Safwat Zaman
Senior Security Engineer & Red Teamer at Securicon, LLC- Claim this Profile
Click to upgrade to our gold package
for the full feature experience.
-
Bengali Limited working proficiency
Topline Score
Bio
Craig Nagy
Saf is an extremely talented penetration tester who helped tackle some of the largest and most challenging projects I have ever seen with grace and apparent ease. His soft skills are also top notch and any organization would be lucky to have him on their team.
Craig Nagy
Saf is an extremely talented penetration tester who helped tackle some of the largest and most challenging projects I have ever seen with grace and apparent ease. His soft skills are also top notch and any organization would be lucky to have him on their team.
Craig Nagy
Saf is an extremely talented penetration tester who helped tackle some of the largest and most challenging projects I have ever seen with grace and apparent ease. His soft skills are also top notch and any organization would be lucky to have him on their team.
Craig Nagy
Saf is an extremely talented penetration tester who helped tackle some of the largest and most challenging projects I have ever seen with grace and apparent ease. His soft skills are also top notch and any organization would be lucky to have him on their team.
Credentials
-
CompTIA PenTest+
CompTIAOct, 2021- Nov, 2024 -
Offensive Security Certified Expert (OSCE)
Offensive SecurityMar, 2021- Nov, 2024 -
Amazon Web Services Solutions Architect Associate
AmazonJun, 2019- Nov, 2024 -
Offensive Security Certified Professional (OSCP)
Offensive SecurityJan, 2018- Nov, 2024 -
Certified Ethical Hacker (CEH)
EC-CouncilJan, 2017- Nov, 2024 -
Certified Information Systems Security Professional (CISSP)
(ISC)²Jan, 2017- Nov, 2024
Experience
-
Securicon, LLC
-
United States
-
Computer and Network Security
-
1 - 100 Employee
-
Senior Security Engineer & Red Teamer
-
May 2021 - Present
- Translate technical penetration testing findings into corporate security standards; prioritize cost reduction. - Manage high‑performance teams of red team operators, security engineers, and specialists; coordinate tailored internal, external,physical, application, and social engineering campaigns. - Mentor and train a team of security engineers with diverse skill levels through platforms like Hack the Box Academy and LinkedIn Learning; ensure team members meet internal KPIs. - Manage end‑to‑end corporate cybersecurity initiatives: initiate, plan, execute, monitor, control, and close. - Strengthen corporate security standards; generate and capture malicious traffic for adversarial simulation; create training and playbooks based on MITRE ATT&CK framework; deploy changes with senior leadership approval. - Automate secure infrastructure deployment using Infrastructure as Code (IaC) templates via Vagrant, Azure, and AWS. - Assess cloud security on AWS, Azure, and OCI; identify and exploit misconfigurations. - Exploit vulnerabilities within critical Information Technology (IT) and Operational Technology (OT) devices, including autonomous robots, circuit breakers, and smart city power grids. Show less
-
-
-
Schellman
-
United States
-
Professional Services
-
300 - 400 Employee
-
Senior Penetration Tester
-
Jun 2018 - May 2021
- Managed end‑to‑end delivery of 40+ security engagements. - Performed manual penetration tests for Fortune 500 companies, covering web applications, APIs, mobile platforms, and infrastructure, following OWASP, FedRAMP, and PCI DSS guidelines. - Developed and deployed encrypted, obfuscated payloads using AWS CodePipeline, CloudFront, EC2, Cloudflare proxies, redirectors, certificates, and malleable C2 profiles. - Compromised internal networks, established persistence, and deployed obfuscated payloads for Windows, Linux, and macOS using tools like Cobalt Strike and Covenant. - Bypassed AV solutions, established persistence, and pivoted within internal networks using process injection and DLL loading techniques. - Obtained unauthorized Domain Administrator access on large corporate networks, leveraging Bloodhound and credential relay attacks. - Conducted segmentation testing for Cardholder Data Environments to ensure PCI DSS compliance. - Attained unauthorized access to client wireless networks via rogue access points. - Assessed job applicants, administered Capture the Flag tests, and made hiring decisions. Show less
-
-
-
TALATEK
-
United States
-
IT Services and IT Consulting
-
1 - 100 Employee
-
Penetration Tester & Technical Manager
-
Jun 2016 - Jun 2018
-Managed penetration tests, vulnerability assessments, remediations, incident management, cyber hunting, security policy & procedures analysis, CISO/ISSO services, and Splunk auditing for internal projects and external clients -Performed manual and automated penetration tests on open source, commercial, and custom software applications and hosts using Kali Linux, Metasploit, Burp Suite Professional, AppdetectivePro, Qualys, Nessus, and Acunetix -Conducted social engineering campaigns involving baiting, phishing, and pharming tactics using the Lucy Framework -Created vulnerability and penetration testing Security Assessment Plans (SAP) and Rules of Engagements (ROE) based on the FedRAMP Penetration Testing Framework -Created agency sponsored FedRAMP SA&A packages for commercial and federal Cloud Service Providers (CSPs) -Wrote and edited strategic technical proposals targeting a variety of Fortune 500 clients Show less
-
-
-
AXXUM TECHNOLOGIES LLC
-
United States
-
IT Services and IT Consulting
-
1 - 100 Employee
-
Web Application Penetration Tester
-
Nov 2015 - Jun 2016
