SYS_01CLASSIFIED_
HALCYON PRIME
The flagship. The core platform of Halcyon Systems, in active development. Publicly quiet on purpose; it gets revealed when it works, not before.
/// .NETRUNNER.PROFILE_LOADED LOC :: INDONESIA // 2026
CYBERSECURITY // AI ENGINEER_
I'm Faqih. I harden production systems for a living, run the investigation when a server gets popped, and build Halcyon Systems after dark. Current focus: Halcyon Prime.
/// .SYS_01.PROFILE CLEARANCE :: PUBLIC
I work in cybersecurity in Indonesia, mostly on the web application side: legacy PHP fleets that run real businesses and were never designed with attackers in mind. My job is making them survivable without breaking a single invoice.
The numbers on this page are not from a lab. One audit alone confirmed 83 Critical and High findings; closing them meant changing four to five hundred files per application while the company kept billing through it. When a hosting server got popped at root, I ran the investigation: seven weeks of dwell time, a self-healing cron job, an SSH key that had no business existing. The attacker got evicted and the report got written.
The other half of my work is AI engineering for companies: getting coding agents safely onto corporate production servers, and building multi-agent workflows that audit code harder than any single reviewer can.
Nights belong to Halcyon Systems, my own lab. That is where the fox lives.
/// .SYS_02.FIELD_RECORD SOURCE :: PRODUCTION
Real engagements on live systems. Client identifiers are redacted. The scars are not.
>> DFIR // CASEFILE_ROOT
A client's hosting server was compromised at root and a previous "cleanup" had not actually removed the attacker. I reconstructed roughly seven weeks of undetected access, catalogued the persistence, and wrote the eviction runbook plus a formal DFIR report.
DWELL TIME ~7 WEEKS :: IOCs CATALOGUED 10+
>> AUDIT
83
A full application security audit of the flagship ERP. Every finding verified as reachable, then remediated. The audit doubled as the worklist for a months-long hardening program.
METHOD 24-STAGE ANALYSIS
>> SQLI // ATTACK SURFACE
5,578
Against about 166 parameterized statements. An abstract risk turned into a countable, closeable worklist, then closed with a regression-safe recipe across 400 to 500 files per app.
GUARDS DEPLOYED UP TO 1,046 / APP
>> ACCESS CONTROL
10/10
The UI hid unauthorized menus, but any logged-in user could open any module by URL, finance screens included. Built a folder-level gate that fails closed and shipped it to all ten apps.
VERIFIED AGAINST 3,275 PERMISSION ROWS
>> RCE
0day left open
File importers reachable without login wrote uploads under their original names into web-served directories. Auth gates, strict allowlists, safe renaming, and script execution disabled in every upload folder.
VALIDATED WITH REAL MULTIPART UPLOADS
>> DATA EXPOSURE
120+
Print, PDF, and spreadsheet exports had login checks commented out, serving financial data to anyone who asked. Every live endpoint now answers unauthorized requests with a 403.
SCOPE PER APPLICATION
>> MIGRATION // LEAST PRIVILEGE
Rebuilt user permissions by semantically mapping 706 distinct legacy menu grants out of a 22,000-row legacy table into the current schema: 3,275 rows migrated. An earlier ID-based copy looked fine and was quietly wrong; it got caught and rolled back before anyone inherited access they should not have.
ROWS MIGRATED 3,275 :: USERS 118
>> CSRF // DEFENSE IN DEPTH
Per-session tokens, automatic AJAX injection, central verification. Then the honest part: the rollout broke things in subtle ways, and I root-caused all three regression classes. A token silently truncated by PHP's max_input_vars on huge forms. A sanitizer that poisoned the commit stack on empty input. A report page that reloaded jQuery at runtime and wiped the token prefilter. Each one fixed fleet-wide.
REGRESSION CLASSES ROOT-CAUSED 3
/// .SYS_03.THE_LAB STATUS :: BUILDING
/// .SYS_04.SYSTEMS COUNT :: 05
SYS_01CLASSIFIED_
The flagship. The core platform of Halcyon Systems, in active development. Publicly quiet on purpose; it gets revealed when it works, not before.
SYS_02OPS_
An operations HUD that wraps headless AI agents over a live app fleet and an Obsidian knowledge vault, with a Three.js graph as the map.
SYS_03GATEWAY_
A self-hosted personal assistant gateway, reachable from a Telegram bot, running against local agent infrastructure. Hardened after a 22-bug adversarial review.
SYS_04ECON_
A crafting operating system for a space sim: screenshot-to-database ingestion, a deterministic dependency-tree profit calculator, and a 471-item knowledge graph.
SYS_05FLEET_
Ten production PHP applications for an industrial group: billing engines, reporting, print pipelines, and every deploy that keeps them alive. The day job's proving ground.
/// .SYS_05.AI_OPS MODE :: PRODUCTION
Not chatbot demos. Agents with real permissions on real infrastructure, deployed like anything else that can break production: carefully.
>> CORPORATE ROLLOUT
Putting an AI agent on a corporate host is a compliance problem wearing a technical costume, and I treat it that way. Audit the floor first: kernel and libc versions, CPU instruction sets, hosting panel and firewall stacks. Open exactly one API endpoint through egress policy and prove it with a live handshake. Authenticate with headless tokens, because production boxes do not get interactive logins.
TARGET ENTERPRISE LINUX // CPANEL STACKS
>> AGENT INFRASTRUCTURE
Self-hosted agent gateways reachable from a chat app. An operations HUD that wraps headless agents over a live application fleet and a knowledge vault. The lab systems double as staging: what survives there is what lands on corporate metal.
SYSTEMS OPENCLAW // NEURALGRID
>> MULTI-AGENT PRACTICE
I run adversarial review workflows where agents hunt for defects and other agents try to refute the findings, so only verified problems survive. One review ran 28 agents in a single pass; another caught 22 real bugs in a gateway before it shipped. The fleet hardening program ran on the same machinery, pairing deterministic code transforms with adversarial verification at a scale no single reviewer can match.
PEAK SWARM 28 AGENTS :: CONFIRMED BUGS IN ONE REVIEW 22
/// .SYS_06.SERVICE_LOG RECORDS :: 02
ACTIVECURRENT POST
PT. Datapart // Indonesia
Infrastructure and application security. Server provisioning and hardening, incident response when it counts, and rolling out AI-assisted tooling on production Linux hosts.
ONGOINGENGAGEMENT
Multi-company ERP fleet // industrial group
Sole engineer for ten production PHP applications. Security hardening at fleet scale, feature development, billing and reporting engines, and the production deployments in between.
/// .SYS_07.ARSENAL LOADOUT :: FULL
Security problem, project, or you just want to talk shop. The inbox is open.