Offensive Security Researcher

Ayush Singh

hac · Cloud Red Team · Penetration Testing · Security Research

Security researcher and penetration tester specialising in cloud infrastructure attack and defence. Lab architect at Pwned Labs, published researcher, and CTF team lead with a Global Top 10 ranking.

Get in Touch GitHub

HTB CPTS

HTB CBBH

CompTIA Pentest+

eJPT

Pwned Labs · 2023–Present

About

Offensive security,
cloud-first mindset.

I'm Ayush Singh — known across the security community as hac or Hac10101. My work sits at the intersection of cloud infrastructure and offensive security, with a focus on identifying attack paths that defenders often overlook.

Since 2023 I've been a core researcher at Pwned Labs, where I architect realistic cyber ranges deployed to security professionals worldwide. I built PhantomWave — a fully red-team-level GCP lab — collaborated on Electra (AWS red team), and co-developed the GCRTP bootcamp curriculum.

Beyond lab work I conduct penetration tests for large enterprises, publish original cloud security research, and share hands-on technical content on YouTube for practitioners who want depth, not surface-level overviews.

Years at Pwned Labs

150+

HTB Machines Owned

200+

TryHackMe Rooms

Top 10

Global CTF 2024

Experience

Professional history.

2023 — Present

Pwned Labs

Security Researcher & Lab Architect

Core researcher responsible for designing and building enterprise-grade cyber ranges used by security professionals globally. Authored PhantomWave, a full red-team-level GCP lab covering IAM escalation, metadata abuse, and persistence. Collaborated on Electra, a comprehensive AWS red team range, and developed multiple standalone GCP and Kubernetes lab scenarios. Co-authored and delivered the GCRTP (Google Cloud Red Team Professional) bootcamp curriculum. Conducted advanced penetration tests for large enterprise clients across web, cloud, and infrastructure environments.

GCP Red TeamAWS Red TeamKubernetesLab ArchitectureGCRTP BootcampEnterprise Penetration TestingCloud Research

Contract

Antigua Recon

Penetration Tester

Conducted comprehensive penetration testing engagements identifying and documenting critical vulnerabilities across web applications, infrastructure, and cloud environments. Delivered detailed technical reports with remediation guidance and assisted clients through post-engagement hardening.

Web Application TestingReconnaissanceVulnerability AssessmentTechnical Reporting

Ongoing

Independent Research

Cloud Security Researcher

Publish original cloud security research and open-source offensive tooling via GitHub and the Pwned Labs blog. Created gcp-iam-brute (51 GitHub stars) for GCP IAM enumeration, an IAM policy visualiser, and open-source tools for the Pwned Labs organisation. Technical content published on YouTube under @Hac1337, covering cloud attack paths, penetration testing methodology, and HTB machine write-ups.

Cloud Security ResearchOpen Source ToolsPythonGCP IAMContent Creation

Platforms & CTF

Competitive record.

💀

ShadowBrokers

CTF Team Leader

Lead an elite CTF team that achieved a Global Top 10 ranking in 2024, competing against the world's best across web exploitation, cloud, cryptography, binary exploitation, and OSINT categories.

Top 10

Global Ranking · 2024

⬡

Hack The Box

@hac · User #485893

Rooted machines across all difficulty tiers — Easy through Insane — with a focus on Active Directory, cloud-native boxes, and enterprise-grade attack scenarios that mirror real environments.

Completed an extensive range of rooms spanning red team operations, cloud security, web exploitation, Active Directory attacks, and OSINT — from foundational concepts through advanced red team paths.

200+

Rooms Completed

View Profile

Content

YouTube Channel.

On @Hac1337 I publish technical cybersecurity content aimed at practitioners — security professionals who want depth, not introductory overviews.

Videos cover cloud red team techniques, GCP and AWS attack path walkthroughs, Hack The Box machine write-ups, penetration testing methodology, and deep-dives into offensive tooling. Every video is grounded in real-world scenarios and hands-on demonstrations.

