Matías Schiappacasse

Self-taught pentester focused on web application security.

Penetration Tester, Chile

Matías Schiappacasse

About

Cybersecurity Specialist with experience in web, mobile, and internal network penetration testing. I have led and executed security assessments, as well as participated in security research. I am experienced in various security frameworks and penetration testing methodologies.

Work Experience

NIVEL4 CybersecurityRemote
April 2024 — Present
Cybersecurity Specialist
  • Conducted comprehensive web application and internal network penetration tests leveraging industry-standard methodologies (OWASP, WSTG) to effectively identify, validate, and prioritize security vulnerabilities.
  • Analyzed and categorized security findings using established frameworks and scoring systems (CWE, CVSS), facilitating accurate risk assessment and informed decision-making for both technical and business stakeholders.
  • Authored and presented detailed technical vulnerability reports with clear, actionable mitigation recommendations, actively supporting teams throughout the remediation lifecycle.
  • Led security assessment teams of up to three penetration testers, coordinating task delegation, defining engagement scopes, and ensuring the precise execution of ethical hacking activities.
  • Contributed to the security research team by conducting public and private research focused on the identification and in-depth analysis of vulnerabilities across applications, services, and software components.
NIVEL4 CybersecurityRemote
September 2023 — May 2024
Pentester
  • Performed penetration testing and ethical hacking engagements targeting web and mobile applications, internal networks, and ad-hoc wireless environments, identifying security weaknesses from a realistic, threat-actor perspective.
  • Leveraged industry-standard security methodologies (e.g., OWASP) to uncover technical and business logic vulnerabilities, documenting findings systematically and providing practical, actionable remediation guidance to facilitate risk mitigation by development and security teams.

Certifications

OffSec Web Assessor (OSWA)
2026
OffSec
Web Application Penetration Tester eXtreme (eWPTXv3)
2025
INE Security
Web Application Penetration Tester (eWPTv2)
2025
INE Security
Practical Web Pentest Associate (PWPA)
2024
TCM Security
Junior Penetration Tester (eJPTv1)
2022
INE Security

Skills

Penetration Testing / Ethical HackingBurp SuiteNmapNetExecOWASP Top 10 / OWASP API Security Top 10 / WSTGAPI Security TestingGobusterCVSS 3.1 & 4.0CWEMetasploitNessus / AcunetixPrivilege Escalation / Pivoting / Lateral MovementKali LinuxVulnerability ManagementHTTPTCP/IPWiresharkPython3Bash Scripting

Projects & Publications

BlackKali Dotfiles

A minimal, old-school hacker aesthetic inspired by Kali Linux 1.x and BlackArch Fluxbox

HackerDotfilesLinuxFluxbox

CVE-2026-6858

The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator

WebpayCVECWE-79

CVE-2024-55374

REDCap 14.3.13 allows an attacker to enumerate usernames due to an observable discrepancy between login attempts

REDCapCVECWE-203

CVE-2025-34467

ZwiiCMS versions prior to 13.7.00 contain a denial-of-service vulnerability in multiple administrative endpoints due to improper authorization checks combined with flawed resource state management

ZwiiCMSCVECWE-667CWE-863

CVE-2025-57130

An Incorrect Access Control vulnerability in the user management component of ZwiiCMS up to v13.6.07 allows a remote, authenticated attacker to escalate their privileges

ZwiiCMSCVECWE-285

CVE-2025-7022

The My Reservation System WordPress plugin through 2.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

The My Reservation SystemCVECWE-79

National Cybersecurity Hall of Fame #1

Recognized by the CSIRT for contributing to the responsible disclosure of vulnerabilities

March 2022ANCICSIRT Gob

National Cybersecurity Hall of Fame #2

Recognized by the CSIRT for contributing to the responsible disclosure of vulnerabilities

April 2022ANCICSIRT Gob

National Cybersecurity Hall of Fame #3

Recognized by the CSIRT for contributing to the responsible disclosure of vulnerabilities

June 2022ANCICSIRT Gob
© 2026 T3slaChile