SECURITY RESEARCHER // SWEDEN

I break things before they do.

live · andrei.sh

Work with me

Book a security engagement

Authorized audits and pentests for Rust and web codebases. Scoped, ethical, with a real report.

Flagship project

HUGIN

Coming soon

An intercepting proxy and vulnerability scanner in a single Rust binary.

Every engine in it is mine, written from scratch in Rust — and they go past Burp and Caido on capability, not just speed. It runs local-first with no account or telemetry, and you can drive the whole thing from your AI over 162 MCP tools. Hugin is coming soon: Community will be free, and Pro will be a flat €7/month.

Hugin desktop app — the HTTP History view, intercepting and listing captured requests

Single Rust binary

GUI + CLI in one

Local-first · no account

Drive it from your AI

Findings

Vulnerabilities I find and disclose responsibly — CVEs, advisories, bug-bounty work.

High · CVE-2026-28840 · CVSS 7.8 · Apple

Local privilege escalation to root in macOS PackageKit

Impact: An app could gain root privileges — full local compromise of the machine (read/modify any data, persist, disable protections).

Writing

Writeups on the bugs above, and articles on tooling, Rust, and method.