
Ahmed Anwar Elshnawy

Riyadh, Saudi Arabia

Summary

GRC Consultant with practical experience across Governance, Risk, and Compliance, information security audit, and technical security testing. Skilled in supporting gap assessments, risk assessments, control reviews, policy and procedure development, and remediation planning in alignment with frameworks such as NCA, SAMA Cybersecurity Framework, ISO/IEC 27001, and NIST CSF. Combines GRC knowledge with hands-on web application and network penetration testing experience, enabling a balanced understanding of both compliance requirements and real-world technical security risks.

Overview

  • 4 years of professional experience
  • 5 years of post-secondary education
  • 1 Certification

Work history

Cybersecurity Consultant

ECOVIS AL SABTI
2026.03 - 2026.06
  • Supported and delivered Governance, Risk, and Compliance engagements across multiple organizations, assessing cybersecurity practices against frameworks such as NCA ECC, CCC, CSCC, DCC, TCC, OSMAC, MSOC, SAMA Cybersecurity Framework, ISO/IEC 27001, and NIST CSF.
  • Conducted cybersecurity gap assessments, maturity reviews, and control effectiveness evaluations to identify compliance gaps, control weaknesses, and areas requiring improvement.
  • Developed practical remediation plans and improvement roadmaps by translating assessment results into clear actions aligned with business priorities and regulatory requirements.
  • Assisted in the design and enhancement of cybersecurity governance documents, including policies, standards, procedures, operating models, and control frameworks to support sustainable compliance.
  • Performed enterprise cybersecurity risk assessments covering people, process, and technology areas, including information assets, third-party risk, cloud security, critical systems, and key security operations.
  • Prepared GRC deliverables such as risk registers, compliance dashboards, assessment reports, management presentations, and executive summaries to communicate key risks, observations, and recommendations to stakeholders.
  • Participated in information security audit activities, including walkthrough meetings, evidence review, audit programs, risk and control matrices, observation drafting, and follow-up on remediation actions.
  • Reviewed security controls related to identity and access management, vulnerability management, incident response, change management, cloud security, SOC operations, third-party management, and disaster recovery.
  • Performed web application and network penetration testing activities on real-world environments, documenting vulnerabilities, evidence, business impact, risk ratings, and remediation recommendations.

Security Researcher

HackerOne
2022.09 - 2026.06
  • Reported 15+ valid vulnerabilities across Department of Defense and private programs, including High and Critical severity findings.
  • Identified authentication bypass, IDOR, SQL injection, access control, business logic, and API security vulnerabilities through structured manual testing, enhancing overall security posture of real targets.
  • Performed web, API, and infrastructure reconnaissance using Burp Suite, Nmap, Amass, FFUF, Nuclei, SQLMap, Postman, and related tooling.
  • Conducted 10+ private program assessments, applying OWASP Top 10 and OWASP API Top 10 testing methodologies to identify critical vulnerabilities.
  • Compiled detailed vulnerability reports with proof-of-concept evidence, outlining business impact, technical root cause, and remediation recommendations to guide stakeholders in addressing security risks.

Education

Bachelor of Engineering - Telecommunications and Electronics Department

Mansoura College Academy
Mansoura, Egypt
2018.09 - 2023.06

Skills

  • GRC & Cybersecurity Consulting: NCA ECC, CCC, CSCC, DCC, TCC, OSMAC, MSOC, SAMA Cybersecurity Framework, ISO/IEC 27001, NIST CSF, Cybersecurity Audit, Information Security Assessment, IT Consulting, Evidence Assessment, Gap Assessment, Maturity Assessment, Control Review, Risk Assessment, Remediation Roadmaps, Audit Documentation, Policy and Procedure Development
  • Penetration Testing & Offensive Security: Web Application Security Testing, API Security Testing, Network Penetration Testing, OWASP Top 10, OWASP API Top 10, Vulnerability Assessment, Active Directory Penetration Testing, Privilege Escalation, Lateral Movement
  • Tools & Frameworks: Burp Suite, Nmap, NetExec, Metasploit, BloodHound, Mimikatz, Rubeus, FFUF, SQLMap, Amass, Gobuster, Postman, Wireshark, SharpHound, Nessus, Nuclei

Certification

  • Certified Information Systems Auditor (CISA) - ISACA | In Progress
  • Certified Red Team Professional (CRTP) - Altered Security | 2025-10-01
  • API Penetration Testing - APIsec University | 2025-11-01

AWARDS & HONORS

Oracle Security Top Credit - CVE-2022-21500

TRAINING & COURSES

  • Practical Ethical Hacking - TCM Security
  • Windows Privilege Escalation - TCM Security
  • Linux Privilege Escalation - TCM Security
  • Practical Web Hacking - TCM Security
  • Advanced Web Hacking - TCM Security
  • HTB Certified Web Exploitation Specialist - Hack The Box Academy
  • HTB Certified Penetration Testing Specialist - Hack The Box Academy

SELECTED PROJECTS

  • Cybersecurity Audit - Enjaz
  • Information Security Assessment - Al Rajhi Capital
  • IT Consulting - MVPI
  • Penetration Testing - Auditvare, Taskvare
  • Risk Assessment - Coffee Address
