of what's exposed and what to do about it.


Months of Building Things Nobody Documents

The CLI MVP came together in a few weeks. Turning it into an actual product took months.

Not because the technology was the hard part. The hard part was everything around it: billing, auth, scan pipelines, reports. And the endless debugging of things nobody writes documentation about.

"Like why a payment provider's API behaves differently from what their own docs say," Rhythm says, with the kind of matter-of-fact tone that comes from having lived through it.

The scanning engine came together cleanly. The go-to-market side was a different story.


Trust Is the Product

Security is a strange market to sell into. The product works. The problem is real. But getting someone to point a scanner at their own infrastructure requires something a good product page can't give you on its own: trust.

"Security buyers are cautious, and trust is earned slowly," Rhythm says. "Building that trust, especially as a young team, is the real challenge."

He's 19. He and Kishmat are building from Kathmandu. They have no enterprise sales team, no VC backing yet, and no famous logo customers to put on a homepage. What they have is a working product, real scans running, and a small number of early users who actually care about the problem.

They're not chasing vanity metrics. They're deliberate about it.

"We'd rather earn a small number of users who find genuine value than inflate numbers that don't mean anything."


Where It Goes From Here

The goal for the next six months is to get VeilScan into the hands of SMBs and early-stage startups who can genuinely benefit from continuous attack surface monitoring. Not scan-on-demand. A full autonomous monitoring layer that watches for new exposure as teams ship, as infrastructure changes, as the attack surface quietly grows.

A pre-seed round is on the horizon. The product is already ahead of it.

Rhythm's advice to anyone building in the same space is direct and earned: ship early, get real users running real scans on their own domains, and don't overbuild in private.

"A working product with one honest case study beats a polished deck every time."

He knows. He's been inside enough systems to understand what real looks like.


VeilScan is live at veilscan.net.