Jan Hoersch

IT Security Consultant, Penetration Tester

nv1t.github.io - keybase.io/nv1t - nv1t - nv1t@chaos.social

Career Profile

IT Security Consultant with 10+ years of experience, specializing in penetration testing, red teaming, and reverse engineering across diverse industries including FinTech, chemical, banking, and automotive. Experienced in both technical deep-dives (hardware hacking, code reviews, exploit development) and scenario-driven security assessments (red team operations, physical security). Passionate about building internal tools, mentoring teams, and advancing security research.

Core Competencies

Offensive Security: Penetration Testing (Web, Mobile, Infrastructure), Red Teaming, Physical Security
Reverse Engineering: Embedded Systems, Hardware Interfaces (SPI, JTAG, UART), Binary Analysis (IDA Pro, Immunity, Emba)
Tools & Frameworks: Burp Suite, Metasploit, CobaltStrike, CANAPE, Wireshark
Development & Automation: Python, Bash, Docker, Linux/Unix Administration
Additional: Security Monitoring, Hardware & IoT Security

Education

2017 OSCE, Offensive Security

2015 MASPT, eLearnSecurity

2014 OSCP, Offensive Security

2011-2013 IT Specialist for System Integration

Experience

2021-present Senior Security Consultant, SSE - Secure Systems Engineering GmbH

Conducted penetration tests across web applications, infrastructure, mobile, cloud environments, and code reviews; performed scenario-based assessments, red team engagements, and physical security tests for clients in FinTech, chemical, banking, and automotive sectors; developed internal security tools to enhance testing efficiency.

2018-2021 Lead Security Consultant, Context Information Security Ltd.

Penetrationtests (Web-Applications, Infrastructure, Mobile, Cloud, Code Review), scenario based tests and Redteams for various customers (FinTec, Chemical Industries, Banking, Automotive), internal tool development

2014-2018 IT Security Consultant, Securai GmbH

Performing penetration tests and reverse engineering tasks on mobile application, web applications and rich clients for various customers.

2011-2014 Network & Security Engineer, TMT GmbH & Co. KG

During 2.5 years as a trainee as a network engineer, i managed several tasks, mainly system programming, server monitoring as well as internal software audits based on network environment and web applications.

Publications

Reverse Engineering and Dismantling Kekz Headphones, blog.nv1t.me

The post details the reverse engineering of Kekz headphones to understand their NFC-based audio playback system.

Swapping Heads: A Disk-y Business, blog.nv1t.me

HDD Recovery of a clicking drive through head swap and less intrusive imaging.

I hate you, WD, blog.nv1t.me

Recovering a failing HDD by swapping the bios chips on a PCB and disabling the re-location list for faster transfer speed.

IoT Pentest - Der Weg von der Firmware zur Shell, Securai Blog

Demonstrating an IoT attack path from downloading firmware to remote code execution on the device.

Binary Patching von Java fuer Rich-Client Penetrationtests, Securai Blog

Patching Java Rich-Clients to circumvent checks during security assessments.

SQLi after order by in less than 22 chars, blog.nv1t.me

Solving a SQLi challenge by using the order by feature and known content.

IoT Security Nightmares - 20 minutes, 10 devices, Kaspersky Security Analyst Summit, 2017

Talk about easy exploitation of IoT devices and current state of responsible disclosure due to bad communication with vendors.

I like trains, MRMCD 2015

Accessing undocumented APIs from big companies is fun. Especially if you get loads of data to store and analyze from them.

Men who stare at bits (Part 2), 29th Chaos Communication Congress

Reverse Engineering of multiple RFID payment systems from different universities. Most of these systems were based on Mifare Classic Cards with custom encryption on the card.

Men who stare at bits, Sigint12

Reverse Engineering of one RFID payment system with custom encryption of the credit sector of the card.

Projects

Virtualbox Web Panel - A lightweight HTTP server script, with standard Python3 libraries, that offers a simple web interface for controlling and interacting with VirtualBox virtual machines.

Standing Desk Interceptor - Reverse Engineering my standing desk to create more functionality. It consists of two UART Communication channels and a custom protocol running between two Microcontrollers.

iliketrains - Accessing undocumented APIs from big companies is fun. Especially if you get loads of data to store and analyze from them. (See publication for talk on this project)

FreeElmo - Reverse Engineering an Elmo Document Camera and writing MultiOS Client.

Personal

Citizenship: German

Residence: Dresden, Germany