I'm Gabriel — penetration tester & secure developer, focused on modern web applications: GraphQL/Hasura, Firebase, REST APIs with JWT, multi-tenant SaaS, Supabase. I find vulnerabilities and help fix them with code that makes sense.
🌐 Portfolio — gabrielsec.com 💼 LinkedIn — linkedin.com/in/gabrielsec
I also run AtendIA Tec, where I build custom systems that show the defensive side of what I learned attacking — voice AI platforms, CRM automation, multi-tenant SaaS. Engagement model is 100% custom-fit: from startups with tight budgets to companies needing monthly audits, every project is shaped around your real budget and risk profile.
| Service | What it includes |
|---|---|
| 🎯 Penetration Testing | Web/API/GraphQL/Firebase audits · OWASP TG v4.2 + PTES · dual reporting (executive + technical with reproducible PoC, CVSS, CWE/OWASP/LGPD mapping) · timeline-based remediation plan · post-fix retest included |
| 🐛 Private Bug Bounty | Pay-per-vulnerability mode · severity floor + payout defined in contract · ideal for companies preferring predictable cost-per-confirmed-finding |
| 🛡️ Secure Development | TypeScript (Fastify, Next.js) · row-level tenant isolation · JWT done right · proper secrets handling · security headers · rate limiting · every line goes through the lens of someone who finds vulnerabilities every day |
| 📋 Compliance Audits | LGPD (Art. 46/48), GDPR (Art. 32/33), PCI-DSS · findings mapped to legal articles · documentation reviewable by legal teams |
| 🤖 Custom AI Systems | Voice AI (WhatsApp + phone via Jambonz/Pipecat) · CRM automations · multi-tenant platforms · GoHighLevel/Clinicorp integrations |
Sanitized real-world findings — methodology, payloads, CVSS, remediation. All vulnerabilities were remediated by the clients before publication.
🔗 github.com/atendiatec/pentest-samples
| Case | Pattern | Severity |
|---|---|---|
| Hasura GraphQL Multi-Tenant | Cross-tenant IDOR via auto-CRUD + reflective CORS | 6 critical · 8 high |
| Firebase Authentication Bypass | Custom claims without server-side validation | 2 critical · 2 high |
| WhatsApp BaaS Platform | Supabase RPC without auth.uid() (zero-auth → admin) | 7 critical · 7 high |
| REST API Auth Flaws | JWT HS256 weak secret + mass assignment + SQLi | 3 critical · 3 high |
| SaaS B2B Delivery | Account takeover + 4-digit recovery brute force | 3 critical · 6 high |
| Anti-Bot Bypass Research | Public bug bounty (YesWeHack) — 8-approach benchmark | Research |
| Phase | Deliverable |
|---|---|
| 01 — Scope | Free first call (~30min). Map technical priority vs. real budget. Scope written + signed authorization before any test. |
| 02 — Recon | Subdomain enum, JS bundle parsing, endpoint discovery, stack fingerprinting, auth-flow mapping |
| 03 — Exploit & verify | Reproducible PoC for every finding. No "automated scanner output" disguised as pentest. Chain testing where applicable. |
| 04 — Report & retest | Executive (business language) + technical (PoC, CVSS, CWE/OWASP/LGPD). Timeline-based remediation. Post-fix retest included. |
Production-ready building blocks I extracted from client work.
| Repository | What it does |
|---|---|
| fastify-multi-tenant-starter | Multi-tenant backend — Fastify 5 + Drizzle ORM + JWT + row-level isolation |
| whatsapp-meta-webhook-template | Meta WhatsApp Cloud API webhook — Fastify + TypeScript + HMAC-SHA256 validation |
| bullmq-job-patterns | BullMQ production patterns — retry/backoff, scheduled sweeps, webhook delivery, rate limiting |
| docker-traefik-ssl-template | Docker Compose + Traefik v3 + Let's Encrypt — security headers + rate limiting |
Custom-fit by design. No fixed packages.
- Fixed-scope — defined deliverables, set price, set timeline
- Pay-per-vulnerability — predictable cost-per-confirmed-finding (severity floor + payout in contract)
- Hourly — flexible scope, R$ 250-350/h
- Monthly retainer — continuous coverage for SaaS in fast iteration
- Hybrid — combine the above as the engagement evolves
Every first conversation is free. No commitment, no canned proposal — just a conversation to figure out whether it makes sense for both sides.
📫 Email — gabriel@atendiatec.com.br
🌐 Portfolio — gabrielsec.com
💼 LinkedIn — linkedin.com/in/gabrielsec
💬 WhatsApp — +1 (774) 225-1592
🔐 PGP — 8FF4 1FA4 4AAD A849 F152 F96B 90E1 D4E1 3C08 EFE0 (verify)
"Build it right. Then try to break it. Ship only what survives."