6+ years of authorized enterprise offensive security assessments worldwide. Specializing in red team operations, Active Directory attacks, exploit development, and full-scope adversary simulation under strict NDA engagements.
ISSAInformation Systems Security AssociationProfessional Membership
Ongoing ResearchAdvanced Exploitation & Red Team LabsContinuous Development
Trusted Across Industries
Financial Services
Government & Defense
Healthcare
Technology & SaaS
E-Commerce
Cloud Infrastructure
All engagements conducted under NDA — client identities protected
// 01
Services
Enterprise-grade offensive security under formal NDA and rules of engagement.
01 / Web & API
Web Application & API Penetration Testing
Full-scope web and REST/GraphQL API assessment covering authentication flaws, injection vulnerabilities, IDOR, business logic, and all OWASP Top 10 categories in production and staging environments.
OWASP Top 10API SecurityAuth TestingBusiness Logic
02 / Red Team
Red Team Operations
Full APT-style adversary simulation: reconnaissance → initial access → lateral movement → privilege escalation → domain compromise. Delivered under formal rules of engagement with executive debrief.
Comprehensive AD attack chains: Kerberoasting, AS-REP Roasting, Pass-the-Hash/Ticket, DCSync, BloodHound-guided attack path mapping from misconfiguration discovery to full Domain Admin compromise.
KerberoastingBloodHoundDCSyncDomain Audit
04 / Network
Network & Infrastructure Penetration Testing
Internal and external network assessments: service enumeration, firewall evasion, SMB relay, LLMNR poisoning, pivoting, and tunneling across segmented and isolated network zones.
Internal NetworkFirewall EvasionPivotingSMB Relay
05 / Cloud
Cloud Security Assessment
AWS, Azure, and GCP assessments: IAM misconfiguration exploitation, storage enumeration, privilege escalation chains, cross-account pivoting, metadata service abuse, and cloud-native attack path analysis.
Targeted phishing campaigns, pretexting, and vishing engagements to measure organizational security awareness maturity. Full campaign metrics with behavioral analysis and awareness improvement roadmap.
Binary reverse engineering and shellcode validation
Cloud Attack Tools
AWS/Azure/GCP privilege escalation and IAM abuse
// 03
How We Work Together
A transparent, structured engagement process — from first contact to verified closure.
01
Initial Contact
Reach out via email or phone. I respond within 24 hours. We briefly discuss your security needs, timeline, and what you're looking to assess.
Response within 24h
02
Scoping & Planning
We define the exact scope, target environment, testing boundaries, and objectives. I provide a clear proposal with timeline, methodology, and pricing.
NDA signed at this stage
03
Formal Agreement
A formal Statement of Work is issued defining scope, rules of engagement, timelines, and deliverables. Both parties sign before any testing begins.
SOW · Rules of Engagement
04
Engagement Execution
The assessment is conducted within the agreed scope and timeline. Critical findings are communicated immediately. Full transparency throughout the engagement.
Critical findings flagged immediately
05
Report Delivery
A comprehensive report is delivered — executive summary for leadership, full technical detail for your security team. CVSS v3.1 scoring, PoC evidence, and prioritized remediation.
Executive + Technical Report
06
Re-test & Closure
After your team remediates the findings, I re-test to verify each fix is effective and no regressions were introduced. Full verified closure for all critical and high findings.
Verified fix confirmation
// 03
Core Competencies
Technical depth across the full offensive security spectrum.
Web App Pentesting
SQLi, XSS, SSRF, XXE, IDOR, Deserialization, Auth Bypass — full OWASP Top 10 and beyond.
95%Expert
Active Directory Attacks
Kerberoasting, AS-REP Roasting, Pass-the-Hash/Ticket, DCSync, BloodHound, full domain compromise.
92%Expert
Red Team Operations
Full APT-style simulation: recon → initial access → lateral movement → privilege escalation → compromise.
90%Advanced
Custom Tooling & Automation
Python and Bash automation for recon, exploitation, and post-exploitation. ~40% overhead reduction.
88%Advanced
Network & Infrastructure
Service enumeration, firewall evasion, pivoting, tunneling, SMB relay, LLMNR poisoning.
