About Projects Skills Journey Blog Contact
// Offensive Security in Progress

Leo
Mugambi aka r3tro_n3o

Cybersecurity practitioner building from Africa. Penetration testing, DFIR, malware analysis, recon automation — hands-on, not just theory.

$ identify --role
Cybersecurity Practitioner Penetration Tester Threat Hunter Security Researcher Malware Analyst DFIR Specialist Red Team Enthusiast Security Consultant CTF Player Ethical Hacker
View Projects Get In Touch
r3tro_n3o — zsh
┌──(r3tro_n3o㉿kali)-[~]
└─$
// Live Ops Status

Current Loadout

SYSTEM STATUS — ONLINE
[STUDYING]CPTS — HackTheBox Certified Penetration Testing SpecialistActive
[TOOLS]Nmap · Metasploit · Burp Suite · Wireshark · Msfvenom · Velociraptor · Sysmon
[LAB]Velociraptor + Sysmon DFIR Lab — Kali server / Windows 10 clientRunning
[FOCUS]Offensive Security · Threat Hunting · Red Team Ops · Malware Analysis
[CERTS]Google Cybersecurity · AfricaHackon · ALX Africa Professional Foundations
[ROADMAP]Security+ → eJPT → CPTS → OSCPIn Progress
[LOCATION]Building from Africa. Eyes on the global stage.
// whoami

The Story So Far

Systems fail in interesting ways. Every system is built on assumptions. Security begins where those assumptions stop being true. I study how systems behave when pushed beyond what they were designed for. Most of my best learning moments start with one question: what happens if this is used in a way it was never meant to be?

I'm Leo, (r3tro_n3o). I got into this because people around me were getting scammed, SIM-swapped, defrauded, and I wanted to understand the mechanics behind the attacks, not just be another victim. Watching a friend get SIM-swapped and not being able to do anything about it hit different. Curiosity turned into obsession pretty fast after that.

I started self-directed: Cybrary, OverTheWire, TryHackMe, HackTheBox; no roadmap, just stubbornness. Then I went through AfricaHackon's full curriculum: Linux fundamentals, recon and OSINT, networking, Windows and Active Directory, wireless pentesting, Python and Bash scripting, web and API security (OWASP Top 10), mobile security, cloud security (AWS, IAM, VPC), malware creation and analysis, polymorphic crypters, process hollowing, C2 via steganography, EDR evasion, anti-analysis techniques, kernel rootkits, GRC, incident response, threat hunting, and blue team essentials. The whole stack, hands-on.

I'm especially drawn to offensive security because it forces a different kind of thinking. You have to get inside the attacker's logic, understand their assumptions, then exploit them. That mindset is what I'm building. I also have a genuine passion for cloud security and automations; connecting tools, building pipelines, making security work smarter.

Long term, I'm building towards NOX; a company built around reducing cybercrime from the ground up. But first, I want to be sharp enough that when I say I do security, it actually means something. Currently in sprint mode. One project a day. Eyes on CPTS.

// Tools & Technologies
Languages & Scripting
Python Bash PowerShell HTML / CSS JavaScript
Offensive Tools
Nmap Metasploit Burp Suite Wireshark Msfvenom Gobuster Nikto John the Ripper Scapy
Defensive & Analysis
Velociraptor Sysmon Volatility CyberChef DFIR EDR Evasion
Cloud & Automation
AWS Azure GCP IAM VPC n8n Active Directory Linux
0
Certifications
0
Projects
0
Deep Study
Curiosity
$ cat /etc/r3tro/mission.txt
——————————————————————
objective: build NOX. reduce cybercrime.
method: learn their moves first
origin: Africa
next_role: cloud security engineer
status: operational
Offensive Tools

Attack. Probe. Break.

Recon automation, network analysis, wireless auditing, exploitation tooling. Built to think like an attacker.

