SCAN 0%
REQUESTING ACCESS — FILE: ASF-ENGAGEMENT-001
VERIFYING CLEARANCE LEVEL...
ACCESS
GRANTED
Hire Me
SANITIZED FOR PUBLIC RELEASE — CLIENT IDENTITIES REDACTED PER NDA — DISTRIBUTION: UNRESTRICTED
FILE: -- / --
Available for Enterprise Engagements

Ayman Mahmoud Jasim

Senior Penetration Tester & Offensive Security Consultant

6+ years of authorized enterprise offensive security assessments worldwide. Specializing in red team operations, Active Directory attacks, exploit development, and full-scope adversary simulation under strict NDA engagements.

FILE: ASF-ENGAGEMENT-001 ACTIVE
0Clients Worldwide
0Years Experience
0Findings Reported
9.8Highest CVSS
Certifications
CRPO Certified Red Team Professional Operator Red Team · Adversary Simulation
CCEP Certified Cybersecurity Expert Practitioner Cybersecurity · Expert Level
CCSC Certified Cyber Security Consultant Security Consulting · Enterprise
CSCSO Certified SOC & Cyber Security Operations SOC Operations · Incident Response
ISSA Information Systems Security Association Professional Membership
Ongoing Research Advanced Exploitation & Red Team Labs Continuous Development

Trusted Across Industries
Financial Services
Government & Defense
Healthcare
Technology & SaaS
E-Commerce
Cloud Infrastructure
All engagements conducted under NDA — client identities protected

// 01

Services

Enterprise-grade offensive security under formal NDA and rules of engagement.

01 / Web & API
Web Application & API Penetration Testing
Full-scope web and REST/GraphQL API assessment covering authentication flaws, injection vulnerabilities, IDOR, business logic, and all OWASP Top 10 categories in production and staging environments.
OWASP Top 10API SecurityAuth TestingBusiness Logic
02 / Red Team
Red Team Operations
Full APT-style adversary simulation: reconnaissance → initial access → lateral movement → privilege escalation → domain compromise. Delivered under formal rules of engagement with executive debrief.
APT SimulationC2 OperationsLateral MovementEvasion
03 / Active Directory
Active Directory Security Assessment
Comprehensive AD attack chains: Kerberoasting, AS-REP Roasting, Pass-the-Hash/Ticket, DCSync, BloodHound-guided attack path mapping from misconfiguration discovery to full Domain Admin compromise.
KerberoastingBloodHoundDCSyncDomain Audit
04 / Network
Network & Infrastructure Penetration Testing
Internal and external network assessments: service enumeration, firewall evasion, SMB relay, LLMNR poisoning, pivoting, and tunneling across segmented and isolated network zones.
Internal NetworkFirewall EvasionPivotingSMB Relay
05 / Cloud
Cloud Security Assessment
AWS, Azure, and GCP assessments: IAM misconfiguration exploitation, storage enumeration, privilege escalation chains, cross-account pivoting, metadata service abuse, and cloud-native attack path analysis.
AWS / Azure / GCPIAM AbuseCloud PrivescMetadata Exfil
06 / Social Engineering
Social Engineering & Phishing Simulation
Targeted phishing campaigns, pretexting, and vishing engagements to measure organizational security awareness maturity. Full campaign metrics with behavioral analysis and awareness improvement roadmap.
Phishing CampaignVishingPretextingAwareness Metrics

// 02

Assessment Methodology

Structured process aligned with PTES, OSSTMM, and MITRE ATT&CK frameworks.

01
Reconnaissance & OSINT
Passive and active intelligence gathering, asset enumeration, DNS mapping, technology fingerprinting, and attack surface scoping.
Passive + Active
02
Attack Surface Mapping
Port scanning, service fingerprinting, directory enumeration, API endpoint discovery, and cloud asset identification.
Full Scope
03
Vulnerability Discovery
Manual and tool-assisted identification across all attack surfaces within the authorized scope.
Manual + Tools
04
Controlled Exploitation
Safe exploitation of confirmed vulnerabilities with full evidence capture and minimal operational footprint.
Authorized Scope
05
Post-Exploitation
Privilege escalation, lateral movement, persistence demonstration, and exfiltration simulation for full business impact proof.
Impact Demo
06
Reporting
Executive and technical reports: CVSS v3.1 scoring, PoC evidence, risk prioritization, and structured remediation roadmaps.
CVSS v3.1
07
Remediation Verification
Post-fix re-testing to confirm effective remediation with no regressions. Tracked until full closure of critical findings.
Post-Fix Validated
08
Debrief & Handoff
Technical debrief with security team, knowledge transfer, and long-term remediation prioritization workshop.
Knowledge Transfer
Burp Suite Pro
Web app assessment, manual testing, active scanning
BloodHound / SharpHound
AD attack path visualization and domain analysis
Impacket Suite
SMB relay, DCSync, Pass-the-Hash, Kerberos attacks
ffuf / Gobuster
Fuzzing endpoints, directories, parameters at scale
Nmap / Nessus
Network discovery and infrastructure vulnerability scanning
Python Automation
Custom exploits, recon automation, post-exploitation
Ghidra
Binary reverse engineering and shellcode validation
Cloud Attack Tools
AWS/Azure/GCP privilege escalation and IAM abuse

