OFFENSIVE SECURITY RESEARCHER

Chowdhury Faizal Ahammed

Senior Cloud IAM Engineer at Synchrony Financial. Building secure systems by knowing exactly how they break.

7+ Years
6 CVEs
24 CTF Wins
5 Certs

// about me

About Me

Breaking things to make them stronger

~/about/stats.sh
$ cat stats.json | jq '.'
{
"CVEs_Published": "6",
"CTF_Wins": "24",
"Certifications": "5",
"Years_Experience": "7+",
"Tools_Built": "3",
"Status": "Breaking Things"
}
$

I'm a 24-year-old security enthusiast who's been breaking things since my teens. With 7+ years in offensive security, I've evolved from curious script kiddie to a seasoned penetration tester and cloud security architect.

Currently serving as a Senior Cloud IAM Engineer at Synchrony Financial, I architect enterprise-scale identity and access management solutions while maintaining my offensive edge through red teaming and bug bounty hunting.

I hold multiple CVEs across SSRF, RCE, IDOR, and XSS vulnerability classes, and I've competed in CTFs at both national and international levels. My unique blend of offensive security and cloud engineering gives me an attacker's perspective on defense — I build secure systems because I know exactly how they break.

// cve discoveries

CVE Discoveries

Vulnerabilities responsibly disclosed across SSRF, RCE, IDOR, and XSS classes

CVE-2026-27129 | Severity: High | Class: SSRF

Server-side request forgery allowing internal network access and cloud metadata exfiltration.

CVE-2026-27127 | Severity: Critical | Class: RCE

Remote code execution via unsafe deserialization of user-controlled input.

CVE-2026-25498 | Severity: High | Class: IDOR

Insecure direct object reference enabling unauthorized access to user resources.

CVE-2025-68454 | Severity: Critical | Class: RCE

Remote code execution through command injection in file processing pipeline.

CVE-2025-67436 | Severity: High | Class: SSRF

Server-side request forgery via URL parameter manipulation in API endpoint.

CVE-2022-2170 | Severity: Medium | Class: XSS

Stored cross-site scripting through unsanitized user input in application interface.

// certifications

Certifications

Validated offensive security expertise

OSCP+

OffSec Certified Professional+

OffSec

CRTA

Certified Red Team Analyst

CyberWarFare Labs

AD-RTS

Certified AD Red Team Specialist

CyberWarFare Labs

CNPen

Certified Network Pentester

The SecOps Group

CAP

Certified AppSec Practitioner

The SecOps Group

// ctf achievements

CTF Achievements

National and international competition wins

24 Competition Wins: across national & international CTFs
Runner Up: Blackhat USA CTF (BugCrowd)
5th Place: Blackhat Asia CTF (BugCrowd)

// arsenal

Arsenal

Languages, tools, and techniques in the toolkit

Python
Bash
Golang
JavaScript
AWS
Terraform
CloudFormation
Cloud Security Architecture
Red Teaming
Penetration Testing
Vulnerability Research
Exploit Development
Reverse Engineering
AppSec (SAST/DAST)
Sliver C2
Cobalt Strike
Caldera
Agentic AI Development
// open source

Open Source

Security tools built and released for the community

~/projects/adcsdumper

ADCSDumper

Active Directory Certificate Services enumeration and exploitation tool for red team operations.

Tags: Python, Active Directory, Red Team, ADCS
~/projects/catrole

catrole

AWS IAM role enumeration and privilege escalation discovery tool for cloud security assessments.

Tags: Python, AWS, IAM, Cloud Security
~/projects/tfswitch

tfswitch

Terraform version manager for seamless switching between Terraform versions in your workflow.

Tags: Go, Terraform, DevOps, CLI
// contact

Contact

Let's connect

~/connect.sh
visitor@faizal:~$ ./connect.sh
[*] Establishing secure connection...
[+] Available channels:

Available for security consulting, bug bounty collaboration, red team engagements, and speaking opportunities.