> SYS_INIT: AUTHORIZED
> USER: fabian@crespo
> ROLE: PRINCIPAL_PENETRATION_TESTER
> STATUS: ONLINE · AVAILABLE_FOR_ENGAGEMENTS

Fabian Crespo

Principal Penetration Tester — 4+ years of offensive security operations across network, application, AI/ML, and cloud assessments. Adversarial testing for healthcare, finance, and tech.

~270 Engagements
280+ Findings Produced
15 Certifications
// whoami

The operator. 自己 (self)

Hello—welcome to the portfolio. I started my penetration testing journey in the fall of 2021 with no prior hacking experience, aiming to break into the field within a year. After grinding offensive security labs and stacking certifications, I landed a role shortly after earning the OSCP.

I am now an offensive security professional with 4+ years of experience spanning network, application, AI/ML, and cloud penetration testing.

I conduct adversarial assessments against generative and predictive AI systems — including prompt injection, indirect prompt injection through agentic pipelines and RAG architectures, and model inference attacks — alongside traditional application and infrastructure engagements.

Outside of work, I train regularly at the gym and compete in combat sports — I hold a blue belt in Brazilian Jiu-Jitsu. When I’m not on the mats, I unwind with anime and video games. My most recent obsession is the Resident Evil series.

// Core Disciplines
AI/ML Pentesting, Prompt Injection, RAG & Agentic Attacks, Web Application, Cloud (AWS · Azure · GCP), Active Directory, Red Team Ops, Malware Dev Essentials
// ls -la ~/projects

Selected projects. 作品 (works)

// cat experience.json

Field operations. 経験 (experience)

Principal Penetration Tester
Clearwater Security
Oct 2022 — Present
  • Delivered ~270 penetration testing engagements across healthcare, finance, and technology sectors — spanning internal, external, assumed-breach, web application, AI/ML, and cloud assessments. Produced over 280 findings, accounting for 20% of all findings and 30% of all critical issues identified across the team’s portfolio.
  • Conducted AI/ML penetration tests against generative and predictive systems. Executed adversarial attacks encompassing jailbreaks, instruction hierarchy bypass, indirect prompt injection through agentic pipelines and RAG architectures, and model inference attacks against LLM-integrated production applications built on platforms such as Vertex AI.
  • Assessed multi-modal AI systems, applying image-based prompt injection and steganographic payload embedding to probe vision-language model attack surfaces. Identified and validated CVE exploitation within AI-integrated document processing pipelines, establishing end-to-end attack chains from crafted document ingestion through renderer exploitation to arbitrary JavaScript execution.
  • Developed a structured adversarial AI testing methodology mapped to HiddenLayer’s APE taxonomy, classifying attack chains by objective, tactic, and technique across task redirection and safety control bypass objectives. Applied direct prompt injection, system prompt extraction, refusal suppression, jailbreak chaining, and steganographic payload embedding against deployed AI systems.
  • Conducted web application security assessments targeting REST and GraphQL APIs, SPA frameworks, and legacy application servers. Exploited injection flaws, broken object-level and function-level access controls, SSRF, and session management weaknesses. Achieved first-place recognition in a competitive timed assessment identifying critical XSS, SQLi, IDOR, and authentication bypass vulnerabilities.
  • Conducted cloud penetration tests across AWS, Azure, and GCP, exploiting misconfigured IAM roles, over-privileged service accounts, publicly exposed storage, and insecure cross-account trust relationships. Escalated from initial access to full tenant or account compromise across multiple client engagements.
  • Executed internal network and Active Directory penetration tests across hundreds of enterprise Windows environments, delivering full kill-chain compromises including protocol poisoning, service enumeration and exploitation, and abuse of insecure object permissions.
// grep -r "certified" ~/achievements

Stacked credentials. 認証 (certification)

Practical AI Pentest Associate
PAPA · TCM Security
Certified AI Security Expert
MSec-CAIS · Modern Security
HTB Certified Offensive AI Expert
COAE · HackTheBox
AI/ML Pentester
C-AI/MLPen · SecOps Group
Experienced Penetration Tester
OSEP · Offensive Security
Certified Penetration Tester
OSCP · Offensive Security
Certified Red Team Operator
CRTO · Zero-Point Security
Red Team Operator: Windows Evasion
Sektor7 · Red Team Operator
Red Team Operator: Malware Dev Essentials
Sektor7 · Red Team Operator
Azure Red Team Professional
CARTP · Altered Security
AWS Red Team Expert
ARTE · HackTricks
Offensive AWS Security Professional
OAWSP · Pwned Labs
GCP Red Team Expert
GRTE · HackTricks
Certified Professional Penetration Tester
eCPPT · INE Security
Junior Penetration Tester
eJPT · INE Security
// ls -la ~/reports

Sample reports. 報告 (report)

The following sanitized report demonstrates the depth and quality of findings produced during penetration testing engagements. Provided for recruiter and hiring manager review.

// AI Penetration Test
AI Application Penetration Test Report
Prometheon HTB AI Lab  ·  HackTheBox AI Security Assessment