Hi, I'm Nino Najafli.
A
OSCP and OSWE certified cybersecurity professional with experience across application security, penetration testing, security engineering, and SOC operations.
About
I am an OSCP & OSWE certified cybersecurity professional with hands-on experience across offensive security, defense operations, and security engineering. I enjoy working on real-world risks in web, mobile, network, and cloud environments and collaborating with teams to improve security posture.
- Offensive: Web/Mobile/Network Penetration Testing, Secure Code Review, Threat Modeling
- Defensive: SIEM/SOAR workflows, detection engineering, incident response automation
- Engineering: DevSecOps automation, SAST/SCA/DAST tuning, secure release pipelines
I recently completed my M.S. in Information Security at Carnegie Mellon University (May 2026). With OSCP & OSWE certifications and 2+ years of professional experience in application security and penetration testing, I am open to full-time cybersecurity opportunities and eligible to work in the U.S. on STEM OPT.
Experience
PASHA Bank OJSC
- Conducted penetration testing on over 15 web applications and 4 mobile applications of the bank.
- Configured SAST tool in the CI/CD pipeline automating static security scans for ~50k lines of code.
- Evaluated results from SCA, SAST, and DAST tool scans of over 700 repositories to identify and address vulnerabilities.
- Tuned and optimized SAST tool rules to reduce false positive rate to less than 5%, improving development team accuracy.
- Facilitated threat modeling sessions for 10+ applications using the STRIDE methodology to identify design-level risks.
PROSOL CJSC
- Performed administration, testing, and integration tasks related to SIEM platforms for five customers.
- Created correlation and detection rules to reduce false positives by 30%.
- Automated incident response procedures through SOAR to improve response time by 20%.
- Developed automated tool to analyze IOCs across multiple Threat Intelligence Platforms and send reports to analysts.
Data Processing Center of Ministry of Digital Development
- Built a web-based honeypot to improve network security, capturing 100+ attacks against infrastructure.
- Deployed and configured SIEM to collect and correlate logs from 100+ endpoints.
Research
Research Contributor - PVC: Private Verifiable Credentials with Minimal Adoption Barriers
Carnegie Mellon University — Collaboration with Prof. Scheffler
- Built a Circom-based zero knowledge circuit for private proof of age, signature verification, and challenge freshness.
- Gained practical experience in applied cryptography, zk-SNARK design, and privacy-preserving authentication.
Undergraduate Thesis Research - Active Directory Security and Hardening
Baku Higher Oil School
- Conducted a full security assessment of an enterprise-grade Active Directory environment.
- Built a controlled AD lab on Hyper-V using AutomatedLab with realistic misconfigurations.
- Produced a structured hardening framework spanning backups, PAWs, auditing, and protocol hardening.
Independent Research - Building an Effective SOC with Open-Source Tools
Baku Higher Oil School
- Designed and implemented a full SOC using open-source technologies.
- Performed simulated attacks to improve analyst workflow, detection coverage, and tuning.
Projects
- Built controlled PoCs to reproduce vulnerabilities, analyze impact, and test mitigations.
- Assessed major anti-tracking tools using CoverYourTracks and high-entropy fingerprints.
- Ran structured experiments in a controlled Ubuntu VM to compare privacy tools.
- Built a CORE-based DNS testbed with resolver, root server, attackers, and DoT support.
- Developed attack scripts to test confidentiality, integrity, and availability of DNS and DoT.
- Assessed Equifax using STRIDE, FAIR, ISO/IEC 27001, NIST CSF, and OCTAVE.
- Compared frameworks and recommended the most applicable model.
- Built a classifier using transfer learning (VGG16/AlexNet) with custom data splits.
- Implemented a modular PyTorch pipeline with tunable hyperparameters and checkpointing.
- Designed and developed an interactive CTF platform for beginners in Azerbaijani.
- Built challenges covering networking, web security, and cryptography concepts.
Certifications
Skills
Cybersecurity
- Web/Mobile/Network Penetration Testing, Security Engineering
- Secure Code Review, Threat Modeling
Penetration Testing
- Burp Suite Professional, Qualys, Invicti, Tenable, Frida, MobSF
- PowerShell, Active Directory, Metasploit
- Reverse Engineering (binary analysis, x86/x64 disassembly, Windows internals)
Security Operations (SOC)
- Cortex XDR, TheHive, Shuffle, Splunk, Security Onion
- Wazuh, ELK Stack, DLP, SIEM
Cloud & Virtualization
- GCP, AWS, Microsoft Azure, Docker, Kubernetes, Terraform, VMware ESXi
CI/CD & DevSecOps
- Snyk, Semgrep, Coverity, Prisma Cloud, DefectDojo
- OWASP ZAP, GitHub Actions, IriusRisk
Programming & Scripting
- Python, Go, JavaScript, SQL, Bash, C, PowerShell
Activities
Carnegie Mellon University - INI
Pittsburgh, PA, United States
Teaching Assistant, Introduction to Information Security & Browser Security
- Supported Prof. Hanan Hibshi with classroom instruction, exams, assignments, and mentoring students.
DEF CON 33 / Adversary Village
Las Vegas, NV, United States
Volunteer
- Assisted with workshops, coordinated attendees, and supported hands-on security sessions.
Awards
Distinguished Participation at the Digital Transformation - 2023 Conference
Baku, Azerbaijan — Baku Higher Oil School
Presidential Scholarship Recipient
Government of Azerbaijan
- Awarded full scholarship for scoring 680.3/700 on the national university entrance exam.
Education
Pittsburgh, PA, United States
Degree: Master of Science in Information Security
GPA: 3.91/4.0
- Relevant Courseworks: Applied Information Assurance, Introduction to Computer Systems, Hacking and Offensive Security, Security in Networked Systems, Browser Security, Software Reverse Engineering, Machine Learning with Adversaries in Mind, Distributed Systems, Cloud Infrastructure and Services, Advanced Real-World Data Networks, DevSecOps, Cyber Risk Modeling
Baku, Azerbaijan
Degree: Bachelor's Degree in Information Security
GPA: 96.06/100
- Relevant Courseworks: Web Programming and Security, Mobile Programming and Security, Ethical Hacking and Defense, Quality Assurance Management, Network Security, Information Security Strategy and Policy, Artificial Intelligence and Machine Learning Fundamentals, Attacks on Cryptosystems, Database Administration and Security, Forensic Science
- Taught Red Team classes for younger students in the university's Cyber Club.