About

I’m inneromost — an independent offensive security consultant and penetration tester. This is where I publish technical write-ups, exploit walk-throughs, red-team tradecraft, and security research from the field and the lab.

What I do

I run authorized security assessments for organisations that want to know how a real attacker would get in — and how to stop them.

  • Web & API penetration testing — OWASP-aligned, manual-first, business-logic focused
  • External & internal network testing — perimeter, pivoting, lateral movement
  • Active Directory & assumed-breach / red team — Kerberos abuse, ADCS, privilege escalation
  • Cloud & infrastructure reviews — misconfigurations, identity, hardening
  • Tooling & detection research — building, obfuscating, and measuring detection of offensive tooling

Every engagement comes with a clear, prioritised, remediation-focused report — not just a vulnerability dump.

This blog

Notes-to-self made public: methodology, CTF and lab write-ups, exploit development, and the occasional deep dive into how detections actually work. Everything here is from authorized testing, my own lab, or public research.

Work with me

All testing described on this site was performed with explicit authorization or in isolated lab environments. Nothing here is intended to facilitate unauthorized access.