Offensive Security · Penetration Tester (Web & Network)
I break access controls, business logic, and SSRF — then write the report that fixes them.
👋 About
Cybersecurity consultant (EY GDS) moving into full-time offensive security. My working hours go to enterprise detection engineering; my off-hours go to breaking web apps and networks. The result: I attack with a defender's context and defend with an attacker's mindset.
🎯 Open to: remote penetration testing / offensive security roles (worldwide or EU-friendly). 🔬 Focus: broken access control & IDOR, business logic flaws, SSRF, and emerging AI/LLM & agent security. 🧠 How I work: systematic and methodology-driven — every finding ends in a clear impact statement and a remediation, not just a flag.
🎓 Certifications
CertificationIssuerStatusPNPT — Practical Network Penetration TesterTCM Security✅ Certified (2026)CPTS — Certified Penetration Testing SpecialistHack The Box🎯 Exam Aug 2026BSCP — Burp Suite Certified PractitionerPortSwigger🎯 Exam Aug 2026Microsoft AI-900 · Zscaler ZDTAMicrosoft / Zscaler✅ Certified
🔗 Verify: Credly · Hack The Box · PortSwigger
🧪 Featured Work
ProjectWhat it demonstrates🗺️ Web App Pentest MethodologyMy end-to-end playbook: recon → enumeration → exploitation → reporting✍️ Security Write-upsHTB machines & PortSwigger labs — full kill-chain, impact, and fix🛡️ Detection RulesSigma/KQL that detects the techniques I exploit (purple-team bridge)🛠️ Recon ToolkitCustom Python tooling for enumeration workflows
🧰 Toolbox
Show Image
Show Image
Show Image
Show Image
Show Image
Show Image
Show Image
Show Image
Show Image
Show Image
Show Image
Show Image
Show Image
🌱 Currently
Grinding CPTS (HTB Penetration Tester path) and BSCP — exams Aug 2026 Hunting public bug bounty programs and publishing sanitized findings Exploring AI/LLM and MCP/agent security — an under-served niche I'm betting on early Learning Spanish 🇪🇸 (B1 target)
🤝 Responsible Disclosure & Ethics
Everything here comes from authorized environments only: my own home lab, intentionally vulnerable training platforms (Hack The Box, PortSwigger), and public bug bounty programs tested strictly within scope and disclosure rules. No client data. No exploits against systems I don't own or have explicit permission to test. Findings against real programs are published only after remediation and in line with each program's policy.
📫 Connect
LinkedIn: www.linkedin.com/in/matthewgcaballero Write-ups / Blog: [your portfolio URL] Email: mattcaballero.work@gmail.com