emmanuel@security:~$
Open to Security Engineer / Pentest / AppSec / SOC analyst related roles

Emmanuel Tega
Agbragu

Penetration Tester · Cybersecurity Engineer · Security Researcher

I work both sides of security. I break web apps, APIs, and AI-backed services as a penetration tester, and I build the defensive infrastructure (SIEM, Wazuh, IDS/IPS, EDR, DLP) that keeps regulated environments defensible. Either way, I turn findings into clear, actionable risk-based remediation that engineers and executives can both act on.

Resume (PDF) GitHub LinkedIn Email
Emmanuel Tega Agbragu
4+ yrs
Offensive & defensive security
Red + Blue
Pentest · SOC · infra
CEH Master
+ eJPT, AWS CCP
OSCP
In progress
MSc
CMU–Africa, Cybersecurity
whoami

Security with a paper trail

I’m a cybersecurity engineer with 4+ years across offensive and defensive security. On the offensive side I focus on web and API penetration testing, AI/LLM-backed services as well as Infrastructure security. On the defensive side I’ve deployed and tuned the infrastructure that protects regulated environments: IDS/IPS, EDR, firewalls, privileged access management, and data loss prevention, alongside SOC and detection tools.

My most recent role was security researcher at the Upanzi Network (CMU–Africa), where I conducted penetration test on digital public infrastructure: APIs, chatbots, e-commerce platforms, and data portals. I worked the full loop, from recon and enumeration through exploitation, proof of concept, and remediation, and I wrote findings so that an engineer can fix them and an executive can understand the risk. Before that, I built security infrastructure for banking clients in Lagos.

I run against OWASP Top 10, the OWASP API and LLM Top 10s, and NIST risk methodology, and I lean heavily on Python and Bash to automate at scale.

Offense
Web & API security
LLM/AI security
Access control & authz
Defense
IDS/IPS, EDR, firewalls
PAM & DLP
SOC & detection tooling
Scripting
Python, Bash, C/C++, SQL
Based in
Kigali, Rwanda · open to relocation
./projects i’ve worked on

Selected Projects

A sample of web and API penetration tests I worked on with the Upanzi Network security team at CMU–Africa. Targets, hostnames, and exploit specifics are intentionally withheld; these summaries describe vulnerability classes, impact, and remediation only.

Critical High Medium Low Informational

Securing the Digital State

2025
Upanzi Network continental study · published report · named contributor

Named contributor to the Upanzi Network’s published Africa report on the security of public e-government infrastructure, a large-scale automated assessment of 21,782 discoverable subdomains across all 54 African states for misconfigurations, outdated components, cryptographic weaknesses, and data exposure. I led the HTTP-methods enumeration work, flagging dangerous exposed methods, and built the custom Python automation that powered mass asset discovery and scanning.

Published on ResearchGate 54 Countries / 21,782 Subdomains Led HTTP-Methods Enumeration Python Automation
Role  Contributor, Upanzi Network security team · CMU–Africa

Open Data Portal

Sep 2025
Next.js / nginx data platform · API + LLM feature

Enumerated APIs and client-side JavaScript, mapped hidden endpoints, and tested an AI description-generation feature. Found an Indirect Prompt Injection (LLM01) flaw where instructions embedded in uploaded PDFs hijacked the model, plus unauthenticated PII exposure and a missing-input-validation DoS in the datasets API.

LLM01 Prompt Injection PII Exposure DoS / Input Validation User Enumeration
Tooling  Nmap · custom API scripts · manual API testing

MojaShop

Feb 2026
E-commerce web app + backend API

Authentication, authorization, and business-logic testing of a shopping platform. Found a Mass Assignment flaw in registration that let any user self-provision an admin account, then chained it to Broken Object Level Authorization (BOLA/IDOR) giving full create/update/delete control over products and exposure of customer and transaction PII.

Mass Assignment → Priv-Esc BOLA / IDOR · CVSS 9.1 PII / Transaction Exposure
Tooling  Burp Suite · manual authz testing · JWT analysis

Policy Analyser

Aug 2025
Next.js front end + FastAPI/Uvicorn backend

Discovered an unauthenticated backend API exposed on a non-standard port with public API docs. Demonstrated full database retrieval and successful delete operations against policy data, plus missing security headers enabling clickjacking and XSS. Findings were remediated: authentication and authorization were added to the API endpoints.

