Offensive Security Researcher

Ayush Singh

hac  ·  Cloud Red Team  ·  Penetration Testing  ·  Security Research

Security researcher and penetration tester specialising in cloud infrastructure attack and defence. Lab architect at Pwned Labs, published researcher, and CTF team lead with a Global Top 10 ranking.

HTB CPTS
HTB CBBH
CompTIA Pentest+
eJPT
Pwned Labs · 2023–Present
About

Offensive security,
cloud-first mindset.

I'm Ayush Singh — known across the security community as hac or Hac10101. My work sits at the intersection of cloud infrastructure and offensive security, with a focus on identifying attack paths that defenders often overlook.

Since 2023 I've been a core researcher at Pwned Labs, where I architect realistic cyber ranges deployed to security professionals worldwide. I built PhantomWave — a fully red-team-level GCP lab — collaborated on Electra (AWS red team), and co-developed the GCRTP bootcamp curriculum.

Beyond lab work I conduct penetration tests for large enterprises, publish original cloud security research, and share hands-on technical content on YouTube for practitioners who want depth, not surface-level overviews.

2+
Years at Pwned Labs
150+
HTB Machines Owned
200+
TryHackMe Rooms
Top 10
Global CTF 2024
Experience

Professional history.

2023 — Present
Pwned Labs
Security Researcher & Lab Architect

Core researcher responsible for designing and building enterprise-grade cyber ranges used by security professionals globally. Authored PhantomWave, a full red-team-level GCP lab covering IAM escalation, metadata abuse, and persistence. Collaborated on Electra, a comprehensive AWS red team range, and developed multiple standalone GCP and Kubernetes lab scenarios. Co-authored and delivered the GCRTP (Google Cloud Red Team Professional) bootcamp curriculum. Conducted advanced penetration tests for large enterprise clients across web, cloud, and infrastructure environments.

GCP Red Team · AWS Red Team · Kubernetes · Lab Architecture · GCRTP Bootcamp · Enterprise Penetration Testing · Cloud Research
Contract
Antigua Recon
Penetration Tester

Conducted comprehensive penetration testing engagements identifying and documenting critical vulnerabilities across web applications, infrastructure, and cloud environments. Delivered detailed technical reports with remediation guidance and assisted clients through post-engagement hardening.

Web Application Testing · Reconnaissance · Vulnerability Assessment · Technical Reporting
Ongoing
Independent Research
Cloud Security Researcher

Publish original cloud security research and open-source offensive tooling via GitHub and the Pwned Labs blog. Created gcp-iam-brute (51 GitHub stars) for GCP IAM enumeration, an IAM policy visualiser, and open-source tools for the Pwned Labs organisation. Technical content published on YouTube under @Hac1337, covering cloud attack paths, penetration testing methodology, and HTB machine write-ups.

Cloud Security Research · Open Source Tools · Python · GCP IAM · Content Creation
Platforms & CTF

Competitive record.

💀
ShadowBrokers
CTF Team Leader

Lead an elite CTF team that achieved a Global Top 10 ranking in 2024, competing against the world's best across web exploitation, cloud, cryptography, binary exploitation, and OSINT categories.

Top 10
Global Ranking · 2024
Hack The Box
@hac · User #485893

Rooted machines across all difficulty tiers — Easy through Insane — with a focus on Active Directory, cloud-native boxes, and enterprise-grade attack scenarios that mirror real environments.

150+
Machines Owned
🚩
TryHackMe
@Ayushsingh

Completed an extensive range of rooms spanning red team operations, cloud security, web exploitation, Active Directory attacks, and OSINT — from foundational concepts through advanced red team paths.

200+
Rooms Completed
Content

YouTube Channel.

On @Hac1337 I publish technical cybersecurity content aimed at practitioners — security professionals who want depth, not introductory overviews.

Videos cover cloud red team techniques, GCP and AWS attack path walkthroughs, Hack The Box machine write-ups, penetration testing methodology, and deep-dives into offensive tooling. Every video is grounded in real-world scenarios and hands-on demonstrations.

Cloud Attacks
GCP Red Team
AWS Exploitation
IAM Privilege Escalation
Infrastructure
Active Directory
Kubernetes Attacks
Network Pivoting
Web & Mobile
Web App Pentesting
HTB Write-ups
Vulnerability Analysis
Research & Tooling
Open Source Tools
Recon Automation
Research Breakdowns
Expertise

Technical specialisations.

