Hello! My name is Marcin Piosek, and I have been working in the IT security industry since 2013. Before that, I worked in software development and computer network administration. Currently, I work as a Pentester and IT Security Consultant, and I also provide technical support to sales teams.
On this website, you will find information about my work and publications.
Books
Introduction to IT Security
(2023, PL) Together with several other authors, I had the opportunity to co-create the second book of my career, Wprowadzenie do bezpieczeństwa IT (Introduction to IT Security). The book is written in Polish and covers a broad range of topics in the field of IT security.
It is targeted at audiences such as:
- IT managers interested in IT security
- Individuals working in IT who want to learn current security recommendations
- Those taking their first steps in technical IT security
- People responsible for implementing security measures in organizations
- Pentesters who want to expand their knowledge in different areas of IT security
My chapter, titled Penetration Testing, has the following introduction:
The “Penetration Testing” chapter was created for those who wish to acquire or organize knowledge related to the essence and the process of conducting penetration tests from an organizational standpoint. In this chapter, I will outline the individual steps that need to be taken to define the scope of work, choose the appropriate methodology, and set requirements for the summary report. The information provided here should suffice for independently coordinating penetration tests from defining the scope to accepting the work.
The knowledge presented in this chapter is based on experience from over 550 penetration tests conducted in 2021 and 750 completed projects in 2022. In each case, I was the person responsible for defining the scope of work and assisting with problem-solving during their execution.
The goal of this text is not to convey knowledge about all possible techniques for conducting penetration tests, nor to discuss the career path of a pentester. Readers of this chapter do not need any experience other than what comes from working in the broadly defined IT industry.
Authors of the individual chapters are:
- On Ethics in Hacking (Gynvael Coldwind)
- What Every Administrator Should Know About Web Application Security (Michał Sajdak)
- Android – System Security and Basic Penetration Testing of Mobile Applications (Marek Rzepecki)
- iOS – System Security and Basic Penetration Testing of Mobile Applications (Marek Rzepecki)
- Penetration Testing (Marcin Piosek)
- Introduction to Cyber Threat Intelligence (Bartosz Jerzman)
- Threat Modeling and Risk Analysis of Applications (Łukasz Basa, Wiktor Sędkowski)
- Introduction to the MITRE ATT&CK® Framework (Wojciech Lesicki)
- Cryptology at a Glance (Iwona Polak)
- Introduction to the Security of Industrial Control Systems (ICS/OT) (Marcin Dudek)
- Data Security at Rest – Encryption and Data Deletion (Krzysztof Wosiński)
- OSINT – An Introduction (Tomasz Turba)
- Physical Security – Asset Protection (Tomasz Dacka)
- Modern Fuzzing (Marek Zmysłowski)
- Email Message Authentication Mechanisms – SPF, DKIM, and DMARC (Grzegorz Trawiński)
- Hashcat - Racing Against Time in a Balance of Forces and Resources (Konrad Jędrzejczyk)
- Introduction to the Metasploit Tool (Piotr Ptaszek)
- PowerShell in Offense (Paweł Maziarz)
Web Application Security
(2019, PL) I am a co-author of the book Bezpieczeństwo aplikacji webowych (Web Application Security; book page, PL only), for which I wrote several chapters, including:
- Authentication, session management and authorization
- Advantages and disadvantages of OAuth 2.0 from a security perspective
- The SameSite flag: how does it work, and what does it protect against?
- Burp Suite Community Edition: an introduction to the HTTP proxy
- The Path Traversal vulnerability
- Command Injection and Code Injection vulnerabilities
- Introduction to WebSocket security
Table of contents: download PDF.
Certificates
Why do I “collect” certificates?
- Certified Kubernetes Security Specialist (CKS) #LF-dldt1fl2zr (since 2024)
- Certified Kubernetes Administrator (CKA) #LF-7jlmfe3i7t (since 2024)
- Microsoft Certified: Cybersecurity Architect Expert (SC-100) #FB89F55D8D444608 (since 2023)
- Microsoft Certified: Azure Security Engineer Associate (AZ-500) #52FDD24AEF427CBF (since 2023)
- Certified Ethical Hacker #ECC47891281092 (since 2017)
- Offensive Security Certified Professional #OS-101-04018 (since 2014)
CVEs
- (2019) Google Chrome - CVE-2019-13727 [HIGH]: Insufficient policy enforcement in WebSockets in Google Chrome prior to 79.0.3945.79 allowed a remote attacker to bypass Same Origin Policy via a crafted HTML page (details).
Lectures
- (2025, PL) Mega Sekurak Hacking Party Kraków - Wnioski po realizacji tysięcy testów penetracyjnych - edycja 2025 (English: Conclusions from conducting thousands of penetration tests, 2025 edition) (event page)
- (2024, PL) Mega Sekurak Hacking Party - Jakie wnioski można wyciągnąć z ponad 1000 testów bezpieczeństwa? (English: What conclusions can be drawn from over 1000 security tests?) (event recap)
- (2018, PL) Sekurak Hacking Party Kraków - Spring Expression Language - jak wykonać dowolny kod w OS (English: Spring Expression Language: how arbitrary code gets executed on the OS) (event page)
- (2014, PL) Quality Excites - Praktyczne ataki na aplikacje internetowe (English: Practical attacks on web applications) (event page)
Publications
- (2017, PL) CouchDB – podniesienie uprawnień i zdalne wykonanie kodu (English: CouchDB: privilege escalation and remote code execution) (article)
- (2017, PL) Czym jest podatność Path Traversal? (English: What is the Path Traversal vulnerability?) (article)
- (2017, PL) Jak wykrywać backdoory / webshelle w aplikacjach webowych? (English: How to detect backdoors and webshells in web applications?) (article)
- (2017, PL) Jak zabezpieczyć WordPress – poradnik krok po kroku (English: How to secure WordPress: a step-by-step guide) (PROGRAMISTA 11/2016, article)
- (2017, PL) OAuth 2.0 – jak działa / jak testować / problemy bezpieczeństwa (English: OAuth 2.0: how it works, how to test it, security problems) (article)
- (2017, PL) Bezpieczeństwo protokołu WebSocket w praktyce (English: WebSocket protocol security in practice) (article)
CTFs
- (2014 - 2015) Church of 0x41414141 (team page)