Architecting Kernel-Level Defenses & Covert Offensive Infrastructure.

I'm a 22yo Algerian Computer Science & Web Development Master's Graduate. I build low-level eBPF kernel enforcement engines, Tor-anonymized C2 frameworks, and proactive CTI platforms from scratch.

Black Hat USA 2026 — Las Vegas Arsenal Presenter
PortSwigger — Selected Burp Suite Champion
Caddy Web Server — CVSS 9.1 Zero-Day Discoverer
Hack The Box — Pro Hacker (Global #731)
ahmed@kernel-sec:~ (eBPF/LSM active)
● LIVE SESSION
Interactive Kernel Console initialized.
Select a command chip below to execute interactive inspection...
// 01. ACADEMIC & EMPIRICAL RESEARCH

Peer-Reviewed & Academic Contributions

Rigorous empirical research addressing critical blind spots in software supply chain security, runtime machine learning pipelines, and eBPF kernel enforcement.

PUBLISHED ON ZENODO & RESEARCHGATE (DOI: 10.5281/zenodo.17957303)

CI Supply Chain Guard: Hybrid Static-Dynamic Defense Tool

Traffic Light Protocol, AST Reachability & Active Deception Docker Sandbox for NPM/PyPI Pipelines

89.6% / 82.2% NPM & PyPI Malicious Detection Rate
17,316 Datadog Dataset Evaluated Samples
2.04s Average Pipeline Scan Latency
12 Rules Static AST Heuristics (SA-001 to SA-012)

The Problem: Software supply chain attacks on NPM/PyPI package registries have surged by 742%, where attackers inject credential stealers, backdoors, or cryptominers into open-source dependencies before code review.

How It Works: A pre-merge CI/CD defense utilizing a "Traffic Light" protocol (SAFE ≤3, SANDBOX 4-9, BLOCK ≥10). A static AST reachability layer scans 12 attack vectors (SA-001 to SA-012) while filtering dead code. If flagged, suspicious packages are detonated inside an Active Deception Docker container populated with honeytokens (fake AWS & SSH keys) monitored in real time via kernel strace.

Proven Results: Evaluated on 17,316 real-world samples from the Datadog dataset, achieving 89.6% (NPM) and 82.2% (PyPI) malicious detection rates with 0% false positives on benign packages at ~2.04 seconds per package.

AST Reachability Analysis Docker Active Deception Honeytoken Deployment Traffic Light Scoring Datadog Dataset Validation
UNDER MAINTENANCE & ARCHITECTURAL UPGRADE

KEIP: Kernel-Enforced Install-Time Policies

Novel eBPF & Linux Security Module (LSM) Supply Chain Defense Framework

GitHub Repo
100% Block Rate (QUT-DV25 Dataset)
Deep Lineage Process Tree Evasion Defense
~100ns LSM Hook Latency Overhead
Under Maintenance Active Architectural Upgrade

The Problem: Solves the critical "Temporal Window of Installation" vulnerability where malicious open-source packages execute arbitrary install scripts with full user privileges before standard runtime monitors or static scanners engage.

How It Works: A custom eBPF engine attached directly to Linux kernel LSM hooks (socket_connect, bprm_check_security). It implements Deep Process Tree Tracking to monitor installer lineage and block evasion attempts (e.g., pip spawning bash or curl), armed with an autonomous Active Kill Switch terminating malicious process groups (PGID) in microseconds.

Proven Results: Achieved 100% block rate across diverse attack classes on the QUT-DV25 dataset with 0% false positives and negligible ~100ns latency overhead. Upgraded with sudo-free unprivileged eBPF execution and .pth File Planting persistence detection.

Linux eBPF LSM Hooks Deep Process Tree Tracking libbpf CO-RE Active Kill Switch .pth Planting Detection
UNDER REVIEW: JOURNAL OF SCIENCE OF COMPUTER PROGRAMMING

Kage: Uncovering & Auditing Shadow Dependencies in Machine Learning Pipelines

First Formal Taxonomy, SDAS Risk Scoring & Dynamic Kernel strace Interception for ML Software

71% Invisible Runtime Dependencies (bert-base)
3,450 vs ~10 Kage Dynamic SBOM Entries vs pip freeze
4/4 SCA Tools pip-audit, Snyk, Trivy reported 0 findings
SDAS Score Calibrated against CVSS v3.1 Framework

The Problem: When running pip install transformers, standard scanners inspect ~70 declared packages. However, at runtime, ML pipelines silently load hundreds of unmanifested native `.so` binaries, model weights, and arbitrary scripts (trust_remote_code=True) completely invisible to standard SCA tools (Snyk, Trivy, pip-audit).

How It Works: Establishes the industry's first formal 4-category taxonomy (SD-1 to SD-4) and quantitative SDAS risk score. Operates as a 5-phase CI/CD auditor combining Hugging Face Hub metadata verification with kernel-level strace interception across multithreaded BLAS/MKL process trees to generate Dynamic CycloneDX v1.5 SBOMs.

Proven Results: Discovered that on standard bert-base-uncased, 71% of runtime dependencies (242/341 native libraries) are invisible to standard scanners. Intercepted reverse shells embedded in C extensions and exposed hidden OpenSSL CVEs below the Python layer.

