██╗ ██╗██╗████████╗███████╗ █████╗ ███╗ ██╗ █████╗
██║ ██╔╝██║╚══██╔══╝██╔════╝██╔══██╗████╗ ██║██╔══██╗
█████╔╝ ██║ ██║ ███████╗███████║██╔██╗ ██║███████║
██╔═██╗ ██║ ██║ ╚════██║██╔══██║██║╚██╗██║██╔══██║
██║ ██╗██║ ██║ ███████║██║ ██║██║ ╚████║██║ ██║
╚═╝ ╚═╝╚═╝ ╚═╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝
Penetration Tester · Offensive Security Researcher · Vulnerability Disclosure
whoami • Credentials • Impact • Engagements • Projects • Arsenal • ATT&CK • Activity • Connect
CPTS-certified penetration tester and NASA-acknowledged vulnerability researcher who approaches every network, application, and system through the eyes of an attacker. I execute full attack chains aligned with MITRE ATT&CK — from initial reconnaissance through domain compromise — and translate findings into structured, executive-ready reports with actionable remediation guidance.
Currently conducting red team engagements at AI FinchTech targeting web applications and REST/GraphQL APIs, while deepening Active Directory offensive capability and building automated threat hunting tooling that bridges offensive telemetry to SOC workflows.
🎯 Ask me about... (click to expand)
- Active Directory attack paths — Kerberoasting, AS-REP Roasting, Golden/Silver Tickets, DCSync
- Chaining low/medium findings into critical attack paths on live red team engagements
- Building agentless PowerShell threat-hunting tooling from native Windows telemetry
- Mobile application reverse engineering — static/dynamic analysis, Frida instrumentation, APK teardown
- Responsible disclosure workflows and coordinating with vendor security teams (incl. NASA VDP)
- Bridging offensive security findings into SOC-ready SIEM detections
$ certcheck --operator kitsana.thuekoh --verbose| Certification | Authority | Status | |
|---|---|---|---|
| 🔴 | CPTS — Certified Penetration Testing Specialist | HackTheBox | ACTIVE |
| 🟠 | OSCP — Offensive Security Certified Professional | Offsec | ACTIVE |
| 🔵 | PenTest+ | CompTIA | ACTIVE |
| 🟢 | Security+ | CompTIA | ACTIVE |
| 🛰️ | NASA VDP — Letter of Recognition | NASA | AWARDED |
| 🔒 | ISC2 CC | ISC2 | ACTIVE |
🛰️ NASA Recognition — full detail
- Identified critical vulnerabilities in production public-facing NASA systems through authorized testing
- Developed and submitted proof-of-concept exploits with detailed remediation guidance
- All findings accepted and patched by the NASA security team
- Demonstrated disciplined operation within legal scope boundaries and responsible disclosure timelines
|
|
|
|
|
[ROLE] Penetration Tester & Vulnerability Researcher
[EMPLOYER] AI FinchTech (Stealth Startup) — Remote May 2026 – Present
├─ Full-scope red team engagements: web apps & REST/GraphQL APIs
├─ Chained low/medium findings → high-impact attack paths
├─ Custom payloads bypassing WAFs, rate limiting & auth controls
└─ Blind assessments simulating real-world threat actor TTPs
[ROLE] Network Engineer Consultant
[EMPLOYER] Synk, Johannesburg Jan 2024 – Sep 2025
├─ CVSS-triaged vulnerability findings correlated across SIEM & Windows event logs
├─ Python automation reduced manual assessment time by 40%
└─ Technical + executive reporting: attack chains, risk posture, remediation
[ROLE] Cybersecurity Intern
[EMPLOYER] Synk, Johannesburg Jan 2023 – Dec 2023
├─ Structured attack chain documentation & remediation strategy support
├─ Vulnerability scanning, finding triage, critical escalation
└─ IOC correlation across security telemetry
🛰️ NASA Vulnerability Disclosure Program — Letter of Recognition
- Identified critical vulnerabilities in production public-facing NASA systems through authorized testing
- Developed and submitted proof-of-concept exploits with detailed remediation guidance
- All findings accepted and patched by the NASA security team
- Demonstrated disciplined operation within legal scope boundaries and responsible disclosure timelines
🔍 Threat Hunting Automation Framework (PowerShell)
Architected an agentless, zero-dependency PowerShell framework ingesting native Windows telemetry — Event Logs, Sysmon, Defender, Registry, WMI, Scheduled Tasks — across 6 modular risk-classification engines.
FINDINGS → 7 Critical | 71 High-risk (from 6,000+ telemetry events)
DETECTED → PowerShell execution policy bypass
COM object abuse (MITRE T1546.015)
Local group enumeration reconnaissance
Registry-based persistence mechanisms
OUTPUT → Dark-themed HTML dashboard
Sortable risk-prioritized tables
Modular CSV exports for SIEM ingestion / SOC handoff
📱 Mobile Application Reverse Engineering — InsecureBankv2
Full-cycle security assessment of a deliberately vulnerable Android application, mapped to OWASP MASVS, MITRE ATT&CK Mobile, and scored with CVSS 3.1.
