Douglas Lopes

Pentest Lead

8000 followers
Location: Lisbon, Lisbon, Portugal


  • About me

    Offensive Security Leader (Red Team) | Intrusion Pentest Cybersecurity

  • Education

    • Universidade Paulista

      2015 - 2017
  • Experience

    • Intrusion Cyber

      Jan 2010 - now
      Pentest Lead

      Penetration Testing, Risk Assessment, Phishing Testing, Attack Simulations, Vulnerability Analysis, Security Policy Assessment, Social Engineering, Access Control Testing, Incident Response Testing, Network Infrastructure Testing, Web Application Testing, Wireless Network Testing, IoT (Internet of Things) Testing, Reporting and Recommendations, Training and Awareness, Mitigation Support, Policy and Procedure Review, Ongoing Feedback.

    • GP Brasil de F1

      Jan 2015 - Mar 2022
      Pentester

      External black-box pentest

    • Câmara de Comércio Árabe-Brasileira

      Feb 2015 - Mar 2022
      Pentester
    • CBV - Hospital de Olhos

      Mar 2015 - May 2015
      Pentester

      Identify vulnerabilities in the corporate network

    • BRCondomínio

      Sept 2015 - Dec 2020
      Pentester

      Identify vulnerabilities in the web application, e-mail and internal network.

    • Olímpiadas Rio 2016

      Jan 2016 - Jul 2016
      Pentester

      Black-box pentest of the official pages

    • Diario do Poder

      Oct 2016 - Dec 2020
      Pentester

      Identify vulnerabilities in the web application, e-mail and internal network.

    • Honda Brasil

      Nov 2016 - Jul 2017
      Pentester

      Internal and external black-box pentest

    • Teste de Invasão

      May 2017 - Jan 2023
      Pentester
    • FENACOR

      May 2017 - Mar 2022
      Pentester
    • AM4

      Jun 2017 - Mar 2022
      Pentester

    • Secretaria da Fazenda de Minas Gerais

      Dec 2017 - Mar 2018
      Pentester

      Black-box pentest - internal and external

    • COOPERFORTE

      Jul 2018 - Nov 2018
      Pentester

      Internal and external black-box pentest

    • Paraná Banco S/A

      Aug 2018 - Aug 2018
      Pentester

      Identify vulnerabilities in the web application

    • Grupo JMalucelli

      Aug 2018 - Aug 2018
      Pentester

      Identify vulnerabilities in the web application

    • XP Investimentos

      Nov 2018 - Dec 2018
      Pentester

      Identify vulnerabilities in the web application

    • CONSELHO FEDERAL DE ENFERMAGEM

      Jan 2019 - Jan 2021
      Pentester

      Internal and external black-box pentest

    • CBF - Confederação Brasileira de Futebol

      Mar 2019 - Mar 2022
      Pentester
    • 3MCYBER

      Jan 2020 - now
      Penetration Tester
    • Hospital Lifecenter

      Aug 2020 - Oct 2020
      Pentester

      Internal and external black-box pentest

    • Pearson Brasil

      Oct 2020 - Nov 2020
      Pentester

      Identify vulnerabilities in the web application

    • Tambasa Atacadistas

      Nov 2020 - Dec 2020
      Pentester

      Internal and external black-box pentest

    • Captalys

      Jan 2021 - Jan 2021
      Pentester

      Identify vulnerabilities in the web application

    • Polícia Federal

      Oct 2021 - Nov 2021
      Pentester
    • Kufa Advocacia

      Jan 2022 - Jan 2023
      Cybersecurity Consultant
    • Banco Bmg

      Jan 2022 - Jan 2023
      Cybersecurity Consultant
    • Sinqia

      Jan 2022 - Jan 2023
      Pentester
    • CASSI

      Mar 2022 - Aug 2022
      Pentester

      As a Security Pentester at Cassi, I conducted offensive security assessments on web applications and APIs, focusing on OWASP Top 10 vulnerabilities, including SQL Injection, XSS, IDOR, SSRF, and CSRF. I performed security tests on Swagger, admin panels, and critical endpoints, identifying and mitigating security risks. Additionally, I executed social engineering attacks, leveraging psychological manipulation techniques to assess human-related security weaknesses.

