skip to content

$ cat ./about

Who I am, where I came from, the principles I work by.

Background

Operator first. A decade in the defense sector — reconnaissance, protective and counterterrorism operations, command in airborne and special structures; left as a major. Accountable for people, decisions, and outcomes where a mistake had a real cost.

Second background — technical. Warsaw School of Computer Science: engineering degree in IT, thesis on MITRE ATT&CK and the Cyber Kill Chain in AD attack analysis. Collegium Civitas: postgraduate studies in terrorism and hybrid threats.

Now

Offensive security — independent practice. Penetration testing and red team: web, infrastructure, social engineering, OSINT, multi-vector scenarios. The last years of service ran on the cyber track — threat and adversary analysis, campaign and TTP identification (including APT groups), OSINT attribution, hardening, inter-agency reporting.

The specialization I'm building hardest right now: AI systems security — red teaming agentic systems, tool chains, and the organizational processes around them. Agents, LLMs, integrations and delegated permissions form a new attack surface most organizations are only starting to model.

The second lane is OSINT and OPSEC — the same skills pointed two ways. Investigative attribution and due diligence on one side; privacy and footprint hardening for executives and at-risk people on the other. Drone-assisted recon where online OSINT needs ground truth. Investigative work runs under contract and NDA, licensed under Polish detective-services law. Full practice → /osint .

Certs: OSCP, eWPTX, BSCP, BTL1, C-AI/MLPen, AIRTP+ → OSAI → OSWE → OSCE³ . Full log on /path .


# principles

Not "company values". The rules the work doesn't scale without.

# work

  1. 01

    A report changes decisions, it doesn't fill shelves. Exec summary with risk ranking and concrete remediation. An exploit dump is raw material, not a report.

  2. 02

    I don't run what I haven't read. Read the source first, then RCE. Copy-paste from GitHub is not a pentest — it's cosplay.

  3. 03

    The client pays for the outcome, not technical performance. If a finding doesn't change a decision, it's noise.

  4. 04

    Good documentation beats a flashy exploit. A PoC without notes = waste for everyone after me — the client, the blue team, future me.

# operations

  1. 05

    Extreme ownership. If it didn't work — that's on me. "The tool failed" = I picked the wrong one. "The client didn't grant access" = I didn't communicate well. Looking for someone to blame adds nothing.

  2. 06

    The plan survives contact for ~3 seconds. After that, intent rules — not the plan. Every engagement starts from one sentence: "why we're doing this". That stays when everything else falls apart.

  3. 07

    Discipline beats motivation any day of the week. Motivation runs out by Wednesday. The habit keeps working.

  4. 08

    Escalate before impact, not after. Critical finding — phone, not ticket. At 2 AM too. The report ships on schedule, the call happens now.

  5. 09

    No ROE — no work. Zero "quick free audits", zero "just see if you find something". Contract, NDA, scope, escalation channel — in writing, before the first packet.

# ethos

  1. 10

    Disclosure is always coordinated. Full disclosure is '90s folklore. The vendor gets time to fix, the community gets the lesson. One doesn't preclude the other.

  2. 11

    OSINT without ethics is stalking. I know the line: law, ROE, consent. I don't deanonymize for clout. I do it for incident attribution and protecting victims.

  3. 12

    Methods public, specifics private. I explain how I work — let the field grow. Specific tooling, TTPs and client data stay on the OPSEC side. Not a contradiction — hygiene.

# lineage

The shape of this craft was set before me. Phrack 7:3 (1986) — The Mentor's The Conscience of a Hacker. Read it. Read Steven Levy's Hackers for the prequel. The form is dated. The spirit isn't.

The other half came in uniform. Boyd's OODA — intent over plan, get inside their loop. Mitnick on the human as the cheapest exploit. OffSec methodology over all of it: earn it, don't claim it.

Distilled, the way I carry it:

  • Curiosity is the entry fee.
  • The system is the curriculum.
  • Authority is provisional. Verification is permanent.
  • You are what you can demonstrate, not what you've been called.

The goal doesn't change. The angle does.

# north star

To be the name that comes up — in Poland first, then across the EU — when the problem is an AI system under attack, an adversary to attribute, or an exposed person who needs their footprint erased.

Senior, hands-on work — not agency volume. No filler, no theater, no claims I can't demonstrate. The AI attack surface is the frontier, and it's wide open.

# acknowledgments

Built on the shoulders of others. A few worth naming:

  • OffSec — the methodology spine. OSCP, OSWE, OSED, OSAI. "Try harder" sounds corny on a t-shirt and right under exam pressure.
  • PortSwigger — Web Security Academy made deep web appsec free. Most of what I know about HTTP I owe to running their labs to the end.
  • The community — researchers who post their work, vendors who ship fixes, blue teams who write up their detections. The flywheel only spins because people share.

# bio — for organizers & press

Rafael Gacek is an offensive security researcher and OSINT/OPSEC practitioner focused on AI/LLM red teaming, attribution, and privacy hardening. He spent a decade in special operations before moving to offensive security full-time. He is credited with CVE-2026-41496 and publishes research at bersec.me. Based in Warsaw, Poland.

Copy-paste friendly. No approval needed.

Contact

Available for selective engagements — AI/LLM red team, OSINT & attribution, OPSEC / privacy hardening, advisory. Email contact@bersec.me . Vulnerability disclosure → /security .