Olaoluwa Olakojo

DevOps Engineer

Lagos, Lagos State, Nigeria · 1 yr 3 mos experience

Key Highlights

  • Expert in leading security frameworks and penetration testing.
  • Proficient in advanced post-exploitation techniques.
  • Hands-on experience with industry-standard security tools.
Stackforce AI infers this person is a Cybersecurity expert specializing in penetration testing and application security across various industries.

Skills

Core Skills

Penetration Testing · Cloud Security · Red Teaming · Vulnerability Assessment · Application Security · Web Security · Network Security

Other Skills

Phishing Campaigns · Reporting · Red Team Assessments · Vulnerability Discovery · Domain Privilege Mapping · API Security · SAST · AWS Security · Threat Detection · Web Application Security · API Security Testing · Continuous Monitoring · SAST and DAST · Network Penetration Testing · Active Directory Security

About

Security Engineer and Penetration Tester with extensive expertise in leading security frameworks, including OWASP Top 10, Microsoft SDL, MITRE ATT&CK, and SANS Top 25. Currently pursuing a Bachelor's degree in Criminology at the National Open University in Nigeria.

With a deep understanding of industry-standard security tools and frameworks, I have hands-on experience with Burp Suite, Metasploit, Nessus, Bloodhound, and Nmap, along with security monitoring solutions like Snort, Wazuh, and Suricata. My skill set extends to advanced post-exploitation techniques using Mimikatz, Empire, CrackMapExec (CME), PowerSploit, PowerView, and PingCastle. I am proficient in scripting across multiple languages, including Python, Bash, and PowerShell, and regularly work with modern C2 frameworks such as Havoc C2.

In addition to tools, I am well-versed in security frameworks and concepts, including the OWASP Top 10, SANS Top 25, Microsoft SDL, and MITRE ATT&CK Framework. My work spans the SDLC, focusing on secure development practices with Static and Dynamic Application Security Testing (SAST & DAST), Software Composition Analysis (SCA), and adhering to industry standards like OSSTMM and PTES for penetration testing methodologies.

Open to Remote Contract Engagements

Certifications:
  • Certified Red Team Professional (CRTP - Altered Security)
  • Certified Penetration Testing Specialist (CPTS - Hackthebox)
  • Offensive Security Certified Professional+ (OSCP+ - Offensive Security)

CVEs:
  • CVE-2024-44871
  • CVE-2024-44872
  • CVE-2024-55341
  • CVE-2024-55342

Certification In Progress:
  • Certified Azure Red Team Professional (CARTP)

Hacking Labs Progress:
  • Tryhackme - https://tryhackme.com/p/secfortress
  • Hackthebox - https://app.hackthebox.com/profile/623459

Experience

Bluebulb

Penetration Tester

Jun 2025 - Dec 2025 · 6 mos · United Kingdom · Remote

  • Led authorized security assessments across cloud and product infrastructure, collaborating directly with DevOps, data, and product teams to reduce attack surface and accelerate secure shipping.
  • Discovered and responsibly disclosed multiple production vulnerabilities, including an RCE bug and high-severity business-logic/authorisation (BOLA) flaws affecting public APIs; coordinated verification and remediation with engineering and stakeholders.
  • Performed comprehensive cloud pentests on M365 and surrounding cloud estate, evaluated identity configuration, privilege paths, and data exfiltration vectors; delivered technical findings and prioritized remediation plans.
  • Designed and executed authorized phishing / social-engineering campaigns as part of simulated adversary testing; achieved a 60% success/engagement rate and produced attacker-playbook-driven awareness and hardening recommendations.
  • Produced actionable, triaged reports with reproducible proof-of-concept steps and remediation guidance; tracked fixes and validated closure to reduce mean time to remediate (MTTR) for critical findings.
Cloud Security · Vulnerability Assessment · Penetration Testing · Phishing Campaigns · Reporting

