Open for new engagements

Penetration tests that find what others miss.

Independent security researcher and freelance penetration tester. I help product teams ship safer software through manual, source-aware testing across web, mobile, API, infrastructure, cloud, and AI surfaces.

Quiet receipts.

A small, verifiable footprint. Public CVEs, coordinated disclosure, and a steady cadence of work for vendors and platforms.

  • Public CVEs: coordinated through Wordfence Threat Intel
  • Programs reported: HackerOne, Bugcrowd, vendor VDPs
  • Specialties: web, API, mobile, infra, cloud, code, LLM, thick clients
  • Response time: from inquiry to a scoped proposal

A decade deep in offensive security.

I have spent the better part of ten years finding the bugs that ship past code review and scanners. From WordPress plugins to enterprise GraphQL gateways to mobile apps with eight-figure user counts, my work has been shipped, patched, and publicly disclosed across hundreds of programs.

I work the way I would want a tester to work for my own product: manual first, source aware, with reports your engineers can act on without translation. No inflated severities, no vague paragraphs, no proprietary scanner outputs dressed up as findings. Reproducible PoCs, severity rationale you can defend in a triage meeting, and remediation guidance that ships.

  • Independent. No agency overhead; you talk to the operator who is testing your asset.
  • Disclosure-friendly. Coordinated through Wordfence, HackerOne, Bugcrowd, and direct vendor channels.
  • Source aware. I read the code where I can. Findings improve when you understand intent.
  • NDA on request. Mutual NDA before any scoping detail leaves the call.

From CTFs to senior engineer.

  1. 2016 to present

    Bug bounties and CTFs

    Started on bug bounty platforms and weekend CTFs in 2016 and have not stopped since. Coordinated 18+ CVEs through Wordfence Threat Intel and a steady cadence of disclosures across HackerOne, Bugcrowd, and vendor VDPs.

  2. 2022

    Security Engineer, in house

    Joined a product security team. Drove threat models, led red team engagements, and built internal tooling for surface enumeration and bundled JavaScript forensics, all while continuing the bug bounty cadence on the side.

  3. 2024 to present

    Senior Security Engineer

    Promoted into the senior track. Now also taking selected freelance engagements for product teams that want manual depth instead of checkbox audits.

Eighteen advisories, one researcher.

A rotating sample of CVEs I have authored. The full list is on Wordfence Threat Intel.


Eight surfaces, one operator.

Manual-first, tooling-assisted, source-aware. Picked because each one has shipped real findings to vendors and platforms.

VAPT

Web applications

Authentication and session flaws, IDOR, SSRF, XSS chains, CSRF, CORS abuse, race conditions, business logic. OWASP ASVS aligned.

VAPT

APIs and GraphQL

Schema (SDL) recon, introspection abuse, depth and complexity DoS, auth-layer drift across environments, unsafe mutations, BOLA and mass assignment.

AI red team

LLM and AI surfaces

Prompt injection (direct and indirect), tool and RAG abuse, agent jailbreaks, system-prompt exfiltration, data leakage. OWASP LLM Top 10.

VAPT

Mobile applications

Android and iOS. APK and IPA reversing, JADX, Frida hooks, native lib triage, deeplink and intent abuse, secrets and config exfiltration. MASVS aligned.

VAPT

Infrastructure

External and internal network testing, host hardening, segmentation review, exposed admin services, lateral movement and privilege escalation.

Audit

Cloud misconfiguration

AWS, GCP, Azure. Open buckets, exposed metadata, IAM blast-radius, Kubernetes and Envoy admin leaks, CDN cache abuse, Firebase rules.

Audit

Source code review

Secure code review across JavaScript, TypeScript, Python, Go, PHP. Bundled JS forensics, supply chain triage, prototype pollution, SAST validation.

VAPT

Thick clients

Windows desktop and Electron applications. IPC abuse, DLL hijack, registry and filesystem hardening, traffic interception, binary patching.

A simple, predictable engagement.

Four steps, fixed deliverables, no surprises. NDA on request before scoping.

  1. 01

    Scope, no charge

    A 30 minute call to agree targets, depth, exclusions, timeline, and the shape of the deliverable.

  2. 02

    Threat model

    Surface mapping and a prioritized attack plan. You sign off before active testing begins.

  3. 03

    Manual testing

    Daily updates, immediate notice on Critical findings, full audit trail of requests and tooling.

  4. 04

    Report and retest

    Executive summary, per-finding writeups with PoCs, severity rationale, and remediation guidance. One free retest after fixes.

Three ways to work together.

Engagements are scoped against the testing methodology that fits your asset and timeline. Black box, grey box, or white box.

black box

Outside in

No internal info, no credentials, no source.

  • Pure attacker perspective from the public surface
  • Recon, fingerprinting, exploitation against shipped assets
  • One to three week engagement
  • Closest to a real adversary's view

Discovery depth: 2 / 5

Best for external assurance, attacker simulation, and pre-launch sanity checks.

grey box

Partial access

Credentials, partial docs, sometimes a staging URL.

  • Authenticated and unauthenticated paths in scope
  • Architecture handover and basic threat modeling
  • Two to four week engagement
  • Best balance of realism and depth for most teams

Discovery depth: 3 / 5

Best for production audits, customer demos, and most freelance engagements.

white box · highest yield

Full transparency

Source, docs, architecture, and engineering access.

  • Manual source review backed by Semgrep / CodeQL
  • Threat modeling and architectural risk callouts
  • Dynamic exploitation against staging or production
  • Pairing sessions with engineering on request
  • Highest concentration of impactful findings, by far

Discovery depth: 5 / 5

Best for security-sensitive features, compliance audits, and engagements where time and budget are aligned with risk.

Same operator. Same severity rationale. Yield scales with the access you grant. Pricing on inquiry.

Let's talk.

Tell me what the asset is and what worries you. You will get a scoped proposal and start date inside 24 hours.