Security Engineer & Penetration Tester

TABARIK

Coca-Cola Hall of Fame — P1
Tecno Hall of Fame — XSS
// Recognition
Bug Bounty
Hall of Fame
Recognized by global enterprises for responsibly disclosing critical vulnerabilities through Bugcrowd and HackerOne programs.
COCA-COLA
P1 Authentication Bypass
Critical — Full Account Access
PRIORITY 1
Bugcrowd · Submission Shogun L3
TECNO
Cross-Site Scripting (XSS)
High — Stored / Reflected
HIGH SEVERITY
HackerOne
// 01 — Profile

About Me

MTA
TABARIK.DEV
ROLE: Security Engineer
FOCUS: AppSec · API · Pentest
LOCATION: Pakistan · Remote-Open
CERTS: OSCP (prep) · CAP · ISO 27001
STATUS: Available for Hire

I'm M. Tabarik Asif, a Security Engineer specializing in application security, API security testing, and penetration testing with a focus on fintech and enterprise environments. I find vulnerabilities before attackers do — and I've been formally recognized for it by global companies including Coca-Cola and Tecno.

My day-to-day involves identifying critical vulnerabilities (IDOR, LFI, SQLi, broken authentication, financial data exposures) across web, mobile, and API layers, deploying SIEM solutions, and building security programs that scale. I've led a team of 4 security professionals and driven ISO 27001 compliance in a production fintech environment.

Outside engineering, I'm an active independent researcher on Bugcrowd and HackerOne, an OSCP candidate, and the founder of HissabAI — a WhatsApp-native AI finance platform I built and secured from the ground up.

// 02 — Capabilities

Expertise

Application Security
End-to-end AppSec across web, Android, iOS, and Flutter — identifying IDOR, LFI, broken auth, and financial data exposures in production systems handling high-value transactions.
OWASP Top 10 · IDOR · LFI · Broken Auth · Secure SDLC · Mobile AppSec
API Security & Penetration Testing
Full-scope API security assessments — auth bypass, excessive data exposure, injection flaws, and business logic vulnerabilities. Structured reports engineering teams can act on immediately.
Burp Suite Pro · Nmap · SQLMap · Nuclei · ffuf · API Testing
Cloud & Infrastructure Security
AWS security architecture — IAM least-privilege, KMS encryption, WAF with custom ACLs, Secrets Manager, S3 hardening. Zero secrets in codebases, zero-trust network segmentation.
AWS IAM · AWS WAF · KMS · Secrets Manager · Linux Hardening · OPNsense
SIEM & Incident Response
Deployed Wazuh SIEM for continuous threat detection. DLP preventing PII/financial data exfiltration. Contained a 12M-request attack in under 4 hours with zero accounts compromised.
Wazuh · Splunk (SPL) · DLP · Wireshark · Threat Detection · IR
Vulnerability Management
Formal vuln management programs — automated scanning, triage, risk scoring, remediation coordination. 15+ critical findings (IDOR, LFI, financial exposures) remediated in production.
ISO 27001 · Risk Assessment · Nuclei · CVE Triage · DevSecOps · PECA 2016
Security Leadership
Led and mentored a team of 4 security professionals. Built security programs from zero — policies, compliance frameworks, ISO 27001 alignment across a production fintech environment.
Team Leadership · ISO 27001 · Policy Writing · GRC · Risk Assessment
// 03 — Experience

Work History

Jan 2025 — Present
Fintech Platform
Pakistan
Security Engineer
Leading full-spectrum security operations for a high-volume fintech platform — from penetration testing production systems to designing cloud architecture that protects them.
Built and led a 4-person security team — security reviews, task delegation, upskilling across web, mobile, and infrastructure
Identified and remediated 15+ critical vulnerabilities (IDOR, LFI, financial/PII exposures) before any exploitation occurred
Reduced MTTD for infrastructure threats by deploying and tuning Wazuh SIEM across Linux and Windows servers
Prevented unauthorized data exfiltration by implementing DLP controls protecting sensitive financial and PII data
Achieved ISO 27001 alignment through continuous risk assessments and formal security policy implementation
Contained a 12M-request credential stuffing attack in under 4 hours — zero accounts compromised
CURRENT
Jun 2024 — Jan 2025
Fintech Platform
Pakistan
Security Specialist
Focused application security assessment across Android, iOS, Flutter, and web applications in a production fintech environment.
Assessed 5+ production applications — identifying critical IDOR, LFI, and PII/financial data exposure vulnerabilities
Evaluated APIs, databases, and network infrastructure; enforced least-privilege and timely remediation
Implemented encryption, secure authentication, and DevSecOps practices across the SDLC
PROMOTED
2020 — 2024
Bugcrowd & HackerOne
Independent
Security Researcher
Independent bug bounty researcher discovering and responsibly disclosing high-impact vulnerabilities. Hall of Fame recognition from two global brands.
Coca-Cola Hall of Fame — P1 Authentication Bypass (Bugcrowd Submission Shogun L3)
Tecno Hall of Fame — XSS (HackerOne)
Discovered SQLi, XSS, IDOR, Broken Auth, and sensitive data exposures across multiple programs
HOF ×2
// 04 — Skills

Skill Matrix

APPLICATION SECURITY: 95%
API SECURITY & PENETRATION TESTING: 92%
VULNERABILITY MANAGEMENT: 90%
CLOUD SECURITY (AWS): 85%
SIEM & INCIDENT RESPONSE: 83%
MOBILE SECURITY (Android/iOS/Flutter): 80%
INFRASTRUCTURE & NETWORK SECURITY: 82%
Full Toolset
Burp Suite Pro · Nmap · Nuclei · SQLMap · ffuf · Nikto · Metasploit · Wireshark · Wazuh · Splunk · GoPhish · AWS WAF · AWS IAM · KMS · OPNsense · WireGuard · Suricata · UniFi · Python · Bash · PowerShell · Node.js · PostgreSQL · Redis
// 05 — Selected Work

Projects

Network Security · On-Premises
Enterprise OPNsense Firewall & VLAN Architecture
Designed and deployed a high-availability OPNsense firewall with enterprise-grade network segmentation. Multi-WAN routing, policy-based traffic management, and IDS/IPS using Suricata with custom rule tuning for real-time threat blocking.
Technical Architecture
Firewall: OPNsense — multi-WAN, policy routing, NAT, anti-spoofing
Segments: Payment · Mgmt · Staff · Guest · IoT · Servers (6 VLANs)
Wireless: UniFi APs — VLAN-aware SSID segmentation per user group
IDS/IPS: Suricata — custom rule sets, live threat blocking
VPN: WireGuard site-to-site + remote access with strict auth
Hardening: DNS filtering, secure mgmt access, centralized log auditing
6 Isolated Network Segments
IDS/IPS: Suricata — Live Threat Blocking
WG: WireGuard — Encrypted Remote Access
OPNsense · Suricata · WireGuard · UniFi · Production
Incident Response
DDoS & Credential Stuffing — Live IR
Detected and contained a 12 million request automated attack campaign against a fintech login endpoint over 18 hours. Zero accounts compromised. Full containment under 4 hours.
Response Chain
Detect: Wazuh SIEM + Cloudflare analytics spike alert
Contain: ASN blocking, WAF rules, Bot Fight Mode
Mitigate: Sliding-window rate limiting + IP reputation lists
T1110.003 · Cloudflare WAF · 12M Blocked
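The "Mitigate" step above combines a sliding-window rate limit with an IP reputation list. The following is an added illustration of that pairing, not the platform's own code: a per-source limiter that evicts attempts older than the window and consults a reputation deny-list first, replayed over a constructed stream of login events. The window, limit, IP addresses and event stream are all assumptions chosen for the demo.

```python
"""Sliding-window login rate limiter with an IP reputation deny-list.

Added example, not the portfolio owner's code. It assumes a constructed
stream of login events (source ip, unix timestamp) and a hypothetical
reputation list; the window and threshold are illustrative.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60      # sliding window length (assumption)
MAX_ATTEMPTS = 20        # attempts allowed per source IP per window (assumption)

# Constructed reputation list (documentation-range address, not a real indicator).
BAD_REPUTATION = {"198.51.100.7"}


class SlidingWindowLimiter:
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_ATTEMPTS, denylist=()):
        self.window = window
        self.limit = limit
        self.denylist = set(denylist)
        self._hits = defaultdict(deque)   # ip -> timestamps still inside the window

    def allow(self, ip, now):
        """Return (allowed, reason). Reputation is checked before the counter."""
        if ip in self.denylist:
            return False, "reputation"
        q = self._hits[ip]
        # Evict timestamps that have slid out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False, "rate"
        q.append(now)
        return True, "ok"


def replay(events, limiter=None):
    """Feed (ip, ts) events through the limiter.

    Returns (allowed_count, {ip: {"rate": n, "reputation": n}}) for blocked sources.
    """
    limiter = limiter or SlidingWindowLimiter(denylist=BAD_REPUTATION)
    blocked = defaultdict(lambda: {"rate": 0, "reputation": 0})
    allowed = 0
    for ip, ts in events:
        ok, reason = limiter.allow(ip, ts)
        if ok:
            allowed += 1
        else:
            blocked[ip][reason] += 1
    return allowed, dict(blocked)


# Constructed events: one source hammering the login endpoint, one normal user,
# and one source that is already on the reputation list.
SAMPLE_EVENTS = (
    [("203.0.113.10", 1000 + i) for i in range(50)]       # 50 attempts in 50 s
    + [("192.0.2.5", 1000 + i * 15) for i in range(4)]    # 4 attempts over 60 s
    + [("198.51.100.7", 1005)]
)

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

The deny-list check runs before the counter so a known-bad source never consumes window state, and eviction happens on every call so memory per source is bounded by the limit. In a real deployment the same logic would sit in the WAF or edge layer rather than in the application, but the semantics are identical.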
Security Tool · Python
ShieldVortex — Automated Vulnerability Scanner
Final year project — Python-based automated web vulnerability scanner covering OWASP Top 10. Detects SQLi, XSS, LFI, broken auth, and misconfigurations with payload injection and structured report generation.
Technical Stack
Language: Python — requests, BeautifulSoup, custom payloads
Coverage: SQLi · XSS · LFI · Auth bypass · Header analysis
Python · OWASP Top 10 · SQLi · XSS
Offensive Tool · Python
Python Keylogger
Cross-platform Python keylogger for security research — captures keystrokes, active window titles, and clipboard content with AES-encrypted local logging. Designed with AV evasion analysis in mind.
Technical Details
Capture: Keystrokes, window context, clipboard monitoring
Storage: AES-encrypted local log with timestamping
Python · pynput · AES · Research
Automation · Bug Bounty
Bug Bounty Recon Automation
Automated reconnaissance pipelines for large-scale bug bounty — combining subdomain enumeration, port scanning, screenshot capture, and Nuclei template scanning into a single continuous discovery workflow.
Nuclei · Subfinder · Amass · Python · Bash
Penetration Test
API Security Assessment
Authorized black-box pentest of a production API. Discovered a chain enabling full account takeover and database schema exposure without authentication.
CRIT: Credentials in nginx access logs via plaintext GET params
HIGH: JWT without server-side revocation on logout
HIGH: Raw SQL errors exposing full DB schema (CWE-209)
OWASP A02 · CWE-209 · JWT · Burp Suite
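The second finding above, a JWT that stays usable after logout, is a missing server-side state problem: a stateless token is valid until its expiry unless the server records that it was revoked. As an added example (not the assessed API's code, and not a recommendation of any specific library), the block below issues HS256 tokens carrying a unique jti claim, keeps a revocation list keyed by jti until the token's own exp, and rejects a logged-out token even though its signature still verifies. The signing key, claims and clock values are constructed for the demo, and the compact JWT encoding is hand-rolled with the standard library purely so the example runs offline.

```python
"""Server-side JWT revocation on logout (added example, not the assessed API's code).

Tokens are HS256 JWTs with a unique ``jti``. Logout records the jti in a
revocation list that is pruned once the token's own ``exp`` passes, so the list
never grows beyond the number of live tokens. Secret and clock values are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"demo-signing-key-not-for-production"   # constructed for the demo


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(sub, now, ttl=900, key=SECRET):
    """Mint an HS256 token with sub/iat/exp and a random jti."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": sub, "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class RevocationList:
    """jti -> exp. Entries are dropped once the token would have expired anyway."""

    def __init__(self):
        self._revoked = {}

    def revoke(self, claims):
        self._revoked[claims["jti"]] = claims["exp"]

    def purge(self, now):
        self._revoked = {j: e for j, e in self._revoked.items() if e > now}

    def is_revoked(self, jti, now):
        self.purge(now)
        return jti in self._revoked

    def size(self):
        return len(self._revoked)


def verify(token, now, revocations, key=SECRET):
    """Return the claims if signature, algorithm, expiry and revocation checks pass, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    hdr = json.loads(_b64url_decode(header))
    if hdr.get("alg") != "HS256":          # pin the algorithm; never trust alg from the token
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        return None
    if revocations.is_revoked(claims.get("jti"), now):
        return None
    return claims


def logout(token, now, revocations, key=SECRET):
    """Revoke the presented token. Returns True only if it was valid and is now revoked."""
    claims = verify(token, now, revocations, key)
    if claims is None:
        return False
    revocations.revoke(claims)
    return True


def demo():
    """Valid before logout, logout succeeds, rejected afterwards: (True, True, False)."""
    rl = RevocationList()
    t = issue("alice", now=1_700_000_000)
    before = verify(t, 1_700_000_010, rl) is not None
    logged_out = logout(t, 1_700_000_020, rl)
    after = verify(t, 1_700_000_030, rl) is not None
    return before, logged_out, after


if __name__ == "__main__":
    print(demo())
```

The revocation list only needs to remember a jti until that token's exp, which is what keeps the approach cheap; a short token lifetime plus a refresh flow keeps the list small. Pinning the algorithm in verify() is unrelated to the logout finding but is the check most often missing alongside it.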
Founder · Secure SaaS
HissabAI — AI Finance Platform
Founded HissabAI — a WhatsApp-native AI finance tracker for Pakistani SMEs — with security-first design: AWS KMS encryption, Secrets Manager, HMAC webhook validation, zero secrets in source code.
Node.js · AWS KMS · Secrets Manager · hissabai.com · Live
Security Awareness
Internal Phishing Simulation
Deployed Gophish on Ubuntu for controlled internal phishing campaigns — SMTP relay configuration, realistic pretext design, per-employee click tracking, and post-campaign awareness reporting.
Gophish · SMTP Config · Ubuntu · Campaign Tracking
// 06 — Live Intelligence

Threat Feed

CVE Spotlight
CVE-2025-58360
GeoServer XXE · CVSS 9.8
// 08 — Credentials

Certifications

OSCP
OffSec Certified Professional
Offensive Security
IN PROGRESS
CAP
Certified AppSec Practitioner
SecOps Group · Dec 2022
ACTIVE
ISO
ISO/IEC 27001 InfoSec Associate
SkillFront · Jan 2023
ACTIVE
IBM
Cybersecurity Analyst Professional
IBM Technologies · 2024
ACTIVE
GCP
Google Cybersecurity Professional
Google · Dec 2023
ACTIVE
SEC+
CompTIA Security+
CompTIA · Self-Study 2024
PREPARATION
// 10 — Writing

Latest Writeups

Apr 26 2026
EASY · LINUX
BoardLight
Dolibarr CVE-2023-30253 PHP injection for foothold, Enlightenment SUID binary for root
CVE · SUID · Linux
Apr 22 2026
MEDIUM · LINUX
Monitored
SNMP credential leak + Nagios XI SQLi + npcd service hijack
SNMP · SQLi · Nagios
Apr 02 2026
EASY · LINUX
CozyHosting
Spring Boot Actuator session leak + command injection via SSH
Spring Boot · RCE · Linux
// 09 — Let's Talk

Contact

Let's find vulnerabilities in your systems before attackers do.
Available for security engineering roles, penetration testing engagements, AppSec consulting, and speaking. Based in Pakistan — open to remote globally.