Thurein Soe
Singapore
Summary
Senior Red Team and Offensive Security professional with over 10 years of experience across APAC in banking, finance, insurance, and tech sectors. Skilled in manual penetration testing of web, mobile, and API applications, red team operations, phishing and ransomware simulations, and adversary emulation following MITRE ATT&CK and AASE/ICAST frameworks. Proven track record of identifying and remediating high and critical vulnerabilities, improving organizational detection and response capabilities, and supporting compliance with PCI DSS and ISO 27001. Experienced in collaborating with engineering, SOC, and executive teams to reduce attack surfaces and strengthen security posture.
Overview
11
11
years of professional experience
1
1
Certification
Work History
Senior Red Team Engineer
Samsung
08.2023 - Current
- Led manual red team assessments of web, mobile, and API services across Samsung APAC, including AI chatbots and multi-gateway e-commerce platforms.
- Executed phishing simulations and ransomware scenarios to test employee awareness and incident response capabilities.
- Discovered 40+ high/critical vulnerabilities, including application logic flaws, authentication bypass, and remote code execution, reducing product attack surface.
- Collaborated with engineering and SOC teams to validate fixes, prioritize remediation, and enhance detection and response.
- Keywords/Skills: Red Team, Penetration Testing, Adversary Emulation, API Security, Web Security, Mobile Security, Phishing Simulation, Vulnerability Assessment, RCE, Business Logic, Incident Response, SOC, APAC
Red Team Operations Manager
Ernst and Young - EY
03.2020 - 02.2023
- Led red team exercises for financial and insurance clients, following AASE and ICAST frameworks, mapping MITRE ATT&CK TTPs from reconnaissance to action on objective.
- Conducted phishing campaigns for banks and insurance companies to assess employee awareness.
- Performed APT attack emulation for energy industry clients and purple teaming exercises for global banks to strengthen detection and response.
- Keywords/Skills: Red Team, Adversarial Simulation, MITRE ATT&CK, APT Emulation, Phishing Simulation, Purple Team, Financial Security, Insurance Security
Senior Security Consultant
Deloitte
07.2020 - 03.2022
- Conducted 80+ manual web and mobile penetration tests across banking, insurance, energy, government, social media, and airline sectors.
- Delivered 20+ phishing simulations and red team engagements for government and financial institutions.
- Performed source code reviews for JSP/ASP.NET applications; assessed host/network security on F5, Palo Alto, Cisco IOS, Solaris, and Check Point platforms.
- Keywords/Skills: Penetration Testing, Phishing Simulation, Red Team, Source Code Review, Web Security, Mobile Security, API Security, Network Security
Senior Penetration Tester
PayPal
02.2019 - 06.2020
- Performed manual penetration testing for web and mobile apps, network vulnerability assessments, database audits, and source code reviews in Java, PHP, ASP.NET.
- Conducted quarterly phishing simulations globally to enhance user awareness.
- Keywords/Skills: Penetration Testing, Web Security, Mobile Security, Phishing Simulation, Network Security, Database Security.
Principal Security Analyst
KBZ Bank
05.2016 - 12.2018
- Identified 70+ critical vulnerabilities in core banking applications and infrastructure.
- Conducted source code reviews, Oracle/Flexcube infrastructure testing, and phishing campaigns to enhance security awareness.
- Collaborated with vendors for IBM AS/400 and ATM penetration tests; supported PCI DSS 3.6 and ISO 27001 compliance.
- Keywords/Skills: Banking Security, Penetration Testing, Vulnerability Assessment, Web/Mobile Security, PCI DSS, ISO 27001
Information Security Analyst
Kernellix
11.2014 - 02.2016
- Performed penetration testing for iBanking web and mobile applications; collaborated with external suppliers to improve security methodologies.
- Keywords/Skills: Penetration Testing, Web Security, Mobile Security, Banking Security.
Education
Master of Science - Cyber Security
University of West London
LondonSkills
- Critical thinking
- Project management
- Project planning
- Data analysis
Certification
CREST CRT, CREST CCT-INF, GXPN, GCPN, OSCP, CRTO, CRTE, eCPTX, eWPTX, HTB APTLabs.
Hobbies & Interests
Focused on malware development, including phishing techniques, EDR/antivirus bypass methods, and post-exploitation tools. Shared technical insights through blog posts, gaining hands-on experience in offensive security, reverse engineering, and exploit development., https://nyameeeain.medium.com/, https://github.com/NyaMeeEain
Security Research
- Thurein participated in public and private bug bounty programs, where several companies, including AT&T, Cisco, Amazon, and Trend Micro, were acknowledged for reporting application-based vulnerabilities. Mastercard and Visa, etc. Thurein also contributed to CVEs. He discovers several zero-day vulnerabilities in well-known products, including window privilege escalation vulnerabilities and critical web application vulnerabilities (Blind SQL injection, command injection, XXE, and XSS) on Hikvision, world-leading surveillance equipment for civilians and military use, and a leading Endpoint detection(EDR and EPP) product.
- Blind SQL Injection/RCE Hikvision CVE-2022-28171
- Persistent XSS Hikvision CVE-2022-28172
- Weak service permissions Priv Dfone Wondershare CVE-2023-27010
- Unquoted Service Paths Priv Filmora Wondershare CVE-2023-31747
- Weak service/Reg permissions MobileTrans CVE-2023-31748
- Time/Blind SQL Injection Ahab EPP Management CVE-2023-49440
Professional Training Attended
- Sans SEC660(6 Day) Advanced Penetration Testing, Exploit Writing in 2017, SG.
- Black Hat Asia (2 Day) Adversary Tactics Red Team (SPECTEROPS) in 2018, SG
- MDSec 2020 (4 days) Adversary Simulation and Red Team Tactics in 2020, online
- Netspi Adversary Simulation Training 2020, online
Languages
English
Advanced (C1)
Timeline
Senior Red Team Engineer
Samsung
08.2023 - Current
Senior Security Consultant
Deloitte
07.2020 - 03.2022
Red Team Operations Manager
Ernst and Young - EY
03.2020 - 02.2023
Senior Penetration Tester
PayPal
02.2019 - 06.2020
Principal Security Analyst
KBZ Bank
05.2016 - 12.2018
Information Security Analyst
Kernellix
11.2014 - 02.2016
Master of Science - Cyber Security
University of West London
Similar Profiles
Shannon M. BatesShannon M. Bates
Human Resource Manager at SamsungHuman Resource Manager at Samsung
CANSIN YAĞMUR GÜLTEN KABACANSIN YAĞMUR GÜLTEN KABA
Visual Merchandising & Display Assistant Manager at SamsungVisual Merchandising & Display Assistant Manager at Samsung
Tiffany GrossTiffany Gross
Assembly Line Worker at SamsungAssembly Line Worker at Samsung
Carol LimCarol Lim
AR Credit Control Officer at TP ICAP Management Services Pte LtdAR Credit Control Officer at TP ICAP Management Services Pte Ltd
Mohammad Nazim Bin AtanMohammad Nazim Bin Atan
Facilities / Accounts Manager at Newtech Technology (South Asia) Pte LtdFacilities / Accounts Manager at Newtech Technology (South Asia) Pte Ltd