LUCAS HANSON

Cyber Security Consultant and CTF player.

Experience

Cyber Security Consultant @ Cabinet Thierry MEYER Consultants

September 2025 - Present | Bordeaux, France

  • Conduct white-box, grey-box, and black-box penetration tests across client environments to identify and validate security weaknesses from initial assessment through exploitation.
  • Perform security reviews of web applications, APIs, and exposed attack surfaces, then provide clients with clear remediation guidance.
  • Lead R&D on offensive security techniques, test methods, and vulnerability discovery approaches that strengthen client assessments.
  • Design and develop internal tools that streamline reconnaissance, test workflows, and vulnerability reproduction for client assessments.

InfoSec Lab Co-Lead (Volunteer) @ Bordeaux Ynov Campus

September 2024 - Present | Bordeaux, France

  • Lead a 40-student cybersecurity lab, manage day-to-day operations, and organize regular technical activities for the community.
  • Supervise student projects and mentor participants from web security fundamentals to hands-on offensive security practice.
  • Hosted a CSP workshop that explained how browsers enforce Content Security Policy, reviewed the main fetch, navigation, and document directives, detailed source expressions such as nonces, hashes, and strict-dynamic, and examined policy tests plus common bypass patterns caused by weak allowlists or misconfiguration.
  • Hosted an SSRF workshop that covered classic, semi-blind, and blind SSRF, reviewed internal host and common port abuse, compared response length, status code, and response time differences, and examined cloud metadata exposure plus filter-bypass techniques such as open redirects, alternate URL formats, DNS rebind attacks, and protocol pivots.
  • Hosted a bug bounty methodology workshop on reconnaissance and application analysis, with modules on subdomain discovery, technology identification, content discovery, feature-based assessment, and review of common web issues such as XSS, CSRF, SSRF, IDOR, and SQL injection.
  • Hosted an introductory web security workshop that explained HTTP request and response flows, client and server roles, common web ports and cookies, XSS variants such as reflected and stored XSS, Burp Suite and browser developer tools, SQL injection basics, and exercises where students built then fixed vulnerable payloads.
  • Design, create, and organize the lab's yearly CTF.

Application Security Engineer @ DGFiP

September 2024 - September 2025 | Bordeaux, France

  • Performed secure code reviews and triaged findings as part of the Code Review team.
  • Conducted penetration tests on large-scale web and mobile applications.
  • Delivered application security training to development teams.
  • Built tailored tools to detect and exploit vulnerabilities within proprietary frameworks.

Cybersecurity Intern @ Knock Knock

June 2024 - July 2024 | Begles, France

  • Developed Python tools to automate penetration testing workflows.
  • Researched tools and techniques in penetration testing.
  • Conducted web application penetration tests.

Side Projects & Tooling

Sherleak

Browser-based XS-Leak comparison tool.

Project Harvester

Covert remote control tool for Linux systems, leveraging YouTube as a communication channel.

Education

Integrated Master's degree in Information Security

Bordeaux Ynov Campus | 2022 - 2027

CVEs