Adam Ziaja

Cybersecurity Expert  ·  Co-Founder REDTEAM.PL & RTFS.PL


About

Involved in IT and cybersecurity since the late 1990s — identified first critical web application vulnerabilities in 2003. With 25+ years in IT and 20+ years in cybersecurity, each of the core disciplines — penetration testing, red teaming, threat hunting, SOC, CSIRT operations, and digital forensics & incident response — was held as a distinct full-time role.

Co-founder of REDTEAM.PL (pentest, red teaming) and RTFS.PL (SOC, threat hunting). Over a decade ago held senior technical positions at Deloitte and Royal Bank of Scotland (RBS) — since 2017 building his own cybersecurity business.

IT Expert Witness (biegły sądowy z informatyki) on the register of the District Court in Warsaw. Author of Praktyczna analiza powłamaniowa (Wydawnictwo Naukowe PWN, 2017). Co-author of European Union Agency for Cybersecurity (ENISA) publications for EU CERT/CSIRT teams. Speaker at numerous security and academic conferences in Poland. Security research at blog.redteam.pl has been featured by SANS, Splunk, CERT Polska, and BleepingComputer.

OSCP certified since 2015. Acknowledged by Adobe, Apple, BlackBerry, eBay, Netflix, Nokia, VMware, Yahoo, and dozens of other companies for responsible vulnerability disclosure. Background: B.Eng. in IT systems and computer networks (2011), technical high school of the same specialisation (2006).

Services

Penetration Testing & Red Teaming

Infrastructure, web applications, wireless, AI systems. CPH red team exercises. OWASP, PTES methodology. PCI DSS & TIBER-EU compliant.

redteam.pl
Threat Hunting & SOC

24/7 SOC/CSIRT operations. In-house tools: RedEye (NBA/NIDS) and ASM (Attack Surface Management).

rtfs.pl
Digital Forensics & IR

Post-breach analysis, evidence preservation, incident response. Linux & Windows forensics. APT response and ransomware investigation.

Expert Witness

IT Expert Witness (biegły sądowy z informatyki) on the register of the District Court in Warsaw. Computer forensics, hacking, cybercrime.

Experience

2019–present
Co-Founder, Principal Security Consultant RTFS.PL

24/7 SOC/CSIRT operations, threat hunting, DFIR. Lead architect of in-house RedEye (NBA/NIDS) and ASM (Attack Surface Management) platforms. Clients span critical and regulated sectors including aviation, energy, media broadcasting, healthcare, automotive, gaming, and fuel retail networks.

2017–present
Co-Founder, Principal Security Consultant REDTEAM.PL

Penetration testing and red teaming for enterprises, financial institutions, and critical infrastructure. References include Diagnostyka, Allianz, Centralny Ośrodek Informatyki (COI), Instytut Pamięci Narodowej (IPN), TELDAT, GoSport, PKO BP, Jeronimo Martins, Crédit Agricole, SeaChange, LPP, Orbis/Accor, Telewizja Puls, Stock Spirits, and Farm Frites Poland (FFP).

2017–2018
Cybersecurity Expert Collective Sense (now Sumo Logic)

Research on cyber threat hunting and CTI for next-generation IDS/SIEM.

2016–2017
Senior Cybersecurity Consultant Deloitte

CPH red teaming, web application pentesting, DFIR.

2015–2016
Lead Cybersecurity Engineer Exatel (now under the Ministry of National Defence)

Building a Security Operations Center (SOC), penetration testing.

2014–2015
Penetration Testing Specialist Royal Bank of Scotland (RBS)

Web application and infrastructure pentesting (OWASP, PTES) for one of the world's largest banking groups.

2013–2014
IT Security Specialist ComCERT (CSIRT)

Threat intelligence, DFIR, CSIRT operations for major Polish banks and the Polish Parliament. Author of one of Poland's first CTI systems.

2012–2013
Computer Forensics Specialist ProCertiv

IT Expert Witness — expert opinions on hacking, botnets, digital forensics.

2010–2011
System Administrator Onet.pl  ·  Śląskie Laboratoria Analityczne

Linux systems administration at one of Poland's largest internet portals (top 200 globally in 2011). Earlier: IT systems administration at Śląskie Laboratoria Analityczne (2010).

