
2nd Runner-up
Thailand Banking AI Red Team Challenge 2026
Thailand Banking Sector CERT (TB-CERT)

Offensive Security Engineer · AI Security Researcher · Security Builder
Red Teaming • AI Security • Identity & AppSec
I am an Offensive Security Engineer, AI Security Researcher, and Security Builder with 2+ years of hands-on experience across enterprise penetration testing, red team operations, applied security research, and AI-assisted security automation.
My professional work includes end-to-end security assessments across web applications, APIs, mobile applications, and infrastructure, alongside red team operations focused on real-world attack scenarios, identity abuse, and security posture improvement. I also build security automation and AI-assisted offensive tooling for vulnerability analysis, alert triage, and black-box penetration testing.
As an independent researcher-builder, I investigate security issues, develop proof-of-concept tools, create reproducible labs, and publish technical research. My work includes identity and access security research involving Microsoft 365 Conditional Access, as well as Oblivion Token, an offensive research tool presented at Black Hat Asia 2026 Arsenal and DEF CON Singapore 2026 Demo Labs.
Selected outputs include 28 CVEs and 3 IEEE publications across Android OAuth 2.0 security testing and applied AI/ML systems. I am open to global opportunities in Offensive Security Research, Vulnerability Research, AI Security, Red Team Engineering, Application Security, and graduate research pathways.


Key Responsibilities & Achievements


Key Responsibilities & Achievements


Key Responsibilities & Achievements
Waris Damkham and Nuttakorn Tungpoonsup present a systematic methodology for mapping Microsoft 365 Conditional Access enforcement across users, resources, client applications, authentication flows, and Microsoft first-party app behavior.
Presented for DEF CON Singapore 2026 Demo Labs. Oblivion Token is an offensive research utility for practical, repeatable testing of Microsoft 365 Conditional Access (CA) edge cases. It systematizes token-centric workflows to help identify where device, network, or app-context assumptions can fail in real-world environments.
Presented at Black Hat Asia 2026 Arsenal. Oblivion Token is an offensive research utility for practical, repeatable testing of Microsoft 365 Conditional Access (CA) edge cases. It systematizes token-centric workflows to help identify where device, network, or app-context assumptions can fail in real-world environments.
TENCON 2024
2024IEEE Region 10 Conference 2024
QRS 2023
202323rd IEEE International Conference on Software Quality, Reliability, and Security
InCIT 2022
20226th International Conference on Information Technology

2nd Runner-up
Thailand Banking Sector CERT (TB-CERT)

Rising Award
KASIKORN Business-Technology Group (KBTG)
The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.
The Easy Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gallery SHORTCODE post meta field in all versions up to, and including, 1.5.3. This is due to insufficient input sanitization and output escaping on user-supplied gallery SHORTCODE values. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the `hrp-fetch-employees` AJAX action in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive employee information including names, email addresses, phone numbers, salary/pay rates, employment dates, and employment status.



Hack The Box
View CredentialRed Team Leaders
View Credential8kSec
View CredentialHands-on assessment, adversary simulation, exploitation, and vulnerability validation.
Penetration Testing · Red Teaming · Web Exploitation · Network Exploitation · Privilege Escalation · Burp Suite · Kali Linux
Security review and testing across web, API, mobile, OAuth, and Android attack surfaces.
Application Security · API Security · Mobile Security · Android Security · OAuth 2.0 · OIDC · OWASP Top 10
Identity-centered cloud security research, policy testing, and Microsoft 365 attack paths.
Microsoft Entra ID · Microsoft 365 · Conditional Access · Microsoft Graph API · Azure · AWS · Cloud Security
AI security readiness, LLM threat modeling, and applied machine-learning research experience.
AI Security · LLM Security · AI Red Teaming · Prompt Injection · MCP Security · OWASP LLM Top 10 · TensorFlow
Automation and engineering used to scale testing, reporting, triage, and repeatable workflows.
Python · JavaScript · Bash · Power Automate · Power Apps · GitHub Actions · Selenium
Turning technical findings into clear executive, engineering, academic, and public-facing output.
Executive Reporting · Technical Reporting · Vulnerability Triage · CVE Research · Risk Communication · Security Briefing · Public Speaking

Senior project / thesis focused on classifying chicken diseases from fecal images through a LINE Official Account.
Joined the exhibition showcasing B.Sc. ICT International Program student internships. Proudly shared my experience from Ritsumeikan University among esteemed peers. An enriching platform for insights and networking.

University application portfolio and supporting academic showcase.
waris_m@portfolio:~$ ls -lh latest-resume.pdf
Waris_Resume_2026.pdf
Preview the document here or download the original PDF.
waris_m@portfolio:~$ whoami
Waris Damkham
Offensive Security Engineer · AI Security Researcher
# CONTACT
# PROFILES
waris_m@portfolio:~$