About Projects Skills Journey Blog Contact
// Offensive Security in Progress

Leo
Mugambi aka r3tro_n3o

Cybersecurity practitioner building from Africa. Penetration testing, DFIR, malware analysis, recon automation — hands-on, not just theory.

$ identify --role
Cybersecurity Practitioner Penetration Tester Threat Hunter Security Researcher Malware Analyst DFIR Specialist Red Team Enthusiast Security Consultant CTF Player Ethical Hacker
View Projects Get In Touch
r3tro_n3o — zsh
┌──(r3tro_n3o㉿kali)-[~]
└─$
// Live Ops Status

Current Loadout

SYSTEM STATUS — ONLINE
[STUDYING]CPTS — HackTheBox Certified Penetration Testing SpecialistActive
[TOOLS]Nmap · Metasploit · Burp Suite · Wireshark · Msfvenom · Velociraptor · Sysmon
[LAB]Velociraptor + Sysmon DFIR Lab — Kali server / Windows 10 clientRunning
[FOCUS]Offensive Security · Threat Hunting · Red Team Ops · Malware Analysis
[CERTS]Google Cybersecurity · AfricaHackon · ALX Africa Professional Foundations
[ROADMAP]Security+ → eJPT → CPTS → OSCPIn Progress
[LOCATION]Building from Africa. Eyes on the global stage.
// whoami

The Story So Far

Systems fail in interesting ways. Every system is built on assumptions. Security begins where those assumptions stop being true. I study how systems behave when pushed beyond what they were designed for. Most of my best learning moments start with one question: what happens if this is used in a way it was never meant to be?

I'm Leo, (r3tro_n3o). I got into this because people around me were getting scammed, SIM-swapped, defrauded, and I wanted to understand the mechanics behind the attacks, not just be another victim. Watching a friend get SIM-swapped and not being able to do anything about it hit different. Curiosity turned into obsession pretty fast after that.

I started self-directed: Cybrary, OverTheWire, TryHackMe, HackTheBox; no roadmap, just stubbornness. Then I went through AfricaHackon's full curriculum: Linux fundamentals, recon and OSINT, networking, Windows and Active Directory, wireless pentesting, Python and Bash scripting, web and API security (OWASP Top 10), mobile security, cloud security (AWS, IAM, VPC), malware creation and analysis, polymorphic crypters, process hollowing, C2 via steganography, EDR evasion, anti-analysis techniques, kernel rootkits, GRC, incident response, threat hunting, and blue team essentials. The whole stack, hands-on.

I'm especially drawn to offensive security because it forces a different kind of thinking. You have to get inside the attacker's logic, understand their assumptions, then exploit them. That mindset is what I'm building. I also have a genuine passion for cloud security and automations; connecting tools, building pipelines, making security work smarter.

Long term, I'm building towards Secure Core; a company built around reducing cybercrime from the ground up. But first, I want to be sharp enough that when I say I do security, it actually means something. Currently in sprint mode. One project a day. Eyes on CPTS.

// Tools & Technologies
Languages & Scripting
🐍 Python 🐚 Bash ⚡ PowerShell 🌐 HTML / CSS 🟨 JavaScript
Offensive Tools
⚡ Nmap 🎯 Metasploit 🔥 Burp Suite 🦈 Wireshark 💣 Msfvenom 🔍 Gobuster 🕷 Nikto 🗝 John the Ripper 📡 Scapy
Defensive & Analysis
🛡 Velociraptor 👁 Sysmon 🔬 Volatility 🧪 CyberChef 🔎 DFIR 🚨 EDR Evasion
Cloud & Automation
☁ AWS 🔷 Azure 🌐 GCP 🔐 IAM 🌐 VPC ⚙ n8n 🖥 Active Directory 🐧 Linux
0
Certifications
0
Projects
0
Deep Study
Curiosity
$ cat /etc/r3tro/mission.txt
——————————————————————
objective: build Secure Core. reduce cybercrime.
method: learn their moves first
origin: Africa
next_role: cloud security engineer
status: operational
Phase 01 — Recon & Intelligence

Mapping the Attack Surface

Passive enumeration, active probing, traffic analysis. Understanding the target before anything else.