    • Lojas Le biscuit S/A

      Apr 2022 - Oct 2022
      Red Team

      At Le Biscuit, I performed offensive security testing on web applications and APIs, identifying and mitigating OWASP Top 10 vulnerabilities, such as SQL Injection, XSS, IDOR, SSRF, and CSRF. I conducted security assessments on Swagger, admin panels, and exposed endpoints, ensuring system resilience. Additionally, I carried out social engineering tests, evaluating human-based security risks and strengthening the organization’s security posture.

    • BMP

      Apr 2022 - Jun 2022
      Pentester
    • IPOG - Instituto de Pós-Graduação e Graduação

      May 2022 - Jul 2022
      Pentester
    • NTSec | Network Security

      May 2022 - Jul 2022
      Pentester
    • Caixa Econômica Federal

      Jun 2022 - Jan 2024
      Pentester
    • Place Tecnologia e Inovação S.A.

      Jun 2022 - Jan 2023
      Pentester
    • Zoop

      Jun 2022 - now
      Red Team

      I work on intrusion testing and attack simulations for Zoop, identifying vulnerabilities and assessing the security of systems with offensive approaches. As part of the IntrusionCyber.com Red Team, I perform realistic assessments to strengthen the company's security posture, anticipating threats and ensuring resilience against cyberattacks.

    • Torrent Pharmaceuticals Ltd

      Jan 2023 - Sept 2024
      Lead Pentester

      At Torrent Pharma, I carried out comprehensive penetration testing across a wide range of systems and applications, focusing on identifying vulnerabilities and strengthening security posture. My responsibilities included simulating sophisticated cyberattacks, such as lateral movement, ransomware attacks, and privilege escalation, to assess the effectiveness of the organization's security controls. I conducted IAM (Identity and Access Management) testing to ensure proper user roles and permissions were enforced.

      I performed advanced web application security assessments, including SQL Injection, XSS, and Remote Code Execution (RCE), across both web applications and API endpoints. Additionally, I evaluated security in critical infrastructure, including SCADA systems, ensuring they were resilient against targeted attacks.

      Using a Graybox testing approach, I collaborated closely with the internal team to conduct extensive tests, including session hijacking attempts on admin accounts, ensuring robust defense against unauthorized access. These assessments helped enhance security layers and improve risk mitigation strategies across the organization.

    • FastHelp Segurança da Informação

      Jun 2023 - Jul 2024
      Penetration Tester

      Pentest, Cybersecurity, Red Team

    • Voke

      Aug 2023 - Sept 2024
      Pentester

      Conducted advanced security assessments for Voke Tecnologia, combining penetration testing with large-scale phishing campaigns to evaluate both technical and human vulnerabilities. Executed targeted attack simulations using techniques such as SQL Injection, XSS, RCE, and privilege escalation to identify and mitigate critical security gaps. As part of the Red Team at 3mcyber, I focus on strengthening cybersecurity resilience by proactively uncovering weaknesses and enhancing defense strategies against real-world threats.

    • Engemon IT

      Nov 2023 - Feb 2024
      Lead Pentester

      At Engemon, I was responsible for performing penetration testing on a variety of applications, networks, and systems to identify security vulnerabilities and improve the overall defense strategy. I conducted thorough assessments on web applications and APIs, testing for critical vulnerabilities such as SQL Injection, XSS, and Remote Code Execution (RCE), ensuring that key systems were secured against common attack vectors.

      In addition to standard testing, I executed social engineering attacks to evaluate the organization's response to human-based threats and improve user awareness. I also performed security testing on internal tools and admin panels, focusing on session hijacking and privilege escalation to assess the integrity of access control mechanisms.

      Collaborating closely with the IT team, I used tools such as Burp Suite, Nessus, and Maltego for vulnerability scanning, reconnaissance, and threat intelligence gathering. The goal was to proactively identify risks and provide actionable recommendations to strengthen the company’s security defenses across various platforms.

    • OSTEC Business Security

      Jan 2024 - Mar 2025
      Pentester

      At OSTEC, I coordinated and led penetration testing projects for companies across Latin America, delivering targeted security assessments that identified and addressed a wide array of vulnerabilities. My role involved designing and executing offensive security campaigns tailored to the specific needs of each client, ranging from small enterprises to large organizations.

