Welcome to 0xRafaSec — Where Security Gets Real
Why this security research blog exists, what you'll find here, and how to get the most out of it — from CVE breakdowns to hands-on hacking tutorials.
The internet has a vulnerability problem.
In 2025 alone, the NVD catalogued over 40,000 CVEs — roughly 110 new vulnerabilities published every single day. Ransomware groups extorted billions. Supply chain attacks compromised software that millions of organisations trusted blindly. AI-generated phishing became indistinguishable from the real thing. And somewhere in all that noise, a security community of researchers, defenders, and hunters kept showing up — learning, disclosing, patching, and sharing.
That's what this blog is about.
Who Is 0xRafaSec?
I'm a security researcher focused on offensive techniques, vulnerability analysis, and the kind of practical knowledge that actually moves the needle — whether you're hunting bugs on a bug bounty platform, hardening a production environment, or studying for your next certification.
The hex prefix isn't decoration. It's a mindset: look past the surface, understand what's running underneath, and always ask why before asking how.
What You'll Find Here
CVE Analysis
Not summaries. Real breakdowns.
When a critical vulnerability drops, I dig into the root cause, the affected code paths, the CVSS score reasoning, and — when responsible disclosure permits — the exploitation mechanics. The goal is to understand vulnerabilities well enough to defend against them, not just patch and move on.
Recent focus areas include memory corruption bugs, authentication bypasses, and the increasingly dangerous class of supply chain vulnerabilities targeting CI/CD pipelines and package registries.
Hands-On Security Tutorials
The theory-practice gap in security is real. You can read about SQL injection for hours and still freeze when you see a real login form. These tutorials bridge that gap.
Every tutorial comes with:
- A safe, legal lab environment (Docker, HackTheBox, TryHackMe)
- Step-by-step walkthroughs with actual commands and expected outputs
- A blue team section — because understanding the attack is only half the job
- Practice challenges so you leave with a skill, not just knowledge
Topics range from web application classics (XSS, SQLi, SSRF, IDOR) to Active Directory attacks (Kerberoasting, BloodHound, lateral movement), cloud security (AWS IAM privilege escalation, Kubernetes escapes), and smart contract vulnerabilities for the Web3 side of the attack surface.
Bug Bounty Writeups
These are written manually — no AI-generated fluff. Real vulnerabilities, real programs, real lessons. The kind of writeup that teaches you to think like a hunter, not just follow a checklist.
The Rules of the House
Security knowledge is dual-use. Every technique here can defend or attack. The frame I use:
Understand it to defend it. Test it with permission. Disclose it responsibly.
Every offensive technique includes detection signatures, mitigation strategies, and responsible disclosure guidance. This isn't a playground for script kiddies — it's a resource for people who take their craft seriously.
Content in English and Portuguese
All major content is published in English and Brazilian Portuguese. Use the language switcher in the header. If a translation feels off, open an issue — fluency matters more than word count.
Where to Start
- New to offensive security? Start with the tutorials section — beginners are welcome, gatekeeping is not.
- Hunting bugs? Head to the CVE analysis posts for technical depth on recent critical vulnerabilities.
- Defending systems? Every attack post has a blue team section. Read both halves.
The threat landscape in 2026 isn't getting simpler. Neither is this blog. Let's get to work.
— 0xRafaSec