-Governance Risk and Compliance (GRC) team lead tasked to manage and lead the assessment team in performing full scale SA&A audits and penetration testing based on NIST 800-53 -Performed manual and automated penetration testing against large-scale web applications, hosts, and databases by leveraging Burp Suite Professional, Nessus, Acunetix, Web Vulnerability Scanner, Appdetective, Metasploit and various tools found within Kali Linux -Provided clients with a custom qualitative risk rating for all web application, host, and database findings based on OWASP Top 10, existing mitigating factors, exploitation vectors, policies and procedures, and overall maturity of security documentation -Combined SA&A findings with the manual and automated penetration testing results to create a Security Assessment Report (SAR) that provided the client with detailed insights into the security posture of their web applications, hosts, database, and infrastructure Recommendations and actions for mitigation were provided with every finding Show less
-
-
-
Coalfire
-
United States
-
Computer and Network Security
-
700 & Above Employee
-
Associate Technical Project Lead
-
Mar 2015 - Sep 2015
-Technical Project Lead tasked with managing a security team and providing 3PAO (Third Party Assessment Organization) FedRAMP consulting, guidance, support, and analysis for various federal and commercial Cloud Service Providers -Led detailed reviews of all system documentation, developed Security Assessment Plans (SAP) and Security Assessment Reports (SAR) for multiple federal and commercial clients -Created policies and procedures for FISMA RMF (Risk Management Framework) for DOL and performed a multi-faceted risk analysis on the current Trusted Internet Connection (TIC) and Managed Trusted Internet Protocol Services (MTIPS) -Supported onsite physical assessments, individual component testing, and overall assessments of general security controls with a focus on methodologies, and processes for identifying vulnerabilities, threats, and risks Show less
-
-
-
Accenture
-
Ireland
-
Business Consulting and Services
-
700 & Above Employee
-
Cybersecurity Consultant
-
Feb 2012 - Mar 2015
-Maintained and updated security documentation and SOPs, including but not limited to, Systems Security Plan (SSP), Security Test Plan, Security Patch Management Plan, Disaster Recovery Plan (DRP), System Access Plan, Information System and Contingency Plan (ISCP), Interconnections Security Agreement (ISA), Continuous Monitoring Plan, Privacy Impact Assessments (PIA), Security Configuration and Change Management Plan (SCCMP), Incident Monitoring and Handling Plan -Performed security gap analysis of information systems in order to identify weaknesses in controls, policies, and procedures -Identified vulnerabilities within the information systems using Nessus, HP Fortify, Retina, and IBM Security AppScan Source -Obtained hands on experience with SIEM solutions (RSA Envision/Flume), file integrity monitoring (Tripwire), XML web gateways (Layer 7 SecureSpan Gateway / McAfee Web Gateway, HIPS/HIDS, and DDoS prevention (Akamai) -Evaluated and designed custom security solutions based on the client’s requirements, budget constraints, and risk appetite -Solved multiple security issues ranging from low to critical severity in both production and non-production environments -Delivered a proposal to detect counterfeit microchips embedded within COTS networking products through Supply Chain Management -Performed risk analysis between Mobile Device Management (MDM) software and Bring Your Own Device (BYOD) solutions with an emphasis on privacy concerns, security compliance, and access restrictions -Created templates, methodologies, and processes for analyzing web services vulnerabilities and threats based on best practices guidelines. -Analyzed technical proposals and helped stakeholders generate requirements for SOAP based web services for a new web-enabled financial, asset and accounting management system by leveraging: WS-Security, XML Encryption, DISA Application Security Development Guidelines, and OASIS privacy considerations. Show less
-
-
-
Hewlett Packard Enterprise
-
United States
-
IT Services and IT Consulting
-
700 & Above Employee
-
Public Key Infrastructure Support Analyst
-
May 2010 - Jan 2012
-Collaborated with a large team to provide 24/7 availability of cryptographic functions for DOD branches and international deployments -Incorporated asymmetric keys, certificate authorities, digital certificates, and trust chains in live production environments to help secure and encrypt all client-server communications and prevent “man in the middle” attacks -Administered secure key issuance with nCipher and Safenet Hardware Security Modules (HSM) -Tasked with providing engineering solutions to enable quicker encode times for Common Access Card (CAC) issuance for the DOD -Utilized JAVA based tools to identify network and systems architecture issues which results in less downtime and improved IT performance, functionality, and reliability -Administered and performed critical upgrades to production Solaris servers and performed O&M activities on a daily basis -Designed and implemented QA and audit checklists for large-scale projects while providing technical direction to QA testers Show less
-
-
-
Cricket Media
-
United States
-
E-Learning Providers
-
1 - 100 Employee
-
Quality Assurance Intern
-
Jan 2007 - May 2010
-Directed in developing and implementing standards, processes, and procedures to fulfill ISO Certification 27001/27002 Security Audit Requirements resulting in the company passing third party audit of security. -Managed a large corporate website on a daily basis using a custom Content Management System (CMS). -Managed thousands of HTML based webpages for international markets. -Directed in developing and implementing standards, processes, and procedures to fulfill ISO Certification 27001/27002 Security Audit Requirements resulting in the company passing third party audit of security. -Managed a large corporate website on a daily basis using a custom Content Management System (CMS). -Managed thousands of HTML based webpages for international markets.
-
-
Education
-
2023 - 2026
Georgia Institute of Technology
Master of Science - MS, Cybersecurity -
2005 - 2010
George Mason University
Bachelor of Science - BS, Systems Engineering -
2000 - 2005
Hayfield Secondary
High School Diploma
Community
