I specialize in manual penetration testing for web applications, backend APIs, and integrated Large Language Model (LLM) interfaces. Instead of relying on noisy, automated vulnerability scanners, I dissect application logic from an adversarial perspective to find hidden entry points.
I build custom Go and Python tools to handle high-speed asset discovery and parameter fuzzing, allowing me to focus my manual analysis entirely on breaking complex business logic and authorization boundaries.
- Core Focus: Manual Web Application & API Penetration Testing.
- Standards Alignment: OWASP Top 10:2021 Framework & OWASP LLM Top 10.
- Operational Control: Production-safe execution with granular Requests Per Second (RPS) throttling.
- Testing Baseline: 100% hands-on lab and real-world infrastructure validation.
[Target: Web Application & Backend API Boundaries]
│
├── Phase 1: Passive Intelligence & Infrastructure Mapping
│ ├── Harvesting OSINT footprints, domain infrastructures, and host IPs
│ ├── Mining Certificate Transparency (CT) logs for shadow subdomains
│ └── Parsing web server metafiles to isolate exposed structural data
│
├── Phase 2: Structural Analysis & Endpoint Enumeration
│ ├── Fingerprinting technology stacks, application frameworks, and API specs
│ ├── Executing brute-force probes for hidden file and directory discovery
│ └── Auditing HTTP method implementations and request behaviors
│
├── Phase 3: Authentication & Configuration Auditing
│ ├── Stress-testing login portals and administrative panels against default credentials
│ ├── Probing session lifecycles for privilege escalation and authorization bypasses
│ └── Identifying system verbosity, configuration defects, and verbose leaks
│
└── Phase 4: Core Input Exploitation & Execution
├── Weaponizing manual input payloads to verify custom SQLi, Reflected XSS, and Stored XSS
├── Breaking file system boundaries via Directory Traversal, LFI, and RFI flaws
└── Testing file upload controls and exploiting command injection for execution boundaries
[Target: Integrated LLM Applications & RAG Data Pipelines]
│
├── Phase 1: Component Threat Modelling
│ ├── Conducting architectural threat modelling across LLM data pipelines and integrated application frameworks
│ ├── Mapping internal data flows across LLM applications, RAG pipelines, and agent frameworks
│ └── Scoring likelihood and impact to prioritize architectural risks using OWASP LLM Top 10
│
├── Phase 2: Context Manipulation & Prompt Injection
│ ├── Executing direct prompt injections to extract hidden system instruction blocks
│ └── Weaponizing indirect prompt injections by embedding malicious instructions in trusted content
│
├── Phase 3: Supply Chain & Model Artifact Triage
│ ├── Reconnaissance and risk-ranking pre-trained model artifacts by provenance signals
│ ├── Running static analysis on pickle files, configurations, and internal dependencies
│ └── Conducting behavioral testing within sandboxed environments to isolate malicious triggers
│
└── Phase 4: Data Integrity & Poisoning Assessment
├── Auditing active ingestion pipelines to detect and mitigate data poisoning attacks
├── Assessing the downstream impact of corrupted documents within RAG corpora
└── Documenting technical mitigation strategies and production-safe remediation plans
- Website: https://jakelo.ai/
- Email: hello@jakelo.ai