Available for opportunities

Shikhali Jamalzade

root@alisalive:~$
Baku, Azerbaijan Independent Security Researcher camalzadss@gmail.com
0
Certifications
0
Tools Built
0
Years Old
0
Pentests
[01] Profile

Who's behind the prompt.

shikhali@baku: ~/whoami
root@alisalive:~$ cat profile.txt
root@alisalive:~$
[02] Credentials

Certifications & roadmap.

Seven earned across INE, CyberWarFare Labs, and The SecOps Group, with a clear path toward CWES, CPTS, OSCP, and CRTO.

Roadmap In progress

CWES Next
HTB Certified Web Exploitation Specialist
Hack The Box
CPTS Planned
Certified Penetration Tester
Hack The Box Academy
OSCP Planned
Offensive Security Certified Professional
Offensive Security
CRTO Planned
Certified Red Team Operator
Zero-Point Security
[03] Open Source

Tools built from real gaps.

Every tool here was born from a problem encountered during real security work.

[ 01 ]
RedSEC

Open-source log correlation engine for security professionals. Parses output from 9 industry-standard tools, maps events to the MITRE ATT&CK framework, assigns detection risk scores (0.0–1.0), and exports structured rule sets. 96 automated tests. CI/CD pipeline via GitHub Actions.

PythonMITRE ATT&CKPydanticYAMLCI/CD
View on GitHub
[ 02 ]
GOD'S EYE

AI-powered security reconnaissance tool. Performs web fingerprinting, WAF detection, subdomain enumeration, CVE correlation against detected technologies, CDN bypass, email harvesting, and generates structured HTML reports. Integrates with the Claude AI API. 189+ tests passing.

PythonClaude APIReconOSINTCVE Lookup
View on GitHub
[ 03 ]
XSSSlayer

Real-browser XSS vulnerability scanner built on Playwright. Detects reflected, stored, and DOM-based injection. Uses AI-assisted payload generation for filter bypass. Headless Chrome execution catches issues that proxy-based tools miss. Ships as a global CLI tool with CVSS scoring.

PythonPlaywrightXSS DetectionCVSS
View on GitHub
[ 04 ]
CJ-Scanner

Multi-threaded clickjacking vulnerability scanner. Analyzes security headers (X-Frame-Options, Content Security Policy), supports bulk target input, and generates professional HTML reports ready for client delivery.

PythonMulti-threadingHeader AnalysisCLI Tool
View on GitHub
[ 05 ]
ReadPEAS

Offline LinPEAS/WinPEAS output parser that generates copy-paste privilege escalation commands for CTF and pentest work. Rule-based, no dependencies. GTFOBins coverage across 426 binaries. 219+ automated tests across 15 Linux modules.

PythonGTFOBinsPrivEscCTF
View on GitHub
[04] Capabilities

The toolkit.

// Security Research

// Tools & Platforms

// Development

[05] Track record

Experience.

2026 — Present
WordPress Plugin CVE Research
Independent
  • Independent vulnerability research targeting WordPress plugins. Multiple independently discovered n-day findings across production plugins. Active responsible disclosure pipeline — vendor contact, Docker-based PoC verification, coordinated reporting via WPScan.
2025
Authorized Penetration Tests
Independent · Multiple Clients
  • AI-powered SOC Platform (Next.js/Supabase): Privilege escalation via signup metadata manipulation to admin role, tenant isolation bypass allowing cross-tenant data access, session hijacking via JWT misconfiguration. Complete attack chain documented.
  • Real Estate CRM (Supabase backend): IDOR vulnerabilities across tenant boundaries exposing sensitive client data, broken object-level authorization in property listing endpoints.
2025 — Present
Bug Bounty & Vulnerability Research
Intigriti · HackerOne
  • Firebase API key exploitation — confirmed and acknowledged on Intigriti.
  • Ongoing web application and API security research across multiple bug bounty programs.
2025 — Present
CTF Competitions & Security Research
HackTheBox · TryHackMe · VulnHub
  • HackTheBox: Archetype (SMB enumeration → MSSQL xp_cmdshell → credential reuse), Silentium (Flowise SSRF → internal API → RCE), and multiple active machines.
  • TryHackMe: Attacktive Directory (AS-REP Roasting → Kerberoasting → DCSync → full domain compromise), Olympus (Victor CMS SQLi + unrestricted file upload → RCE), Year of the Rabbit, Startup, Lookup, Wonderland, Overpass, Corridor (IDOR), Bounty Hacker, Biohazard, Break Out The Cage, Checkmate — all with published writeups.
  • VulnHub: sunset:twilight, sunset:dawn, Shenron:1, Warzone:3 Exogen, chatME — full methodology walkthroughs published on Medium.
2025 — Present
Open Source Security Tools & Technical Writing
GitHub (alisalive) · Medium (alisalive.medium.com)
  • Built and published five open-source offensive security tools: RedSEC (log correlation engine), GOD'S EYE (AI recon orchestrator), XSSSlayer (real-browser XSS scanner), CJ-Scanner (clickjacking scanner), ReadPEAS (LinPEAS/WinPEAS output parser).
  • RedSEC recognized by Risto Vaarandi (TalTech professor, creator of the SEC framework) and Clayton Dukes (CEO, LogZilla) — led to a direct Zoom call about potential integration.
  • Technical author on Medium under Infosec Write-ups publication — certification reviews (eJPTv2, CRTA, Web-RTA), machine writeups, and real attack methodology breakdowns.
  • GitHub security audit of all public repositories — confirmed zero exposed credentials or API keys across GOD-S-EYE, XSSSlayer, CJ-Scanner, RedSEC.
[06] Contact

Open to collaborations, opportunities, and interesting problems.

Whether you want to collaborate on a research project, discuss security topics, or explore opportunities — reach out. Response within 24 hours.