CTF Platform BSides Limburg
Built a full CTF platform for a real security conference, custom challenges, isolated Docker instances per player, and shared GitHub quality control.
Penetration Tester & Cybersecurity Consultant
Fresh graduate in Applied Computer Science, offensive security enthusiast, and incoming penetration tester at The Security Factory. This portfolio is a look at the work, projects, and experiences that got me here.
A bit about who I am, what I do, and how to reach me.
I recently graduated with a Bachelor's degree in Applied Computer Science (Electronics-ICT), specialising in Cloud & Cybersecurity. Throughout my studies I built a solid technical foundation. From low-level electronics and networking to cloud infrastructure and secure software development, but it was offensive security that truly captured my attention.
Breaking things to understand how they work, finding the crack in a system before someone with bad intentions does, that mindset drove me towards penetration testing. During my internship at The Security Factory I got to put that into practice for real: running professional assessments, uncovering vulnerabilities in live environments, and translating complex findings into clear, actionable reports for clients.
That experience made it clear this is exactly where I belong. On the 1st of July 2026 I officially join The Security Factory as a full-time penetration tester, and I couldn't be more ready to get started.
Working as a penetration tester demands more than just technical ability. Clear communication, structured thinking, and a methodical mindset are equally important when delivering findings to clients and teams.
My education and professional experience so far.
Applied Computer Sciences
Specialisation in offensive and defensive security, covering penetration testing, network security, cloud infrastructure, and secure software development.
Secondary Education
Dual focus on business accounting and IT fundamentals, building a foundation in both analytical thinking and technical problem solving.
The Security Factory
Performed professional penetration tests for real clients under supervision of senior consultants. Delivered full engagement reports and presented findings to stakeholders.
Competitive Bug Bounty Event
Participated in a government-organised ethical hacking competition, identifying security vulnerabilities in official systems within a controlled and authorised scope.
My internship as a penetration tester at The Security Factory.
During my final-year internship at The Security Factory I took part in real client engagements across web application, infrastructure, and mobile testing. I performed hands-on penetration tests, documented findings, and delivered professional reports, working alongside experienced security consultants on live assessments from start to finish.
View Full InternshipA selection of projects that best represent my skills and growth.
Built a full CTF platform for a real security conference, custom challenges, isolated Docker instances per player, and shared GitHub quality control.
Built a Security Operations Centre from scratch, Wazuh SIEM, automated Discord alerting via Shuffle, VirusTotal enrichment, and live attack simulations.
Automated, secure hosting platform on the Thomas More datacenter, Kubernetes on ESXi, CI/CD pipeline, and security group firewall configuration.
NFC-based voting system built for the Skill 1 event, one vote per person, no cheating, live scoreboard.
As part of a multidisciplinary team project, we were commissioned to build a fully working CTF (Capture The Flag) platform for BSides Limburg, a real security conference. The goal was to deliver a professional, themed CTF experience with challenges spanning Web Security, PWN & Reverse Engineering, Forensics & Crypto, and Privilege Escalation & Lateral Movement. Each player got their own isolated Docker instance, and the platform had to be stable, scalable, and easy to reset for a live event audience.
My main responsibilities were challenge creation, making sure all challenges came together cohesively, and serving as the quality control gatekeeper for the shared GitHub repository. Since all teams pushed to the same repo, every contribution had to follow a standardised structure, a Dockerfile, challenge.yml, and README per challenge, and be properly reviewed before merging. I enforced this structure and flagged anything that didn't meet the standard. Beyond that, I helped make sure the overall challenge set was balanced in difficulty and consistent in quality across all categories.
Building challenges for a CTF is a completely different mindset from solving them, you have to think like a defender who deliberately leaves a crack, and make sure the path to the flag is fair, unambiguous, and not breakable by accident. Managing a shared codebase with multiple teams also taught me a lot about Git workflows, code review discipline, and the importance of standards when more than one person is committing. The combination of building offensive content, enforcing quality, and delivering for a live audience made this one of the most complete team experiences of my degree.
This was a school project where the goal was to design and build a fully functional Security Operations Centre (SOC) from scratch. The environment consisted of three virtual machines: a SOC-vm for monitoring (Ubuntu Server), a target-vm simulating a production system (Ubuntu Server), and an attacker-vm running Kali Linux.
I deployed Wazuh as the SIEM on the SOC-vm, with an agent running on the target-vm to forward events. To get real-time visibility, I built automated alerting workflows in Shuffle SOAR that pushed Wazuh alerts to Discord, split across four severity channels (low, medium, high, critical). For high and critical alerts, I added VirusTotal enrichment: the source IP is automatically checked and a separate report is posted to a dedicated Discord channel, colour-coded by verdict. I then validated the setup with both a manual attack (Hydra SSH brute force from Kali) and an automated one using the Infection Monkey adversary simulation tool, which performed a simulated ransomware-style attack on the target.
This project gave me hands-on experience on the defensive side of security, something that complements my offensive focus well. Setting up a SIEM, tuning alert rules, building SOAR workflows, and enriching alerts with threat intelligence are all real-world SOC skills. I also ran into limitations, like Wazuh not picking up all of Infection Monkey's file changes, which taught me that no monitoring solution is perfect out of the box and that fine-tuning detection rules is an ongoing process.
This was a team project for Thomas More, with the goal of building a production-grade hosting platform for student application projects. The requirements were clear: the platform had to be automated, secure, and reliable. It runs on the Thomas More ESXi datacenter and follows a modern architecture, a CI/CD pipeline pulls Docker image templates from a Git repository and deploys containerised applications onto a Kubernetes cluster with two worker nodes, each running database and application containers. Persistent storage, automated backups via Restic to NFS, and a full management environment with Grafana, Ansible, a vulnerability scanner, and OCS Inventory round out the platform.
My main responsibility was the security side of the platform. I configured the firewall security groups that control traffic between the customer environment and the management environment, making sure only the right services could communicate with each other. Once that was done, I supported the rest of the team where needed, helping troubleshoot and fill in wherever an extra hand was useful.
This project gave me a solid understanding of how a professional hosting infrastructure is designed and secured. Working with Kubernetes, ESXi, and a real CI/CD pipeline in a team context showed me how all the individual pieces, compute, networking, storage, monitoring, and security, have to work together. Thinking about least-privilege network access and segmenting environments properly was a valuable exercise that connects directly to what I do in penetration testing: understanding how infrastructure is built is essential to finding where it breaks.
The Skill 1 event brings together competing teams and lets visitors vote for their favourite. In previous years, the voting process was google form based and prone to cheating, people voted multiple times and results couldn't be trusted. Our team was tasked with building a digital solution that would make cheating impossible while keeping the experience smooth and engaging for attendees.
I was mainly responsible for building the live scoreboard, a real-time dashboard that updated as votes came in and was displayed publicly during the event. I also helped set up the general system, which used a terminal-style voting interface paired with NFC cards. Each visitor received a unique NFC card that could only be scanned once, ensuring one vote per person regardless of how many times someone tried to vote again.
The core problem was enforcing a strict one-vote-per-person rule in a busy event environment. We solved this by tying each vote to a unique NFC card ID, which was registered server-side the moment it was used. Any subsequent scan of the same card was rejected immediately. This eliminated the repeat-voting that had plagued previous years and gave the event organisers confidence in the final results.
Whether you have a question, want to collaborate, or just want to connect, feel free to reach out. I'm always open to a good conversation.