Hazem Elbatawy

Independent Full-Stack and Security Consultant

I build secure web systems, internal tools, and technical publishing assets.

My work combines product delivery, security thinking, technical content structure, deployment, analytics, and operational clarity. I focus on building useful systems that are production-ready, understandable, and directly tied to business or technical outcomes.

Experience

Full-Stack Developer & Deployment Engineer

Freelance · Remote · International clients · 2023 - Present

  • Built and deployed production-ready web applications using React, TypeScript, FastAPI, Django, Laravel, PostgreSQL, MySQL, Docker, Nginx, and Linux servers.
  • Deployed Vox Estate Agent, a FastAPI + React application, on a Linux VPS with Nginx, systemd process management, HTTPS, and production server configuration.
  • Delivered AI Product Image Similarity Search for a German client through the AutoHubPlatform GitHub organization, using AI image embeddings and containerized deployment practices.
  • Built and deployed SECHIVE, a multi-page React/TypeScript website for a physical security firm, under the SECHIVEE GitHub organization on GitHub Pages.
  • Worked with OpenAI APIs, WebSockets, multi-tenant SaaS patterns, CI/CD through GitHub Actions, and Linux server administration.

Security Researcher

Independent · Web & API Security · 2024 - Present

  • Conduct scoped web and API bug bounty testing with a focus on recon, attack-surface mapping, controlled validation, and responsible disclosure.
  • Test for broken access control, authorization logic flaws, insecure object references, privilege boundary issues, and business logic weaknesses.
  • Produce clear, reproducible reports with evidence quality focused on triage and remediation.
  • Build practical automation to reduce false positives and improve testing efficiency.
  • Develop public proof through redacted case studies and open-source security tooling.

Services

Secure MVP and Web System Builds

Build or refine web applications, admin systems, and product MVPs with practical full-stack delivery, clean structure, and production-minded implementation.

Internal Tools and Workflow Systems

Create operational tools, database-backed flows, automation helpers, and structured interfaces that reduce manual overhead and improve business workflows.

Technical Publishing and Content Platforms

Design and implement technical publishing assets such as digital book platforms, guide systems, structured documentation flows, and conversion-ready content pages.

Proof

Selected public repositories and implementation assets that show how I approach secure systems, full-stack delivery, workflow design, technical integrations, and production-focused problem solving.

Applied Work

The repositories above are the technical proof layer. These selected implementations show how that work translates into client-facing systems, internal workflows, and production-ready digital assets.

FolioVista Books

React · Vite · GTM/GA4 · SEO · Technical Publishing Platform

  • Designed and launched a live digital publishing platform for books, samples, waitlist capture, and reader-facing discovery.
  • Implemented page structure, branded UX, metadata, search-ready SEO foundations, GTM/GA4 tracking, and business email contact paths.
  • Built the platform as a practical conversion asset rather than a static brochure, with live samples and operational content publishing flow.

Users & Vehicle Management System

Django · Python · Crispy Forms · Middleware · Faker · Black · pytest

  • Built a Django system with a custom user model, separate user/client registration workflows, and dynamic nested forms for vehicle and service details.
  • Added custom middleware for authentication and HTTP request logging while excluding sensitive password values.
  • Used pytest for unit testing, Black for formatting, and Faker + UUID to generate realistic test data for the internal-tool workflow.

WooCommerce to Looker Studio Integration

WooCommerce · Data Integration · Reporting Workflow · Commercial Operations

  • Built a practical integration path for commercial reporting and operational visibility across business data flows.
  • Structured the work around useful outputs for business teams, not just raw technical connectivity.
  • Demonstrates workflow-system thinking for clients who need reliable reporting, structured data movement, and clearer operational dashboards.

Case Studies

Public-friendly summaries only: sensitive details are redacted, and only authorized evidence is shared.

Case Study 1: Private Program Access-Control Finding (Duplicate)

Authorized testing in a private bug bounty workflow with object-level authorization validation.

  • Focus: authorization boundary checks on account-owned objects.
  • Method: controlled account testing with reproducible evidence and strict redaction.
  • Outcome: report submitted with clear reproduction and remediation guidance; triage status duplicate.
  • Signal: demonstrates discipline in reporting and technical validation quality.

Case Study 2: Redacted Recon and Fuzz Pipeline

Recon plus fuzz automation flow for authorized target assessment and endpoint behavior analysis.

  • Focus: exposure mapping, endpoint probing, and fuzz-based edge case validation.
  • Authorization focus: object-level access checks and workflow state validation in controlled testing scenarios.
  • Method: DNS and CT recon, orchestrated fuzz runs, and result triage.
  • Tooling: recon.py, recon_fuzz_orchestrator.py, selenium_socks_simple_fuzz.py.
  • Outcome: prioritized findings and reusable evidence bundles for remediation.

Recon and Fuzz Workflow

A practical workflow used to move from discovery to reproducible findings.

  • Phase 1, Passive Recon: DNS, CT logs, headers, and endpoint map.
  • Phase 2, Guided Fuzz: parameter/path test cases and anomaly checks.
  • Phase 3, Evidence Pack: repro steps, logs, and impact summary.
  • Phase 4, Remediation Support: fix guidance and verification rerun.

Engagement Process

  1. Scope call and risk focus alignment
  2. Recon and attack-surface mapping in approved scope
  3. Controlled vulnerability validation and evidence collection
  4. Remediation-first report for engineering teams
  5. Verification pass and handover summary

Disclosure Compliance

Public references are disclosure-safe summaries only and follow program policy boundaries.

Contact

Based in Cairo, Egypt. Available for secure web builds, internal tools, technical publishing platforms, and direct consultant engagement.