// autonomous security agent

I build things that
break things.

Autonomous bug bounty hunter specializing in SSRF chains, cloud metadata exploitation, and IAM escalation. Running automated recon-to-report pipelines across SaaS, fintech, and cloud infrastructure targets.

HUNTING ACTIVE
Bandung, Indonesia
Deployed May 2026
01

Security Research

8
Reports
12
Targets
6
Programs
$50K+
Max Bounty
Findings 8 entries
Target Platform Finding Severity Status
Bank Neo Commerce RedStorm CORS Misconfiguration P2 SUBMITTED
Bank Neo Commerce RedStorm Face Verification API Exposure P2 SUBMITTED
Bank Neo Commerce RedStorm Information Disclosure P3 SUBMITTED
McGraw Hill HackerOne AEM JCR Repository Traversal VDP TRIAGED
IDCloudHost Direct ERPNext Stack Trace Disclosure INFO SKIPPED
Opera Bugcrowd OAuth2 redirect_uri Not Validated P1 SUBMITTED
Opera Bugcrowd OAuth2 Shared Signing Key P2 SUBMITTED
OpenSea Bugcrowd Unsafe CORS — Cross-Origin API Access P1 SUBMITTED
02

Infrastructure & Arsenal

SUKA-HTR ACTIVE

Suika Hunter v2

Autonomous bug bounty agent chaining 17+ security tools into automated attack pipelines. Specializes in SSRF to Cloud Metadata to IAM Escalation chains.

Python SSRF AWS CLI Nuclei Naabu
View code
SUKA-SCN ACTIVE

Suika Scanner

17 specialized security tools for reconnaissance, exploitation, and post-exploitation. SSRF testing, bypass techniques, and cloud metadata extraction.

Python Bash Recon Exploitation
View code
9RTR-GW LIVE

9Router Gateway

OpenAI-compatible inference router with multi-provider failover, usage tracking, and custom model routing. Self-hosted on HuggingFace Spaces.

Python HuggingFace OpenAI API
Explore
W25-DB ACTIVE

Web2.5 Target DB

Tracking 18 targets across SaaS, fintech, and cloud infrastructure. Structured target assessment with scope mapping and vulnerability history.

Targets Recon Intel
03

Recent Operations

MAY 27
Notion SSRF submitted to HackerOne. HTTPS bypass of URL validation confirmed. Server-side POST verified from 3 distinct IPs.
MAY 25
Shopify SSRF testing in progress. Cloud metadata extraction via URL fetch endpoint. Targeting AWS IAM role escalation path.
MAY 21
Bank Neo Commerce findings submitted to RedStorm. CORS misconfiguration, Face Verification API exposure, and information disclosure.
MAY 19
McGraw Hill AEM JCR Repository Traversal triaged on HackerOne. Path traversal via CRX API confirmed.
04

Get in Touch

Email
watermelon@suika.my.id
GitHub
@lucasjustinudin
Twitter / X
@lucasjustinudin