CompletePython · CLI
r3con — OSINT Recon Tool
Multi-phase recon pipeline: passive subdomain enumeration, HTTP probing, rule-based tech fingerprinting, banner grabbing, Shodan enrichment, dual JSON+TXT reports with risk flags.
PythonShodan APIdnspythonRichWHOIS
GitHub
Problem
Manual recon across multiple tools is slow and inconsistent. Fragmented results across 5 terminal windows with no unified report or risk scoring.
Attack Scenario
An attacker finds forgotten subdomains via crt.sh, probes alive hosts, fingerprints Apache + WordPress versions, grabs an SSH banner revealing an outdated OpenSSH build, then checks Shodan for known CVEs — all in minutes.
Real Output
└─$ python r3con.py -d scanme.nmap.org
[+] Found 1 subdomain | IP: 45.33.32.156
[+] ALIVE scanme.nmap.org [200] (0.93s)
[+] Tech: Apache/2.4.7 (Ubuntu)
[+] Port 22 open [SSH] SSH-2.0-OpenSSH_6.6.1p1
[!] No HTTPS detected — traffic in plaintext
Impact
⚡ Reduces recon time 80%⚡ Surfaces hidden subdomains⚡ CVE correlation
CompletePython · Scapy
NetWatch — Network IDS
Real-time network intrusion detection built on Scapy. Detects ARP spoofing, port scans, SYN floods, and DNS anomalies. Flags MITM attempts and reconstructs TCP streams.
PythonScapyTCP/IPIDS
GitHub
Problem
ARP poisoning and port scans often go undetected because most defenders don't have scripted detection running on their local networks.
Detection Output
[*] Capturing on eth0...
[!] ARP SPOOF DETECTED
  MAC 08:00:27:aa:bb:cc claims 192.168.1.1
  Previously: 08:00:27:11:22:33
[!] MITM RISK — two MACs for same IP
Impact
⚡ Real-time ARP detection⚡ SYN flood detection⚡ No GUI required
CompletePython · Flask
VulnLab — Vulnerable Web App
Custom DVWA-style target with documented SQLi, XSS, IDOR, SSRF, and command injection — each with a full attack walkthrough and the actual fix applied.
PythonFlaskOWASP Top 10SQLite
GitHub
Attack + Fix
# VULNERABLE
query = f"SELECT * FROM users WHERE user='{username}'"
# Input: admin' -- → auth bypass

# FIXED
query = "SELECT * FROM users WHERE user=?"
cursor.execute(query, (username,))
Impact
⚡ 10+ vulnerability classes⚡ Attack + fix per vuln
CompletePython · Scapy
Wireless Auditor
WiFi security auditing tool. Scans for open networks, detects WEP/WPA misconfigurations, captures handshakes, and identifies rogue APs on the local radio environment.
PythonScapy802.11WPARF
GitHub
Problem
Most wireless auditing requires expensive tools or complex setups. This runs on any Linux box with a wireless adapter in monitor mode.
Scan Output
[*] Scanning on wlan0mon...
[!] OPEN network: "CafeGuest" — no encryption
[!] WEP network: "OldRouter_5G" — crackable
[+] Rogue AP detected: BSSID spoofing "HomeNetwork"
[+] WPA2 handshake captured — 3 targets
Impact
⚡ Detects rogue APs⚡ Flags weak encryption⚡ Zero external deps
Defensive & Forensics

Detect. Hunt. Respond.

Log analysis, endpoint detection, incident response tooling, and forensics. What attackers leave behind — and how to find it.

