Wael Ghnimi 0xW43L
Senior Cyber Threat Intelligence Analyst · X-Red-Teamer · X-Blue-Teamer
Offensive & defensive security research. Creator of the TACTFlow purple-teaming framework.
With a strong foundation in both offensive security (Red Team) and defensive operations (Blue Team / SOC), I bring a dual perspective to Cyber Threat Intelligence (CTI). My career is driven by a passion for uncovering and mitigating threats, blending deep technical expertise with strategic intelligence analysis to safeguard organizations against advanced cyber adversaries.
I thrive on complex challenges: tracking sophisticated threat actors, developing custom security tools, and conducting deep-dive investigations into evolving attack vectors. I believe in continuous learning, research, and collaboration to stay ahead in a rapidly changing threat landscape.
Certifications





Also university-track certs: Fortinet NSE 1/2, Microsoft MTA Security / Networking / HTML-CSS.
Research, Projects & Tools
TACTFlow
A public framework bridging CTI, Red Teaming, and SOC Engineering by mapping adversary TTPs from MITRE ATT&CK to operational purple-team playbooks. Ongoing blog series covering each tactic from three angles: how CTI tracks it, how Red Teams simulate it, and how SOCs detect it.
LDAPHunter
A Python tool automating LDAP enumeration for pentesters: users, groups, OUs, password policies, privileged memberships, and unconstrained delegation from Active Directory. Supports anonymous and authenticated access over LDAP (389) and LDAPS/TLS (636).
IOCs Finder
Automated pipelines for collection, normalization, and correlation of Indicators of Compromise across open and closed sources. Integrated with IBM QRadar for real-time SIEM enrichment and the CrowdStrike API to push curated indicators into the endpoint detection stack.
Qakbot Auto-Decryptor (IDA Pro)
A Python plugin for IDA Pro that automates Qakbot configuration decryption and IOC / malware-config extraction, removing manual unpacking and string-decryption overhead. Integrated into the QRadar and CrowdStrike incident-response workflow.
CryptBot Series
Three-part technical deep-dive into the CryptBot infostealer family: v1 architecture and static analysis, v2 RC4 exfiltration and NetSupport RAT delivery, and v3 compiler-switch analysis and obfuscation shifts.
DPTML
Academic research combining reinforcement learning with the penetration-testing lifecycle to automate offensive decision-making: input discovery, vulnerability-indicator detection, and public-exploit matching, with a self-directed troubleshooting loop that adapts and retries on failure.
Technical Expertise & Training
A living catalog of the books, courses, tools, and platforms I use to sharpen my skills. Click a topic to expand.
Reverse Engineering & Malware Analysis
Courses — OST2 Debugger 1001, OST2 Architecture 1001 (x86-64)
Tools — IDA Pro, Ghidra, Radare2, Binary Ninja, x64dbg, Detect It Easy, PE Studio, dnSpyEx, PE-bear, System Informer, HxD
Sandboxes & services — CAPEv2, UnpacMe, any.run, Triage, Hybrid Analysis, Malpedia, MalwareBazaar, VirusTotal, Joe Sandbox, vx-underground
Cyber Threat Intelligence
Courses — arcX CTI 101, arcX CTI Practitioner, arcX Advanced CTI Analyst
Tools & platforms — MISP, OpenCTI, TheHive, Cortex, Sigma, YARA, Maltego, SpiderFoot, Shodan, Censys, IBM QRadar, Splunk, Elastic Security
Frameworks — MITRE ATT&CK, Diamond Model, Cyber Kill Chain
Feeds & services — AlienVault OTX, AbuseIPDB, URLhaus, ThreatFox, Google Threat Intelligence, SOCRadar, CrowdStrike Intelligence
Selected reading — Psychology of Intelligence Analysis (Heuer), Structured Analytic Techniques (Heuer), Intelligence-Driven Incident Response (Roberts), Active Measures (Rid), The Art of Cyberwarfare (DiMaggio), Visual Threat Intelligence (Roccia)
Penetration Testing & Red Teaming
Books — Penetration Testing: A Hands-On Introduction to Hacking (Georgia Weidman), Red Team Development and Operations (Joe Vest)
Tools — Cobalt Strike, Burp Suite Pro, NetExec, Impacket, BloodHound, Responder, Metasploit, Nmap, SQLMap, OWASP ZAP
Malware & Exploit Development
Courses — Windows Internals (Pavel Yosifovich), Sektor7 RTO: Malware Development Essentials
Toolchain — Visual Studio, C / C++, Win32 API
Programming, Cloud & Infrastructure
Programming — C (K&R, boot.dev memory management), Python, PowerShell, Bash
EDR / Detection — CrowdStrike, SentinelOne
Virtualization & VCS — Docker, Kubernetes, Proxmox VE, VMware, Git / GitHub / GitLab