0xW43L

Wael Ghnimi 0xW43L

Senior Cyber Threat Intelligence Analyst · X-Red-Teamer · X-Blue-Teamer

Offensive & defensive security research. Creator of the TACTFlow purple-teaming framework.

With a strong foundation in both offensive security (Red Team) and defensive operations (Blue Team / SOC), I bring a dual perspective to Cyber Threat Intelligence (CTI). My career is driven by a passion for uncovering and mitigating threats, blending deep technical expertise with strategic intelligence analysis to safeguard organizations against advanced cyber adversaries.

I thrive on complex challenges: tracking sophisticated threat actors, developing custom security tools, and conducting deep-dive investigations into evolving attack vectors. I believe in continuous learning, research, and collaboration to stay ahead in a rapidly changing threat landscape.

Certifications

OSEP
OSEPPEN-300
eWAPTx
eWAPTxWeb Pentest eXtreme
CRTO
CRTOCertified Red Team Operator
CTI 101
arcX CTI 101Threat Intel Analyst
eJPT
eJPTJunior Pentester
Dante
HTB DantePro Lab
ICTTF
ICTTFRansomware Uncovered

Also university-track certs: Fortinet NSE 1/2, Microsoft MTA Security / Networking / HTML-CSS.

Research, Projects & Tools

Purple Teaming

TACTFlow

A public framework bridging CTI, Red Teaming, and SOC Engineering by mapping adversary TTPs from MITRE ATT&CK to operational purple-team playbooks. Ongoing blog series covering each tactic from three angles: how CTI tracks it, how Red Teams simulate it, and how SOCs detect it.

Red Teaming

LDAPHunter

A Python tool automating LDAP enumeration for pentesters: users, groups, OUs, password policies, privileged memberships, and unconstrained delegation from Active Directory. Supports anonymous and authenticated access over LDAP (389) and LDAPS/TLS (636).

CTI

IOCs Finder

Automated pipelines for collection, normalization, and correlation of Indicators of Compromise across open and closed sources. Integrated with IBM QRadar for real-time SIEM enrichment and the CrowdStrike API to push curated indicators into the endpoint detection stack.

Reverse Engineering

Qakbot Auto-Decryptor (IDA Pro)

A Python plugin for IDA Pro that automates Qakbot configuration decryption and IOC / malware-config extraction, removing manual unpacking and string-decryption overhead. Integrated into the QRadar and CrowdStrike incident-response workflow.

Malware Analysis

CryptBot Series

Three-part technical deep-dive into the CryptBot infostealer family: v1 architecture and static analysis, v2 RC4 exfiltration and NetSupport RAT delivery, and v3 compiler-switch analysis and obfuscation shifts.

AI & ML

DPTML

Academic research combining reinforcement learning with the penetration-testing lifecycle to automate offensive decision-making: input discovery, vulnerability-indicator detection, and public-exploit matching, with a self-directed troubleshooting loop that adapts and retries on failure.

Technical Expertise & Training

A living catalog of the books, courses, tools, and platforms I use to sharpen my skills. Click a topic to expand.

Reverse Engineering & Malware Analysis
Cyber Threat Intelligence

CoursesarcX CTI 101, arcX CTI Practitioner, arcX Advanced CTI Analyst

Tools & platformsMISP, OpenCTI, TheHive, Cortex, Sigma, YARA, Maltego, SpiderFoot, Shodan, Censys, IBM QRadar, Splunk, Elastic Security

FrameworksMITRE ATT&CK, Diamond Model, Cyber Kill Chain

Feeds & servicesAlienVault OTX, AbuseIPDB, URLhaus, ThreatFox, Google Threat Intelligence, SOCRadar, CrowdStrike Intelligence

Selected readingPsychology of Intelligence Analysis (Heuer), Structured Analytic Techniques (Heuer), Intelligence-Driven Incident Response (Roberts), Active Measures (Rid), The Art of Cyberwarfare (DiMaggio), Visual Threat Intelligence (Roccia)

Penetration Testing & Red Teaming

BooksPenetration Testing: A Hands-On Introduction to Hacking (Georgia Weidman), Red Team Development and Operations (Joe Vest)

ToolsCobalt Strike, Burp Suite Pro, NetExec, Impacket, BloodHound, Responder, Metasploit, Nmap, SQLMap, OWASP ZAP

Malware & Exploit Development
Programming, Cloud & Infrastructure

Programming — C (K&R, boot.dev memory management), Python, PowerShell, Bash

EDR / DetectionCrowdStrike, SentinelOne

CloudAWS, Azure, GCP

Virtualization & VCSDocker, Kubernetes, Proxmox VE, VMware, Git / GitHub / GitLab