/// .NETRUNNER.PROFILE_LOADED LOC :: INDONESIA // 2026

HALCYON

CYBERSECURITY // AI ENGINEER_

I'm Faqih. I harden production systems for a living, run the investigation when a server gets popped, and build Halcyon Systems after dark. Current focus: Halcyon Prime.

0production apps hardened
0critical / high findings closed
0injection points mapped
0xroot compromise evicted

/// .SYS_01.PROFILE CLEARANCE :: PUBLIC

OPERATOR PROFILE

Faqih, mirror selfie in a navy shirt and glasses
FAQIH // HALCYON ID.VERIFIED

I work in cybersecurity in Indonesia, mostly on the web application side: legacy PHP fleets that run real businesses and were never designed with attackers in mind. My job is making them survivable without breaking a single invoice.

The numbers on this page are not from a lab. One audit alone confirmed 83 Critical and High findings; closing them meant changing four to five hundred files per application while the company kept billing through it. When a hosting server got popped at root, I ran the investigation: seven weeks of dwell time, a self-healing cron job, an SSH key that had no business existing. The attacker got evicted and the report got written.

The other half of my work is AI engineering for companies: getting coding agents safely onto corporate production servers, and building multi-agent workflows that audit code harder than any single reviewer can.

Nights belong to Halcyon Systems, my own lab. That is where the fox lives.

CERT_TRACK.STATUSPROGRESS: LOADING...
CompTIA Security+comptia security plus // exam SY0-701
IN PROGRESS
OSCPoffensive security certified professional
IN PROGRESS
CISSPcertified information systems security professional // the long game
NEXT TARGET

/// .SYS_02.FIELD_RECORD SOURCE :: PRODUCTION

FIELD RECORD

Real engagements on live systems. Client identifiers are redacted. The scars are not.

>> DFIR // CASEFILE_ROOT

Root-level server compromise, investigated and evicted

A client's hosting server was compromised at root and a previous "cleanup" had not actually removed the attacker. I reconstructed roughly seven weeks of undetected access, catalogued the persistence, and wrote the eviction runbook plus a formal DFIR report.

  • rogue root SSH key surviving the first restore
  • self-healing cron job re-minting revoked API tokens
  • hidden shell accounts posing as system users
  • rootkit-aware method: verify the binaries before trusting their output

DWELL TIME ~7 WEEKS :: IOCs CATALOGUED 10+

>> AUDIT

83

Critical / High findings, confirmed then closed

A full application security audit of the flagship ERP. Every finding verified as reachable, then remediated. The audit doubled as the worklist for a months-long hardening program.

METHOD 24-STAGE ANALYSIS

>> SQLI // ATTACK SURFACE

5,578

Injectable query sites mapped in one codebase

Against about 166 parameterized statements. An abstract risk turned into a countable, closeable worklist, then closed with a regression-safe recipe across 400 to 500 files per app.

GUARDS DEPLOYED UP TO 1,046 / APP

>> ACCESS CONTROL

10/10

Fleet-wide IDOR shutdown

The UI hid unauthorized menus, but any logged-in user could open any module by URL, finance screens included. Built a folder-level gate that fails closed and shipped it to all ten apps.

VERIFIED AGAINST 3,275 PERMISSION ROWS

>> RCE

0day left open

Unauthenticated upload RCE, closed

File importers reachable without login wrote uploads under their original names into web-served directories. Auth gates, strict allowlists, safe renaming, and script execution disabled in every upload folder.

VALIDATED WITH REAL MULTIPART UPLOADS

>> DATA EXPOSURE

120+

Anonymous export endpoints re-gated

Print, PDF, and spreadsheet exports had login checks commented out, serving financial data to anyone who asked. Every live endpoint now answers unauthorized requests with a 403.

SCOPE PER APPLICATION

>> MIGRATION // LEAST PRIVILEGE

Access rebuilt for 118 real users

Rebuilt user permissions by semantically mapping 706 distinct legacy menu grants out of a 22,000-row legacy table into the current schema: 3,275 rows migrated. An earlier ID-based copy looked fine and was quietly wrong; it got caught and rolled back before anyone inherited access they should not have.

ROWS MIGRATED 3,275 :: USERS 118

>> CSRF // DEFENSE IN DEPTH

Global CSRF layer, plus the three regressions it caused

Per-session tokens, automatic AJAX injection, central verification. Then the honest part: the rollout broke things in subtle ways, and I root-caused all three regression classes. A token silently truncated by PHP's max_input_vars on huge forms. A sanitizer that poisoned the commit stack on empty input. A report page that reloaded jQuery at runtime and wiped the token prefilter. Each one fixed fleet-wide.

REGRESSION CLASSES ROOT-CAUSED 3

/// .SYS_03.THE_LAB STATUS :: BUILDING

HALCYON SYSTEMS

Halcyon System lockup, a white and cyan fox mark with glitch lettering

Halcyon Systems is my independent lab. Everything I build outside working hours ships under the fox: security tooling, agent infrastructure, and the automation that runs my own machines.

