junior pentester

Baha — Junior Penetration Tester (Web, Network & AI/ML Security)

Junior penetration tester — web · network · AI/ML.

İstanbul, Türkiye
I
whoami

About

Final-year software-engineering student turned junior penetration tester.

I’m Baha — a final-year software-engineering student in İstanbul who wandered into offensive security and never looked back. What started as curiosity about how systems break turned into the work I want to do for a living: finding the flaw before someone with worse intentions does.

Day to day I break web, network and AI/ML targets on TryHackMe and Hack The Box. I build my own tooling instead of leaning on someone else’s black box, and I document every step — recon, foothold, privilege escalation — so a finding can be reproduced, not just claimed.

Right now I’m grinding toward the OSCP and looking for a junior penetration tester role — based in Türkiye or fully remote. I’m early in the journey and honest about it, but I learn fast, write things down, and show up hungry.

II
skillset

Skills

The arsenal — where the voltage goes.

burp · owasp
Web

Web Application Security

voltage 85%
  • SQL Injection
  • XSS / CSRF
  • Authentication & access control
  • SSRF & deserialization
  • Burp Suite Pro
  • OWASP Top 10

nmap · ad
Network

Network & Infrastructure

voltage 72%
  • Enumeration & recon
  • Service exploitation
  • Privilege escalation
  • Active Directory attacks
  • Pivoting & tunneling
  • Nmap · Metasploit · netexec

llm · adversarial
AI/ML

AI / ML Security

voltage 64%
  • Prompt injection
  • LLM jailbreaks
  • Model evasion attacks
  • Data poisoning concepts
  • Insecure ML pipelines

code · automation
Tooling

Tooling & Languages

voltage 78%
  • Python
  • Bash
  • JavaScript / TypeScript
  • Linux internals
  • Git & CI
  • Docker

III
build log

Projects

Tools, labs and writeups — things I’ve built and broken.

Tooling · live

ReconForge

Modular recon automation that chains subdomain discovery, port scanning and screenshotting into a single report, built to speed up the early phase of an engagement.

Python · asyncio · nmap · httpx

Web · in progress

Burp Authz Mapper

Burp Suite extension that replays each request across user roles to surface broken access control and IDOR automatically.

Java · Burp API · Montoya

AI/ML · in progress

LLM Red-Team Kit

A small harness for testing prompt-injection and jailbreak payloads against LLM-powered apps, scoring responses and logging bypasses.

Python · FastAPI · LangChain

Network · live

Active Directory Lab

Infrastructure-as-code that spins up an intentionally vulnerable AD environment for practising enumeration, Kerberos attacks and lateral movement.

Terraform · PowerShell · Vagrant

CTF · live

CTF Writeups

A growing collection of TryHackMe & Hack The Box writeups — each one walks enumeration → exploitation → privilege escalation step by step.

Markdown · TryHackMe · HTB

Web · live

This Portfolio

The site you're on — Next.js, Tailwind and a hardened CSP, with an AI-generated looping hero. Because a pentester's own site should score an A on the headers test.

Next.js · TypeScript · Tailwind

IV
credentials

Certifications

Proof of work — earned and in the forge.

Network

eJPT

eLearnSecurity Junior Penetration Tester

INE Security · Sep 2025

Web

eWPT

Web Application Penetration Tester

INE Security · Jan 2026

General

Security+

CompTIA Security+

CompTIA · Jun 2025

Network

CNPen

Certified Network Penetration Tester

The SecOps Group · Mar 2026

AI/ML

C-AI/MLPen

AI/ML Penetration Tester

The SecOps Group · Apr 2026

in the forge // in progress
  • OSCP

    Offensive Security Certified Professional

    OffSec · target 2026

    in progress