Unauthenticated API Full DB Read + Delete Missing Security Headers Remediated
Tooling  Nmap · directory/endpoint fuzzing · manual API testing

NiD Chatbot Backend

Aug 2025
FastAPI / Flask / LangChain / OpenAI service

Tested an LLM chatbot backend and its Telegram bot codebase, combining live API testing with static code review. Found unauthenticated endpoints allowing cache abuse (DoS), weak cryptographic primitives (MD5/SHA1), an outdated Flask dependency with a known CVE, and schema disclosure via public API docs. Prompt-injection attempts were correctly rejected.

Unauthenticated API Weak Crypto (MD5/SHA1) Outdated Dependency Static Code Review
Tooling  Nmap · static analysis · dependency review

// Note on disclosure. All engagements above were authorized assessments. Live targets, internal IP addresses, credentials, and step-by-step exploitation details are deliberately omitted from this public page. Full sanitized reports and proof-of-concept material are available to prospective employers on request.

./experience

Experience

Four-plus years spanning offensive research, teaching, and the defensive security infrastructure that protects regulated banking environments.

Security ResearcherUpanzi Network, CMU–Africa
Jan 2025 – Apr 2026 · Offensive
Penetration tested web applications and APIs across e-government and research platforms, finding and exploiting critical access-control, business-logic, and injection flaws with proof-of-concept verification. Authored formal VAPT reports mapped to OWASP and NIST, and tracked remediation through to verified closure with development teams. Burp Suite · Nmap · Python automation · OWASP / NIST
Graduate Teaching AssistantCMU–Africa
Sep 2024 – Jan 2025 · Offensive + Defensive
Delivered lab sessions in Ethical Hacking and Cybersecurity Operations, coaching students through both offensive and defensive exercises. Ethical Hacking · SecOps · Hands-on labs
Cybersecurity EngineerLumenave International, Lagos
Apr 2021 – Jun 2023 · Defensive
Designed and deployed defensive security infrastructure (IDS/IPS, EDR, firewalls) for regulated banking clients, cutting malware infections by 40%. Built a full CyberArk PAM stack with role-based access and least-privilege controls for a commercial bank, and configured Symantec DLP to prevent exfiltration of sensitive financial data. Led a team of 5 engineers delivering on time and on budget. CyberArk PAM · Symantec DLP · IDS/IPS · EDR · Firewalls
./skills

What I work with

Offensive security & VAPT

Web app testingAPI securityBusiness-logic flawsAccess controlBurp SuiteOWASP ZAPSQLMap

LLM / AI security

Prompt injectionOWASP LLM Top 10Insecure output handlingModel + API surface

Vuln management & recon

NmapNessusOpenVASAsset discoveryCVE triageMetasploit

Defensive & blue team

IDS/IPSEDRFirewallsCyberArk PAMSymantec DLPWazuhElastic SecurityMISPSecurity OnionAlert triage

Scripting & automation

PythonBashC/C++JavaSQLPHPCustom scanners

Frameworks & standards

OWASP Top 10OWASP API / LLMMITRE ATT&CKNIST 800-30 / 115ISO 27001PCI-DSS
./certifications

Certifications & achievements

CEHCEH MasterEC-Council CEHCEH PracticalEC-Council eJPTeJPTINE Security AWSCloud PractitionerAmazon Web Services
OSCPOSCPOffSec · in progress

// Achievements. Top 10 finalist, Greenfist CTF 2023 · Mastercard Foundation Scholar 2023.

./education

Education & coursework

MScMSc Information TechnologyCarnegie Mellon University – Africa · Cybersecurity track · GPA 3.80
BScPure & Applied PhysicsUniversity of Benin · First Class Honours, top 1%
Plaid Shell (C)CMU coursework
Systems programming
A Unix-style command shell written from scratch in C: command parsing and tokenization, a linked-list command model, pipelines, and process and job control, with a Python test harness. The kind of low-level work that underpins binary analysis and exploit development. C · Python (tests) · Make · Linux · private repo, available on request
./contact

Let’s talk security

Open to Security Engineer, Penetration Testing, Red Team, AppSec, and SOC analyst related roles, including relocation. Reach out and I’ll share full sanitized reports and references.

emmanuelagbragu@gmail.com LinkedIn GitHub