Hello, I’m Zenal Arifin
Offensive Security Engineer
Welcome to my portfolio. I am an Offensive Security Engineer with a strong passion for identifying and exploiting system vulnerabilities to strengthen organizational security.
About Me
I am an Offensive Security Engineer with over six years of experience in penetration testing, bug bounty hunting, and vulnerability assessment.
I am also the founder of Security Crash (Secrash), a cybersecurity learning community.
Main areas of focus:
- Penetration Testing (Web, Mobile, Desktop, ATM, Infrastructure)
- Bug Bounty Hunting and Vulnerability Research
- Security Training and Education
- CVE Discovery and Responsible Disclosure
Skills & Technologies
Penetration Testing Tools
Burp Suite, OWASP ZAP, Nessus, Metasploit, Cobalt Strike, Empire,
Nmap, Masscan, ZMap, Wireshark, tcpdump, netcat, etc.
Programming & Scripting
Python (custom penetration testing scripts), Bash, Ruby, JavaScript, PHP, SQL
Operating Systems & Platforms
Kali Linux, Parrot Security OS, Windows, Linux, macOS,
Active Directory, Exchange, Cloud Platforms (AWS, Azure, GCP)
Specialized Areas
- Mobile Application Penetration Testing (Android/iOS - Static & Dynamic Analysis)
- Web Application Security (OWASP Top 10)
- Desktop and ATM Penetration Testing
- Infrastructure Security Assessment
- Vulnerability Assessment (Nessus, Acunetix, Archerysec)
Featured Projects
1. Security Crash (Secrash) - Founder & Writer
Platform: Educational Security Community (October 2021 - Present)
A cybersecurity education platform for the public:
- Creates cybersecurity learning content and tutorials
- Provides an open discussion space for security topics
- Delivers educational materials, tips, and technical insights
- Manages and engages with the security community
| Website | GitHub |
2. Bug Bounty Achievements
Platforms: HackerOne, Redstorm, and private programs
Identified multiple vulnerabilities on well-known platforms, including:
- Bank Neo – Parameter Tampering in Loan Module
- Amazon – Broken Access Control
- Julo – No Rate Limit Attack
- Moladin – Broken Access Control
- Bibit & Stockbit – No Rate Limit Bypass (DotTrick)
3. CVE Discoveries
Organizations: Mozilla, JD.id, Google, Pitch, PhpIPAM
Responsible vulnerability discoveries resulting in official CVE assignments:
- CVE-2023-0676
- CVE-2023-0677
- Followed responsible disclosure practices
- Contributed impact assessments and remediation reports
Professional Experience
IT Security Consultant | PT. [REDACTED] (2022 - 2025)
- Conducted comprehensive penetration testing for enterprise clients
- Developed and implemented tailored security consulting solutions
- Performed vulnerability assessments and risk analysis
- Delivered cybersecurity training and awareness programs
IT Security | PT. [REDACTED] (2020 - 2022)
- Built the foundation of a professional career in cybersecurity
- Implemented corporate security controls and policies
- Conducted monitoring and incident response activities
- Led internal security awareness programs
Freelance Bug Hunter (2018 - Present)
- Participated in public and private bug bounty programs
- Discovered vulnerabilities in major online platforms
- Followed responsible disclosure procedures leading to CVE assignments
- Conducted independent security research and vulnerability analysis
Education & Certifications
Education
- Bachelor of Informatics Engineering – [REDACTED] (2022 - Present)
- Social Sciences – [REDACTED] (2017 - 2020)
- [REDACTED] (2015 - 2017)
Cybersecurity Certifications
- OSCP (Offensive Security Certified Professional) – Offensive Security (Sep 2024)
- eCPPT (Certified Professional Penetration Tester) – INE Security (Aug 2024)
- eWPTX (Web Application Penetration Tester eXtreme) – INE Security (Jan 2025)
- eMAPT (Mobile Application Penetration Tester) – INE Security (Mar 2023)
- CAP (Certified AppSec Practitioner) – SecOps (May 2024)
- CNSP (Certified Network Security Practitioner) – SecOps (May 2024)
- C3SA (Certified Cyber Security Analysis) – Cyberwarfare (Jan 2025)
- MCRTA (Multi-Cloud Red Team Analyst) – Cyberwarfare (Feb 2025)
- CPSA (CREST Practitioner Security Analysis) – CREST (May 2025)
- CSFPC (Cyber Security Foundation Professional Certificate) – CertiProf (Apr 2021)
Achievements & Recognition
- CVE Discoveries: CVE-2023-0676, CVE-2023-0677
- Security Trainer and Educator
- Proven track record in bug bounty programs
- Responsible vulnerability disclosures to Mozilla, JD.id, Google, Pitch, PhpIPAM
Contact
I am open to discussions regarding security projects, research collaborations, or general conversations about cybersecurity.
- GitHub: github.com/z3n70
- Website: Security Crash (Secrash)
Blog & Publications
I actively write articles on cybersecurity and offensive security topics through Security Crash (Secrash):
- “Mobile Application Penetration Testing Guide”
- “Web Application Security: OWASP Top 10 Deep Dive”
- “Bug Bounty Hunting: Tips and Tricks for Beginners”
- “ATM Penetration Testing: Security Assessment”
- “Infrastructure Security: Network Penetration Testing”
Thank you for visiting my portfolio. Feel free to reach out if you would like to collaborate or discuss cybersecurity.