Available for Projects

Hi, I'm Assaf

Cybersecurity researcher & full-stack developer with a passion for breaking things to make them stronger. Based in Riyadh, contributing to digital security.

50+ Security Audits
6+ Projects
15+ CVEs Found
assaf@kali:~
$ nmap -sV --script vuln target.com
Starting Nmap 7.98 scan...
PORT STATE SERVICE VERSION
443/tcp open https nginx 1.25
| vuln-scan: VULNERABLE
| CVE-2026-XXXX: RCE via header injection
| Risk: CRITICAL (CVSS 9.8)
$ █

Who I Am

A security researcher by day, a developer by passion

I'm a cybersecurity engineer based in Riyadh with 10+ years in offensive security. I break things for a living, and I've found 15+ zero-days in platforms like Coolify, GLPI, Portainer, and n8n.

I also build AI agents for security testing. My latest project is a multi-agent system that handles recon, vulnerability hunting, and reporting on its own. Think of it as giving AI a pentester's brain.

OSCP, BSCP, HTB CWEE certified. MSc in Cybersecurity from Liverpool. My dissertation, TrustChain, uses machine learning to catch malware through certificate reputation analysis.

🔒
15+ CVEs Disclosed

Critical vulns in Coolify, GLPI, Portainer, n8n

🎯
AI + Security

Built AI agents that find real vulnerabilities

🌍
OSCP + BSCP + CWEE

Elite offensive security certifications

📋 Quick Facts
Name: Assaf Alassaf
Location: Riyadh, SA 🇸🇦
Focus: Offensive Security & AI
Stack: Python, AI Agents, Laravel
Languages: Arabic, English

Featured Projects

Security research, web development, and open-source contributions

Tech Arsenal

Tools & technologies I work with daily

🔴 Offensive Security

Burp Suite, Nmap, Metasploit, SQLMap, Nuclei, OWASP ZAP, Kali Linux, FFuf, Dalfox

🟢 Development

JavaScript, TypeScript, React, Next.js, Node.js, PHP, Laravel, Python

🤖 Agentic AI

LLM Orchestration, Multi-Agent Systems, AI Code Review, Security Automation, ML Security, OpenClaw

🔵 Infrastructure

Docker, Linux, Nginx, AWS, Git, CI/CD, MySQL, PostgreSQL

Latest Insights

Thoughts on security, development, and the digital landscape

Mar 3, 2026 Command Injection

Coolify: Host-Level RCE via Unescaped Database Credentials in Backup Jobs

How an incomplete security fix in Coolify left 5 credential fields injectable in database backup commands, allowing root-level RCE on all managed servers.

Feb 19, 2026 Account Takeover

FreeScout: From APP_KEY Leak to Full Server Compromise

Static MD5 auth tokens, unrestricted .htaccess uploads, and four unsafe unserialize() calls chain together for full server compromise.


Let's Talk

Have a project in mind? Let's discuss how I can help.

Location

Riyadh, Saudi Arabia