Complete Python · CLI
r3con — OSINT Recon Tool
Multi-phase recon pipeline: passive subdomain enumeration, HTTP probing, rule-based tech fingerprinting, banner grabbing, Shodan enrichment, dual JSON+TXT reports with risk flags.
PythonShodan APIdnspythonRichWHOIS
GitHub
Problem
Manual recon across multiple tools is slow and inconsistent. Fragmented results across 5 terminal windows with no unified report or risk scoring.
Attack Scenario
An attacker finds forgotten subdomains via crt.sh, probes alive hosts, fingerprints Apache + WordPress versions, grabs an SSH banner revealing an outdated OpenSSH build, then checks Shodan for known CVEs — all in minutes.
Real Output
└─$ python r3con.py -d scanme.nmap.org
[+] Found 1 subdomain | IP: 45.33.32.156
[+] ALIVE scanme.nmap.org [200] (0.93s)
[+] Tech: Apache/2.4.7 (Ubuntu)
[+] Port 22 open [SSH] SSH-2.0-OpenSSH_6.6.1p1
[!] No HTTPS detected — traffic in plaintext
Impact
⚡ Reduces recon time 80% ⚡ Surfaces hidden subdomains ⚡ CVE correlation
Active Python · Scapy
Network Traffic Analyzer
Packet capture and analysis built on Scapy. Detects ARP spoofing, flags anomalies, reconstructs TCP streams, generates traffic reports.
PythonScapyTCP/IPWireshark
GitHub
Problem
ARP poisoning and port scans often go undetected because most defenders don't have scripted detection running on their local networks.
Detection Output
[*] Capturing on eth0...
[!] ARP SPOOF DETECTED
  MAC 08:00:27:aa:bb:cc claims 192.168.1.1
  Previously: 08:00:27:11:22:33
[!] MITM RISK — two MACs for same IP
Impact
⚡ Real-time ARP detection ⚡ No GUI required
Phase 02 — Exploitation & Detection

Breaking Things Ethically

Building vulnerable environments to understand attacks. Parsing logs to detect what attackers leave behind.

In Progress Python · Flask
Intentionally Vulnerable Web App
Custom DVWA-style target with documented SQLi, XSS, IDOR, SSRF, and command injection — each with a full attack walkthrough and the actual fix applied.
PythonFlaskOWASP Top 10SQLite
GitHub
Attack + Fix
# VULNERABLE
query = f"SELECT * FROM users WHERE user='{username}'"
# Input: admin' -- → auth bypass

# FIXED
query = "SELECT * FROM users WHERE user=?"
cursor.execute(query, (username,))
Impact
⚡ 10+ vulnerability classes ⚡ Attack + fix per vuln
In Progress Python · PowerShell
Windows Event Log Analyzer
Parses Windows Security, System, and PowerShell logs to flag lateral movement, privilege escalation, and persistence mechanisms.
PythonPowerShellDFIREVTX
GitHub
Detection Output
[*] Parsing Security.evtx... 48,291 events
[!] Event 4625 x47 in 2min — BRUTE FORCE
[!] Event 4688: cmd.exe → mimikatz.exe
[!] Event 4624 NTLM: WORKSTATION → DC01
[+] 3 high-severity alerts flagged
Impact
⚡ Surfaces brute force ⚡ Detects mimikatz ⚡ Maps lateral movement
Phase 03 — Cloud & Automation

Operating at Scale

Finding what attackers find in the cloud. Deploying traps. Automating intelligence pipelines.

