Offensive security · built, not bought

I break your apps
before someone else does.

Boutique penetration testing, API & web application security, and source-code audits — delivered by a hunter with a live CVE record, and powered by hackz, the DAST scanner I build and battle-test myself.

CVE-2026-54551 credited OWASP WSTG · API Top 10 Web · API · Cloud · Mobile · AI
CVE
Credited security researcher (CVE-2026-54551)
11
OWASP WSTG categories, every engagement
10
OWASP API Top 10 classes, fully covered
DAST
Own offline scanner engine (hackz)
What I do

Security testing that reads like a real attacker's playbook

No checkbox scan-and-forget. Every engagement is a manual, impact-first hunt across the full OWASP surface — with the noise stripped out and only exploitable, business-relevant findings reported.

01

Web Application Pentest

Full WSTG coverage — auth/session, access control, injection, business logic, and client-side. Manual exploitation, not a scanner dump.

02

API Security Testing

OWASP API Top 10: BOLA/BFLA, mass assignment, broken auth, excessive data exposure, GraphQL abuse, rate-limit & resource limits.

03

Source-Code Audit

Read the code, find the sink. SQLi/SSTI/deserialization, authz gaps, secrets, and logic flaws — mapped to live, exploitable paths.

04

Cloud & SaaS Review

Misconfig, subdomain takeover, SSRF-to-metadata, IAM over-permissioning, and tenant-isolation breaks across AWS / Azure / GCP.

05

LLM / AI Feature Testing

Prompt injection (direct & indirect), system-prompt extraction, insecure tool use, and excessive-agency abuse against AI features.

06

Continuous Attack-Surface

Recurring recon & monitoring — new subdomains, exposed services, leaked secrets — so your surface never drifts unwatched.

Why work with me

Most consultants run a scanner.
I build one.

hackz is my own offline DAST engine — the same tool I use to find access-control and injection bugs at scale. Building a scanner means I understand exactly where automation stops and a human attacker begins. You get both: machine breadth and hand-crafted depth.

  • Impact-first. I chase the highest-severity outcome the surface allows — RCE, ATO, cross-tenant data — not P5 header nits.
  • Real proof. Every finding ships with a reproducible PoC and a clear business-impact narrative, not a raw tool export.
  • Full coverage, honestly tracked. A per-class coverage matrix means nothing is silently skipped.
Flagship product

hackz — the offline DAST scanner

An air-gapped, corporate-grade vulnerability scanner covering web, network, and mainframe. Multi-user access-control engine, Nessus-style setup, fully offline — no data ever leaves your environment.

  • Offline / air-gapped. Runs fully self-contained — ideal for regulated & isolated networks.
  • Authz engine. Logs in as each role, auto-maps surface, cross-tests IDOR / BOLA / BFLA.
  • Web + network + z/OS. One tool across your whole estate.
  • Deployable. Single binary or Docker image, first-run admin setup like Nessus.
How an engagement runs

Clear scope in. Actionable findings out.

01

Scope & rules

Define targets, access, and rules of engagement. Non-destructive, in-scope only, always.

02

Recon & map

Enumerate the full attack surface — subdomains, APIs, services — and build a coverage matrix.

03

Hunt & exploit

Manual, impact-first testing across every WSTG class, with reproducible PoCs captured live.

04

Report & retest

Prioritized report with clear remediation, plus a free retest once you've shipped the fixes.

Ready to find out what an attacker sees?

Tell me about your app, API, or environment. I'll scope a focused engagement and give you a straight answer on where the real risk is.

Book a security assessment →