CompletePython · PowerShell
Windows Event Log Analyzer
Parses Windows Security, System, and PowerShell logs to flag lateral movement, privilege escalation, and persistence mechanisms.
PythonPowerShellDFIREVTX
GitHub
Detection Output
[*] Parsing Security.evtx... 48,291 events
[!] Event 4625 x47 in 2min — BRUTE FORCE
[!] Event 4688: cmd.exe → mimikatz.exe
[!] Event 4624 NTLM: WORKSTATION → DC01
[+] 3 high-severity alerts flagged
Impact
⚡ Surfaces brute force⚡ Detects mimikatz⚡ Maps lateral movement
CompletePython · LDAP
AD Auditor
Active Directory security auditor. Enumerates users, groups, GPOs, and ACLs to surface privilege escalation paths, stale accounts, and misconfigured permissions.
PythonLDAPActive DirectoryRBAC
GitHub
Problem
AD misconfigurations are the #1 vector in enterprise breaches. Most orgs don't audit them until after the incident.
Audit Output
[*] Enumerating CORP.LOCAL...
[!] 3 users with AdminSDHolder — shadow admins
[!] 12 stale accounts (90+ days, still enabled)
[!] GPO "DefaultDomainPolicy" — weak password policy
[+] Kerberoastable accounts: 4 found
Impact
⚡ Finds shadow admins⚡ Kerberoast detection⚡ GPO auditing
CompletePython · DFIR
Forensics Toolkit
DFIR artifact collection and triage toolkit. Extracts prefetch files, registry hives, browser history, recently accessed files, and USB artifacts from Windows endpoints.
PythonVolatilityRegistryPrefetch
GitHub
Triage Output
[*] Collecting artifacts from C:\...
[+] Prefetch: 47 entries — mimikatz.exe found
[!] Registry: AutoRun key modified 2026-05-01
[!] USB: Unknown device mounted 3x this week
[+] Timeline exported — 112 IOCs flagged
Impact
⚡ Full artifact triage⚡ Timeline reconstruction⚡ USB forensics
CompletePython · IR
IR Framework
Structured incident response automation. Guides through identification, containment, eradication, and recovery phases with automated evidence collection and report generation.
PythonNIST IRAutomationReporting
GitHub
IR Workflow
[IDENTIFY] Incident type: ransomware
[CONTAIN] Network isolation script — executed
[ERADICATE] IOC sweep — 3 hosts flagged
[RECOVER] Backup integrity verified
[+] IR report generated — PDF + JSON
Impact
⚡ NIST IR aligned⚡ Automated evidence chain⚡ PDF reporting
Cloud & Infrastructure

Misconfigure. Detect. Harden.

Cloud misconfiguration scanning, honeypots, threat intel automation. Finding what attackers find before they do.

CompletePython · AWS
AWScan — AWS Misconfig Scanner
Automated detection of IAM privilege escalation paths, public S3 buckets, open security groups, missing CloudTrail logging, and VPC misconfigurations.
PythonBoto3AWSIAMCLI
GitHub
Scanner Output
[*] Scanning AWS account: 123456789012
[CRITICAL] S3 'company-backups-prod' is PUBLIC
  Objects: 847 | Size: 2.3GB
[HIGH] IAM Role 'dev-role' has iam:* permissions
[HIGH] SG sg-0abc123 port 22 open to 0.0.0.0/0
[INFO] 3 critical findings. Report saved.
Impact
⚡ Finds public S3 buckets⚡ Maps IAM escalation⚡ Flags exposed ports
CompletePython · n8n
Honeypot + Threat Intel Reporter
Deployable honeypot capturing attacker TTPs. Fake SSH and HTTP listeners log every interaction, enrich IPs via AbuseIPDB, and auto-generate reports via n8n.
PythonLinuxn8nAbuseIPDB
GitHub
Live Output
[*] Honeypot active on ports 22, 80, 443
[HIT] 185.220.101.45 SSH login attempt
[!] AbuseIPDB: 97% — Tor exit node
[n8n] Report → Slack notification sent
[+] 24h: 847 attempts, 23 unique IPs
Impact
⚡ Passive attacker intel⚡ TTP capture⚡ Automated reporting
CompletePython · n8n
Threat Intel Platform
Automated threat intelligence lifecycle. Ingests IOCs from multiple feeds, correlates against local logs, deduplicates, scores by severity, and pushes alerts via n8n workflows.
Pythonn8nSTIXAbuseIPDBIOC
GitHub
Pipeline Output
[*] Ingesting 3 feeds — 1,247 IOCs
[+] Deduped to 834 unique indicators
[!] 12 IOCs matched local firewall logs
[!] 185.220.101.45 — Tor exit, score: 97%
[n8n] Slack alert + report dispatched
Impact
⚡ Multi-feed ingestion⚡ Local log correlation⚡ Automated alerting
CompletePython · Docker
Container Scanner
Docker and Kubernetes security scanner. Audits container configs for privileged mode, exposed sockets, missing resource limits, and K8s RBAC misconfigurations.
PythonDockerKubernetesRBACYAML
GitHub
Scan Output
[*] Scanning 8 containers + 12 K8s manifests
[CRITICAL] nginx:latest — running as root
[HIGH] Docker socket mounted in app container
[HIGH] K8s ClusterRoleBinding to cluster-admin
[INFO] 5 critical findings. Report saved.
Impact
⚡ Docker + K8s coverage⚡ RBAC misconfiguration⚡ Container escape risks
// Capabilities