Vibes Meet LLC

Application Security Consultant

Dec 2024 - Feb 2025 · 2 mos · London Area, United Kingdom · Remote

  • Supported the DevOps team of a UK-based dating platform to embed security into the SDLC and reduce risk exposure across AWS-hosted infrastructure.
  • Discovered and reported high-impact API vulnerabilities, including business logic flaws and endpoints that leak user Personally Identifiable Information (PII), such as emails and phone numbers, mitigating potential GDPR violations.
  • Conducted SAST using Semgrep, reducing production bugs by 40% and ensuring compliance with the OWASP Top 10 standards.
  • Strengthened AWS cloud security by configuring CloudFront, Cloudflare WAF, and IAM policies, blocking more than 10,000 unauthorized requests per week, and preventing asset enumeration.
  • Hardened content delivery configurations to prevent unauthorized downloads and hotlinking of premium content.
  • Implemented a real-time threat detection stack combining:
      • AWS GuardDuty: threat intelligence and anomaly detection
      • AWS CloudTrail + CloudWatch: for event monitoring and alerting
      • Wazuh: for endpoint threat visibility and log correlation
  • Reduced attack surface by 70%, prevented customer data leakage, and helped the company avoid potential fines of £100,000+ under UK data protection laws.
API Security · SAST · AWS Security · Threat Detection · Application Security · Cloud Security

Boch Systems West Africa

Offensive Security Engineer

Sep 2024 - Jun 2025 · 9 mos · Lagos State, Nigeria · Hybrid

  • Executed advanced red team assessments for 12+ organizations in the banking, pension, and fintech sectors, including Trustfund Pensions, Olive Microfinance Bank, DLM, and Gateway Mortgage Bank, simulating real-world adversaries to uncover systemic weaknesses.
  • Uncovered critical vulnerabilities that could have resulted in more than 300 million ($250,000+) in potential financial losses, helping clients avoid data breaches and regulatory penalties.
  • Gained domain admin access in multiple internal network assessments via techniques such as Zerologon exploitation, NTLM hash relay, and password spraying targeting weak corporate credentials (e.g. P@ssw0rd123, hyosung).
  • Leveraged tools like BloodHound and PingCastle to map domain privilege paths and expose risky Active Directory configurations.
  • Successfully bypassed Rublon MFA on Remote Desktop services by extracting browser-saved credentials with LaZagne, simulating adversary-in-the-middle scenarios.
  • Uncovered critical ATM application vulnerabilities during an internal banking assessment, gaining authorized Windows host access and demonstrating transaction workflow manipulation and internal fund redirection under strict rules of engagement.
  • Authored comprehensive reports with executive summaries, technical findings, and prioritized mitigation steps, directly leading to security policy revisions and patch management strategies.
  • Strengthened clients’ internal security posture, reduced attack surface by 65%, and improved incident response maturity across multiple organizations.
Red Team Assessments · Vulnerability Discovery · Domain Privilege Mapping · Reporting · Red Teaming · Vulnerability Assessment

Techpeak Lab Ltd

Security Specialist

Feb 2024 - Feb 2025 · 1 yr · United Kingdom · Remote

  • Conducted comprehensive web application security assessments focusing on common vulnerabilities such as SQL injection, XSS, CSRF, and IDOR, using tools like Burp Suite, OWASP ZAP, and Nessus.
  • Specialized in API security testing for RESTful and GraphQL APIs, identifying misconfigurations, insecure data exposure, and access control issues using Postman, FFuF, and custom scripts to ensure robust API security measures.
  • Collaborated directly with clients to understand their security needs, tailoring security assessments and remediation plans to align with their specific business objectives and compliance requirements (e.g., GDPR, PCI-DSS, ISO 27001).
  • Provided security recommendations based on OWASP Top 10 and SANS Top 25 vulnerabilities, ensuring adherence to best practices in secure software development across the SDLC for web applications and APIs.
  • Performed continuous security monitoring of client environments, integrating SIEM tools (e.g., Splunk, Wazuh, Suricata) to detect and respond to security incidents, including unauthorized access attempts on APIs and web platforms.
  • Developed and enforced secure API gateway policies and authentication mechanisms, such as OAuth2, JWT, and API key management, ensuring secure client-server communication and access control.
  • Maintained and deployed Web Application Firewalls (WAF) and API gateways, ensuring protection from attacks like DDoS, Botnet attacks, and API-specific threats such as GraphQL injections or excessive data exposure.
  • Applied SAST and DAST tools (e.g., SonarQube, Veracode) to perform static and dynamic analysis of web applications, identifying vulnerabilities in both code and runtime environments, and ensuring that security is integrated throughout the development lifecycle.
Web Application Security · API Security Testing · Continuous Monitoring · SAST and DAST · Application Security · Web Security