In Progress Python · AWS
AWS Misconfiguration Scanner
Automated detection of IAM privilege escalation paths, public S3 buckets, open security groups, and VPC misconfigurations.
PythonBoto3AWSIAMCLI
GitHub
Scanner Output
[*] Scanning AWS account: 123456789012
[CRITICAL] S3 'company-backups-prod' is PUBLIC
  Objects: 847 | Size: 2.3GB
[HIGH] IAM Role 'dev-role' has iam:* permissions
[HIGH] SG sg-0abc123 port 22 open to 0.0.0.0/0
[INFO] 3 critical findings. Report saved.
Impact
⚡ Finds public S3 buckets ⚡ Maps IAM escalation ⚡ Flags exposed ports
Planned Python · n8n
Honeypot + Threat Intel Reporter
Deployable honeypot capturing attacker TTPs, correlating IPs against threat intel feeds, auto-generating structured reports via n8n.
PythonLinuxn8nThreat Intel
GitHub
Expected Output
[*] Honeypot active on ports 22, 80, 443
[HIT] 185.220.101.45 SSH login attempt
[!] AbuseIPDB: 97% — Tor exit node
[n8n] Report → Slack notification sent
[+] 24h: 847 attempts, 23 unique IPs
Impact
⚡ Passive attacker intel ⚡ Automated reporting
// Capabilities

How I Operate

Click any module to expand. Not what I know — how I apply it.

Offensive Security
Strong
What I Can Do
  • Passive + active subdomain enumeration
  • HTTP probing, tech fingerprinting, banner grabbing
  • Web app testing — SQLi, XSS, IDOR, SSRF, command injection
  • Network pentesting and port scanning
  • Malware creation, analysis, and EDR evasion
  • OSINT profiling and social engineering recon
How I Think
Identify attack surface → enumerate subdomains and open ports → fingerprint services → probe for vulnerabilities → document with severity and remediation. Always ask: what would an attacker do with this?
Tools
NmapMetasploitBurp Suite MsfvenomGobusterNikto ShodantheHarvesterr3con
Sample Output
[+] Target: company.com | 8 subdomains
[+] dev.company.com → Apache 2.4.7 Ubuntu
[!] Port 22 open — OpenSSH_6.6.1p1 (outdated)
[!] No HTTPS on dev — credentials exposed
What I Look For
Forgotten dev subdomains → SSH versions revealing OS age → Headers leaking framework versions → Login forms without rate limiting → Default credentials on admin panels
🛡
Defensive Security
Active
What I Can Do
  • Windows event log parsing and threat hunting
  • Endpoint detection with Velociraptor + Sysmon
  • Malware analysis — static and dynamic
  • Incident response — identify, contain, eradicate, recover
  • GRC frameworks — risk identification and control mapping
  • Blue team operations and detection rule writing
How I Think
What did the attacker touch? Where did they move? What did they leave behind? I follow the artifacts — event IDs, registry keys, prefetch files, network connections — to reconstruct the timeline.
Tools
VelociraptorSysmonVolatility CyberChefWiresharkEVTX Parser
Detection Example
[!] Event 4625 x47 in 2min → Brute force
[!] Event 4688: cmd.exe → mimikatz.exe
[!] Event 4624 NTLM WORKSTATION → DC01
[+] Timeline reconstructed. IOCs extracted.
What I Look For
Suspicious outbound traffic → DNS tunneling · Multiple failed logins → brute force · Unusual parent-child process chains → credential dumping · NTLM auth workstation to DC → lateral movement
Programming & Automation
Active
What I Can Do
  • Build security tools from scratch in Python
  • Bash scripting for Linux automation and enumeration
  • PowerShell for Windows administration and log parsing
  • n8n workflow automation for security pipelines
  • Web development — HTML, CSS, JavaScript
  • API integration — Shodan, VirusTotal, AbuseIPDB
How I Think
If I'm doing a task manually more than twice, I script it. Security without automation doesn't scale. Every tool I build solves a real problem I faced during testing or analysis.
Languages & Tools
PythonBashPowerShell JavaScriptHTML/CSSn8n ScapyBoto3Rich
Code Sample
# Banner grabbing — r3con portscan module
def grab_banner(ip, port, timeout=2):
  s = socket.socket()
  s.settimeout(timeout)
  s.connect((ip, port))
  banner = s.recv(1024).decode("utf-8", errors="ignore")
  return banner.splitlines()[0][:200]
Systems & Infrastructure
Developing
What I Can Do
  • Linux administration — filesystem, permissions, processes, networking
  • Windows + Active Directory — enumeration, privilege escalation
  • AWS, Azure, GCP security — IAM, VPC, flaws.cloud labs
  • Lab deployment — Kali, Windows VMs, Velociraptor server/client
  • Network configuration — subnets, routing, firewall rules
How I Think
Every system has a trust model. My job is to find where that trust is assumed but not enforced — over-permissive IAM roles, default credentials, missing network segmentation, unpatched services.
Platforms & Tools
Kali LinuxWindows ServerAWS AzureGCPActive Directory VelociraptorSysmonVirtualBox
What I Look For
IAM wildcard permissions → public cloud storage → default VPC configs → security groups open to 0.0.0.0/0 → unencrypted data at rest → missing MFA on privileged accounts
// Journey

