Web Application Pentester · Application Security · Full-Stack & Cloud

I’m a Web Application Penetration Tester with a strong background in full-stack software development and cloud infrastructure.

I currently work in a US-based cybersecurity consulting environment, performing security assessments for enterprise and Fortune 500 applications.
Before focusing fully on security, I built and deployed cloud-native web applications end-to-end, which lets me approach pentesting from a developer’s perspective.

Outside of work, I’m into anime, games, and medieval fantasy — I like systems, worlds, and mechanics, whether they’re digital or fictional.

• 🔐 Web application & API penetration testing (black-box and grey-box)
• 🧩 Application Security (AppSec mindset)
• ☁️ Cloud-native architectures (AWS)
• 🖥️ Thick-client security testing (currently training)
• ✍️ Writing clear, developer-friendly security reports

• Web application penetration testing
• Authentication, authorization & business-logic testing
• Manual request manipulation & vulnerability chaining
• Burp Suite Professional

• Python · JavaScript · TypeScript · C · C#
• FastAPI · React · REST APIs

• AWS (ECS/Fargate, EC2, S3, DynamoDB, IAM, VPC, CloudWatch)
• Docker · CI/CD (GitHub Actions)

(Some repositories are still WIP or private — more coming soon)

• 🔒 Secure Web App Reference

  • Cloud-native web application built with security-by-design principles
  • Authentication, RBAC, logging, rate-limiting, and CI security checks

• ⚙️ AppSec CI/CD Pipeline

  • GitHub Actions pipeline with SAST, dependency scanning, and container security

• 🧠 Security Notes & Write-ups

  • Personal notes on web security testing, AppSec concepts, and real-world findings

• 💼 LinkedIn: https://www.linkedin.com/in/sebastian-salazar-osorio
• 📫 Email: sebasalazaro@gmail.com

“Security is about understanding systems — sometimes you need to explore the dungeon to find the flaw in the castle walls.”