kac0@kali: ~
┌──(kac0㉿kali)-[~]
└─$

Marco Alfan (kac0)

Offensive & Application Security | Threat Intelligence | Mentor & Trainer

TOP 1 HackTheBox 🇮🇩

Status : ● Available for engagements

Marco Alfan

// About

I'm an offensive security professional who'd rather find the gap before someone else does. My work splits across three areas:

  • Offensive security. Penetration testing and red teaming across web, mobile, and internal networks. I focus on the paths that are easy to overlook, then turn each finding into clear, actionable remediation.
  • Threat intelligence. Tracking how real adversaries operate, their TTPs and infrastructure, and shaping it into intel a team can act on. MITRE ATT&CK is my common ground between offense and analysis.
  • Mentoring & training. Working as a mentor, trainer, and certified competency assessor across cybersecurity, AI, and information technology (emerging technology), helping newer practitioners build real, measurable capability.
6+ Years Experience
50+ Trained & Assessed
TOP 1 HackTheBox 🇮🇩
kac0@kali:~$ cat proof-of-work/

Curious about the actual work? Walk through a few writeups, or catch one of my talks.

expertise/ └── SKILL.md

Web & Application Security

Finding authentication, access-control, and business-logic flaws across web apps and APIs, then turning each into clear remediation.

Network & Infrastructure

Internal and Active Directory assessments: lateral movement, privilege escalation, and full-domain compromise paths.

Mobile Security

Android and iOS application testing through static and dynamic analysis, runtime instrumentation, and API review.

Threat Intelligence

Tracking adversary TTPs and infrastructure, mapped to MITRE ATT&CK, and shaped into intel teams can act on.

Tooling & Automation

Building custom offensive tooling and automating recon-to-exploitation workflows to keep engagements fast and repeatable.

Training & Assessment

Mentoring, training, and certified competency assessment across cybersecurity, AI, and emerging technology.

// Projects

nemu

Precision-first identity discovery tool for username research across platforms, built for accuracy, fewer false positives, and actionable OSINT workflows.

OSINT Threat Intel Python Recon

malwatcher

Malware behavior monitoring and analysis framework for threat detection and classification.

Threat Intel Malware Python

GempurMCP

MCP (Model Context Protocol) integration for AI-assisted security operations and automation.

MCP AI Automation

ToolsFx

Collection of security and utility tools for offensive operations and workflow automation.

Tools Automation

Blind-XSS

Blind XSS payload delivery and out-of-band callback listener for web application penetration testing.

XSS Red Team Python Web Security

Most of what I work on is confidential. These are the few things that can safely exist in public.

// Certifications

// Hall of Fame

Recognized through responsible disclosure & bug bounty programs

Bug Bounty
VDP

// Contact

Interested in red team engagements, threat intelligence consulting, or collaboration on security projects? Reach out anytime.

Available for engagements
LinkedIn /in/marcoalfans