Recognition & Publications

2017–present · RedEye — proprietary LAN threat hunting platform (RTFS.PL) — Lead architect of a tool that defines an entirely new product category: Active Intruder Targeting. Where traditional SIEM/IDS/NDR/XDR passively wait for an attacker to make a mistake, RedEye actively baits and traps intruders inside the LAN — the attacker is provoked, not merely monitored, while remaining unaware of detection. Detects threats invisible to conventional tools; near-zero false positive rate by design. In continuous operational use as the core detection layer within RTFS.PL's 24/7 SOC service.
2017–present · ASM — proprietary Attack Surface Management platform (RTFS.PL) — Lead architect of a continuous internet-facing monitoring service covering the full external attack surface: unknown and forgotten assets, shadow IT, vulnerability exposure, and misconfiguration. Built on attacker-perspective techniques from years of penetration testing and red team operations. In continuous operational use as the external attack surface monitoring layer within RTFS.PL's 24/7 SOC service.
2020 · CISS2020-OL — Invited by Singapore's Ministry of Defence to participate as the red team in the international Critical Infrastructure Security Showdown (iTrust SUTD, Singapore). Successfully breached SCADA HMI controls of a water treatment plant (SWaT).
2019 · CERT-PL, CERT-EE, CERT-LV — Officially acknowledged for detecting and stopping the large-scale badWPAD attack. Research featured in SANS ISC Stormcast podcast.
2019 · DNS research & ICANN — Research on DNS-based threat hunting, DNS firewall construction, attacks leveraging DNS infrastructure, and DoH led to an ICANN invitation to present at the DNS abuse working group in the USA. Highlighted by Splunk Staff Picks.
2019 · DNS collision attack — Original research on internal domain name collision as an attack vector, demonstrated live during a red team operation for a financial organisation.
2019 · FBI & Europol — Cooperation on Sodinokibi / REvil ransomware investigation (TTPs & IOC research).
2017 · Book: Praktyczna analiza powłamaniowa: Aplikacja webowa w środowisku Linux, Wydawnictwo Naukowe PWN, ISBN 9788301193478.
2014 & 2016 · Academic & professional publications — Author of the chapter Bezpieczeństwo aplikacji webowych in Przestępczość teleinformatyczna 2014 (Police Academy, Szczytno; ISBN 9788393445653). Co-author of Bezpieczeństwo IT w kancelarii (ISSA, 2016), published under the patronage of the Supreme Bar Council (Naczelna Rada Adwokacka).
2015 · OSCP — Offensive Security Certified Professional, one of the most respected technical certifications in offensive security. Among the first Poles to obtain it. Completed all lab machines in under half the allotted time; passed the 24-hour exam on the first attempt in one third of the time.
2014–present · Conference speaking — Recurring speaker at TAPT (Police Academy, Szczytno), Security Case Study / SCS (Fundacja Bezpieczna Cyberprzestrzeń), CSO Council, TÜV NORD, PolCAAT IIA (Institute of Internal Auditors), Sekurak, ISSA, and other security and academic events.
2014 · ENISA Cyber Europe — 1st place among 100+ European teams (as ComCERT).
2013–2016 · MalwareMustDie (MMD), NPO — Member of the international white-hat research workgroup combating malware and botnets. MMD was the first to publish an analysis of the Mirai botnet, responsible for the largest DDoS attack in history at the time.
2013–2014 · ENISA — Co-author of Digital Forensics, Cybercrime Traces, and Artifact Analysis handbooks for EU CERT/CSIRT teams.
2013–2014 · Underground Monitoring (UGM) — one of Poland's first automated CTI systems — Designed and built an automated Cyber Threat Intelligence platform at ComCERT delivering alerts on threats targeting Polish infrastructure. UGM aggregated data from the VirusTotal API (custom YARA rules), Twitter/Facebook APIs, Pastebin crawlers, IRC monitoring, phishing traps, C&C trackers, Tor-based blackhat forums, and CVE feeds — all correlated in Splunk. Core scripts were incorporated into the ENISA publication Identifying and Handling Cybercrime Traces (2013). Techniques and methodology were subsequently taught to CERT Orange.
2010–2014 · Bug bounty & responsible disclosure — Acknowledged by Acquia, Adobe, Apple, Base CRM, BlackBerry, Deutsche Telekom, eBay, GitHub, GitLab, Harvard University, iFixit, LastPass, Netflix, Nokia, OTRS, Prezi, Reddit, SoundCloud, VMware, Yahoo, Yandex, Zynga; and Polish companies including Onet, Interia, Wirtualna Polska (WP), Empik, Home.pl, Gadu-Gadu, Nasza-Klasa.
2010–2011 · Wardriving thesis — B.Eng. thesis Wireless Networks Maps on wardriving methodology and wireless network mapping in Poland. Research available at wardriving.adamziaja.com.
2008 · First publication: Niebezpieczny Livebox (Dangerous Livebox), Magazine Xploit 3/2008, Linux New Media — full remote wireless exploitation scenario targeting Neostrada routers.

Certifications

OSCP · Offensive Security Certified Professional · 2015
eWPT · eLearnSecurity Web Application Penetration Tester · 2016
OSWP · Offensive Security Wireless Professional · 2016
XWF · X-Ways Forensics Practitioner · 2012

References

Allianz · Biedronka (Jeronimo Martins) · Carefleet / Crédit Agricole · Centralny Ośrodek Informatyki (COI) · Diagnostyka · Diki / LangMedia · Empik · Europejski Fundusz Leasingowy (EFL) · Farm Frites Poland (FFP) · GoSport · Home.pl · Instytut Pamięci Narodowej (IPN) · Interia · iPresso · Kontomatik · Nomachine · Onet · Orbis/Accor · PKO Ubezpieczenia · Reserved (LPP) · Royal Bank of Scotland (RBS) · SeaChange · Stock Spirits · TELDAT · Telewizja Puls · Wirtualna Polska (WP) · XPlus · and others.
Full references available upon request  ·  Recommendations on LinkedIn