      I led assessments focusing on critical threats, including SQL Injection, Cross-Site Scripting (XSS), and Remote Code Execution (RCE), but also identified deeper, more complex issues such as Server-Side Request Forgery (SSRF), XML External Entity (XXE) attacks, and Broken Access Control. These vulnerabilities often exposed hidden risks in API endpoints, admin panels, and internal applications, which I worked to exploit and ultimately mitigate.

      A key part of my role was utilizing advanced security tools such as Burp Suite, OWASP ZAP Proxy, Nuclei, and Rengine for both automated and manual testing. I orchestrated complex social engineering operations, including phishing campaigns and spear-phishing simulations, to assess how well employees responded to human-driven threats.

      Additionally, I performed in-depth log analysis to trace suspicious behaviors, including session hijacking attempts and unauthorized privilege escalations, which could go unnoticed without proactive monitoring. I also tested lateral movement across network infrastructures, simulating real-world attack scenarios that could compromise multiple systems.

      Beyond technical assessments, I worked closely with client teams to refine their IAM frameworks, improve multi-factor authentication (MFA) implementation, and strengthen overall access control policies, ensuring robust defenses against the latest cybersecurity challenges.

    • Santa Casa da Misericórdia de Lisboa

      Jan 2024 - Jun 2024
      Lead Pentester

      Red Team Pentest & Cyber Resilience for Santa Casa de Misericórdia de Portugal | 3mcyber

      Executed advanced penetration testing and adversarial simulations for Santa Casa de Misericórdia de Portugal, proactively identifying vulnerabilities that could jeopardize healthcare, financial, and social welfare systems. Leveraging frameworks such as NIST, NIS2, and GDPR compliance standards, I conducted deep-dive security assessments against OWASP Top 10 threats, including SQL Injection, XSS, RCE, authentication bypass, and API exploitation.

      Simulated real-world attack scenarios to mimic tactics used by cybercriminals—ransomware infiltration, privilege escalation, supply chain attacks, and targeted phishing campaigns—ensuring both technical and human security resilience. As part of the Red Team at IntrusionCyber.com, I played a key role in fortifying critical digital infrastructures, safeguarding sensitive patient data, and ensuring uninterrupted service delivery against an evolving cyber threat landscape.
    • Polícia Militar do Distrito Federal - PMDF

      Feb 2024 - Dec 2024
      Lead Pentester

      Red Team Pentest & Cyber Threat Simulation for Polícia Militar do Distrito Federal | IntrusionCyber.com

      Performed advanced penetration testing and adversarial simulations for the Polícia Militar do Distrito Federal, identifying and mitigating vulnerabilities that could be exploited by cybercriminals and hostile entities. Assessed mission-critical systems against OWASP Top 10 threats—SQL Injection, XSS, RCE, authentication bypass—while executing phishing campaigns and social engineering attacks to test human resilience. Simulated real-world attack vectors, including unauthorized access to operational systems, radio communication interception, privilege escalation, and data exfiltration, mimicking tactics used by organized crime and cyber adversaries. As part of the Red Team at IntrusionCyber.com, I contributed to enhancing the cybersecurity posture of law enforcement, ensuring the protection of classified data and the integrity of digital infrastructure.

    • CRA-MG - Conselho Regional de Administração de Minas Gerais

      Feb 2024 - Jan 2025
      Lead Pentester

      At CRA-MG, I was responsible for performing comprehensive penetration testing and vulnerability assessments across various IT systems, applications, and infrastructures. My work involved identifying and mitigating critical vulnerabilities such as SQL Injection, XSS, and Remote Code Execution (RCE) across web applications and API endpoints.

      I utilized a variety of industry-standard tools, including Burp Suite, OWASP ZAP Proxy, Nuclei, and Rengine, to conduct automated vulnerability scans, identify security weaknesses, and manually exploit vulnerabilities. These tools helped in detecting and mitigating common attack vectors, ensuring the integrity of systems.

      In addition, I performed social engineering tests, including phishing simulations, to assess employee awareness and evaluate the organization's resilience against human-based attacks. I also conducted log analysis to detect suspicious activities, potential intrusions, or unauthorized access, providing valuable insights for enhancing incident detection and response capabilities.

      Throughout my work, I collaborated with internal teams to review and strengthen access control mechanisms, focusing on privilege escalation and IAM (Identity and Access Management) controls to ensure secure authentication and authorization protocols were in place.

