Orhan Yildirim

Ashburn, VA

Summary

  • With over 9 years of specialized focus on offensive security, I have acquired extensive expertise across diverse domains, including web application security, API security, mobile application security, cloud security (AWS, Azure), Active Directory security, Linux security, and IoT security research.
  • Throughout my career, I have successfully completed over 600 manual penetration testing projects across leading bug bounty and security testing platforms including HackerOne, Bugcrowd, Cobalt, and Synack, accumulating invaluable hands-on experience in real-world security assessment scenarios.
  • As an Offensive Security enthusiast, I consistently pursue professional development by obtaining new certifications annually and maintaining active involvement in cutting-edge security projects. My commitment to excellence drives me to acquire every available Offensive Security certification and training program.
  • Actively conduct research and development in Agentic AI applications for cybersecurity, with particular focus on MCP research projects, LangChain integrations, and the development of sophisticated agent tools for automated security testing and analysis.

Overview

9 years of professional experience

Work History

VP, Cybersecurity Architect

MUFG Americas
Ashburn, Virginia
12.2025 - Current
  • Led global penetration testing program, reporting directly to head of global security.
  • Drove globalization of penetration testing operations for consistent security assessment across regions.
  • Aligned penetration testing engagements with GRC frameworks for compliance-driven risk assessments.
  • Designed and delivered training programs to upskill penetration testing team on new attack techniques.
  • Continuously improved penetration testing processes, tools, and reporting standards to enhance operational maturity.

Principal Associate Cyber Technical

Capital One
McLean, VA
09.2023 - 12.2025

Conducted penetration testing for web, mobile, and REST APIs within DAST team.

  • Executed manual pentests focused on compliance-driven assessments and business logic abuse.
  • Integrated AI-driven automation into application security workflows to enhance efficiency.
  • Ensured adherence to web and mobile security standards (OWASP WSTG, MASVS/MSTG).
  • Performed API security assessments using Swagger/OpenAPI and Postman, including auth abuse and fuzzing.
  • Managed compliance testing for ASV, FedRAMP, and SOX requirements.
  • Developed security documentation and methodologies for consistent implementation.

Offensive Security Engineer

Expedia Group
Seattle, WA
07.2022 - 09.2023

Conducted offensive security testing across APIs, mobile applications, and internal infrastructure.

Collaborated with cloud, product, and vulnerability management teams for exploit-focused assessments.

  • Developed repeatable testing methodologies for Kubernetes and container security reviews.
  • Managed bug bounty triage pipeline while coordinating vulnerability lifecycle with researchers.
  • Performed API security assessments for REST, GraphQL, and gRPC.
  • Executed network penetration testing for internal and external environments.
  • Led cloud security initiatives on AWS to enhance overall protection.
  • Oversaw mobile application security assessments for iOS and Android platforms.

Network Security Team Leader

BGA Security
Istanbul
09.2021 - 06.2022

Led team of consultants in penetration tests across network infrastructure, web applications, APIs, and cloud environments.

Oversaw security operations and client engagements to ensure timely, high-quality technical delivery.

  • Performed hands-on testing and strategic assessments, including phishing simulations and email security evaluations.
  • Executed internal and external network penetration tests to identify vulnerabilities.
  • Conducted cloud security assessments for AWS and Azure environments to strengthen defenses.
  • Implemented web and API security testing strategies to mitigate risks associated with RESTful APIs.
  • Contributed to methodology development and mentored junior team members to enhance expertise.
  • Facilitated client engagement and reporting to communicate findings effectively.

Sr. Cyber Security Specialist

Etiya
Istanbul
02.2021 - 09.2021

Contributed to product security for international eSIM project, covering entire SDLC.

Conducted design reviews, threat modeling, and penetration testing for web and API services.

  • Integrated security checks into CI/CD pipelines to enhance development processes.
  • Advised development teams on secure coding practices during agile sprint cycles.
  • Strengthened cloud security posture to support secure product delivery.
  • Led product security initiatives for eSIM-based mobile network product.
  • Executed RESTful API and web application penetration testing to identify vulnerabilities.
  • Developed security documentation and provided advisory support for developers.

Penetration Test Specialist

BGA Security
Istanbul
01.2018 - 02.2021
  • Conducted penetration tests in LAN/WAN, web apps, social engineering, DDoS, and email gateway security.
  • Managed and planned comprehensive penetration testing strategies to ensure thorough assessments.
  • Identified and communicated vulnerabilities to customers, advising on prevention measures.
  • Performed social engineering attacks to evaluate security awareness across organizations.

Penetration Tester

Freelance
Istanbul
03.2017 - 01.2018
  • Web Application Penetration Testing
  • Local Network penetration tests

Education

Bachelor of Arts - Psychology

Maltepe University
Istanbul
09.2008

Skills

  • Agentic AI Security
  • Web & Mobile AppSec Testing
  • API Security Automation
  • DAST - SAST
  • Docker, Kubernetes, Microservices Security
  • Cloud Security
  • Source Code Review
  • Active Directory & Red Team
  • Attack Surface Management
  • OWASP Top 10 for LLM Applications
  • OWASP Web & API Top 10

Certifications

  • Offensive Security Web Expert | OSWE (In-Progress)
  • Certified Red Team Operator | CRTO
  • Offensive Security Certified Expert | OSCE
  • Offensive Security Certified Professional | OSCP
  • Offensive Security Wireless Professional | OSWP
  • Attack And Defense Active Directory | CRTP
  • Certified Azure Red Team Professional | CARTP
  • Attacking Active Directory with Linux
  • AWS Certified Cloud Practitioner | AWS Cloud Practitioner
  • Microsoft 365 Certified: Security Administrator Associate
  • x86 Assembly Language and Shellcoding on Linux | SLAE

Accomplishments

  • Automated API Security Testing using Newman (Postman’s CLI) with integration of 130+ vulnerability checks, OAuth-based authentication handling, and comprehensive report generation.
  • Cross-Site Scripting (XSS) Detection Tool (MCP) leveraging Playwright (Microsoft's browser automation framework, driving a headless browser) for dynamic crawling of web applications, enabling runtime XSS detection across all exposed features.

Affiliations

Book

  • Offensive Security with Agentic AI Workflows. Author. Packt Publishing, March 2026.

Articles

  • Active Directory Penetration Tests: Information Gathering. BGA Security, May 19, 2020.
  • Phishing Domain Detection from SSL Certificates. BGA Security, Apr 6, 2020.
  • What is Mail Sniper? BGA Security, Jan 8, 2020.