Conducted 150+ authorized security assessments for enterprise clients in finance, government, healthcare, and technology sectors worldwide under formal NDA and rules of engagement
Delivered full-scope red team operations simulating APT actors from reconnaissance to full domain compromise
Executed comprehensive Active Directory attack chains: Kerberoasting, DCSync, BloodHound-guided privilege escalation to Domain Admin
Performed advanced web and API assessments covering OWASP Top 10, GraphQL, OAuth abuse, JWT attacks, and business logic flaws
Identified multiple CVSS 9.0–9.8 findings in production systems preventing real data breaches
Engineered custom Python and Bash automation tooling reducing assessment overhead by ~40%
Delivered executive and technical reports with CVSS v3.1 scoring, PoC evidence, and risk-prioritized remediation roadmaps
Conducted phishing simulations and social engineering campaigns measuring organizational security awareness maturity
// 05
Sanitized Assessment Findings
A curated sample from 300+ findings across authorized engagements worldwide.
The findings below represent a curated sample from authorized penetration testing engagements. All client identities and infrastructure details are fully sanitized per confidentiality agreements. Full portfolio available under NDA upon formal request.
ASF-001Critical
DOM XSS → ATOWeb · Prod
Authenticated DOM XSS Leading to Full Account Takeover
innerHTML sink in file import interface injects live HTML inside authenticated form, bypassing CSRF and enabling full account ownership transfer to attacker-controlled mailbox.
URL parameter passed directly to SQL query without parameterization. Automated extraction confirmed 24 internal databases fully accessible without any authentication on a government sector client.
9.8 CVSSGov sector · 3-day assessmentRemediated
ASF-003Critical
Auth Bypass → ATOWeb · Prod
Authentication Bypass Enabling Mass Account Takeover
Password reset workflow performs no session binding on the target account parameter. Attacker resets credentials for any registered user using only a known email address, enabling mass ATO at scale.
9.8 CVSSRemediated
ASF-004Critical
ORM SQLiAPI · Prod
ORM SQL Injection — Complete Access Control Bypass
ORM query assembly uses unsafe string formatting for logical connector. User-controlled _connector key injects raw SQL into WHERE clause, bypassing all access control filters and returning privileged records.
9.5 CVSSMitigated
ASF-005Critical
Path Traversal → RCEInfra · Prod
SFTP Path Traversal → Arbitrary File Write & RCE
File transfer library fails to sanitize ../ sequences in SFTP QUOTE paths. Authenticated user writes arbitrary files outside home directory, enabling SSH key injection and persistent RCE on the target server.
9.1 CVSSMitigated
ASF-006High
Mutation XSSWeb · Prod
Stored Mutation XSS Bypassing Client-Side HTML Sanitization
Rich text editor vulnerable to MathML DOM mutation chain bypassing DOMPurify. Malicious content persists in database and executes JavaScript in every viewer's browser session context.
8.2 CVSSRemediated
ASF-007High
Blind SSRFAPI · Prod
Blind SSRF via Webhook Enabling Internal Network Pivot
Export endpoint accepts unvalidated webhookUrl. Server issues unauthorized outbound requests to attacker infrastructure, enabling internal service enumeration and cloud metadata exfiltration.
8.1 CVSSRemediated
ASF-008High
Blind SQLiAPI · Prod
Boolean-Based Blind SQLi in REST API Path Parameter
URL path segment passed unsanitized to database query. Boolean differential responses confirm injection. DB fingerprinted as PostgreSQL 14.8. Full unauthenticated record extraction confirmed.
8.0 CVSSRemediated
ASF-009High
XXE — OOBService · Prod
OOB XXE in Data Ingestion Service Exposing Internal Infrastructure
XML pipeline parses external documents without disabling entity resolution. Attacker-controlled DTD triggers out-of-band requests exfiltrating internal host identifiers and cloud metadata.
7.7 CVSSRemediated
ASF-010High
BOLA / IDORAPI · Prod
BOLA Enabling Cross-Account Profile Manipulation via API
Account management endpoint accepts user identifier without server-side ownership verification. Any authenticated session silently overwrites arbitrary account profile data by substituting target identifier.
7.5 CVSSRemediated
ASF-011AD Critical
Kerberoasting → DAAD · Internal
Kerberoasting Attack Chain Leading to Domain Admin Compromise
Multiple service accounts with weak passwords and SPN registrations enumerated via BloodHound. Offline cracking of Kerberos TGS tickets yielded plaintext credentials, enabling full Domain Admin escalation within 2 hours of initial access.
9.6 CVSSFinancial · 2h to Domain AdminMitigated
ASF-012AD Critical
DCSync → Credential DumpAD · Internal
DCSync Attack Enabling Full NTDS.dit Credential Extraction
Over-privileged service account held DS-Replication-Get-Changes-All right. Exploited via Impacket secretsdump to replicate all Active Directory credentials including KRBTGT hash, enabling persistent Golden Ticket generation.