    • Crea-RJ

      Mar 2024 - Sept 2024
      Pentester

      At CREA-RJ, I was responsible for conducting penetration testing and security assessments across a variety of IT systems, applications, and infrastructure. My focus was on identifying and mitigating high-risk vulnerabilities, including SQL Injection, XSS, and Remote Code Execution (RCE) in web applications and API endpoints.

      To ensure comprehensive coverage, I employed advanced security tools such as Burp Suite, OWASP ZAP Proxy, Nuclei, and Rengine, utilizing them to detect and exploit vulnerabilities and provide actionable insights for enhancing system defenses. Additionally, I performed social engineering tests, including phishing simulations, to evaluate the organization's susceptibility to human-based threats and improve cybersecurity awareness among employees.

      I also carried out log analysis to investigate suspicious activity, potential breaches, and identify any signs of unauthorized access across the organization’s systems, strengthening the incident detection and response processes.

      Throughout my engagement, I worked closely with internal teams to review access control mechanisms and ensure secure IAM (Identity and Access Management) practices, addressing risks related to privilege escalation and ensuring robust authentication and authorization measures.

    • ArcelorMittal

      Apr 2024 - Mar 2025
      Pentester

      Led a large-scale security enhancement initiative for ArcelorMittal, executing targeted phishing campaigns for over 50,000 employees to assess and strengthen human resilience against social engineering attacks. As part of the Red Team at IntrusionCyber.com, I combined offensive security tactics with awareness strategies, leveraging frameworks like MITRE ATT&CK and OWASP to identify vulnerabilities and improve the company's overall cybersecurity posture.

    • Milvus

      May 2024 - Jun 2024
      Penetration Tester
    • AGU - Advocacia-Geral da União

      Jun 2024 - Feb 2025
      Lead Pentester

      Conducted advanced penetration testing for AGU, identifying and mitigating hundreds of vulnerabilities that safeguarded the sensitive data of over 80 million users. Utilizing offensive security techniques such as SQL Injection, XSS, RCE, and privilege escalation, I assessed critical systems to enhance their resilience against cyber threats. As part of the Red Team at IntrusionCyber.com, my work contributed to strengthening the security posture of national digital assets, ensuring robust protection against real-world attacks.

    • ChatGuru

      Jul 2024 - Jan 2025
      Pentester

      Red Team Pentest & Offensive Security for ChatGuru | IntrusionCyber.com

      Uncovered critical security flaws in ChatGuru’s digital ecosystem through deep-dive penetration testing, fortifying its defenses against real-world cyber threats. Leveraging advanced offensive techniques—SQL Injection, XSS, RCE, and sophisticated phishing campaigns—I simulated adversarial attacks to expose vulnerabilities before malicious actors could. My assessments not only strengthened application and infrastructure security but also reinforced user data protection. As part of the Red Team at IntrusionCyber.com, I turn proactive threat hunting into actionable security, ensuring ChatGuru remains resilient in an evolving cyber landscape.

    • ACATE - Associação Catarinense de Tecnologia (Catarinense Technology Association)

      Jul 2024 - Oct 2024
      Lead Pentester

      At ACATE, I conducted offensive security assessments on web applications, APIs, and critical infrastructure, focusing on OWASP Top 10 vulnerabilities such as SQL Injection, XSS, IDOR, SSRF, and CSRF. I performed security testing on Swagger, admin panels, and exposed endpoints, ensuring system resilience.

      I utilized a range of security tools, including:

        • Burp Suite – Web application security testing and exploitation
        • Nessus (Tenable) & OpenVAS – Vulnerability scanning and risk assessment
        • Maltego – OSINT and threat intelligence gathering
        • Rengine & Nuclei – Automated reconnaissance and vulnerability detection
        • Nikto – Web server security scanning

      Additionally, I conducted social engineering tests, identifying human-based security weaknesses and strengthening the organization's security posture.

    • IFood

      Aug 2024 - Mar 2025
      Lead Pentester

      I perform intrusion tests and attack simulations for iFood, identifying vulnerabilities and assessing the security of its systems with an offensive approach. As part of the Red Team at IntrusionCyber.com, I carry out realistic assessments to strengthen the company's security posture, anticipating threats and ensuring resilience against cyber attacks.