// 03

How We Work Together

A transparent, structured engagement process — from first contact to verified closure.

01
Initial Contact
Reach out via email or phone. I respond within 24 hours. We briefly discuss your security needs, timeline, and what you're looking to assess.
Response within 24h
02
Scoping & Planning
We define the exact scope, target environment, testing boundaries, and objectives. I provide a clear proposal with timeline, methodology, and pricing.
NDA signed at this stage
03
Formal Agreement
A formal Statement of Work is issued defining scope, rules of engagement, timelines, and deliverables. Both parties sign before any testing begins.
SOW · Rules of Engagement
04
Engagement Execution
The assessment is conducted within the agreed scope and timeline. Critical findings are communicated immediately. Full transparency throughout the engagement.
Critical findings flagged immediately
05
Report Delivery
A comprehensive report is delivered — executive summary for leadership, full technical detail for your security team. CVSS v3.1 scoring, PoC evidence, and prioritized remediation.
Executive + Technical Report
06
Re-test & Closure
After your team remediates the findings, I re-test to verify each fix is effective and no regressions were introduced. Full verified closure for all critical and high findings.
Verified fix confirmation

// 03

Core Competencies

Technical depth across the full offensive security spectrum.

Web App Pentesting
SQLi, XSS, SSRF, XXE, IDOR, Deserialization, Auth Bypass — full OWASP Top 10 and beyond.
95%Expert
Active Directory Attacks
Kerberoasting, AS-REP Roasting, Pass-the-Hash/Ticket, DCSync, BloodHound, full domain compromise.
92%Expert
Red Team Operations
Full APT-style simulation: recon → initial access → lateral movement → privilege escalation → compromise.
90%Advanced
Custom Tooling & Automation
Python and Bash automation for recon, exploitation, and post-exploitation. ~40% overhead reduction.
88%Advanced
Network & Infrastructure
Service enumeration, firewall evasion, pivoting, tunneling, SMB relay, LLMNR poisoning.
88%Advanced
Binary & Exploit Dev
Buffer overflow, custom shellcode, ASLR/DEP awareness, Ghidra analysis, AV/EDR evasion.
78%Proficient
Burp Suite ProMetasploitNmapBloodHoundMimikatzCrackMapExecEvil-WinRMImpacketSQLmapffufGobusterNessusWiresharkGhidraKali LinuxPythonBashCVSS v3.1

// 04

Professional Experience

Enterprise offensive security consulting under NDA across multiple industry verticals.

2018 — Present
Senior Penetration Tester & Offensive Security Consultant
Independent Security Consultant · Remote · Worldwide Clients
  • Conducted 150+ authorized security assessments for enterprise clients in finance, government, healthcare, and technology sectors worldwide under formal NDA and rules of engagement
  • Delivered full-scope red team operations simulating APT actors from reconnaissance to full domain compromise
  • Executed comprehensive Active Directory attack chains: Kerberoasting, DCSync, BloodHound-guided privilege escalation to Domain Admin
  • Performed advanced web and API assessments covering OWASP Top 10, GraphQL, OAuth abuse, JWT attacks, and business logic flaws
  • Identified multiple CVSS 9.0–9.8 findings in production systems preventing real data breaches
  • Engineered custom Python and Bash automation tooling reducing assessment overhead by ~40%
  • Delivered executive and technical reports with CVSS v3.1 scoring, PoC evidence, and risk-prioritized remediation roadmaps
  • Conducted phishing simulations and social engineering campaigns measuring organizational security awareness maturity

// 05

Sanitized Assessment Findings

A curated sample from 300+ findings across authorized engagements worldwide.

TLP:AMBER SANITIZED ASSESSMENT FINDINGS — LIMITED DISCLOSURE

The findings below represent a curated sample from authorized penetration testing engagements. All client identities and infrastructure details are fully sanitized per confidentiality agreements. Full portfolio available under NDA upon formal request.