17 domain accounts discovered with Kerberos pre-authentication disabled. Offline cracking of AS-REP responses yielded 9 plaintext passwords including two accounts with local administrator rights on critical servers.
8.8 CVSSRemediated
ASF-014Critical
Unauthenticated RedisNetwork · Prod
Unauthenticated Redis Master Node Exposed — Full Cache Read Access with Unrestricted ACL
Redis master node accessible from the public internet with no authentication and ACL configured as +@all. Live production cache confirmed with 155 keys including sensitive user data and OTP metadata.
9.8 CVSSReported
ASF-015AD Critical
Pass-the-HashAD · Internal
NTLM Pass-the-Hash Enabling Lateral Movement to Domain Controller
Captured NTLM hash of a privileged service account via Responder on the internal network. Hash relayed without cracking to authenticate directly to the Domain Controller, achieving full DC access within 25 minutes of network entry.
9.8 CVSSFinancial sector · Internal ADMitigated
ASF-016AD High
Golden TicketAD · Internal
Golden Ticket Forged via Stolen KRBTGT Hash — Persistent Domain Access
Following KRBTGT hash extraction via DCSync, forged Golden Ticket granting persistent Kerberos authentication as any domain user. Ticket remained valid 10 hours post password reset, demonstrating full persistence even after incident response.
9.6 CVSSGov sector · Red TeamMitigated
ASF-017AD High
ACL AbuseAD · Internal
Abusive ACL Misconfiguration Granting WriteDACL Over Domain Admins Group
BloodHound analysis revealed a regular domain user holding WriteDACL rights over the Domain Admins group. Exploited to grant the compromised account full GenericAll rights, then added it to Domain Admins — zero detection from existing monitoring.
8.8 CVSSTech sector · Internal ADRemediated
ASF-018AD High
AD CS AbuseAD · Internal
AD Certificate Services ESC1 — Low-Privilege User Obtains Domain Admin Certificate
Misconfigured certificate template (ESC1) allowed any authenticated user to request a certificate for an arbitrary UPN including Domain Admins. Used Certipy to request and authenticate as a DA account, bypassing all traditional credential controls.
9.1 CVSSHealthcare sector · AD CSRemediated
// 06
Research & Lab Environment
Active offensive security research and self-maintained lab infrastructure.
Active Directory Labs
Multi-domain AD environments for attack chain development, BloodHound path testing, and post-exploitation validation.
Cloud Attack Simulations
AWS and Azure labs for IAM exploitation, S3 enumeration, privilege escalation, and cross-account pivot research.
Vulnerable Docker Environments
Custom vulnerable containers for web exploitation research, API security testing, and PoC validation.
Malware Analysis VMs
Isolated VMs for behavioral analysis, AV/EDR evasion research, and payload development testing.
Payload obfuscation, AMSI bypass, process injection, and living-off-the-land evasion strategy development.
// 07
Engagement Impact
Measurable outcomes from authorized assessments delivered worldwide.
0
Enterprise clients served globally across finance, government, healthcare, and technology sectors
0
Security findings reported — curated sample shown; full portfolio available under NDA
9.8
Highest CVSS finding identified in production, preventing real-world data breaches and business disruption
0
Efficiency gain via custom Python and Bash automation tooling across engagements
// 08
Engagement Outcomes
Anonymized summaries from real authorized engagements — client identities protected under NDA.
Assessment identified a critical unauthenticated SQL injection chain exposing 24 internal databases — a vulnerability that had been present in the production environment for over 18 months without detection by the internal security team.
Government Sector Client
External Web Application Assessment · Q3 2024
9.8 CVSS
A full Active Directory compromise was demonstrated within 4 hours of initial network access — from unauthenticated foothold to Domain Admin — through a Kerberoasting chain that bypassed existing perimeter controls entirely.
Financial Sector Client
Internal Red Team Operation · Q1 2025
9.6 CVSS
A publicly exposed Redis master node with no authentication and unrestricted ACL was discovered during an external infrastructure assessment — 155 live production keys including OTP metadata were accessible to any internet-connected host.
Technology Sector Client
External Network Assessment · Q2 2025
9.8 CVSS
// 08
Engage My Services
Available globally — remote-first, enterprise-grade confidentiality on every engagement.
Available for full-scope penetration tests, red team operations, web and API assessments, Active Directory audits, cloud security reviews, and offensive security consulting. All engagements conducted under formal statement of work with NDA, defined scope, rules of engagement, and professional technical reporting.
Response within 24 hours. References available upon request.
Currently Available for New Engagements
NDA · Formal SOW · Rules of Engagement Global · Remote · Enterprise-Grade