WTCN Solutions

Network Penetration Tester

Feb 2022 - Aug 2023 · 1 yr 6 mos · Federal Capital Territory, Nigeria · Hybrid

  • As a Network Penetration Tester at WTCN Solutions, my primary responsibility is to conduct thorough assessments of network infrastructures, with a focus on Active Directory environments and Web application vulnerability assessments. My duties involve identifying vulnerabilities, misconfigurations, and weaknesses within AD setups, simulating real-world attack scenarios to assess the security posture of client organization and writing standard reports with recommendations for remediation.
  • Some of the key tasks I performed include:
  • Utilize tools like Nmap, LDAP enumeration tools (such as ADExplorer), Bloodhound, Kerbrute and PowerShell scripts (Powersploit) to gather information about the Active Directory environment, including domain controllers, user accounts, group memberships, etc.
  • Utilized tools like Hydra, CrackMapExec, or Mimikatz for password attacks.
  • Checked for password policy enforcement and complexity requirements.
  • Attempted to escalate privileges by exploiting vulnerabilities like Kerberos attacks (Golden Ticket, Silver Ticket), pass-the-hash attacks, and ACL exploits.
  • Test for the effectiveness of network segmentation and access controls.
  • Attempt to exfiltrate sensitive data from the network to assess the effectiveness of data loss prevention (DLP) controls.
  • Used the GPMC to create GPOs that define registry-based policies, security options, software installation and maintenance options, scripts options and folder redirection options to better secure AD infrastructure.
  • Also participated in client penetration tests, utilizing tools such as Burp Suite, OWASP ZAP, and Nessus to identify and remediate security vulnerabilities.
  • Provided training and awareness sessions for IT staff and end-users to improve security awareness and best practices.
  • Provided clear recommendations for mitigating each vulnerability and configuration changes.
  • Document all findings, including vulnerabilities, exploited paths, and recommendations for remediation.
Network Penetration Testing · Active Directory Security · Vulnerability Assessment · Network Security · Penetration Testing

SenseLearner Technologies Pvt. Ltd.

Web Application Penetration Tester

Aug 2021 - Nov 2021 · 3 mos · India · Remote

  • As a Web Application Penetration Tester at SenseLearner Pvt Ltd, I was responsible for identifying and assessing vulnerabilities within web applications to ensure the security and integrity of these systems. My work involved:
  • Scanning and Enumeration: Utilizing various tools such as Burp Suite, OWASP ZAP, or Nmap to scan and enumerate the target web applications for potential vulnerabilities including open ports, exposed services, and web application frameworks.
  • Vulnerability Assessment: Conducting thorough assessments of web applications to identify common vulnerabilities such as SQL injection, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), security misconfigurations, and authentication flaws.
  • Exploitation and Proof of Concept: Actively exploiting discovered vulnerabilities to demonstrate their impact and severity to stakeholders. This involves crafting and executing exploits to gain unauthorized access or manipulate sensitive data.
  • Reporting and Documentation: Compiling comprehensive reports detailing identified vulnerabilities, their potential impact, and recommended remediation steps. Effective communication of findings to developers and management is crucial for ensuring timely mitigation of security risks.
  • Security Testing Methodologies: Applying industry-standard methodologies such as OWASP Top 10, PTES (Penetration Testing Execution Standard), or OSSTMM (Open Source Security Testing Methodology Manual) to guide my testing approach and ensure thorough coverage of potential attack vectors.
  • Continuous Learning and Research: Staying updated with the latest security trends, techniques, and vulnerabilities by actively participating in forums, attending conferences, and conducting independent research. This allows me to adapt my testing methodologies to evolving threats and technologies.
Web Application Testing · Vulnerability Assessment · Reporting · Web Security · Penetration Testing

Education

National Open University of Nigeria (NOUN)

Bachelor's degree — Criminology

Feb 2024 - Mar 2027
