VASCO0X4

Penetration Tester · Security Researcher

Find it before they do.

Web & API · LLM & Chatbot Security · Source-code Review


About.

I am a penetration tester and security researcher. For the past year I have worked as a pentester at a leading European security firm, running engagements across web applications, APIs and modern cloud and low-code stacks.

My research focuses on finding and responsibly disclosing real vulnerabilities, work that has led to several published CVEs in widely used software, including a critical unauthenticated RCE. I also explore the security of LLMs and AI assistants, from prompt injection to agent abuse.

Current Focus:

  • Web & API penetration testing
  • LLM & chatbot security (prompt injection, data leakage, agent abuse)
  • Source-code & low-code review, the origin of my CVEs
  • Exploit development and responsible disclosure

Security Research.

Published vulnerabilities (CVE)

5 advisories · peak CVSS 10.0 · responsibly disclosed

CVE-2026-49869 · kestra-io/kestra · Critical · CVSS 10.0
Unauthenticated RCE: authentication bypass in AuthenticationFilter leading to unauthenticated remote code execution.

CVE-2026-50189 · appsmithorg/appsmith · High · CVSS 8.9
Remote Code Execution: newline injection in the environment variable endpoint leading to remote code execution.

CVE-2026-55469 · grokability/snipe-it · Moderate · CVSS 6.5
Path Traversal: authenticated path traversal in the CSV import image field allows deletion of arbitrary server files.

CVE-2026-32034 · openclaw/openclaw · Medium · CVSS 5.6
Session Hijacking: insecure HTTP transport permits session hijacking.

CVE-2026-49979 · appsmithorg/appsmith · Moderate · CVSS 5.1
SSRF: server-side request forgery via the SMTP test endpoint enabling internal port scanning.

Expertise.

What I do

(01) Web & API Pentesting
Black-box and authenticated testing of web apps and APIs.
OWASP · AUTHZ · SSRF

(02) LLM & Chatbot Security
Prompt injection, data leakage and agent abuse.
PROMPT INJ · RAG · AGENTS

(03) Source-code & Low-code Review
Code audits, the origin of my CVEs.
SAST · LOW-CODE · CVE

Certifications.

Credentials & training

INE eJPT

Junior Penetration Tester

Completed
INE · 2026

Microsoft SC-900

Security, Compliance & Identity Fundamentals

Completed
Microsoft · 2024

OSCP

Offensive Security Certified Professional

In Progress
OffSec

CPTS

Certified Penetration Testing Specialist

In Progress
Hack The Box

Blog.

Notes on web, API and LLM security — more coming soon.

Process Hollowing & Process Injection Techniques (2024)

Direct Syscalls: Bypassing EDR (coming soon)

Prompt Injection in Production RAG Applications (coming soon)

Contact.

Get in touch

Interested in collaborating on cybersecurity projects or need expertise in penetration testing and network security? Feel free to reach out.