Cloud Security
  • GCP Red Teaming
  • AWS Exploitation
  • IAM Privilege Escalation
  • Kubernetes Attack Paths
  • Cloud Misconfiguration Analysis
  • Lateral Movement & Persistence
Web Application Security
  • OWASP Top 10
  • Authentication & Authorisation Bypass
  • SQL Injection & XSS
  • SSRF & XXE
  • API Security Testing
  • Web Shell Deployment
Active Directory
  • Kerberoasting & AS-REP Roasting
  • Pass-the-Hash / Pass-the-Ticket
  • BloodHound Attack Path Analysis
  • GPO & ACL Abuse
  • Domain Privilege Escalation
  • AD Persistence Techniques
Mobile Application Security
  • Android Penetration Testing
  • APK Reverse Engineering
  • Frida Dynamic Instrumentation
  • Root Detection Bypass
  • MitM on Mobile Traffic
  • OWASP Mobile Top 10
Projects & Research

Selected work.

Research · 001
GCP Cloud Build — Full Project Takeover

Original research demonstrating how to achieve complete GCP project ownership through Cloud Build privilege escalation. Documents a full end-to-end attack path from misconfiguration discovery to project-level access. Published on the Pwned Labs blog.

Security Research · GCP · Cloud Build · Privilege Escalation
Tool · 002
gcp-iam-brute

GCP IAM permission enumeration tool that systematically identifies what permissions a given identity actually holds across GCP resources — a critical first step in any cloud assessment.

Python · GCP · IAM Enumeration
Tool · 003
Automated Cloud Misconfiguration Testing

An automated assessment tool built for Pwned Labs that identifies common cloud misconfigurations across environments, significantly reducing manual effort during the initial phase of a cloud penetration test.

Python · AWS · GCP · Automation
Tool · 004
Google Workspace Enumerator

Automated Google Workspace enumeration tool developed for Pwned Labs. Maps users, groups, permissions, and exposed resources across a GWS tenant — streamlining reconnaissance during cloud-native red team engagements.

Python · Google Workspace · Enumeration
Lab · 005
PhantomWave

A full red-team-level GCP cyber range built for Pwned Labs, simulating realistic attack paths across IAM privilege escalation, metadata server abuse, service account compromise, and persistent access techniques.

GCP · Red Team Lab · Terraform · Pwned Labs
Lab · 006
Electra

AWS red team cyber range developed in collaboration with the Pwned Labs team. Covers cross-account attacks, S3 exploitation, IAM escalation, and credential abuse in a fully realistic AWS environment.

AWS · Red Team Lab · IAM · Collaboration
Tool · 007
IAM Policy Visualiser

Generates flowchart-style visuals of GCP and AWS IAM policies, making complex permission structures immediately legible during assessments and red team planning sessions.

Python · IAM · Visualisation
Tool · 008
Astra-Bot

A Discord bot enabling recon tools — including Nmap and Amass — to be run directly from a Discord server. Useful for coordinating distributed team reconnaissance during CTFs and assessments. 27 GitHub stars.

Python · Discord · Nmap · Amass
Labs · 009
GCP & Kubernetes Labs

A collection of standalone offensive labs for Pwned Labs covering Kubernetes cluster exploitation, container escapes, metadata server abuse, GCP service misconfigurations, and cloud-native lateral movement techniques.

GCP · Kubernetes · Container Security · Pwned Labs
Contact

Let's connect.

Available for penetration testing engagements, cloud security assessments, research collaborations, and speaking opportunities. Reach out on LinkedIn or any of the platforms listed.

profile.json
// whois ayush singh
cat profile.json

{
  "name": "Ayush Singh",
  "alias": "hac / Hac10101",
  "role": "Offensive Security Researcher",
  "employer": "Pwned Labs · 2023–Present",
  "team": "ShadowBrokers · Global Top 10 (2024)",
  "certifications": ["CPTS", "CBBH", "Pentest+", "eJPT"],
  "htb_machines": 150,
  "thm_rooms": 200,
  "availability": "Engagements & Collaborations"
}