
Abdelhak Kherroubi

Security Engineer
Dubai, Dubai

Summary

Results-driven Security Engineer with over 6 years of experience securing enterprise IT environments. Proven expertise in penetration testing, vulnerability assessments, and threat remediation across web, network, and mobile platforms, with a focus on financial and enterprise infrastructures. Skilled in identifying and mitigating security vulnerabilities through manual and automated testing. Experienced in implementing robust security protocols, reverse engineering mobile and web applications, analyzing API security, and using tools such as Burp Suite, Metasploit, Nessus, and Wireshark. Proficient in scripting with Python, Bash, and JavaScript to automate security tasks and enhance operational efficiency.

Overview

8 years of professional experience
3 Certifications
3 Languages

Work History

Security Researcher

HackerOne
02.2017 - Current
  • Recognized by Twitter on its Top Security Researchers Acknowledgment Page — ranked 13th globally in 2019.
  • Reported 5+ confirmed vulnerabilities to Twitter’s security team, including critical flaws; also submitted critical vulnerabilities to Google (accepted & in process) and Slack (accepted, awarded bounty).
  • Acknowledged in Hall of Fame pages for notable vendors including Mimecast, TIBCO, SideFX, and Acronis.
  • Discovered vulnerabilities across multiple private programs on HackerOne, including broken access controls, XSS, and authentication flaws.
  • Active Capture the Flag (CTF) participant and ranked hacker on Hack The Box — solved various Easy and Medium-rated machines.
  • Authored public research on banking and financial application vulnerabilities with critical business logic impact.
    Read: Hacking Banks – Broken Access Control [https://medium.com/@protostar0/hacking-banks-broken-access-control-vulnerability-in-banking-application-part-i-c442ed5ae170]

Security Engineer

Arab Leasing Corporation, ALC
10.2021 - 10.2022

  • Conducted internal and external penetration tests, including phishing simulations and network assessments, to identify and remediate security vulnerabilities.
  • Led the implementation and administration of enterprise security solutions, enhancing the organization’s security posture across systems and endpoints.
  • Managed and configured tools such as Nexpose, BeyondTrust PRA, Fortinet security suite (FortiGate, FortiSIEM), Sophos, endpoint detection and response (EDR) platforms, and antivirus solutions.
  • Collaborated with IT and infrastructure teams to ensure secure deployment and integration of tools across the enterprise environment.

Cyber Security Specialist

Data Impact
01.2020 - 01.2021
  • Conducted full-scope penetration testing on the organization’s assets, including web applications, internal systems, and mobile platforms.
  • Performed reverse engineering on Android and iOS mobile applications to uncover hidden behaviors, insecure API calls, and cryptographic flaws.
  • Developed custom automation tools using Python and Bash, enhancing the efficiency of repetitive security testing tasks and internal workflows.
  • Worked directly with development and infrastructure teams to analyze root causes and implement secure code fixes, strengthening the organization’s overall security posture.

Security Engineer | Reverse Engineer

KnotAPI
02.2022 - Current
  • Led and executed comprehensive penetration testing across the company’s full asset landscape, including web dashboards, mobile SDKs (iOS & Android), and internal APIs.
  • Identified and remediated 20+ security vulnerabilities, ranging from logic flaws to critical issues, prior to external assessments by Software Secure—which subsequently found no critical or high-risk vulnerabilities, validating the robustness of internal testing.
  • Conducted reverse engineering of heavily obfuscated Android and web applications to uncover hidden APIs and analyze cryptographic implementations for weaknesses.
  • Performed in-depth secure code reviews and implemented or recommended fixes across diverse tech stacks:
    PHP (Laravel framework)
    Java (Android)
    Python
    TypeScript
  • Built and maintained custom security tools to assist developers in secure coding practices, including automated scripts that scan published platforms for hardcoded credentials, tokens, and API keys.
  • Collaborated with engineering teams to integrate security best practices into development workflows and SDLC processes.

Education

Master's Degree - Computer Networking

University Ibn Khaldoun
09.2018 - 10.2020

Bachelor of Science - Computer And Information Sciences

Ibn Khaldoun
Tiaret, Algeria
04.2001 -

Skills

  • Web Application Penetration Testing
  • Vulnerability Assessment
  • Reverse Engineering (Web & Mobile Apps)
  • Network Security Assessment
  • Security in SDLC
  • OWASP Top 10
  • Banking App API Reverse Engineering
  • API Security Testing
  • Cryptography

Certification

The BeyondTrust Privileged Remote Access