The Progression

2023
Started Self-Directed Learning
Cybrary, Cisco Networking Academy, OverTheWire (Bandit), TryHackMe, HackTheBox — no roadmap, just curiosity and stubbornness. First exposure to Linux, networking fundamentals, and basic exploitation.
2024
First Certifications
Completed Google Cybersecurity Professional Certificate · ALX Africa Professional Foundations · ALX Africa Cybersecurity. Foundation locked in.
🏆 Professional Foundations ALX Africa 🛡 Cybersecurity ALX Africa 🔐 Cybersecurity Certificate Google
2024
AfricaHackon Full Curriculum
Cybersec Primer · Linux · Recon/OSINT · Networking · Windows/AD · Wireless Pentesting · Python/Bash · Web & API Security (OWASP Top 10) · Mobile Security · Cloud Security (AWS, IAM, VPC, flaws.cloud) · Malware Creation & Analysis · Kernel Rootkits · GRC · IR & Threat Hunting · Blue Team Essentials.
AfricaHackon Certified AfricaHackon · 2025
2024
Built the DFIR Lab
Deployed Velociraptor + Sysmon on Kali Linux server with Windows 10 VM as client. Active endpoint detection and threat hunting environment — not a tutorial, a real lab.
2025
AfricaHackon Certified · Portfolio Sprint
Passed the AfricaHackon practical examination. Entered portfolio sprint phase — daily GitHub projects, CV build, personal branding. One project per day until the stack speaks for itself.
2025→
Security+ → eJPT → CPTS → OSCP
Cert roadmap locked and loading. CPTS (HackTheBox) is the current primary target. OSCP is the milestone. Building a company to fight cybercrime is the destination.
// Blog

Writing & Writeups

Breaking down concepts, documenting labs, and sharing what I learn. No fluff — just the process.

Coming Soon
How I Set Up a Velociraptor + Sysmon DFIR Lab from Scratch
A full walkthrough of deploying Velociraptor as a DFIR server on Kali Linux with a Windows 10 client — what worked, what didn't, and what I learned about endpoint visibility.
DFIR · Lab Setup Read on Medium ↗
Coming Soon
OWASP Top 10 — Breaking My Own Web App
I built an intentionally vulnerable Flask app and attacked every vulnerability myself. Here's what SQLi, XSS, and IDOR actually look like in a real codebase — and how to fix them.
Web Security · OWASP Read on Medium ↗
Coming Soon
AWS Misconfigurations That Get Companies Breached
IAM privilege escalation, public S3 buckets, open security groups — I built a scanner to find these. Here's what I found most commonly exposed and why attackers love cloud environments.
Cloud Security · AWS Read on Medium ↗
View All Posts on Medium ↗
// Contact

Let's Talk Security.

Open to internships, freelance security work, bug bounty teams, CTF collabs, and anyone building something interesting in the security space.