    • IFood Benefícios

      Aug 2024 - Mar 2025
      Lead Pentester

      I conduct intrusion tests and attack simulations for iFood Benefícios, identifying vulnerabilities in APIs, mobile applications (APK/IPA), and critical systems using methodologies such as NIST, OWASP, and Google's CASA framework. As part of the Red Team at IntrusionCyber.com, I perform realistic offensive security assessments, including OWASP API Security Top 10, reverse engineering of mobile applications, and exploitation of authentication and authorization flaws. My work strengthens the company's security posture, anticipating threats and ensuring resilience against cyber attacks.

    • Polícia Civil do Estado do Pará

      Aug 2024 - Jan 2025
      Lead Pentester

      Red Team Pentest & Cyber Threat Simulation for Polícia Civil do Pará | IntrusionCyber.com

      Executed comprehensive penetration tests and adversarial simulations for the Polícia Civil do Pará, identifying and mitigating critical security gaps in systems targeted by organized crime. Conducted full-spectrum assessments, leveraging all OWASP Top 10 vulnerabilities, including SQL Injection, XSS, RCE, and authentication bypass, alongside social engineering campaigns to evaluate human resilience. Simulated real-world attack scenarios, such as credential leaks, privilege escalation, API exploitation, and phishing campaigns, replicating tactics used by cybercriminal organizations. As part of the Red Team at IntrusionCyber.com, my work directly contributed to strengthening the security posture of law enforcement digital assets, ensuring the protection of sensitive data and operational integrity against evolving cyber threats.

    • Brasal

      Aug 2024 - Dec 2024
      Lead Pentester

      Red Team Pentest & Cyber Threat Simulation for Brasal | IntrusionCyber.com (via Fasthelp)

      Conducted comprehensive penetration testing for Brasal through Fasthelp, assessing internal network security, Active Directory (AD) configurations, antivirus efficacy, and firewall resilience. Utilizing industry frameworks such as NIST, I executed offensive security tests targeting OWASP Top 10 vulnerabilities, including SQL Injection, XSS, RCE, and authentication bypass, alongside phishing simulations to evaluate user awareness.

      Simulated real-world attack scenarios such as lateral movement within the internal network, privilege escalation in AD, evasion of endpoint protection solutions, and firewall rule bypassing to assess and enhance Brasal’s security posture. As part of the Red Team at IntrusionCyber.com, in collaboration with Fasthelp, I played a key role in fortifying critical systems, ensuring robust defenses against sophisticated cyber threats.

    • Polícia Civil do Distrito Federal

      Nov 2024 - Feb 2025
      Lead Pentester

      Red Team Pentest & Cyber Threat Simulation for Polícia Civil do Distrito Federal | IntrusionCyber.com

      Conducted in-depth penetration testing and adversarial simulations for the Polícia Civil do Distrito Federal, proactively identifying and mitigating vulnerabilities that could be exploited by cybercriminals and organized crime. Assessed critical systems using the full spectrum of OWASP Top 10 threats—SQL Injection, XSS, RCE, authentication bypass—while executing social engineering campaigns, including phishing and credential harvesting, to evaluate human security awareness. Simulated real-world attack vectors such as API exploitation, privilege escalation, insider threats, and data exfiltration, reinforcing the digital resilience of law enforcement operations. As part of the Red Team at IntrusionCyber.com, I played a key role in strengthening cybersecurity defenses, protecting sensitive intelligence and ensuring the integrity of police digital infrastructure.

    • Conselho Regional De Engenharia E Agronomia Da Bahia

      Dec 2024 - Feb 2025
      Lead Pentester

      At CREA-BA, I was responsible for conducting comprehensive penetration testing and security assessments on a wide range of IT systems, applications, and network infrastructures. My work included identifying and mitigating critical vulnerabilities such as SQL Injection, XSS, and Remote Code Execution (RCE) across web applications and API endpoints.

      In addition, I simulated phishing attacks to assess the organization’s vulnerability to social engineering threats, testing employee awareness and response to email-based attacks. I also performed detailed log analysis to detect potential signs of security breaches or malicious activity within internal systems, providing actionable insights to enhance incident response capabilities.

      Working closely with internal teams, I assessed access control mechanisms and privilege escalation risks, and reviewed IAM (Identity and Access Management) strategies to ensure appropriate user roles and permissions were being enforced.

      Through these assessments, I contributed to strengthening the security posture of CREA-BA by identifying weaknesses and providing tailored recommendations for improving defenses against both technical and human-based threats.

  • Licenses & Certifications