About

Who am I?

Hi everyone ! I am Onurcan, an offensive security researcher, CVE hunter, and AI red teaming specialist based in Ankara, Turkey. I break things professionally so others can build them stronger.

My work sits at the intersection of traditional penetration testing and emerging AI security. I've discovered and reported 7+ CVEs through MITRE and USOM responsible disclosure processes, targeting everything from SQL injection and XSS vulnerabilities to session hijacking and AI plugin exploits.

Background

I'm a senior Computer Technology & Information Systems student at Bilkent University with 11 months of hands-on penetration testing experience across web, mobile, wireless, and network environments.

Professional Experience:

  • Deloitte CyberOps: Cybersecurity Intern. Technical review and QA of penetration testing reports, vulnerability validation aligned with MITRE ATT&CK and CVSS frameworks.
  • Bilişim Cyber Security & AI: Penetration Tester (10 months). Web/mobile app pentesting, AI/ML red team engagements, wireless and LAN testing, threat intelligence, and mentoring junior interns.
  • VulnerDay: CTF machine testing and writeup validation.

I also took first place in the Deloitte CyberOps Bootcamp CTF competition — which is how my Deloitte journey began.

Certifications

  • eWPTXv3 Web Application Penetration Tester eXtreme (INE)
  • eWPTv2 Web Application Penetration Tester (INE)
  • CompTIA Security+ (SY0-701)
  • C-AI/MLPen Certified AI/ML Penetration Tester
  • CNSP Certified Network Security Practitioner (SecOps Group)
  • CAP Certified AppSec Practitioner (SecOps Group)
  • AWS Cloud Quest Cloud Practitioner
  • CCNAv7 Switching, Routing, and Wireless Essentials (Cisco)
  • CCNA Introduction to Networks (Cisco)
  • NSE1 & NSE2 Fortinet Security Awareness

Published CVEs

  • CVE-2025-10878 SQL Authentication Bypass in AdminPando v1.0.1 (MITRE)
  • CVE-2025-60511 Insecure Direct Object Reference in Moodle OpenAI Chat Block plugin (MITRE)
  • CVE-2025-60506 Stored XSS in Moodle PDF Annotator plugin v1.5 (MITRE)
  • CVE-2025-60507 Reflected & Stored XSS via PDF Upload in Moodle GeniAI plugin (MITRE)
  • CVE-2025-10228 Session Hijacking in Agentis < 4.44, CVSS 8.8 (USOM)
  • CVE-2025-57520 Stored XSS in Decap CMS <= 3.8.3 (MITRE)

I've also submitted multiple case studies to the MITRE ATLAS knowledge base documenting real-world adversarial attacks against production AI systems, including multi-turn jailbreaks on Grok AI, Kumru AI, and ChatJimmy.

What I Research

AI & LLM Security Prompt injection attacks, multi-turn jailbreaks, safety alignment bypasses, and AI red teaming methodologies against production systems.

Vulnerability Research Full lifecycle responsible disclosure, from initial discovery through CVE assignment to vendor coordination with MITRE and USOM.

Penetration Testing Web applications, APIs, Active Directory, mobile apps, wireless networks, and infrastructure. The CTF writeups on this blog reflect the same methodology I apply to real engagements.

Open Source Projects

PromptShot An automated AI red teaming framework for systematically testing LLM safety boundaries across multiple models and attack vectors.

LeakCTL A threat intelligence platform for monitoring and analyzing data breaches at scale.

CryptoSignal (StoX Market) Android cryptocurrency trading application with real-time tracking, built with Kotlin and Material Design.

WhatsApp Chat Analyzer Flask-based web app that processes chat logs and generates psychological insights via GPT-4o API.

All projects are available on my GitHub.

Community

  • Bilkent Young Entrepreneurs Society IT Coordinator, organized workshops on HTML, CSS, and networking
  • Exploit Studio Audit Board President
  • TryHackMe Top 2% CTF player, solving challenges for 4+ years
  • Medium 90+ published articles on offensive security, CTF writeups, and AI research
  • Boğaziçi Cybersecurity Program and Türk Telekom Cybersecurity Camp alumnus

Why This Blog

I built this blog because Medium pays $10 for 90+ articles, and I wanted full control over my content, SEO, and monetization. Every writeup here represents real research, real vulnerabilities, and real techniques — no AI-generated filler, no recycled content.

Connect