Penetration Tester · Security Consultant · Lebanon · Remote

Tony Khoriaty

What you don't see is what gets used against you.

Most Lebanese businesses are already exposed. They just haven't been told yet.

That gap doesn't close by itself.

What the attacker already knows.

Breaches don't start with sophistication. They start with something nobody checked — a misconfigured service, an API returning more than it should, an access control nobody thought to question. The exposure exists before anyone exploits it. The question is always who finds it first.

Penetration testing, vulnerability assessments, and OSINT investigations across web applications, APIs, and networks. Not to generate compliance reports — but to show exactly how an attacker would move through your environment, in plain terms that lead to real decisions.

Every finding on this page was discovered on a live, production system — not a lab. Actively engaged in bug bounty programs on HackerOne and Bugcrowd.

01 · Scoping
Define the target, boundaries, and rules of engagement. Nothing begins without written authorization.

02 · Reconnaissance
Map the attack surface using passive and active techniques — OSINT, infrastructure analysis, source review.

03 · Testing
Simulate what an attacker would actually do — not just scan for CVEs. Exploit chains, business logic, access controls.

04 · Reporting
Every finding documented with real impact context, reproduction steps, and severity rating. No filler, no fluff.

05 · Debrief
Walk through findings with your team. Technical depth matched to your audience.

The work.

Every engagement starts with understanding what's actually there. From a focused vulnerability assessment to a full penetration test — the scope is defined by your environment and your risk, not by a preset package.

Penetration Testing

  • Web application & API testing
  • External network assessment
  • Business logic flaw analysis
  • Vulnerability validation & triage
  • Detailed report + debrief

OSINT & Reconnaissance

  • Digital footprint mapping
  • Exposed asset discovery
  • Infrastructure exposure analysis
  • Breach & leak investigation
  • Due diligence profiling

Security Consulting

  • Security posture review
  • Risk identification & prioritization
  • Remediation guidance
  • Incident awareness & response
  • Ongoing advisory retainer

Real findings. Real systems.

These findings were discovered on live, production systems through authorized testing and responsible disclosure. Not simulations. Not labs.

Insecure Direct Object Reference · IDOR

A different number in the request. A different company's data in the response.

Multi-tenant application. One parameter changed. No elevated access, no special tooling — just a value that wasn't yours. Every organization on the platform was reachable the same way.

High · Broken Access Control

Authentication Bypass

The lock was there. The door was open.

Authentication logic that permitted access under conditions the application never intended. The entry point looked protected. The enforcement behind it wasn't. Discovered and reported through responsible disclosure.

High · Authentication Bypass

Excessive Data Exposure

The interface showed one record. The API returned all of them.

Every authenticated session had access to the full dataset — names, IDs, personal records belonging to every employee in the system. The front end filtered the view. The back end didn't.

Medium · Excessive Data Exposure

Username Enumeration

The login page was answering a question nobody should be asking.

Distinct server responses before a single password was tried. Existing accounts confirmed, non-existing ones rejected — differently. A quiet detail that turns a blind attack into a targeted one.

Low · Information Disclosure

Exposed Attack Surface · Passive Reconnaissance

The exposure was already public. Nobody had looked.

Passive reconnaissance only. No credentials, no probing, no contact with any system. Publicly indexed devices running unpatched firmware with known critical vulnerabilities — visible to anyone with the right query. The question was never whether the exposure existed. It was whether anyone would find it.

Critical · Unpatched Infrastructure

Let's talk about your exposure.

No two situations are the same. The conversation starts with yours — what you have, what's at risk, and where the gaps are. The work follows from there.

Available for new engagements