MLOps Security Kernel strace Interception CycloneDX v1.5 Dynamic SBOM Shadow Taxonomy (SD-1 to SD-4) Hugging Face API Audit
// 02. STARTUP & MASTER'S THESIS PROJECT

Vector: Proactive B2B Cyber Threat Intelligence Platform

Building Algeria's first contextualized cyber threat intelligence platform tailored for critical infrastructure operators.

MASTER'S THESIS PROJECT | B2B SAAS STARTUP

Eliminating Alert Fatigue via Infrastructure Digital Twins

Rather than overwhelming SOC teams with generic, global threat feeds containing thousands of irrelevant CVEs, **Vector** enables enterprises to build a precise **Digital Twin** of their exact technology stack, spanning hardware models, firmware versions, OS distributions, and enterprise software using NIST industry standards.

Vector's custom matching engine continuously cross-references real-time zero-day disclosures, NVD CVE feeds, and APT campaign IOCs directly against the organization's Digital Twin. When a newly discovered threat impacts an Algerian critical infrastructure operator (Energy, Water, Telecom, Government, or ICS/SCADA), alerts are dispatched instantly with tailored mitigation guidance.

NIST Standardized Stack Mapping Real-Time CVE & Zero-Day Matching ICS / SCADA Infrastructure Defense Automated Threat Triaging Future Pentesting & Background Audit Division
// VECTOR CTI MATCHING ENGINE ENGINE
[+] Ingesting Stack Profile: Sonatrach_SCADA_Node_04
[+] Firmware Asset: Siemens S7-1500 v2.8.1
[+] Scanning Zero-Day Feeds & NVD Stream...
[!] ALERT MATCH FOUND: CVE-2026-XXXX (CVSS 9.8)
[✓] Impact Verified against Digital Twin. Dispatching high-priority playbook to SOC L2.
// 03. OFFENSIVE ENGINEERING & C2 INFRASTRUCTURE

Open Source Security Tools & CVE Disclosures

High-stealth Red Team architectures, zero-trust network simulations, vulnerability crawlers, and credited zero-day disclosures.

RED TEAM C2 ARCHITECTURE

Anonymous C2 Infrastructure

Sophisticated Command & Control framework operating entirely over Tor Hidden Services (.onion). Bypasses strict inbound firewall rules, CGNAT, and Deep Packet Inspection (DPI) without port forwarding or public IP exposure.

  • AES-256 Cryptographic Stealth: End-to-end wrapped Tor cells rendering Wireshark sniffing opaque.
  • Automated builder.py: Dynamically compiles Python payloads into standalone portable Windows executables (.exe) via PyInstaller.
  • Asynchronous Beaconing & Interactive Shell: Randomized check-in intervals managing multi-victim queues.
SLIVER C2 EXTENSION

Sliver Tor Bridge

Extends the industry-standard Sliver C2 framework by deploying a Tor hidden service pointing to a local HTTP proxy that forwards everything directly to Sliver's HTTPS listener.

Implants connect covertly through the Tor network while operators maintain full management control inside standard Sliver interface sessions. Featured in comprehensive technical Medium deep dive.

ML VULNERABILITY SCANNER

MLSecScan

Intelligent web vulnerability crawler combining machine learning models with traditional security heuristics. Crawls dynamic web targets, detecting SQL injection (SQLi) and Cross-Site Scripting (XSS) in real time.

Streams detection alerts and severity scores to a sleek, modern web dashboard for real-time triage and remediation reporting.

CISCO PACKET TRACER LAB

Zero Trust Enterprise Network

Complete enterprise network architecture constructed across HQ, DMZ, and branch sites. Documented across 11 comprehensive milestones with schematics.

  • Segmentation & Defense: 6 VLANs (Admin, Dev, Guest, Security, Servers, DMZ), L3 SVIs, ACL firewall policies, GRE site-to-site VPN.
  • Monitoring & AAA: Centralized RADIUS authentication, Syslog/SNMP monitoring, SPAN port IDS capture.
  • Simulated & Stopped Attacks: Tested against VLAN Hopping, DoS, and branch lateral movement, all successfully intercepted.
CREDITED ZERO-DAY DISCLOSURES

Caddy Web Server CVSS 9.1 Discovery

Discovered and reported critical vulnerability in the widely-used **Caddy Web Server** (CVSS 9.1: "Unauthenticated Admin API Configuration Modification").

Officially credited as the original reporter on the GitHub Security Advisory. Maintainers praised the responsible disclosure, detailed instructional documentation, and video proof-of-concept.

Also authored full PoCs & case studies for CVE-2025-2620 & CVE-2025-29384.
OFFENSIVE EXCELLENCE

HTB Pro Rank #731 & Bug Bounty

Active competitive hacker ranked **Pro (#731 Global)** on Hack The Box. Authored open-source writeups repository detailing solutions for complex machines and challenges.

Active bug bounty hunter on YesWeHack with 3 reports currently under RTFS review. Solved advanced PortSwigger labs, crAPI (REST API vulnerabilities), and DVGA (GraphQL exploitation).

// 04. CONTINUOUS LEARNING & MASTERY

Professional Certifications

Achieved through resourcefulness, scholarship programs, and relentless self-study without external financial backing ("doing more than what I can with what I have").

OFFICIAL PROFILES & CHANNELS

Connect & Explore More Work.

Feel free to connect with me directly across my official developer profiles or inspect my active open-source security repositories and technical writeups.

GitHub Profile LinkedIn Profile