moizxsec

About

I'm Abdul Moiz, an offensive security engineer based in Pakistan. I work full time as an Application Security Engineer at a HIPAA / SOC 2 healthcare SaaS, where I run penetration tests against our own products, design and validate the federated identity layer, own the AWS WAF rule set, and ship multi-agent AI tooling for shift-left security review on every pull request.

Before that I was a junior penetration tester at a Pakistani security consultancy. Over eighteen months I led web application engagements, an internal Active Directory red team ending in Domain Admin and Golden Ticket persistence, and external network vulnerability assessments across roughly two thousand internal hosts.

Outside paid work I disclose vulnerabilities in open-source projects under responsible disclosure. I'm credited on the FileGator v7.14.2 changelog and the starlette draft advisory GHSA-cm5j-qvph-7x6w. I also conduct independent research engagements against external attack surfaces — those clients stay confidential; the techniques don't.

What I work on

  • Web and API penetration testing — OWASP, NIST SP 800-115, PTES, OSSTMM
  • Active Directory and Entra ID / Azure AD identity attacks
  • AWS WAF rule design and adversarial validation
  • SAML, OAuth 2.0, OIDC, JWT exploitation
  • Cloud misconfiguration — AWS, Azure, Firebase, Power Platform
  • LLM / agent security — prompt-injection defense, dual-LLM cascades, automated CVE triage

How to reach me

Email is the most reliable channel. For coordinated disclosure, please use my email and give me a reasonable window before public release.

Disclosure policy

I follow a 90-day coordinated disclosure window from the date a vendor acknowledges receipt. If a vendor is unresponsive after reasonable follow-up, or if active exploitation is observed, I may publish sooner. Findings from authorized commercial engagements are only published with the client's written consent or in a fully sanitized form that preserves the technical class without identifying the client.