- OWASP Top 10 manual testing
- Severity-ranked PDF report
- Business impact per finding
- Remediation guidance included
A breach costs more than a pentest.
I find the vulnerabilities in your systems before someone exploits them. Structured methodology, written deliverables, and a report your team can act on.
[ SERVICES ]
What I do
- Kerberos, ACL & delegation testing
- Severity-ranked PDF report
- Domain compromise path analysis
- Remediation guidance included
All services include a free re-test after fixes are applied.
[ CASE STUDIES ]
Real engagements, real findings
WordPress Intranet — Static Code Analysis
Auth bypass, hardcoded credentials, and XSS in a corporate WordPress stack — all remediated within two weeks.
Active SEO Spam Injection & Full Remediation
Hidden gambling SEO spam and exposed backups on WordPress — full cleanup verified in one session.
[ ABOUT ]
Why work with me
I began as a full-stack developer before moving into offensive security. That foundation is practical: I read application logic and architecture, not just scanner output — so every finding ties to a root cause and remediation your team can implement without guesswork.
I specialize in web application and Active Directory assessments for startups and SMBs. Work follows a structured methodology — scope agreed in writing, manual testing, severity-ranked reports with evidence. The case studies on this site are from real engagements: corporate WordPress intranets, active SEO spam compromises, and post-incident remediation.
You work directly with me — not a sales team or junior tester. Based in Colombia, I deliver remotely across Latin America, the US, and Europe in English or Spanish, with fixed scope and pricing agreed before testing begins.
[ CREDENTIALS ]
Training & Experience
Completed paths
In progress
[ HOW IT WORKS ]
Structured engagement process
-
Scoping & proposal
Free scoping call to define your environment, targets and rules of engagement. You receive a written proposal with scope, methodology, fixed price and NDA — before any work begins.
-
Assessment & testing
Manual offensive testing with progress updates throughout. Critical and high findings are reported immediately — not held for the final report.
-
Reporting & verification
Severity-ranked PDF report with evidence and remediation steps.
[ PRICING ]
Get an instant estimate
Choose your service
Environment parameters
Scope
Complexity
Testing type
Selected service
Web App Pentest
Estimated range
Automated estimate only — not a binding quote.
A signed authorization agreement is required before any engagement begins.
[ FAQ ]
Common questions
Cost, focus, and direct access. As a LATAM-based independent tester, my rates are significantly lower than US/EU firms without sacrificing methodology or quality. You work directly with the person doing the testing — from scoping to final report.
I report it immediately — you don’t wait for the final report. Critical and high findings are communicated as soon as confirmed so your team can begin remediation while the engagement is still active.
Most web app engagements run 1–2 weeks; Active Directory assessments typically 2–3 weeks. Exact timing depends on scope, environment size, and testing type. You get a fixed timeline in the written proposal before work begins.
A short scoping call is enough to start. Before testing begins, you’ll need a signed authorization agreement, a technical point of contact, and access details aligned with the agreed testing type (black-box, grey-box, or white-box). I provide a checklist in the proposal.
Yes. Mutual NDAs are standard and included in the engagement paperwork. Your data, credentials, and findings are handled confidentially — nothing is shared with third parties.
[ SEND A MESSAGE ]