kuba-hdx
Offensive Security & Full-Stack

Break things on purpose.Build the ones worth keeping.

Kuba — independent operator. Offensive security is the main trade (pentests, reverse engineering, CTF). Full-stack web lives on the side as lead developer of weedwize.com. A home lab runs a private AI stack out back.

kuba-hdx
Accepting engagements
Main trade
Offensive
Pentest · RE · CTF · OSINT
Arsenal
100+
MCP-wired offensive tools
Shipping since
2021
Independent, by design
Signature
weedwize.com
Lead developer
About

Offense first. Polymath by habit.

Independent operator working out of a home lab. Offensive security is the main trade; everything else grew out of needing tools, context, and shipping code that holds up.

01

Offensive ops

Authorized pentests against web apps, networks, and hosts. I play the attacker so your defenders don't find out the hard way.

02

Reverse engineering

Binary-level work in Ghidra, IDA, and x64dbg. Unpacking obfuscation, reproducing CVEs, writing the PoC that ends the argument.

03

Forensics & OSINT

Memory, disk, and network forensics — timeline reconstruction when it matters. OSINT when the source of truth isn't the thing being measured.

04

Production web

The shipping side of the trade. Next.js, TypeScript, Postgres — designed, built, and operated end-to-end. Small client list by design.

Proof

The shipping side of the trade.

Active freelance engagement for a licensed Doctor of Pharmacy. Lead developer — architect, shipper, and on-call.

Lead developer· Production· Case Study
Next.jsTypeScriptTailwind CSSVercelSupabase

WeedWize

Clinical-grade cannabis medicine reference, built for pharmacists and patients.

Visit weedwize.com
Proof of role

Active freelance engagement — lead developer and full-stack engineer for a licensed Doctor of Pharmacy. Architected the Next.js 16 stack, the watermarked-PDF guide pipeline, and the security posture. Shipped alongside a second developer handling bug and security testing. Serves Arkansas plus nine additional states with 21+ gated access, strict brand governance, and a zero-tolerance 'no-stoner' tone.

States served
10
Role
Lead dev
Proof
/built-by
Product

KubaOS — the local-first founder OS.

A private Windows desktop cockpit I built for myself, now shipping publicly. Interviews, pains, features, build log, metrics, launch tasks, content calendar, and focus mode — all in one signed MSI.

KubaOS — run the whole company from one screen
  • Local-first

    SQLite on your machine. Optional Supabase sync for a single forum channel.

  • Offline by default

    Works without a network. Every secret lives in Windows Credential Manager.

  • Signed + silent updates

    Tauri 2 MSI, code-signed, updates verified through a manifest you control.

See the build
Download v0.1.3 MSIGitHub
Ops

Four trades. One operator.

Scoped per engagement, priced per scope, not per hour. No retainers until we've worked together once. Authorized targets only.

01

Offensive engagements

Scoped, authorized pentests. External and internal networks, web apps, hosts, Active Directory. Reports written the way someone who has to fix the finding would want to read it.

  • External / internal network pentest
  • Web application assessment
  • Active Directory review
  • Prioritized remediation brief
02

Reverse engineering & exploit dev

Static and dynamic analysis — Ghidra, IDA, x64dbg. Unpacking obfuscation, reproducing CVEs, and writing the PoC that makes people believe you.

  • Binary triage + static analysis
  • Dynamic instrumentation
  • CVE reproduction + PoC
  • Custom exploit primitives
03

Forensics, OSINT & CTF

Memory, disk, and network forensics. Targeted OSINT when it earns its keep. Active CTF player — comfortable with ugly challenges and weird formats.

  • Memory + disk forensics
  • Timeline reconstruction
  • Targeted OSINT
  • CTF support / coaching
04

Production web builds

The full-stack side. Next.js, TypeScript, Postgres — from the first Figma frame through the 3 a.m. deploy. Small client list by design.

  • Full-stack Next.js
  • CI/CD + hosting setup
  • Ongoing site operation
  • Performance + a11y audits
Lab

What runs on my own hardware.

Private AI stack, offensive tooling, and research builds. The stuff that keeps my trade sharp between engagements.

01
PersonalResearch

OMNIAPX

Local, unrestricted AI stack for private security work.

Ollama + Open-WebUI + n8n running off a Ryzen 9800X3D / 9070 XT box. Custom Modelfile over deepseek-r1:32b, wired to the HexStrike bridge via MCP. No cloud, no rate limits, full control of scope.

OllamaOpen-WebUIn8nMCPDocker
02
In ProgressIntegration · not authored

HexStrike bridge

100+ offensive tools behind one MCP surface.

Integrated into OMNIAPX so the local model can drive nmap, ffuf, Burp, sqlmap, and friends on demand. Turns a chat session into a disciplined recon / exploit loop.

PythonMCPHexStrikeFlask

Implemented — Kuba didn't author HexStrike AI. Credit: muhammadrizwan / HexStrike AI team.

More lab write-ups landing soon.

On the grind

The loop, on tape. A tool wrapper, typed live.

A small recurring habit. Ship the primitive, wire it into the local MCP, watch the reconnaissance stop being manual work.

kuba@hdxrecon.ts
idle
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
run ·mcp://local/scan
waiting for compile…

Written locally, executed by the model through MCP. The same primitive powers the OMNIAPX workflow — no third party sees the target, the schema, or the result.

scene 03 · live tape
Engagements open

Got something worth breaking — or building?

Tell me what the target is and what stage it's at — pentest scope, RE job, or a site that needs shipping. One business day for a scope or a straight no.

contact@kuba-hdx.dev