ARIEL RIL

Application Security Engineer
$ cat about.txt

I'm an Application Security Engineer with a Master's degree in Computer Science from PUC-RS. My work sits at the intersection of offensive security and engineering — building automation to reduce real-world risk by thinking the way an attacker does.

I work in the financial sector, where I develop open-source tooling for Kubernetes security assessments, run Purple Team exercises, and conduct penetration testing across web applications and compiled deliverables.

Outside of work, I train on Hack The Box and Wiz Cloud Security Challenges. Currently focused on exploit development, working toward OSED and OSEE.

My primary interests are application security, cloud-native attack surfaces, and the Kubernetes threat landscape — areas where I have contributed publicly available tooling adopted by security teams.

$ ./skills --list --verbose
offensive:     web-pentesting, k8s-pentesting, red-teaming, exploit-dev
cloud & infra: docker, kubernetes, aws, azure
appsec:        threat-modeling, ssdlc, api-security, vuln-mgmt
programming:   bash, c/c++, rust, terraform, go, nodejs/ts, python, c#
legend:        expert · active · familiar · learning
$ cat experience.log
May 2024 — Present · ING · Security Engineer (active)
  • Released KAET — Kubernetes Breach Assessment Tool (open source @ ING)
  • Released KAL — Kubernetes Authorization Listing tool (open source @ ING)
  • Execute Purple Team assessments across the organisation
  • Conduct penetration testing on web applications and compiled deliverables
  • Lead Threat Modelling assessments
  • Develop security automation tooling for operational workflows
tags: kubernetes, red-team, web-pentesting, threat-modeling, go, python
Jun 2023 — May 2024 · PagoNxt · Application Security Engineer (past)
  • Planned and executed Ethical Hacking assessments on internal and external-facing applications
  • Advised engineering teams on secure coding practices and remediation
  • Integrated threat modelling into the SSDLC process
  • Developed security automation tooling
tags: appsec, ethical-hacking, ssdlc, threat-modeling
Mar 2021 — Jun 2023 · Agi · Cyber Security Analyst II (past)
  • Penetration testing of web and mobile applications
  • Built automation pipelines for API, web, and cloud security assessments
  • Managed cloud security posture across AWS and Azure
  • Led Cyber Security Incident Response engagements
tags: pentesting, aws, azure, incident-response, mobile-security
Nov 2020 — Mar 2021 · Phi · Cyber Security Analyst (past)
  • Designed and applied the NIST Cybersecurity Framework
  • Conducted mobile and web application penetration testing
  • Implemented SSDLC practices across development teams
  • Participated in Red/Blue team exercises
tags: nist, red-team, blue-team, ssdlc
Aug 2019 — Nov 2020 · Phi · Tech Lead — Digital Payments (past)
Led the Pagamentos Digitais team, delivering highly available payment gateway APIs built on NodeJS/TypeScript and deployed on AWS — processing over one million BRL monthly.
tags: nodejs, typescript, aws, kubernetes, rabbitmq, elk-stack
Jul 2017 — Aug 2019 · 4all Tecnologia · Backend Developer (past)
Developed NodeJS/TypeScript APIs with automated deployment pipelines built on TravisCI. Managed the production environment in AWS. All APIs were developed with a microservice mindset, managed via GitLab with continuous source code review.
tags: nodejs, typescript, aws, gitlab, source-code-review
$ ls tools/ --long
kaet (flagship) · Go · Open Source

Kubernetes Breach Assessment Tool — evaluates the blast radius of a compromised pod. Maps privilege escalation paths and lateral movement opportunities from an attacker's perspective.

tags: ⎈ kubernetes · ⚔ offensive

kal · Go · Open Source

Kubernetes Authorization Listing — enumerates all RBAC permissions within a cluster. Surfaces over-privileged service accounts and exploitable misconfigurations quickly and without noise.

tags: ⎈ kubernetes · 🔑 rbac
$ ls blog/ | head -5
$ ls certs/ honors/
  • OffSec · OSCP · Offensive Security Certified Professional
  • Wiz · UCSC · Ultimate Cloud Security Challenge
  • APIsec · API PT · API Penetration Testing — Certificate of Completion
  • OffSec · OSED · Windows User Mode Exploit Development
  • Wiz · K8s LP · Cloud Security Excellence — K8s LAN Party
  • HTB · Dante · Pro Labs — Dante (Full Network Pwn)
$ ping ariel --verbose

Open to collaboration, security research discussions, and responsible disclosure coordination.

Working on something in the Kubernetes, cloud-native security, or offensive tooling space? I'm interested.

// note: Open to speaking invitations, security challenges, and open-source collaborations.