STATIC → JADX-GUI / apktool decompilation, manifest & permission audit
DYNAMIC → Frida & Objection instrumentation, runtime hooking, SSL pinning bypass
NETWORK → Burp Suite MITM proxy, Wireshark capture, cleartext HTTP transmission analysis
EXPLOIT → Hardcoded crypto keys, insecure local storage, exported component abuse
🌐 Web Application Security Portfolio (12+ CVSS-scored Reports)
Methodology-driven assessments against Juice Shop, DVWA, and PortSwigger Web Security Academy, aligned with OWASP Testing Guide v4.2.
| Vector | Technique |
|---|---|
| SQL Injection | Union-based → Blind Boolean → Time-based inference; bypassed input validation without error feedback |
| XSS | Chained Stored XSS with session hijacking → full account takeover; DOM-based XSS in client-side sinks |
| Auth Bypass | JWT algorithm confusion (none/HS256), weak secret brute-forcing |
| IDOR | Unauthorized record access via object reference manipulation |
| SSRF / CSRF | Internal network probing; authenticated action execution without user consent |
⚡ Vulnerability Assessment — CVE-2010-4221 (CVSS 10.0)
Authorized penetration test against Ubuntu 16.04.3 LTS identifying ProFTPD 1.3.3c backdoor — a decade-old unpatched vulnerability exposing unauthenticated remote root access.
RECON → Nmap service/version enumeration identified ProFTPD 1.3.3c on non-standard port
RESEARCH → Correlated version fingerprint to CVE-2010-4221; validated backdoor presence
EXPLOIT → Weaponized Metasploit module → unauthenticated root-level RCE
POST-EXPL → /etc/shadow extraction · process enumeration · lateral movement analysis
Offensive Frameworks
Active Directory
Mobile & Reverse Engineering
Network & Analysis
SIEM & Detection
Development
RECONNAISSANCE T1595 Active Scanning · T1589 Credential gathering
INITIAL ACCESS T1190 Exploit Public-Facing Application · T1566 Phishing simulation
EXECUTION T1059 PowerShell · Bash · T1203 Exploitation for Client Execution
PERSISTENCE T1546 COM Hijacking (T1546.015) · T1053 Scheduled Tasks · T1547 Registry Run Keys
PRIVILEGE ESCAL. T1548 SUID/SGID Abuse · T1055 Process Injection · T1134 Token Manipulation
CREDENTIAL ACCESS T1003 OS Credential Dumping · T1558 Kerberoasting · T1110 Brute Force
LATERAL MOVEMENT T1550 Pass-the-Hash · T1021 Remote Services · T1563 Remote Session Hijacking
IMPACT T1485 Data Destruction · T1490 Inhibit System Recovery
$ cat /ops/current_focus.log
[ACTIVE] Active Directory attack path deepening
└─ Kerberoasting, AS-REP Roasting, Golden/Silver Ticket, DCSync
[ACTIVE] PortSwigger Web Security Academy
└─ 50+ labs completed: SQLi, XSS, CSRF, SSRF, JWT, API security
[ACTIVE] VulnHub / HackTheBox
└─ 20+ machines rooted across Windows & Linux environments
[ACTIVE] TryHackMe
└─ Junior Penetration Tester & Red Teaming paths completed
[BUILDING] Reverse-Engineering-In-Mobile-Application (InsecureBankv2 assessment)
[BUILDING] Lab rebuild automation scripts (clean pentesting environments)
[BUILDING] Secure-by-default SaaS architecture research$ tail -f /var/log/contribution_grid.log --follow
⚙️ Set up the animated snake + activity graphs on your own profile
Snake game (contribution grid animation):
- In the
vetementsvmnts/vetementsvmntsprofile repo, add.github/workflows/snake.ymlusing Platane/snk. - The action pushes rendered SVGs to an
outputbranch on a schedule (e.g. every 24h). - Reference the
outputbranch SVGs viaraw.githubusercontent.comas shown above.
Activity graph / stats / streak / trophies: These are hosted, self-updating services that read live from the GitHub API — no action required, just reference the image URL with your username. If a service is rate-limited or down, self-host it by forking the corresponding repo and deploying to Vercel.
| 📧 | kitsanathuekoh@gmail.com |
| 💼 | linkedin.com/in/kitsana-thuekoh |
| 🐙 | github.com/vetementsvmnts |
| 📍 | Johannesburg, South Africa — Open to Remote |
Penetration Tester · Offensive Security Researcher · NASA VDP Recognized