The current focus is Halcyon Prime, the core platform the rest of the lab will hang off. It is in active development, and I'm keeping the details close until it is ready to show. The status board does not lie, though.

SYSTEM STATUSALL GREEN

  • HALCYON PRIMEACTIVE DEV
  • NEURALGRIDPROTOTYPE
  • OPENCLAW GATEWAYONLINE
  • STARFORGESTABLE

/// .SYS_04.SYSTEMS COUNT :: 05

SELECTED SYSTEMS

SYS_01CLASSIFIED_

HALCYON PRIME

The flagship. The core platform of Halcyon Systems, in active development. Publicly quiet on purpose; it gets revealed when it works, not before.

IN DEVCORE

SYS_02OPS_

NEURALGRID

An operations HUD that wraps headless AI agents over a live app fleet and an Obsidian knowledge vault, with a Three.js graph as the map.

AGENTSTHREE.JSDASHBOARD

SYS_03GATEWAY_

OPENCLAW

A self-hosted personal assistant gateway, reachable from a Telegram bot, running against local agent infrastructure. Hardened after a 22-bug adversarial review.

AGENTSSELF-HOSTEDTELEGRAM

SYS_04ECON_

STARFORGE

A crafting operating system for a space sim: screenshot-to-database ingestion, a deterministic dependency-tree profit calculator, and a 471-item knowledge graph.

PYTHONOBSIDIANGRAPH

SYS_05FLEET_

ERP FLEET

Ten production PHP applications for an industrial group: billing engines, reporting, print pipelines, and every deploy that keeps them alive. The day job's proving ground.

PHPMYSQL10 APPS

/// .SYS_05.AI_OPS MODE :: PRODUCTION

AI ENGINEERING

Not chatbot demos. Agents with real permissions on real infrastructure, deployed like anything else that can break production: carefully.

>> CORPORATE ROLLOUT

Coding agents on enterprise production servers

Putting an AI agent on a corporate host is a compliance problem wearing a technical costume, and I treat it that way. Audit the floor first: kernel and libc versions, CPU instruction sets, hosting panel and firewall stacks. Open exactly one API endpoint through egress policy and prove it with a live handshake. Authenticate with headless tokens, because production boxes do not get interactive logins.

TARGET ENTERPRISE LINUX // CPANEL STACKS

>> AGENT INFRASTRUCTURE

Gateways, HUDs, and control surfaces

Self-hosted agent gateways reachable from a chat app. An operations HUD that wraps headless agents over a live application fleet and a knowledge vault. The lab systems double as staging: what survives there is what lands on corporate metal.

SYSTEMS OPENCLAW // NEURALGRID

>> MULTI-AGENT PRACTICE

Agent swarms as an engineering discipline

I run adversarial review workflows where agents hunt for defects and other agents try to refute the findings, so only verified problems survive. One review ran 28 agents in a single pass; another caught 22 real bugs in a gateway before it shipped. The fleet hardening program ran on the same machinery, pairing deterministic code transforms with adversarial verification at a scale no single reviewer can match.

PEAK SWARM 28 AGENTS :: CONFIRMED BUGS IN ONE REVIEW 22


/// .SYS_06.SERVICE_LOG RECORDS :: 02

SERVICE LOG

ACTIVECURRENT POST

Cybersecurity Engineer

PT. Datapart // Indonesia

Infrastructure and application security. Server provisioning and hardening, incident response when it counts, and rolling out AI-assisted tooling on production Linux hosts.

ONGOINGENGAGEMENT

Application Security & Engineering

Multi-company ERP fleet // industrial group

Sole engineer for ten production PHP applications. Security hardening at fleet scale, feature development, billing and reporting engines, and the production deployments in between.


/// .SYS_07.ARSENAL LOADOUT :: FULL

ARSENAL

>> OFFENSE // ASSESSMENT

WEB APP PENTESTINGSQL INJECTIONXSSCSRFIDOR / BACLFIUPLOAD RCEATTACK SURFACE MAPPING

>> DFIR // RESPONSE

THREAT HUNTINGIOC ANALYSISPERSISTENCE DISCOVERYLOG FORENSICSROOTKIT-AWARE TRIAGEINCIDENT REPORTSREMEDIATION RUNBOOKS

>> DEFENSE // HARDENING

PREPARED STATEMENTSINPUT ALLOWLISTINGOUTPUT ENCODINGCSRF LAYERSSESSION HARDENINGACCESS GATESREGRESSION-SAFE ROLLOUTS

>> ENGINEERING // STACK

PHPMYSQL / MARIADBJAVASCRIPTPYTHONLUALINUXCPANEL / WHMAPACHE

>> AI ENGINEERING

CLAUDE CODEAI AGENTSMULTI-AGENT WORKFLOWSMCPHEADLESS DEPLOYMENTAGENT GATEWAYSEGRESS / COMPLIANCE VETTINGADVERSARIAL AI REVIEWPROMPT + CONTEXT ENGINEERING
Halcyon fox mark

OPEN CHANNEL

Security problem, project, or you just want to talk shop. The inbox is open.