I'm an Offensive Security Engineer

I help teams find and fix exploitable weaknesses across web apps, APIs, cloud and networks. My work blends manual testing with OWASP and MITRE ATT&CK mapping, CVSS-scored reports and remediation validation.

Trusted by CodeZain Ltd and Ditech Limited for comprehensive penetration testing.

5 Years in Offensive Security
7 Years of Critical Issues Remediated

Your Offensive Security Partner

Validate attack paths, map findings to OWASP and MITRE, then turn evidence into fixes through Reconnaissance, Validation, Reporting and Retesting.

  • Reconnaissance

    OSINT, asset discovery and service mapping to define your attack surface.

  • Validation

    Safe manual validation to prove impact without damaging production systems.

  • Reporting

    CVSS reports, remediation guidance and retesting to confirm fixes.

  • Offense shaped by defense

Years of Experience: 7+
Projects Secured: 400+

What clients say about the work

Short feedback from the security, infrastructure and business teams I have supported.

"Found issues our own team missed for two years"

Rokibul ran a full external pen test on our infrastructure and uncovered three critical vulnerabilities, including an exposed admin panel we didn't know existed. His report was detailed but easy to act on — our dev team appreciated that. We patched everything within a week.

James Okonkwo

IT Director, Meridian Finance Group

"Calm under pressure when we needed it most"

We had a suspicious login alert at 11pm on a Friday. Rokibul was on a call within the hour, helped us contain the situation, and walked us through the forensic investigation over the next two days. Turned out to be a compromised contractor account — caught before any data left the building.

Sung-min Lee

Co-Founder, Kairon Logistics

"Thorough, honest, and didn't try to upsell us"

Before our Black Friday launch, we hired Rokibul to do a full VAPT on the checkout and payment flow. He flagged a stored XSS issue and a broken access control on our admin API — both could have been catastrophic during peak traffic. Fixed well before launch.

Amelia Tan

CTO, ShopEase

"Passed our ISO 27001 audit on the first attempt"

Rokibul ran a 6-week compliance gap analysis against ISO 27001, produced a remediation roadmap, and supported us through the certification audit. We passed with no major non-conformities. His understanding of both the technical and policy sides is genuinely rare.

David Park

Head of Compliance, PacificTrust Bank

"Our cloud config was a mess — now it isn't"

We knew our AWS setup had grown organically and was probably not great from a security standpoint. Rokibul did a full CIS benchmark review, found 40+ misconfigurations, and helped us prioritize them by actual exploitability rather than just severity score. Night and day difference.

Priya Anand

Engineering Manager, Lenstek Pvt Ltd

"Set up our SOC from scratch, exactly what we needed"

We're a healthcare company with no existing security operations. Rokibul helped us define detection rules, configure Wazuh, and build runbooks for the most likely attack scenarios in our environment. Six months in, we're already catching things we would have missed completely.

Hassan Al-Rashid

CISO, MedCore Systems

"Staff phishing click rates dropped from 34% to 6%"

We ran a phishing simulation before and after Rokibul's awareness workshop. He kept it practical and scenario-specific to retail — none of the generic 'don't click suspicious links' stuff that goes in one ear and out the other. The numbers speak for themselves.

Rachel Lim

Operations Director, Nexgen Retail

"His report held up under investor due diligence"

As a SaaS startup going into Series A, our lead investor requested a third-party security assessment. Rokibul's report was thorough enough to satisfy their technical due diligence with minimal back-and-forth. He also fixed two of the findings himself as part of the engagement.

Omar Fadel

Founder, DataStack

"Post-breach, he knew exactly where to look"

After a data incident, we brought Rokibul in for forensic investigation. He identified the initial access vector, mapped the lateral movement, and gave us a clear picture of what the attacker accessed and what they didn't. That clarity mattered enormously — both internally and with regulators.

Yvonne Cheong

VP Technology, AsiaLend Financial

"Remote engagement, very professional delivery"

We engaged Rokibul for a white-box pen test of our SaaS application from Sweden. Timezone difference was never an issue — he was responsive, delivered the report on schedule, and joined our engineering sync to walk through findings. Would hire again for the next release cycle.

Tom Eriksson

CTO, Nodus Software

"A prioritized list — not just a dump of CVEs"

Our previous vendor handed us a 200-page scan report with no context. Rokibul's assessment was the opposite — concise, ranked by actual exploitability in our environment, with clear remediation steps. Our small IT team could finally act on it without being overwhelmed.

Brittany G. Hereford

IT Manager, Transcend Corp.

"The red team exercise changed the board conversation"

We wanted something we could show leadership. Rokibul designed an exercise that mimicked a realistic threat actor — gained a foothold through a phishing email, moved laterally, and demonstrated what a real attacker could access. Executive attitudes towards the security budget shifted immediately.