ASF-001Critical
DOM XSS → ATOWeb · Prod
Authenticated DOM XSS Leading to Full Account Takeover
innerHTML sink in file import interface injects live HTML inside authenticated form, bypassing CSRF and enabling full account ownership transfer to attacker-controlled mailbox.
9.3 CVSSRemediated
ASF-002Critical
SQLi UnauthWeb · Prod
Unauthenticated SQL Injection — 24 Internal Databases Exposed
URL parameter passed directly to SQL query without parameterization. Automated extraction confirmed 24 internal databases fully accessible without any authentication on a government sector client.
9.8 CVSSGov sector · 3-day assessmentRemediated
ASF-003Critical
Auth Bypass → ATOWeb · Prod
Authentication Bypass Enabling Mass Account Takeover
Password reset workflow performs no session binding on the target account parameter. Attacker resets credentials for any registered user using only a known email address, enabling mass ATO at scale.
9.8 CVSSRemediated
ASF-004Critical
ORM SQLiAPI · Prod
ORM SQL Injection — Complete Access Control Bypass
ORM query assembly uses unsafe string formatting for logical connector. User-controlled _connector key injects raw SQL into WHERE clause, bypassing all access control filters and returning privileged records.
9.5 CVSSMitigated
ASF-005Critical
Path Traversal → RCEInfra · Prod
SFTP Path Traversal → Arbitrary File Write & RCE
File transfer library fails to sanitize ../ sequences in SFTP QUOTE paths. Authenticated user writes arbitrary files outside home directory, enabling SSH key injection and persistent RCE on the target server.
9.1 CVSSMitigated
ASF-006High
Mutation XSSWeb · Prod
Stored Mutation XSS Bypassing Client-Side HTML Sanitization
Rich text editor vulnerable to MathML DOM mutation chain bypassing DOMPurify. Malicious content persists in database and executes JavaScript in every viewer's browser session context.
8.2 CVSSRemediated
ASF-007High
Blind SSRFAPI · Prod
Blind SSRF via Webhook Enabling Internal Network Pivot
Export endpoint accepts unvalidated webhookUrl. Server issues unauthorized outbound requests to attacker infrastructure, enabling internal service enumeration and cloud metadata exfiltration.
8.1 CVSSRemediated
ASF-008High
Blind SQLiAPI · Prod
Boolean-Based Blind SQLi in REST API Path Parameter
URL path segment passed unsanitized to database query. Boolean differential responses confirm injection. DB fingerprinted as PostgreSQL 14.8. Full unauthenticated record extraction confirmed.
8.0 CVSSRemediated
ASF-009High
XXE — OOBService · Prod
OOB XXE in Data Ingestion Service Exposing Internal Infrastructure
XML pipeline parses external documents without disabling entity resolution. Attacker-controlled DTD triggers out-of-band requests exfiltrating internal host identifiers and cloud metadata.
7.7 CVSSRemediated
ASF-010High
BOLA / IDORAPI · Prod
BOLA Enabling Cross-Account Profile Manipulation via API
Account management endpoint accepts user identifier without server-side ownership verification. Any authenticated session silently overwrites arbitrary account profile data by substituting target identifier.
7.5 CVSSRemediated
ASF-011AD Critical
Kerberoasting → DAAD · Internal
Kerberoasting Attack Chain Leading to Domain Admin Compromise
Multiple service accounts with weak passwords and SPN registrations enumerated via BloodHound. Offline cracking of Kerberos TGS tickets yielded plaintext credentials, enabling full Domain Admin escalation within 2 hours of initial access.
9.6 CVSSFinancial · 2h to Domain AdminMitigated
ASF-012AD Critical
DCSync → Credential DumpAD · Internal
DCSync Attack Enabling Full NTDS.dit Credential Extraction
Over-privileged service account held DS-Replication-Get-Changes-All right. Exploited via Impacket secretsdump to replicate all Active Directory credentials including KRBTGT hash, enabling persistent Golden Ticket generation.
9.8 CVSSHealthcare sector · Internal ADMitigated
ASF-013AD High
AS-REP RoastingAD · Internal
AS-REP Roasting Exposing Pre-Authentication Disabled Accounts
17 domain accounts discovered with Kerberos pre-authentication disabled. Offline cracking of AS-REP responses yielded 9 plaintext passwords including two accounts with local administrator rights on critical servers.
8.8 CVSSRemediated
ASF-014Critical
Unauthenticated RedisNetwork · Prod
Unauthenticated Redis Master Node Exposed — Full Cache Read Access with Unrestricted ACL
Redis master node accessible from the public internet with no authentication and ACL configured as +@all. Live production cache confirmed with 155 keys including sensitive user data and OTP metadata.
9.8 CVSSReported
ASF-015AD Critical
Pass-the-HashAD · Internal
NTLM Pass-the-Hash Enabling Lateral Movement to Domain Controller
Captured NTLM hash of a privileged service account via Responder on the internal network. Hash relayed without cracking to authenticate directly to the Domain Controller, achieving full DC access within 25 minutes of network entry.
9.8 CVSSFinancial sector · Internal ADMitigated
ASF-016AD High
Golden TicketAD · Internal
Golden Ticket Forged via Stolen KRBTGT Hash — Persistent Domain Access
Following KRBTGT hash extraction via DCSync, forged Golden Ticket granting persistent Kerberos authentication as any domain user. Ticket remained valid 10 hours post password reset, demonstrating full persistence even after incident response.
9.6 CVSSGov sector · Red TeamMitigated
ASF-017AD High
ACL AbuseAD · Internal
Abusive ACL Misconfiguration Granting WriteDACL Over Domain Admins Group
BloodHound analysis revealed a regular domain user holding WriteDACL rights over the Domain Admins group. Exploited to grant the compromised account full GenericAll rights, then added it to Domain Admins — zero detection from existing monitoring.
8.8 CVSSTech sector · Internal ADRemediated
ASF-018AD High
AD CS AbuseAD · Internal
AD Certificate Services ESC1 — Low-Privilege User Obtains Domain Admin Certificate
Misconfigured certificate template (ESC1) allowed any authenticated user to request a certificate for an arbitrary UPN including Domain Admins. Used Certipy to request and authenticate as a DA account, bypassing all traditional credential controls.
9.1 CVSSHealthcare sector · AD CSRemediated

