Cybersecurity entrepreneur.
I've been writing code for 10 years and breaking into systems for the last 3. OSCP certified, built vulnerable machines for OffSec Proving Grounds. Now I'm on the other side — building security products for companies that actually need them.
Things I shipped.
Automated vulnerability tracking for security teams. Continuous visibility across your stack — from disclosed CVEs to the patch landing in production.
Landing page → promo video in 30 seconds. Shipped in 2026, shut down shortly after — lessons stayed, the domain didn't.
Vulnerable machines I designed.
Five vulnerable machines shipped to OffSec Proving Grounds — each a chained exploit scenario, designed to teach the path from foothold to root.
disposeDocument() → webshell RCE, then tar wildcard injection in a root cron → root.
Mar 2026
pending
phpSelection field in CyberPanel, unauthenticated request → root.
Feb 2025
03
Leyla
SSTI chained with a WordPress plugin flaw (CVE-2024-8352, a directory traversal in the Social Web Suite plugin), then privesc to root.
Dec 2024
04
Jordak
Exploitation of CVE-2023-26469 on an exposed service, followed by privilege escalation via sudo permission abuse.
Sep 2024
05
Vmdak
Web enumeration and exploitation, MySQL enumeration, and a chained local privilege escalation path.
Aug 2024
About.
Hey, I'm Ali. I'm a software developer and security researcher with 3+ years of experience in web and mobile security, local network assessments, and Active Directory exploitation. I worked at startups and a telecom company.
OSCP certified. I build vulnerable machines for OffSec Proving Grounds.
Now I'm turning my security work into products by building a cybersecurity company.
Build-in-public.
Notes from an indie founder. Occasional, when there's something worth saying.