About
Hamza Haroon
👋 I'm Hamza Haroon a.k.a TheGriffyn
An AI Security Engineer and Offensive Security Researcher specializing in building and breaking autonomous systems.
I work at the intersection of AI, cybersecurity, and offensive security, focusing on developing intelligent attack simulations, analyzing real-world threats, and engineering scalable security infrastructure.
I believe the future of offensive security lies in autonomous systems capable of thinking, adapting, and executing attacks at scale. My work focuses on bridging the gap between human-driven pentesting and AI-powered security automation.
With a strong background in OSINT, malware analysis, and digital forensics, I enjoy designing realistic security challenges and solving complex security problems.
🚀 Core Expertise
- Offensive Security & Red Teaming
- AI in Cybersecurity (Agentic Systems & Automation)
- Network Forensics & PCAP Analysis
- Web Application Security
- DevOps & Infrastructure Engineering
- CTF & Cyber Range Development
💼 Experience
Senior Security Researcher — Nua Security (Sep 2025 – Present)
- Leading a security research team and contributing to core engineering of Shax, an autonomous AI offensive security platform
- Driving research in offensive security, web application security, and AI-driven attack simulation
Agentic AI Engineer — Nua Security (Jan 2025 – Aug 2025)
- Engineered core AI systems for Shax, focused on autonomous offensive security workflows
- Designed and deployed agent-based AI systems for cybersecurity automation
Content / DevOps Engineer (Application Security) — Nua Security (Oct 2023 – Jan 2025)
- Led QA and publishing of cybersecurity challenges (Trustline Challenges)
- Designed and maintained scalable infrastructure pipelines (DevOps)
- Analyzed penetration testing reports, prioritized vulnerabilities, and supported remediation
VAPT Engineer — AirOverflow (Nov 2022 – Present)
- Conducting penetration testing for public and private sector organizations
- Security trainings for various organizations
- Developing CTF challenges across DFIR, AI, Crypto, Malware, and Reverse Engineering
Education
- Masters in Information Security from National University of Science & Technology (NUST) (2025 - ongoing)
- Bachelors in Cyber Security from Air University, Islamabad (2021 - 2025)
Certifications
- Offensive Security Certified Professional Plus (OSCP+)
- Offensive Security Certified Professional (OSCP)
- eLearnSecurity Certified Professional Penetration Tester (eCPPT)
- Cisco Certified Network Associate
- CS50P (Harvard University)
HacktheBox
🎯 Achievements
- 🥈 2nd Place — Pakistan Cybersecurity Challenge (NCCS) (2024)
- 🥈 2nd Place — Pakistan Cybersecurity Challenge (NCCS) (2023)
- 🥉 3rd Place — National Cyber Security Hackathon CTF (Ignite & MoITT) (2023)
- 🌍 World Top 35 — Black Hat MEA CTF World Finals (2023, 2024, 2025)
- 🥉 3rd Place — NUST Hackathon CTF (MCS) (2023)
🏆 Honors
- NUST High Achiever Gold Medal (2026)
- Wall of Fame at Air University (2023)
Recognized as a top performer in the Cyber Security Department
Projects
- Shax - Shax is an autonomous AI agent that performs end-to-end web application penetration testing at machine speed and scale. I worked on the core AI/agentic engineering, security research, and system architecture, building the offensive security intelligence that enables the agent to autonomously discover, exploit, and report vulnerabilities across enterprise applications. I also lead the Security Research team, driving the offensive security roadmap and aligning AI capabilities with real-world pentesting methodologies.
- National Cybersecurity Trainings 2023 - I was one of the three Technical Organizers for the online module of the Ignite's Nationwide Cyber Security Training Workshops 2023 across 9 cities in Pakistan where thousands of students attempted my challenges. I was responsible for all the technical infrastructure, challenges, training of instructors across Pakistan. The project was done under Ignite by Ministry of IT and Telecom.
- AIRange - AIRange is a student built and managed Cyber Range with Capture The Flag and Attack Defense platform solely for learning of Air University Students.
CVE Disclosures
I have reported 18 CVEs across open-source supply-chain tooling, focusing on code generators that process attacker-controlled schemas and emit executable source code. The findings span remote code execution, SSRF, arbitrary file read, and credential exfiltration across both npm and PyPI ecosystems.
swagger-typescript-api — 6 CVEs (npm, ~600K downloads/week)
| CVE | Description | Type | CVSS | Severity |
|---|---|---|---|---|
| CVE-2026-54662 | fetch baseUrl static initializer — module-load RCE | RCE | 8.3 | High |
| CVE-2026-54661 | axios baseUrl constructor — per-instance RCE | RCE | 8.3 | High |
| CVE-2026-54666 | OpenAPI path string template literal — per-call RCE | RCE | 8.3 | High |
| CVE-2026-54664 | Enum string value — module-load RCE via bare block injection | RCE | 8.3 | High |
| CVE-2026-54660 | Authorization-token exfiltration via $ref to attacker host | Token Leak | 7.4 | High |
| CVE-2026-54663 | SSRF via spec $ref with no private-IP blocklist | SSRF | 6.1 | Moderate |
datamodel-code-generator — 12 CVEs (PyPI, ~14.5M downloads/month)
| CVE | Description | Type | CVSS | Severity |
|---|---|---|---|---|
| CVE-2026-54653 | Code injection via attacker-controlled default_factory schema field | Code Injection | 8.8 | High |
| CVE-2026-54690 | SSRF via JSON-Schema $ref to any HTTP URL, fetched by default | SSRF | 8.2 | High |
| CVE-2026-54691 | SSRF via --url: no host or IP validation, follows redirects | SSRF | 8.2 | High |
| CVE-2026-54621 | Code injection via unescaped \r in GraphQL Union description | Code Injection | 7.8 | High |
| CVE-2026-54654 | Code injection via unescaped \r in --extra-template-data comment | Code Injection | 7.8 | High |
| CVE-2026-54655 | Code execution on import via x-python-type JSON-Schema extension | RCE | 7.8 | High |
| CVE-2026-54656 | Code execution on import via unescaped validators in template data | RCE | 7.8 | High |
| CVE-2026-55415 | Code injection via x-python-import / customTypePath in import statements | Code Injection | 7.5 | High |
| CVE-2026-55389 | Arbitrary file read via $ref (file:// and ../), bypassing --no-allow-remote-refs | File Read | 7.5 | High |
| CVE-2026-55390 | Arbitrary file read via XSD schemaLocation path traversal | File Read | 7.5 | High |
| CVE-2026-55391 | SSRF protection bypass via DNS rebinding (TOCTOU) | SSRF Bypass | 7.5 | High |
| CVE-2026-55403 | Authorization and request headers leaked to cross-origin redirect target | Token Leak | 3.7 | Low |
Additional Experiences
- Technical Secretary at Air University Cyber Security Society (2023 - Present) - I am leading Red, Blue, CTF and Coding Teams at AUCSS.
- Joint Secretary at Air University Cyber Security Society (2022-2023)
- Graphics Team Lead at Google Developer Student Club Air University (Aug 2022 - Nov 2023) - p.s fun fact: the logo used by GDSC-AU is designed by me :P
- Think Tank Lead at Microsoft Learn Student Ambassadors Air University (Mar 2022 - Jun 2022)
Reach out to me
- Discord:
TheGriffyn - Email:
hamzaharooon@protonmail.com - Twitter: @thegr1ffyn
- LinkedIn: Hamza Haroon
- GitHub: thegr1ffyn
- Website: thegriffyn.me