Thanarak
Kanyaprasit

Cybersecurity / Penetration Testing / Product Security
Scroll to play
CHAPTER 02
portfolio
01 — Who
TRAINED ATWORK AT
CHIANG MAIITSC
UNIVERSITYCMU
CurrentlyCybersecurityrunningWeb Pentestengagements·and building customThreat Inteltooling
Interlude — 00:06 / 00:18

Start with the basics.

Good security work starts with careful observation, clear notes, and understanding how the system actually behaves.

02 — Focus

What I'm working on now.

Web application penetration testing, threat intelligence, and custom tooling — currently studying AI security.

Focus01 / 05

Web Pentest

Empty chair, low light
Focus02 / 05

AI Security

Single flower, close crop
Focus03 / 05

Threat Intel

Mountain ridge with bird
Focus04 / 05

Field Notes

Bird in flight
Focus05 / 05

Custom Tooling

Flower with bird
02 — Reading list01/05
No. 01Web hacking · methodology

Bug Bounty Bootcamp

The Guide to Finding and Reporting Web Vulnerabilities

— Field library —256 — 612 pp.
Interlude — 00:12 / 00:18

Learn, test, improve.

Each lab, challenge, and write-up adds a little more clarity to how systems break and how they can be made safer.

03 — Experience
Experience across
building and securing software.
001
Cyber Security Engineer ITSC, Chiang Mai University
Cooperative education at the IT Service Center: conduct web application penetration testing, build threat-intelligence software for security monitoring and analysis, and report vulnerabilities while supporting remediation with the security team.
2026 · ITSC / CMU
002
AI Engineer & System Architect SmartMath
Designed a service-oriented AI learning platform with separate student and admin interfaces, authenticated API orchestration, streamed RAG tutoring, durable background quiz generation, and purpose-specific data stores.
2025 · SmartMath
04 — Case files
Built and
reviewed.

Selected builds documented with their purpose, security decisions, and remaining risks.

simplified system flowscan ▸ 000%
Case file 012025

SmartMath

AI Engineer · System Architect · AI-powered math learning platform

Web Apps · APIStreamed RAGDurable JobsPrivate Storage

Student and admin web apps share a central API. Interactive tutoring streams through an internal RAG service, while quiz generation runs as durable background jobs. The platform separates primary records, private files, transient state, and retrieval data.

  1. 01
    Retrieved content is untrustedattack surface

    Course material enters model context after hybrid retrieval and optional reranking, so uploaded content remains an attack surface.

  2. 02
    AI stays behind the APIdefense

    The backend verifies session ownership for chat and administrator authorization for ingestion before proxying to the internal AI service.

  3. 03
    Background work checks statedefense

    Quiz jobs are recorded before dispatch; workers fetch current job state and report results through the backend.

  4. 04
    Uploads checked before indexingdefense

    Administrative ingestion is size- and type-checked before document processing and retrieval indexing.

village-security.app/dashboardscan ▸ 000%
Case file 022025

Village Security Platform

Scrum Master · Full-Stack Developer · University course project · team delivery

Next.jsBun · ElysiaWebSocketRBAC

A gated-community platform: admins approve residents and manage houses, guards log visitors in and out at the gate, and everyone gets real-time notifications. I ran the sprints and built the access-control core.

  1. 01
    No self-activated accountsdefense

    New residents stay pending with no data access until an admin approves them; signing up alone does not grant access.

  2. 02
    Role checks live server-sidedefense

    Admin, resident, and guard see different dashboards — but the UI is just a mirror. Every backend route re-checks the caller's role, so hiding a button never counts as security.

  3. 03
    Records bound to the sessionattack surface

    House and visitor records are looked up through the caller's own identity, not a raw ID from the request — guessing another house number gets you a 403, not a neighbor's visitor log.

  4. 04
    Sockets join by verified identityattack surface

    Real-time notifications are room-scoped to the authenticated user. A guard's gate events push to that village only — the socket layer trusts the session, never the client's claim.

05 — Contact

Open to product security work.

Open to Product Security, Application Security, and Penetration Testing roles in Bangkok, Chiang Mai, or remote. Focused on securing applications across the development lifecycle — from secure design and development through testing and remediation.