Watch on YouTube

Cloud Attacks

GCP Red Team
AWS Exploitation
IAM Privilege Escalation

Infrastructure

Active Directory
Kubernetes Attacks
Network Pivoting

Web & Mobile

Web App Pentesting
HTB Write-ups
Vulnerability Analysis

Research & Tooling

Open Source Tools
Recon Automation
Research Breakdowns

Expertise

Technical specialisations.

Cloud Security

GCP Red Teaming
AWS Exploitation
IAM Privilege Escalation
Kubernetes Attack Paths
Cloud Misconfiguration Analysis
Lateral Movement & Persistence

Web Application Security

OWASP Top 10
Authentication & Authorisation Bypass
SQL Injection & XSS
SSRF & XXE
API Security Testing
Web Shell Deployment

Active Directory

Kerberoasting & AS-REP Roasting
Pass-the-Hash / Pass-the-Ticket
BloodHound Attack Path Analysis
GPO & ACL Abuse
Domain Privilege Escalation
AD Persistence Techniques

Mobile Application Security

Android Penetration Testing
APK Reverse Engineering
Frida Dynamic Instrumentation
Root Detection Bypass
MitM on Mobile Traffic
OWASP Mobile Top 10

Projects & Research

Selected work.

↗

Research · 001

GCP Cloud Build — Full Project Takeover

Original research demonstrating how to achieve complete GCP project ownership through Cloud Build privilege escalation. Documents a full end-to-end attack path from misconfiguration discovery to project-level access. Published on the Pwned Labs blog.

Security ResearchGCPCloud BuildPrivilege Escalation

↗

Tool · 002

gcp-iam-brute

GCP IAM permission enumeration tool that systematically identifies what permissions a given identity actually holds across GCP resources — a critical first step in any cloud assessment.

PythonGCPIAM Enumeration

↗

Tool · 003

Automated Cloud Misconfiguration Testing

An automated assessment tool built for Pwned Labs that identifies common cloud misconfigurations across environments, significantly reducing manual effort during the initial phase of a cloud penetration test.

PythonAWSGCPAutomation

↗

Tool · 004

Google Workspace Enumerator

Automated Google Workspace enumeration tool developed for Pwned Labs. Maps users, groups, permissions, and exposed resources across a GWS tenant — streamlining reconnaissance during cloud-native red team engagements.

PythonGoogle WorkspaceEnumeration

Lab · 005

PhantomWave

A full red-team-level GCP cyber range built for Pwned Labs, simulating realistic attack paths across IAM privilege escalation, metadata server abuse, service account compromise, and persistent access techniques.

GCPRed Team LabTerraformPwned Labs

Lab · 006

Electra

AWS red team cyber range developed in collaboration with the Pwned Labs team. Covers cross-account attacks, S3 exploitation, IAM escalation, and credential abuse in a fully realistic AWS environment.

AWSRed Team LabIAMCollaboration

↗

Tool · 007

IAM Policy Visualiser

Generates flowchart-style visuals of GCP and AWS IAM policies, making complex permission structures immediately legible during assessments and red team planning sessions.

PythonIAMVisualisation

↗

Tool · 008

Astra-Bot

A Discord bot enabling recon tools — including Nmap and Amass — to be run directly from a Discord server. Useful for coordinating distributed team reconnaissance during CTFs and assessments. 27 GitHub stars.

PythonDiscordNmapAmass

Labs · 009

GCP & Kubernetes Labs

A collection of standalone offensive labs for Pwned Labs covering Kubernetes cluster exploitation, container escapes, metadata server abuse, GCP service misconfigurations, and cloud-native lateral movement techniques.

GCPKubernetesContainer SecurityPwned Labs

Contact

Let's connect.

Available for penetration testing engagements, cloud security assessments, research collaborations, and speaking opportunities. Reach out on LinkedIn or any of the platforms listed.

profile.json

// whois ayush singh
❯ cat profile.json

{
  "name": "Ayush Singh",
  "alias": "hac / Hac10101",
  "role": "Offensive Security Researcher",
  "employer": "Pwned Labs · 2023–Present",
  "team": "ShadowBrokers · Global Top 10 (2024)",
  "certifications": ["CPTS", "CBBH", "Pentest+", "eJPT"],
  "htb_machines": 150,
  "thm_rooms": 200,
  "availability": "Engagements & Collaborations"
}

❯