// 06

Research & Lab Environment

Active offensive security research and self-maintained lab infrastructure.

Active Directory Labs
Multi-domain AD environments for attack chain development, BloodHound path testing, and post-exploitation validation.
Cloud Attack Simulations
AWS and Azure labs for IAM exploitation, S3 enumeration, privilege escalation, and cross-account pivot research.
Vulnerable Docker Environments
Custom vulnerable containers for web exploitation research, API security testing, and PoC validation.
Malware Analysis VMs
Isolated VMs for behavioral analysis, AV/EDR evasion research, and payload development testing.
Browser Exploitation
Client-side attack surface research, XSS payload development, and sandbox escape technique investigation.
EDR Evasion Research
Payload obfuscation, AMSI bypass, process injection, and living-off-the-land evasion strategy development.

// 07

Engagement Impact

Measurable outcomes from authorized assessments delivered worldwide.

0
Enterprise clients served globally across finance, government, healthcare, and technology sectors
0
Security findings reported — curated sample shown; full portfolio available under NDA
9.8
Highest CVSS finding identified in production, preventing real-world data breaches and business disruption
0
Efficiency gain via custom Python and Bash automation tooling across engagements

// 08

Engagement Outcomes

Anonymized summaries from real authorized engagements — client identities protected under NDA.

Assessment identified a critical unauthenticated SQL injection chain exposing 24 internal databases — a vulnerability that had been present in the production environment for over 18 months without detection by the internal security team.

Government Sector Client
External Web Application Assessment · Q3 2024
9.8 CVSS

A full Active Directory compromise was demonstrated within 4 hours of initial network access — from unauthenticated foothold to Domain Admin — through a Kerberoasting chain that bypassed existing perimeter controls entirely.

Financial Sector Client
Internal Red Team Operation · Q1 2025
9.6 CVSS

A publicly exposed Redis master node with no authentication and unrestricted ACL was discovered during an external infrastructure assessment — 155 live production keys including OTP metadata were accessible to any internet-connected host.

Technology Sector Client
External Network Assessment · Q2 2025
9.8 CVSS

// 08

Engage My Services

Available globally — remote-first, enterprise-grade confidentiality on every engagement.

Available for full-scope penetration tests, red team operations, web and API assessments, Active Directory audits, cloud security reviews, and offensive security consulting. All engagements conducted under formal statement of work with NDA, defined scope, rules of engagement, and professional technical reporting.

Response within 24 hours. References available upon request.

All enquiries handled under strict confidentiality. No data is stored or shared.
Currently Available for New Engagements
NDA · Formal SOW · Rules of Engagement
Global · Remote · Enterprise-Grade