I execute end-to-end penetration testing across Web, API, and AD/Enterprise surfaces, with targeted coverage of cloud attack paths and DevSecOps pipelines. Delivery is mapped to OWASP (ASVS/WSTG/MSTG), PTES, NIST 800-115, and MITRE ATT&CK for defensible findings, measurable risk reduction, and rapid developer remediation. Toolchain spans Burp Suite Pro, Nmap/Masscan, ffuf/feroxbuster, sqlmap, nuclei, gobuster, jwt-tool, and AD tradecraft (BloodHound/SharpHound, Impacket, CrackMapExec, Rubeus, Kerberoasting/AS-REP, ADCS abuse).
- Password/Hash Ops — gitea-crack-passwords: PBKDF2-SHA256 dictionary cracking at scale.
- Recon/Deobfuscation — download_js_map_files: automated .js.map discovery & extraction.
- Payload Engineering — sqlmap-temper-scripts: evasive SQLi tamper pipelines (WAF-aware).
- Binary/Algo Exploration — XOR-key-bruteforce: brute-force XOR key/message search.
- CTF Workflow — add-creds-rofi: high-velocity credential ops for engagements.
- AppSec R&D — java-STTI (Spring SSTI file exfil) and eos (Enemies Of Symfony tooling).
- Legacy Ops — DirectadminAudit: pragmatic operational automation.
Explore the repos for full delivery details.
Python · JavaScript/Node.js · PHP/Symfony · Shell/Bash · C++ · SCSS/CSS · Solidity · Perl
- Web & API Pentesting: AuthN/AuthZ bypass, IDOR, SSRF, deserialization, template injection, GraphQL abuse, JWT/crypto flaws, rate-limit evasion.
- AD/Enterprise: Enumeration → lateral movement → privilege escalation; Kerberos attacks, constrained/unconstrained delegation, ADCS, ACL abuse.
- Cloud & CI/CD: IAM misconfig, metadata pivots, secret sprawl, artifact poisoning, supply-chain hardening.
- Detection & Reporting: ATT&CK mapping, reproducible PoCs, prioritized remediation with developer-ready guidance.
- Hack The Box: CPTS (Certified Penetration Testing Specialist) · CBBH (Certified Bug Bounty Hunter)