About
Hi, I’m Muhammad Zubair
I’m an Offensive Security Professional focused on identifying the vulnerabilities that actually matter.
My work focuses on simulating real-world attacks across web applications, APIs, Active Directory, cloud environments, and internal systems. I focus on identifying weaknesses and translating them into realistic attack paths, ultimately presenting clear, actionable risks to engineering teams and leadership.
I’m OSCP-certified, have hands-on experience delivering penetration tests for high-impact and regulated environments, and design enterprise-grade offensive security labs and training programs to help teams build practical defensive capability.
My Journey
My path into IT and cybersecurity didn’t start in a classroom. It started with games. I was that kid who couldn’t just play. I needed to know how everything worked behind the scenes. That curiosity pushed me into game development, and that’s where I wrote my first lines of code.
A friend eventually introduced me to cybersecurity, and honestly, it was love at first sight. The challenge, the problem-solving, the adrenaline, it all clicked. From that moment, I dove in headfirst.
I enrolled in a Cybersecurity degree at university, but financial hurdles and the weak cybersecurity curriculum in Pakistan held me back. Still, I wasn’t stopping. I stumbled onto TryHackMe, then HackTheBox, and that opened an entire universe for me. I pushed through CPTS, then OSCP, countless restless days and nights, but all fueled by passion, not pressure.
And it paid off. I landed my first cybersecurity role as an Information Security Engineer, and I’m still learning, still growing, and still doing it for the love of the game.
My Resume
I’ve created two industry-standard training courses featuring 20+ custom hands-on labs built on AWS and Proxmox, and I’ve delivered these trainings internationally. In my current role, I actively work on penetration testing projects, staying sharp through real-world assessments as well as platforms like HackTheBox and various CTF challenges.
I also write regularly on Medium and my personal site, where I break down security concepts and share practical guidance to help others level up in cybersecurity.
A copy of my resume can be found here: view resume
Certifications
OffSec Certified Professional (OSCP), OffSec — Oct 2024
Certified Penetration Testing Specialist, HackTheBox — Feb 2024
Projects
Operational Security (OpSec) Disclaimer
In adherence to Non-Disclosure Agreements (NDAs) and professional ethics, all work presented here has been strictly de-identified. These summaries represent real-world methodologies and architectural achievements without compromising the security posture or identity of past clients and employers. No confidential data or proprietary assets are contained within these descriptions.
Offensive Security Curriculum Architecture
Developed two industry-standard offensive security courses comparable to PNPT, encompassing Web, Active Directory, and AI exploitation vectors. I architected the final practical examinations, managed global certification issuance, and personally trained over 50 students and corporate professionals on real-world adversary TTPs.
Enterprise Compliance Architecture: ACSC Essential Eight
Built and handled most of the development and security architecture of a large-scale backend application with admin and user dashboards to automate Essential Eight (ACSC) compliance for enterprise clients.
Real-Time AI Vishing & Voice Synthesis Engine
Co-developed a vishing (voice-phishing) platform using ElevenLabs, Twilio, and AI models to simulate realistic social engineering attacks and execute automated campaigns that enhanced client security awareness.
Active Directory Training Labs
I engineered vulnerable Active Directory environments designed to mirror the architectural flaws found in modern enterprise networks. Beyond infrastructure setup, I authored comprehensive exploitation guides on Medium, detailing the bridge between theoretical vulnerabilities and real-world adversary tradecraft.
- Key Focus Areas: Kerberoasting, ACL abuse, constrained delegation, and complex cross-forest escalation paths.
- Impact: Bridging the gap for aspiring security professionals by providing high-fidelity, hands-on training scenarios.
View the Blogs on Medium.