EDGAR
HUÉMAC

Penetration Tester & Cybersecurity Engineer

View Work ↓ Get in touch
6+Years in
cybersecurity
120+Engagements
conducted
80+Credentials
earned

Hello!

I'm a Computational Systems Engineer with deep expertise in cybersecurity, specially offensive security. I conduct full-scope pentests, red team engagements and vulnerability research across web, network, Active Directory, and cloud environments.

I follow industry methodologies including PTES, OSSTMM, OWASP, ISSAF, and NIST 800-115, and I have a strong background in security governance, compliance, and AppSec auditing (SAST, DAST, SCA). I try to stay up to date doing CTFs and trainings.

Beyond computers, I like reading, cycling, and tea culture. I play the piano sometimes. Started hiking in 2026. I'm fluent in english (TOEFL C1 ↗) and french (DELF B2 ↗), and beginner in japanese.

Say hello →

[ Work history ]

Experience

Offensive security engagements and cybersecurity engineering across multiple organizations.

APR 2023 - PRESENT
Softtek, México (for a Fortune 500 Airline)
Sr. Penetration Tester
End-to-end pentests (PTES/NIST) and SAST, DAST & SCA assessments for PCI, SOC2, HIPAA and GDPR compliance across infra, web, APIs, cloud, and desktop; manual exploitation and custom vuln discovery on critical business logic, with risk rating (CVSS) and technical remediation. Deliver secure design reviews & stakeholder training aligned to OWASP/SANS. Assess and implement security controls for AI-integrated systems.
Red TeamActive DirectoryCloudMalware Dev
MAR 2025 – OCT 2025
NTT Data, Spain
Cybersecurity External Consultor
Conducting full cybersecurity audits and penetration testing for web, API, and mobile applications, and elaborating technical reports on the identified vulnerabilities, and their mitigation techniques.
Red TeamActive DirectoryCloudMalware Dev
APR 2022 – APR 2023
Ministry of State Finance, Michoacán
Red Team Lead & Security Analyst
Led offensive security ops (pentest, vuln assessments, red teaming), coordinating a team and executing web/app/network engagements; performed recon, exploitation, and post-exploitation, producing technical reports and remediation guidance. Defined testing methodologies/playbooks, collaborated with IT/SecOps for target prioritization, and trained team on tools/TTPs.
Red TeamActive DirectoryCloudMalware Dev
JUL 2022 – MAR 2023
Estudio GEMA, Argentina
Full Stack Developer
Maintained and refactored production web apps (FE/BE), implemented features/bug fixes, and integrated services/APIs; collaborated via Agile workflows, handling incident triage, deployments, and stakeholder-driven requirements.
Red TeamActive DirectoryCloudMalware Dev
SEP 2021 - JAN 2022
ICORP, México
Systems Architect & Software Developer
Built modular frontend apps in React (SCRUM), defined requirements, and designed microservices-based deployments (Elixir/React) on Azure; implemented CI/CD and unit testing.
Red TeamActive DirectoryCloudMalware Dev
JUNE 2021 — MAY 2022
Superior Audit State Office, Michoacán
Systems Architect / DevOps Engineer
Managed Linux/Windows (AD), designed network & system architectures, and implemented CI/CD for web apps & infrastructure; drove monitoring, performance, and security improvements.
AppSecDAST/SASTThreat Modeling
AUG 2016 — DEC 2020
ITM Morelia - Education
CS Engineering Student
Student of Engineering in Computer Systems and specialty in Information Security at the Technological Institute of Mexico, Morelia campus.
VA/PTComplianceSocial Engineering

[ Expertise ]

Skills & Tools

Offensive security methodologies, tooling, and engineering built across real-world engagements.

Offensive Security
Penetration Testing
PTESOSSTMMOWASP TGISSAFNIST 800-115Linux · AD · Web · Network · Cloud
Red Teaming
MITRE ATT&CKCyber Kill ChainTTP EmulationEDR/AV EvasionC2 Ops
AppSec & Code Review
SASTDASTIASTDevSecOpsSDLCOWASP Top 10Web/API/Mobile
Malware & Custom Tooling
C / C#PythonNIMShellcodePayload ObfuscationImplant Dev
Tooling
Recon, Scanning and OSINT
NmapMasscanRustScanNessusZAPNiktoWPScanMaltegoShodanAmassTheHarvesterspiderfootffufFeroxbuster
Exploitation and Post-Exploitation
MetasploitBurpSuiteSQLmapDalfoxXSStrikeCommixpwncatPwntoolsPEASS-ngSearchSploitCore Impact
Red Team · C2 · AD
Cobalt StrikeHavocSliverMythicMimikatzBloodHoundCrackMapExecImpacketevil-winrmCertipyKerbrute
Credentials · Network
HashcatJtRHydraCeWLWiresharktcpdumpAircrack-ngWifiteKismetScapy
Forensics · Social Eng.
AutopsyVolatilityBinwalkForemostGoPhishEvilginxHiddenEyeSocialFish
OS & Platforms
Kali LinuxParrotOSBlackArchDockerProxmoxVMwareActive Directory
Development & Scripting
Languages
Python ★★★JS ★★★NIM ★★★Bash ★★PowerShell ★★C/C++ ★★C# ★★PHP ★★Java ★★Lua ★
Web & Frameworks
Node.jsFastAPIDjangoFlaskReactVueLaravelBootstrapJQuery
Infrastructure & DB
DockerTerraformGitHub ActionsPostgreSQLMySQLSQLiteGitLab CI

[ My Work ]

Projects

Security tooling and personal projects I'm (maybe) proud of.
Note: I'm constantly updating this website & my Github projects. Sorry for any sync fault.

Glyph
A terminal encoding & decoding swiss knife, intended for developers, security researchers, and CTF players.
View on GitHub →
NimRecon
Nim-specific binary analyzer & artifact extractor. Its purpose is to help triage and detect Nim-based malware.
View on GitHub →
PCI Leak Scanner
Tool to detect PCI DSS data leakage in log files, source code, and plain text. Identifies card numbers, credentials, and more using a hot-pluggable JSON rule engine.
C#NIMEDR EvasionRed Team
View on GitHub →
CVSS Stats Tool
Tool for analyzing CVSS (Common Vulnerability Scoring System) vectors. Its porpuse is to quickly generate statistics and insights from a list of CVSS 3.1 vectors.
PythonBloodHoundImpacket
View on GitHub →
NetWatch-
A lightweight, non-invasive network presence monitoring tool. Built with curiosity, Flask, and way too many Nmap scans.
AWSAzureGCP
View on GitHub →
cookiefy
A small bash cookie extractor and manipulator for web pentesting.
AWSAzureGCP
View on GitHub →
Kairos Entanglement Cipher
An experimental chaotic cipher that uses the precise moment of encryption to dynamically evolve S-boxes, diffusion, and rounds.
AWSAzureGCP
View on GitHub → View blog →
cvs_to_markmap
Simple tool script that converts a CSV file into Markmap markdown syntax. Inspired by markmap.js.
View on GitHub →

[ Writing ]

Blog

Thoughts on malware development, offensive security, and the industry, published on Medium.

See all posts on Medium →

[ Accomplishments ]

Credentials

Trainings, certifications and courses completed across offensive security, cloud, governance, and engineering. Playing Pokemon as a kid got me an addiction to collecting digital badges; you can see mine on Credly ↗.


[ Let's connect ]

Get in touch

Whether you want to collaborate,
or just want to say hi, my inbox is open.

huemac.contact@gmail.com