About

A hunter who ships the tools

I'm an offensive security researcher who spends equal time breaking applications and building the tooling to break them faster. hackz.blog is where both come together — hands-on security services, backed by a scanner I engineer myself.

How I work

I don't run a scanner, paste the output into a template, and call it a pentest. Every engagement is a manual, impact-first hunt: I map the whole attack surface, work the entire OWASP testing checklist across every role and tenant, and chase the highest-severity outcome the target actually allows — remote code execution, account takeover, cross-tenant data exposure — before I ever write up a low-severity nit.

Automation has its place, and I lean on it hard for breadth. But the bugs that cause real breaches — broken access control, business-logic abuse, chained primitives — are found by a human who understands the application. So that's the balance I bring: machine coverage plus hand-crafted depth.

The principles

  • Impact-first. I optimize for what a real attacker could do to your business, not for a long list of best-practice deviations.
  • No silent skips. I track a per-class coverage matrix so you know exactly what was tested — and can trust the "we didn't find X" as much as the "we found Y."
  • Reproducible or it didn't happen. Every finding ships with live evidence and clear steps, so your team can confirm and fix without guesswork.
  • Severity honesty. I right-size every finding. No inflation to pad a report, no burying a critical under noise.
  • Authorized, in-scope, non-destructive. Always. Testing that respects the rules of engagement and your production stability.

Why the scanner matters

Building hackz — an offline DAST engine covering web, network, and mainframe — forces a depth of understanding you don't get from being a tool operator. When you've written the code that maps a surface, replays requests across identities, and reasons about access control, you know precisely where automation ends and manual attacker creativity has to take over. That knowledge is what you're hiring when you work with me.

Track record

My work is publicly credited. CVE-2026-54551 is a missing-authorization flaw I found in WireGuard Portal's statistics WebSocket, where any low-privilege user could read every peer's and interface's live traffic stats — accepted by the maintainer, fixed in 2.3.0, and published as a GitHub Security Advisory. Alongside that I've reported findings across public bug-bounty programs spanning web, API, cloud, mobile, and AI/LLM surfaces. The blog is where I write up the methodology behind that work — the clearest picture of how I think.

The goal is simple: find what an attacker would find, prove it safely, and give you everything you need to close it — before it's someone else doing the finding.

Let's find your real risk

Tell me what you're building and I'll scope a focused, honest engagement.

Get in touch →