About me

Hi everyone, I’m Mateo! 👋👋

I am an Independent Security Researcher specializing in high-impact vulnerability research across modern digital environments. My work focuses on securing systems by identifying and reporting critical vulnerabilities through deep manual analysis and industry-standard security assessments.

💻 In 2026, I’m currently spending my time working as a freelance Bug Bounty Hunter on Bugcrowd, HackerOne and Intigriti platforms.

❖ Bugcrowd Profile: https://bugcrowd.com/h/hackermater

❖ HackerOne Profile: https://hackerone.com/hackermater

❖ Intigriti Profile: https://app.intigriti.com/profile/xvim_hacker

🏆 List of Courses and Certifications

Mobile Application Penetration Tester (eMAPT)

INE Security industry-recognized certification designed for cybersecurity professionals to specialize in mobile application security and advance their skills. The eMAPT is a hands-on, professional certification that proves the ability to assess, exploit, and report vulnerabilities in real-world mobile applications across both Android and iOS platforms.

Domains and Objectives:

Reconnaissance and Static Analysis
Dynamic Testing and Runtime Manipulation
API and Backend Security Testing
Mobile Application Security Foundations
Threat Modeling and Attacker Mindset
Reverse Engineering & Code Deobfuscation
Mobile Malware Analysis
Reporting and Communication

❖ Credential URL

SOC Fundamentals

LetsDefend course where I learned the fundamentals of a SOC (Security Operations Center), the use of a SIEM dashboard, the methodology of threat hunting, email phishing analysis with PhishTool, malware analysis with VirusTotal, and much more. This course provided me with an excellent introduction to the SOC environment and prepared me to participate in Blue Team engagements.

❖ Credential URL

API Penetration Testing

APIsec University course which covered the most complete and advanced content and techniques to perform Pentesting in APIs, which includes: Reverse Engineering in API to then create a custom Swagger file, as well as API reconnaissance and the advanced use of Postman. In this course I also learned relevant attacks techniques such as BOLA (Broken Object Level Authorization) and BFLA (Broken Function Level Authorization), as well as JWT tokens attacks, Injections and SSRF in APIs, and the OWASP API Security Top 10.

❖ Credential URL

CompTIA PenTest+ (PT0-002) Cert Prep: 4 Reporting and Communication

LinkedIn Learning course which prepared me for the CompTIA PenTest+, specifically focusing on reporting and communication. This course covered the essential skills required for carrying out reporting and communication during the Pen-testing process. It included the most important aspects such as: keeping all data encrypted and safe, effectively communicating with the appropriate authority when action is needed for a critical situation, and also emphasizing the importance of writing a report depending on the audience (whether executive, technical, managers, etc…). Additionally this course covered how to write professionally and in detail, taking care of the client’s sensitive information, to finally present and explain the findings during the Pen-test and suggesting mitigations and the best practices.

❖ Credential URL

Mobile Application Penetration Testing

TCM Security course on Mobile Pentesting. In this course I learned how to perform penetration testing on mobile applications by performing both static and dynamic analysis. With tools such as jadx-gui, Apktool, Objection, Frida, Burp Suite and Android Studio, this course covered in a complete way the phases of mobile pentesting.

LinkedIn Learning course which covered in a complete and exhaustive way the essential aspects, both theoretical and with real examples, the art of how the Social Engineers carry out their work in Cybersecurity and Red Teaming, with the objective of persuading a subject and obtaining confidential information, or that this one carries out an action desired by the Social Engineer.

❖ Credential URL

Hacking WEP/WPA/WPA2 Wi-Fi Networks Using Kali Linux 2.0

EC-Council course where I learned how to perform attacks on wireless networks: WEP, WPA and WPA2. Through the use of the Aircrack-ng suite, Airgeddon, Wifite, Reaver, Crunch, Hashcat, John The Ripper and other tools I managed to understand the methodology of brute force attacks (Rainbow Tables) or through Social Engineering (Evil-Twin Attack). In addition to Pin WPS attacks with tools such as Reaver.

❖ Credential URL

Advanced Open Source Intelligence and Privacy

EC-Council course in which I learned OSINT techniques, the use of tools such as Recon-ng, Sherlock, Spiderfoot, theHarvester, Sublist3r and dnstwist. I was also trained to conduct target investigations both through Google using Google Dorks, and on the Dark Web through the Tor network. In addition to that I learned how to use advanced search engines to gather information from a domain name or a simple IP address, as could be the example of “Censys.io” or the services of “Shodan.io”.

❖ Credential URL

Practical Ethical Hacking - The Complete Course

Course taught by the current CEO of TCM Security, Heath Adams, which covered a complete introduction from the basics of Ethical Hacking, as well as Information Gathering using OSINT (Open Source Intelligence), to Active Directory Pentesting, Web Pentesting and also Wireless Network Pentesting. In the course I also learned how to perform a Buffer Overflow and how to take notes during, before and after an audit and then generate a professional report for the client.

Practical API Hacking

Course of TCM Security, taught by Professor Alex Olsen, in which I deepened my knowledge in Web Pentesting by hacking APIs. Through the manipulation of the APIs used by Web Applications, I learned techniques such as Fuzzing and techniques of changes in the various methods of Requests (such as GET, POST, HEAD, OPTIONS, PUT, PATCH, DELETE, etc …) by which as Pentester, in a web audit, it is possible to breach and access privileged functions (Broken Function Level Authorization) or sensitive information (Sensitive Data Exposure). I also learned how to perform token attacks, such as JWTs attacks (JSON Web Tokens).

Practical Web Application Security and Testing

Course of TCM Security, taught by Professor Michael Taggart, lasted 9 hours in total. In the course I learned in depth how to audit web applications, including the use of OWASP ZAP and report writing. I also learned how web applications work on both the client and server side and how they communicate through the HTTP protocol.

Ethical Hacking Essentials (EHE)

Course of EC-Council “Ethical Hacking Essentials”. In this course I covered the main and essential topics of Ethical Hacking and how hackers (ethical and unethical) manage to penetrate systems, using different techniques and methods such as social engineering or attacks on wireless networks; also attacks on cloud services and the creation and use of malware such as botnets, spyware, trojans, rootkits, or worms. I also learned which are the countermeasures to mitigate these attacks in order to protect the company and the services it provides.

❖ Credential URL