Glafira Nazarova

Security Lead, Elevate Brands

"Understood OT environments — not just IT"

A lot of consultants struggle with manufacturing environments where you have PLCs and legacy systems that cannot be patched. Rokibul understood the constraints and proposed a network segmentation approach that improved our security without touching production uptime. Rare expertise.

Hideki Murakami

Head of IT, Tokai Manufacturing

"Found a critical IDOR two days before our API launch"

Two days before our API went live to partners, Rokibul found an IDOR that would have allowed any authenticated user to access any other user's data. We delayed the launch by a week to fix it properly. Uncomfortable at the time, but absolutely the right call.

Buhjah Najeeba Issa

Tech Lead, Innova Labs

"The gap analysis gave us a budget we could defend"

We needed to understand where we stood against NIST CSF before committing to a full security programme. Rokibul's gap analysis gave us a realistic maturity score and a 12-month roadmap we could budget around. It changed how our leadership thinks about security investment.

Yasmin Bergman

Project Manager, Synergy Systems

"Built our security programme from zero"

When we hit 50 staff, we knew we needed a proper security posture but had no in-house CISO. Rokibul served as a part-time security advisor for six months — policies, tooling, vendor reviews, staff training. We now have a solid foundation that actually scales.

Marcus Kwong

CEO, Cloudbridge Solutions

"Security training that people actually stayed for"

We've sat through a lot of annual compliance trainings nobody absorbs. Rokibul's session was different — real attack scenarios, live demos, and Q&A that felt genuinely useful. Attendance was voluntary and we had 90% turnout. That says everything.

Augustina Uros

Business Analyst, Apex Solutions

"Handled a sensitive environment with real care"

Our network holds unpublished research data we absolutely cannot afford to expose. Rokibul was thorough without being disruptive — the audit was conducted with minimal operational footprint and findings were communicated clearly to non-technical stakeholders too.

Rick S. Neiman

CTO, Quantum Research Institute

"Perfect fit for security due diligence on acquisitions"

We invest in tech companies and needed to assess the security posture of a potential portfolio company. Rokibul conducted the review professionally, produced a board-ready summary, and was tactful in how he communicated risk to the target team. Will use him again.

Olivia Cunningham

Director, Visionary Ventures

"PCI-DSS ready in half the time we expected"

As a fintech processing card payments, PCI compliance was non-negotiable. Rokibul knew the requirements well and helped us get SAQ-D ready in about 10 weeks. He was upfront about what we could self-attest and where we genuinely needed to invest. No padding, no upselling.

Hua Tang

Founder, GreenPay Technologies

Technologies & Ecosystems I Work With

Declassified Operations

Recent production case studies and high-stakes engagements. Access restricted.

[FILE: MOBILE-A]

Mobile Application Penetration Testing

A comprehensive grey-box mobile application penetration test of a digital-health flagship app (VitalisCare, iOS & Android) handling protected health information. The engagement combined static analysis, dynamic instrumentation, and network interception to prove insecure local storage of auth tokens, an SSL-pinning bypass enabling full MITM of PHI traffic, and a hardcoded API key recovered via decompilation — then delivered Keychain/Keystore migration, hardened certificate pinning, and secrets management to achieve HIPAA-aligned launch readiness.

[FILE: API-PENT]

API Penetration Testing

A comprehensive grey-box API penetration test of a global logistics provider (TransGlobe Logistics) spanning 600+ REST and GraphQL endpoints behind a unified gateway. The engagement uncovered and remediated a mass BOLA/IDOR exposure leaking customer shipment manifests, a GraphQL introspection leak chained with query batching to bypass rate limiting, and a blind boolean/time-based SQL injection in an undocumented legacy tracking endpoint — establishing object-level authorization, schema governance, and cost-aware query limits across the estate.

[FILE: CLOUD-SE]

Cloud Security Review

A comprehensive cloud security architecture review of a high-growth, AWS-native SaaS analytics platform (Stratuscale Analytics). The engagement uncovered and remediated a multi-account IAM privilege escalation path via overly permissive assumed roles, a public S3 bucket exposing Terraform state files containing hardcoded secrets, and internet-facing EC2 jump boxes — re-architecting the estate around least privilege, AWS Secrets Manager, strict Security Group rules, and continuous CIS AWS Foundations Benchmark alignment.

[FILE: NETWORK-]

Network Vulnerability Assessment & Pentesting

A comprehensive internal and external network penetration test of a hybrid OT/IT manufacturing enterprise (NordForge Industries) following a merger. The engagement chained a forgotten external VPN endpoint with weak credentials into LLMNR/NBT-NS poisoning, NTLM relay, and an unpatched domain controller (ZeroLogon / Kerberoasting) to prove full Active Directory domain compromise — then delivered network segmentation, SMB signing enforcement, and legacy protocol teardown to prevent ransomware-scale impact.

Research & Solutions

Specialized methodologies to overcome complex security challenges.

Red and Blue Team Notes

Practical notes on pentesting, cloud security, SOC work and incident response.
