Marco Martel

APPSEC ENGINEER · SOFTWARE DEVELOPER

Full Stack Developer with an offensive security mindset, based in Argentina. 2+ years applying Application Security in real environments — identifying and exploiting web vulnerabilities (XSS, SQLi, SSRF, IDOR, among others) and performing OWASP risk analysis. I understand how code is built, which makes me better at auditing it.

2+
YEARS APPSEC
#1
HACKLAB 2024 NACIONAL
6
SECURITY PROJECTS
HTB
ACTIVE SINCE 2021

Capabilities

Web Pentesting

Vulnerability identification, exploit development and web application security testing.

AppSec

Risk analysis, security code reviews, vulnerability management and remediation.

Full Stack Dev

Web application development, code refactoring and quality assurance.

DevOps

Server provisioning, infrastructure automation and environment configuration.

Certifications

  • HackLab 2024 Nacional — 1st place · UTN
  • HackLab 2023 Regional — Winner · UTN
  • Introducción al Hacking · Hack4u (2024)
  • Ethical Hacking · EducacionIT
  • Google Hacking & Social Engineering · EducacionIT

Projects

Sentinel [ private ]

AI-assisted white-box pentesting skill. 6-phase automated pipeline covering 13 CWEs.

#appsec#claude-code#pentesting
Gotterblick [ github ]

Vulnerability management platform for small orgs. CVE tracking + OWASP risk scoring.

#django#python#vuln-mgmt
Educativa Red Prompt [ private ]

Fuzzing tool for AI chatbot security testing — prompt injection & adaptive fuzzing.

#ai-security#fuzzing#python
Ultra Pentest [ github ]

Simplified ZAP CLI wrapper for fast web vulnerability scanning via config files.

#zap#python#automation
Cleopatra Moodle Attack [ github ]

Brute-force and dictionary attack tool for Moodle login pages with multi-core processing and Tor support.

#python#bruteforce#moodle
Erica Password Cracking [ github ]

Tool for cracking multiple algorithm families with their respective versions.

#python#cracking#security

Writeups

RootMe: Nginx - Alias Misconfiguration 09 Apr 2026 · Root-Me

Web challenge abusing an nginx alias misconfiguration (missing trailing slash in location) to traverse outside the intended directory and read flag.txt.

#rootme#nginx#web#path-traversal
HackTheBox: Sau 24 Jul 2023 · HackTheBox

Linux machine exploiting SSRF in request-baskets to reach a Maltrail instance vulnerable to unauthenticated RCE, followed by sudo privilege escalation.

#htb#ssrf#linux#privesc

Find Me On

GitHub LinkedIn HackTheBox RootMe