Phase 1 Discovery
Ayoub Bouhnine
Cyber Security Incident Response Analyst at Proximus Ada
I investigate breaches, reverse malware, and build the tools that make incident response faster. When a system is compromised, I'm the one who figures out what happened and how to stop it from happening again.
DFIR specialist with a Master's in Cybersecurity from ULB, currently working on the front lines of incident response at Proximus Ada. From RFID badge exploitation during my Red Team internship to sandbox evasion research in my thesis, I like understanding how things break so I can help defend them better.
Currently exploring
Cloud Forensics (Azure/AWS)
Detection Engineering at Scale
Threat Hunting Automation
Phase 2 Background
Education
M.Sc. Cybersecurity
Université Libre de Bruxelles (ULB), Brussels | September 2022 - June 2024
Specialization: Digital Forensics & In-Depth Analysis
Grade: Grande Distinction (High Honors)
B.Sc. Computer Science
Université Libre de Bruxelles (ULB), Brussels | September 2019 - June 2022
Grade: Grande Distinction (High Honors)
Languages
French - Native
English - Fluent (C1)
Arabic - Fluent (C1)
Phase 3 Field Operations
Professional Experience
Cyber Security Incident Response Analyst
Proximus Ada
September 2024 - Present
- Conducted digital forensic investigations across Windows, Linux, macOS, and vendor-specific appliances (Ivanti, Palo Alto, Fortinet), delivering findings to stakeholders and clients
- Investigated multi-stage incidents end-to-end — from initial access through lateral movement to impact — using EDR tooling and log correlation to reconstruct attack timelines
- Identified root causes of security incidents and provided actionable remediation guidance to minimize business impact
Internship CSIRT - Red Team
Proximus Ada
July 2023 - September 2023
- Assessed the security of a physical access control badge system by researching RFID/NFC cryptographic weaknesses and executing a full attack chain from analysis to proof-of-concept
- Enhanced the Proxmark open-source tool to support red team exercise workflows
- Participated in a real-world red team engagement to validate physical security weaknesses in a live environment
Phase 4 Technical Analysis
Skills
Domains
Networking
Cybersecurity
Incident Response
Penetration Testing
Threat Intelligence & Analysis
MISP
Recorded Future
Cuckoo Sandbox
CAPEv2
YARA
SIEM & EDR
Splunk
Elastic Stack
Security Onion
Microsoft Defender for Endpoint
CrowdStrike
SentinelOne
Detection Engineering
Sigma Rules
Sysmon
Security Tools
FortiGate
Cisco
pfSense
Suricata
Snort
Microsoft Defender for Office 365
Blue Coat
Programming & Scripting
Python
C++
Java
PowerShell
Bash
PHP
PostgreSQL
Infrastructure & Virtualization
Proxmox
Azure
Frameworks & Methodologies
MITRE ATT&CK
NIST IR Lifecycle
PICERL
Cyber Kill Chain
Diamond Model
Phase 5 Findings
Certifications
CompTIA Security+
August 2025
Blue Team Level 1 (BTL1)
February 2025
ISC2 Certified in Cybersecurity (CC)
March 2024 - March 2027
Achievements
- Grande Distinction - M.Sc. Cybersecurity, ULB, 2024
- Grande Distinction - B.Sc. Computer Science, ULB, 2022
- Finalist - CyberSecurity Challenge Belgium, 2023 & 2024 (two consecutive years)
CTF Participations
CDX
Mastercard CyberDefense Exercise (CDX)
14-16 September 2025 | Mastercard
Participated in a cross-sector cyber defense exercise as part of the Blue Team, focusing on detection, hardening, and infrastructure protection against simulated Red Team attacks.
Finalist
CyberSecurity Challenge Belgium 2024
March 2024 | CSC BE
Finalist in a CTF competition organized by the CyberSecurity Challenge Belgium.
Finalist
CyberSecurity Challenge Belgium 2023
March 2023 | CSC BE
Finalist in a CTF competition organized by the CyberSecurity Challenge Belgium.
Phase 6 Evidence Collection
Projects
Attacking and Defending a Network Topology
Network security lab implementing port scanning, FTP brute-force, reflected DDoS, and ARP cache poisoning attacks with corresponding nftables-based defenses on a Mininet-emulated topology.
Grade: 19/20
Python
Scapy
Mininet
nftables
View on GitHub
DNS Traffic Host Classifier
Machine learning pipeline that classifies network hosts as human, bot, or mixed from DNS traffic traces using decision trees, random forests, neural networks, and KNN.
Grade: 20/20
Python
scikit-learn
tcpdump
DNS Analysis
View on GitHub
Malware Obfuscation & AVET Extension for CAPEv2 Evasion
Extended the AVET framework with stageless Meterpreter payloads via shellcode injection into msedge.exe, dynamic API/NTAPI loading, direct syscall execution (Syswhispers2/3), and custom arithmetic encryption to bypass CAPEv2 sandbox and Windows Defender detection.
Grade: 16/20
C
Shell
Python
AVET
Syswhispers
View on GitHub
Archive Format Fuzzer
Custom fuzzer targeting archive extraction and file handling routines. Discovered vulnerabilities including empty header injection and end-of-archive padding exploits across multiple architectures (M1, x86_64).
Grade: 20/20
C
Makefile
Fuzzing
View on GitHub
Belgian Rail Geospatial Database
Geospatial system combining PostgreSQL/PostGIS with OpenStreetMap data, GTFS transit schedules, and real-time SNCB train positions. Features interactive Folium maps and dashboards for transportation analysis across Belgium's rail network.
Grade: 17/20
Python
PostgreSQL
PostGIS
Flask
Folium
View on GitHub
Phase 7 Report Submission
Get in Touch
Interested in collaboration, consulting, or just want to discuss DFIR topics? Reach out through any of the channels below.