About

About

Who am I?

Hi everyone! I’m Onurcan, an offensive security researcher, CVE hunter, and AI red teaming specialist based in Ankara, Turkey.

I break things professionally so others can build them stronger.

My work sits at the intersection of traditional penetration testing, emerging AI security, and technical AI safety. I’ve discovered and responsibly reported 7+ CVEs through MITRE CVE and coordinated disclosure processes. I also recently selected BlueDot Impact’s Technical AI Safety course, which deepened my interest in how AI systems fail under adversarial pressure, optimization pressure, and imperfect safety objectives.

My true motivation is to understand how AI systems break and why they break and how we can make them more robust against strong attacks.

Background

I’m a Information Systems and Technologies graduate from Bilkent University with software development & engineering knowledge. Plus, hands-on penetration testing experience across web, mobile, wireless, and network environments.

Professional Experience

Deloitte CyberOps
Cybersecurity Intern. Technical review and QA of penetration testing reports, vulnerability validation, and report quality checks aligned with MITRE ATT&CK and CVSS frameworks.

Bilishim Cyber Security & AI
Penetration Tester. Worked on web and mobile application penetration testing, AI/ML red team engagements, wireless and LAN testing, threat intelligence, and mentoring junior interns.

VulnerDay
CTF machine testing and writeup validation.

I also took first place in the Deloitte CyberOps Bootcamp CTF competition

Certifications

  • eWPTXv3 — Web Application Penetration Tester eXtreme, INE
  • eWPTv2 — Web Application Penetration Tester, INE
  • CompTIA Security+ SY0-701
  • C-AI/MLPen — Certified AI/ML Penetration Tester
  • CNSP — Certified Network Security Practitioner, SecOps Group
  • CAP — Certified AppSec Practitioner, SecOps Group
  • AWS Cloud Quest: Cloud Practitioner
  • CCNAv7: Switching, Routing, and Wireless Essentials, Cisco
  • CCNA: Introduction to Networks, Cisco
  • NSE 1 & NSE 2 — Fortinet Security Awareness

Published CVEs

  • CVE-2025-60511 — Insecure Direct Object Reference in Moodle OpenAI Chat Block plugin, MITRE
  • CVE-2025-60506 — Stored XSS in Moodle PDF Annotator plugin v1.5, MITRE
  • CVE-2025-60507 — Reflected & Stored XSS via PDF Upload in Moodle GeniAI plugin, MITRE
  • CVE-2025-57520 — Stored XSS in Decap CMS <= 3.8.3, MITRE
  • CVE-2026-34156 — NocoBase Sandbox Escape to RCE, GitHub
  • CVE-2026-9558 — Mautic Theme Engine SSTI to RCE, GitHub

What I Research

AI & LLM Security

Prompt injection attacks, multi-turn jailbreaks, safety alignment bypasses, system-prompt exposure, persona hijacking, and AI red teaming methodologies against production systems.

Vulnerability Research

Full-lifecycle responsible disclosure: from initial discovery and root cause analysis to CVE assignment, vendor coordination, patch verification, and public advisory.

Penetration Testing

Web applications, APIs, Active Directory, mobile applications, wireless networks, and infrastructure. The CTF writeups on this blog reflect the same methodology I apply to real-world engagements: enumeration, exploitation, validation, impact analysis, and clear reporting.

Technical AI Safety

I’m especially interested in the bridge between behavioral AI red teaming and mechanistic understanding. My current direction focuses on refusal-direction ablation experiments in open-weight models, trying to understand how safety-trained models encode, preserve, and lose refusal behavior at the representational level.

Open Source Projects

PromptShot

An automated AI red teaming framework for systematically testing LLM safety boundaries across multiple models and attack vectors.

LeakCTL

A threat intelligence platform for monitoring and analyzing data breaches at scale.

CryptoSignal / StoX Market

An Android cryptocurrency trading application with real-time market tracking, built with Kotlin and Material Design.

WhatsApp Chat Analyzer

A Flask-based web application that processes chat logs and generates psychological and behavioral insights using the GPT-4o API.

All projects are available on my GitHub.

Community

  • Bilkent Young Entrepreneurs Society IT Coordinator organized workshops on HTML, CSS, and networking
  • Exploit Studio Audit Board President
  • TryHackMe Top 2% CTF player, solving challenges for 4+ years
  • 90+ published articles on Medium covering offensive security, CTF writeups, vulnerability research, and AI security
  • Boğaziçi Cybersecurity Program alumnus
  • Türk Telekom Cybersecurity Camp alumnus

Connect

  • GitHub: github.com/onurcangnc
  • LinkedIn: linkedin.com/in/onurcangnc
  • X/Twitter: @CtfWithOG
  • Medium: medium.com/@onurcangencbilkent
  • Email: [email protected]