[ 00 ] identity

notes from a pentester.

$ whoami Jay Patel // pentester, bug hunter, perpetual learner

This is my personal corner of the internet — write-ups, half-baked thoughts, field notes from eight years of breaking things for a living. Nothing here speaks for any employer. Just me, after hours, with coffee.

08+ years on offence
200+ pentests completed
12+ public write-ups
OSCP+ EWPTXv2 · AZ-500
[01] writing

what i'm thinking about.

Topics I keep coming back to. Rough map of my obsessions — each card is a cluster of posts, CTF notebooks and late-night rabbit holes.

01

web & api internals

Notes on chaining business-logic flaws, auth bypasses, SSRF, race conditions and IDORs. The subtle stuff that scanners never find on their own.

  • burp
  • caido
  • nuclei
  • postman
02

infrastructure notes

Lab write-ups on misconfigs, weak service accounts, unpatched edges — the long quiet walk from initial foothold to domain admin.

  • nmap
  • crackmapexec
  • bloodhound
  • impacket
03

mobile ios / android

Runtime hooking with Frida, SSL pinning bypasses, insecure storage — the stuff that surprises me every time I pick up a new app.

  • frida
  • mobsf
  • objection
  • ghidra
04

cloud — aws / azure / gcp

IAM abuse paths, over-permissive roles, metadata attacks, cross-account trust. One leaked key, mapped out end to end.

  • pacu
  • scoutsuite
  • prowler
  • rusty-hog
// most-read
05

ctf & lab journals

HackTheBox, TryHackMe, personal lab machines — unfiltered notes including the wrong paths, the dead ends, and the moment something finally clicks.

  • htb
  • thm
  • vulnhub
  • home lab
06

tooling & snippets

Small Python utilities, Burp extensions, semgrep rules and shell one-liners I keep rewriting. Posting them here so future-me can find them again.

  • python
  • bash
  • burp ext
  • semgrep
[02] about

dossier — subject: jay_p

I started breaking things legally in 2018, straight out of a Master's in Info Tech at Victoria University, and I haven't really stopped since. 200+ pentests later — across banks, government, fintech and healthcare — I've seen one forgotten SSRF turn into domain-wide compromise through AWS SSM — no 0day required.

This site is my personal notebook. It's where I dump write-ups, CTF notes, half-finished exploit chains and the occasional opinion. Nothing here represents any employer, client, or platform I've ever worked with.

If something here helped you, or if I got something wrong — I'd genuinely love to hear about it. That's half the reason I keep posting.

classification: public JAP-0041
callsign: ghostshift
based: Melbourne, AU
discipline: offensive security
education: M.IT — Victoria Uni
languages: en · hi · gu
drink of choice: long black, no sugar
status: posting semi-regularly
[03] experience

mission log.

Each role, in reverse-chronological order. Longest current deployment in bold.

  1. 2022.09 → now

    analyst, offensive security

    National Australia Bank · Melbourne
    enterprise · finance · bug triage · sast
  2. 2021.12 → 2022.09

    technical consultant, pentester

    DXC Technology · Australia
    gov · enterprise · consulting
  3. 2019.04 → 2021.12

    associate consultant, technical

    DXC Technology · Australia
    sdlc · threat modelling
  4. 2018.03 → 2019.04

    penetration tester

    Global Garner Sales Services · India
    web · waf · bounty-ops
[03.b] research & bug bounty

after hours.

Side work on curated pentest platforms. Conducted entirely off-hours on personal tooling, with zero overlap with full-time employment.

  1. 2021.12 → now

    core lead penetration tester

    Cobalt (PtaaS Platform) · Remote
    • Contributed to over 100 penetration testing engagements through Cobalt's Pentesting as a Service platform, covering cloud environments, internal and external networks, APIs, mobile applications, and PCI scoped systems.
    • Led and executed full assessment cycles, including testing, documentation, reporting, and client communication, ensuring high quality and actionable outcomes.
    • Collaborated with global security professionals and supported peers during engagements, acting as a technical point of contact for client discussions and coordination.
    ptaas · 100+ engagements · pci · client-facing
  2. 2025.01 → now

    pentester

    HackerOne · Remote
    • Part of HackerOne's pentest team, performing security assessments for private programs across major global organisations.
    • Conduct penetration testing on web applications, APIs, and infrastructure as part of structured engagements.
    • Work conducted entirely off hours using personal tooling, with no overlap with full time employment.
    private programs · web · api · infra
  3. 2021.02 → 2024.12

    red team member

    Synack · Remote
    • Conducted advanced vulnerability research and exploitation in a private, curated Red Team environment.
    • Specialised in high impact bug bounty testing with a focus on quality triage, stealth exploitation, and actionable reporting.
    • Delivered real world exploitation intelligence to top tier enterprise clients through Synack's secure platform.
    srt · vuln research · stealth
[04] arsenal

loadout — daily drivers.

Not an exhaustive list — just what's actually open on my second monitor most days.

offence

09
  • Burp Suite Pro: primary web proxy + extender stack
  • Caido: lighter-weight alt for fast recon tests
  • Metasploit: payload delivery + post-ex modules
  • Nmap: scan scripting w/ custom NSE
  • Nuclei: custom template library for known CVEs
  • SQLMap: when it's easier than the hard way
  • Frida: mobile runtime hooking
  • MobSF: static mobile baselining
  • Impacket: AD abuse primitives

defence / review

05
  • Snyk: SCA + container scanning
  • Checkmarx: enterprise SAST
  • Semgrep: custom rules on top of open rules
  • SonarQube: code quality + security gates
  • Qualys / Netsparker: DAST at scale

cloud & lang

08
  • AWS: IAM, STS, EKS, Lambda
  • Azure: entra id, defender, sentinel
  • GCP: workload identity fed.
  • Python: tooling & exploit chains
  • JavaScript / TS: xss & prototype pollution
  • Bash / Zsh: glue everywhere
  • Go: when speed matters
  • SQL: because it always ends here

frameworks

06
OWASP Top 10 · OWASP ASVS · OWASP MASVS · MITRE ATT&CK · NIST 800-115 · PCI DSS v4
[05] credentials

certified on paper too.

[06] field work

bug bounty & research.

Side-quests and rabbit holes. None of this is client work — just what I do after hours on my own kit.

ptaas platforms 2021 → present

freelance pentester

Hundreds of hours of freelance pentests across cloud, API, mobile and internal networks. Kept to myself, published only as generalised lessons.

100+ engagements
home lab ongoing

personal research

A rack of beat-up hardware, a pile of VMs and a Proxmox host that's always too hot. Where I test theories before I ever type them into a real client brief.

24/7 uptime, mostly
ctf circuit weekends

ctf & community

HackTheBox, TryHackMe, the occasional con CTF with friends. I write the good ones up here — the bad ones I quietly forget about.

htb: pro hacker
[07] say hello

found something interesting?

Questions, corrections, recommended reading, good CTF invites — all welcome. I reply to almost everything, eventually.

jay@ghostshift : ~/inbox $
pgp fingerprint 9F2A 4C01 77BE D3A5 · 8821 64FF 90E2 7E3B · 5511 2A6C