Marcin Gebarowski
Professional Summary
Senior Offensive Security Engineer & Penetration Tester with extensive experience directing complex penetration testing engagements within the global financial sector. Proven track record of orchestrating technically demanding projects that balance rigorous security requirements with critical business objectives. Expert in Android application testing, workstation exploitation (Windows/macOS), payment systems security (ATM/POS), and low-level vulnerability research, including the discovery of flaws in native Android libraries and enterprise data transport protocols. Adept at communicating technical risk to diverse stakeholders and championing security excellence through knowledge-sharing sessions.
Core Expertise & Technical Toolkit
- Adversarial Operations: Scenario-based penetration testing aimed at delivering an offensive security approach within time-constrained engagements.
- Vulnerability Research & Reversing: Deep-dive analysis of third-party applications, libraries, network protocols, and binary files, leveraging tools such as Ghidra/IDA Pro and 010 Editor as well as custom tooling tailored to the target.
- Systems & Hardware: Advanced testing of Windows/macOS endpoints (including Direct Memory Access (DMA) attacks), ATMs, and POS terminals.
- Development: High proficiency in C/C++, C#, Java, and Python for creating custom exploitation tools and automated testing plugins.
Professional Experience
Commonwealth Bank of Australia | Sydney, Australia
Senior Penetration Tester (Lead) | May 2015 – Present
- Technical Leadership: Served as Lead for multi-phased, high-stakes engagements, including the security review and rollout of a company-wide remote access solution.
- Risk-Based Offensive Strategy: Executed time-boxed adversarial simulations, translating complex technical vulnerabilities into actionable business risk for executive stakeholders.
- Mobile & Payment Security: Identified critical flaws in native Android libraries used for Tap&Pay, and conducted assessments of ATM and POS ecosystems.
- Endpoint Exploitation: Identified pre-login Remote Code Execution (RCE) issues and developed custom exploits. Worked on engagements focusing on evasion of enterprise-grade security controls (EDR/DLP).
- Vulnerability Research: Conducted specialized exploitation research targeting the XCOM Data Transport (CVE-2022-23992).
Wroclaw Centre for Networking and Supercomputing | Poland
Software Developer & System Administrator | July 2010 – August 2014
- Software Engineering: Integrated and customized Public Key Infrastructure (PKI) using EJBCA; developed web applications in Java.
- Incident Response: Investigated security incidents and performed vulnerability assessments across Solaris and Linux environments.
- High-Performance Computing: Ported complex algorithms to OpenCL and helped develop benchmarks for computing hardware.
Education & Industry Credentials
Education
- Master of Science in Engineering: Information Systems in Control Engineering | Wroclaw University of Technology
- Bachelor of Engineering: Wroclaw University of Technology
Certifications & Advanced Training
- Red Teaming: CRTO (Certified Red Team Operator)
- Exploitation: Corelan Advanced, OSCE, OSCP, Xipiter Practical ARM Exploitation
- SANS Institute: SEC760 (Advanced Exploit Development), SEC660 (Advanced Penetration Testing)