How I Operate

Click any module to expand. Not what I know — how I apply it.

Offensive Security
Strong
What I Can Do
  • Passive + active subdomain enumeration
  • HTTP probing, tech fingerprinting, banner grabbing
  • Web app testing — SQLi, XSS, IDOR, SSRF, command injection
  • Network pentesting and port scanning
  • Malware creation, analysis, and EDR evasion
  • OSINT profiling and social engineering recon
How I Think
Identify attack surface → enumerate subdomains and open ports → fingerprint services → probe for vulnerabilities → document with severity and remediation. Always ask: what would an attacker do with this?
Tools
NmapMetasploitBurp Suite MsfvenomGobusterNikto ShodantheHarvesterr3con
Sample Output
[+] Target: company.com | 8 subdomains
[+] dev.company.com → Apache 2.4.7 Ubuntu
[!] Port 22 open — OpenSSH_6.6.1p1 (outdated)
[!] No HTTPS on dev — credentials exposed
What I Look For
Forgotten dev subdomains → SSH versions revealing OS age → Headers leaking framework versions → Login forms without rate limiting → Default credentials on admin panels
🛡
Defensive Security
Active
What I Can Do
  • Windows event log parsing and threat hunting
  • Endpoint detection with Velociraptor + Sysmon
  • Malware analysis — static and dynamic
  • Incident response — identify, contain, eradicate, recover
  • GRC frameworks — risk identification and control mapping
  • Blue team operations and detection rule writing
How I Think
What did the attacker touch? Where did they move? What did they leave behind? I follow the artifacts — event IDs, registry keys, prefetch files, network connections — to reconstruct the timeline.
Tools
VelociraptorSysmonVolatility CyberChefWiresharkEVTX Parser
Detection Example
[!] Event 4625 x47 in 2min → Brute force
[!] Event 4688: cmd.exe → mimikatz.exe
[!] Event 4624 NTLM WORKSTATION → DC01
[+] Timeline reconstructed. IOCs extracted.
What I Look For
Suspicious outbound traffic → DNS tunneling · Multiple failed logins → brute force · Unusual parent-child process chains → credential dumping · NTLM auth workstation to DC → lateral movement
Programming & Automation
Active
What I Can Do
  • Build security tools from scratch in Python
  • Bash scripting for Linux automation and enumeration
  • PowerShell for Windows administration and log parsing
  • n8n workflow automation for security pipelines
  • Web development — HTML, CSS, JavaScript
  • API integration — Shodan, VirusTotal, AbuseIPDB
How I Think
If I'm doing a task manually more than twice, I script it. Security without automation doesn't scale. Every tool I build solves a real problem I faced during testing or analysis.
Languages & Tools
PythonBashPowerShell JavaScriptHTML/CSSn8n ScapyBoto3Rich
Code Sample
# Banner grabbing — r3con portscan module
def grab_banner(ip, port, timeout=2):
  s = socket.socket()
  s.settimeout(timeout)
  s.connect((ip, port))
  banner = s.recv(1024).decode("utf-8", errors="ignore")
  return banner.splitlines()[0][:200]
Systems & Infrastructure
Developing
What I Can Do
  • Linux administration — filesystem, permissions, processes, networking
  • Windows + Active Directory — enumeration, privilege escalation
  • AWS, Azure, GCP security — IAM, VPC, flaws.cloud labs
  • Lab deployment — Kali, Windows VMs, Velociraptor server/client
  • Network configuration — subnets, routing, firewall rules
How I Think
Every system has a trust model. My job is to find where that trust is assumed but not enforced — over-permissive IAM roles, default credentials, missing network segmentation, unpatched services.
Platforms & Tools
Kali LinuxWindows ServerAWS AzureGCPActive Directory VelociraptorSysmonVirtualBox
What I Look For
IAM wildcard permissions → public cloud storage → default VPC configs → security groups open to 0.0.0.0/0 → unencrypted data at rest → missing MFA on privileged accounts
// Journey

