Anatolii S.

Security Engineer

Amersfoort, Utrecht, Netherlands · 7 yrs 6 mos experience
Most Likely To Switch · Highly Stable

Key Highlights

  • Over 8 years of hands-on security experience.
  • Expert in web and mobile application security.
  • Proficient in threat modeling and vulnerability assessments.
Stackforce AI infers this person is a Cybersecurity expert with a focus on application security and vulnerability management.

Skills

Core Skills

Security Engineering, Penetration Testing, Active Directory, Security Consulting

Other Skills

Mobile Applications, Microsoft Entra ID, Security Research, Vulnerability Assessment, Kerberos, OWASP, Large Language Models (LLM), Threat Modeling, Secure Code Review, Python, Information Security, Programming, GPEN, Risk Assessment, Shell Scripting

About

With over 8 years of hands-on security experience, Anatolii helps organizations break before attackers do. His work focuses on web and mobile applications, code review, cloud environments, LLMs, Active Directory, and network security. He keeps up with how attacks actually evolve and uses that knowledge to give practical, no-nonsense guidance teams can act on.

Experience

Total Experience: 7 yrs 6 mos
Average Tenure: 1 yr 10 mos
Current Experience: 3 yrs 1 mo

Anvil Secure

Security Engineer

Apr 2023 - Present · 3 yrs 1 mo · Amsterdam, North Holland, Netherlands

  • As a Security Engineer, Anatolii was responsible for API and web application security testing, mobile application security assessments, and in-depth reviews of cloud infrastructure. Led security source code reviews and developed internal security tools to enhance testing efficiency and coverage. Worked with testing LLMs and evaluating their guardrails to identify security weaknesses, misuse scenarios, and potential abuse paths. Applied STRIDE-based threat modeling to identify architectural risks early, providing actionable guidance to engineering teams to strengthen overall security posture across applications and platforms.
Security Engineering, Penetration Testing

Secura

Cyber Security Specialist

Mar 2022 - Mar 2023 · 1 yr · Amsterdam, North Holland, Netherlands

  • Anatolii had a strong focus on offensive security, conducting network and Active Directory penetration tests to identify privilege escalation paths, lateral movement opportunities, and critical misconfigurations. Performed web and mobile application penetration testing and developed mobile security testing guidance to standardize assessment approaches and improve testing quality. Delivered clear, actionable remediation recommendations to strengthen client security posture across environments.
Active Directory, Microsoft Entra ID

DataArt

Cyber Security Consultant

Oct 2019 - Feb 2022 · 2 yrs 4 mos · Wrocław, Dolnośląskie, Poland

  • Performed penetration tests of mobile applications related to finances, education, logistics, client services, and others. Basically, tests included four phases: threat modeling, security testing (ST/DT), recommendations report writing, and fixes reassessment. During Dynamic Testing, besides the mobile-related issues, Anatolii also evaluated the security of the back-end components, APIs, and implementation of transport security mechanisms. During Static Testing, he investigated the source code, looked for extraneous functionality presence and sensitive data hardcoding, and estimated the overall code quality.
  • Anatolii also conducted vulnerability assessments of web applications and related server-side components. Among the solutions were banking, trading, healthcare, resources management, client services, streaming, traveling, and others. The tests included black-box testing, as well as white-box ones. All of them were based on compliance regulations such as GDPR, PCI DSS, and the OWASP project.
  • Being engaged in penetration testing of connected devices (IoT), Anatolii evaluated the security mechanisms implemented by the devices. I rarely found that the devices mutually authorized services while protecting the confidentiality, integrity, and privacy of the data they collected and shared between the endpoints.
  • During the testing, I faced an increasing number of cloud-based solutions. As organizations continue to develop new applications or migrate existing applications to cloud-based services, new potential vulnerabilities appear. Lately, I've been identifying different authorization and authentication issues within the implementations of the Amazon solutions (e.g., AWS Cognito, AWS S3), Okta, Azure, and other popular cloud providers.
Security Consulting, Security Research

Deloitte

2 roles

Cyber Security Consultant

Sep 2018 - Oct 2019 · 1 yr 1 mo · Kiev Region, Ukraine

  • Performed technical evaluations of the client's solutions to identify risks and to assess the design and effectiveness of controls established to ensure confidentiality, integrity, and availability of the systems and data.
  • Conducted black-box as well as grey-box network penetration tests using Metasploit Framework, Nessus, Netsparker, and other automated scanners to uncover vulnerabilities or loopholes in the infrastructures of international companies. Advised developers on impacts from assessments and potential solutions for fixing the issues identified.
  • Conducted Web/Mobile Applications Vulnerability Assessments for banking and healthcare applications using Burp Suite, OpenVAS, Nikto, OWASP ZAP, SQLmap, and other open-source tools. During penetration tests of mobile applications and related infrastructure, I used the following software: networking (Proxyman, Wireshark, Nessus, Nmap), Swiss knife (Passionfruit, Cydia tweaks, Frida with modules, Metasploit Framework), static and dynamic analysis (Drozer Framework, MobSF, Cycript, SonarQube), reverse engineering (apktool, d2j-dex2jar, Hopper), transport security (testssl), development and source code analysis (Android Studio, Xcode). Additionally, for some projects, I built custom tools for security audits of the solutions.
  • After each test was completed, I prepared reports containing detailed information about the identified vulnerabilities and the effort required for remediation, and assisted customers in filling the security gaps that were identified.

Intern

Jun 2018 - Aug 2018 · 2 mos · Kiev Region, Ukraine

Education

National Technical University of Ukraine 'Kyiv Polytechnic Institute'

Bachelor's degree — Cybersecurity

Jan 2017 - Jan 2021