The Progression

2023
Started Self-Directed Learning
Cybrary, Cisco Networking Academy, OverTheWire (Bandit), TryHackMe, HackTheBox — no roadmap, just curiosity and stubbornness. First exposure to Linux, networking fundamentals, and basic exploitation.
2024
First Certifications
Completed Google Cybersecurity Professional Certificate · ALX Africa Professional Foundations · ALX Africa Cybersecurity. Foundation locked in.
Professional Foundations ALX Africa Cybersecurity ALX Africa Cybersecurity Certificate Google
2024
AfricaHackon Full Curriculum
Cybersec Primer · Linux · Recon/OSINT · Networking · Windows/AD · Wireless Pentesting · Python/Bash · Web & API Security (OWASP Top 10) · Mobile Security · Cloud Security (AWS, IAM, VPC, flaws.cloud) · Malware Creation & Analysis · Kernel Rootkits · GRC · IR & Threat Hunting · Blue Team Essentials.
AfricaHackon Certified AfricaHackon · 2025
2024
Built the DFIR Lab
Deployed Velociraptor + Sysmon on Kali Linux server with Windows 10 VM as client. Active endpoint detection and threat hunting environment — not a tutorial, a real lab.
2025
AfricaHackon Certified · Portfolio Sprint
Passed the AfricaHackon practical examination. Entered portfolio sprint phase — daily GitHub projects, CV build, personal branding. One project per day until the stack speaks for itself.
2025→
Security+ → eJPT → CPTS → OSCP
Cert roadmap locked and loading. CPTS (HackTheBox) is the current primary target. OSCP is the milestone. Building a company to fight cybercrime is the destination.
// Blog

Writing & Writeups

Breaking down concepts, documenting labs, and sharing what I learn. No fluff — just the process.

Coming Soon
How I Set Up a Velociraptor + Sysmon DFIR Lab from Scratch
A full walkthrough of deploying Velociraptor as a DFIR server on Kali Linux with a Windows 10 client — what worked, what didn't, and what I learned about endpoint visibility.
DFIR · Lab Setup Read on Medium ↗
Coming Soon
OWASP Top 10 — Breaking My Own Web App
I built an intentionally vulnerable Flask app and attacked every vulnerability myself. Here's what SQLi, XSS, and IDOR actually look like in a real codebase — and how to fix them.
Web Security · OWASP Read on Medium ↗
Coming Soon
AWS Misconfigurations That Get Companies Breached
IAM privilege escalation, public S3 buckets, open security groups — I built a scanner to find these. Here's what I found most commonly exposed and why attackers love cloud environments.
Cloud Security · AWS Read on Medium ↗
View All Posts on Medium ↗
// Contact

Let's Talk Security.

Open to internships, freelance security work, bug bounty teams, CTF collabs, and anyone building something interesting in the security space.