About

Nedim Hadzimahmutovic

I’ve been breaking things professionally for nearly two decades now. Started as “the Linux guy,” became “the infrastructure guy,” and now I’m “the person who stays up too late running curl commands against production.”

Most of my career has been in small-to-mid-sized teams — the kind where one person writes the Terraform, maintains the CI/CD, and answers the “why is staging down?” Slack messages at midnight. Not FAANG. Just regular teams trying to ship software without creating security holes.

I used to think my job was building things. Make it work. Make it reliable. Make it scalable.

Turns out, my job is also: make sure an attacker can’t abuse it.

The Shift

I can’t tell you exactly when it happened. Sometime around March last year, during one of those 2 AM coffee-and-curiosity sessions. I found three public S3 buckets in our infrastructure that I’d created years ago. They weren’t supposed to be public. They just… were.

That’s the thing about infrastructure debt. It doesn’t make noise until someone trips over it.

I fixed them. Couldn’t stop thinking about them. Started checking everything else. Started reading breach reports instead of Terraform changelogs. Started seeing every endpoint as a question: “What if someone sends weird input?”

Became paranoid. In a good way.

What I Actually Do

These days, my time splits between:

  • Building infrastructure — Terraform, AWS, Linux, all the usual suspects
  • Breaking infrastructure — My own, on purpose, before someone else does
  • Reading other people’s breach post-mortems — Cloudflare’s blog is a goldmine
  • Writing about it — Because if I don’t document it, I’ll forget, and you’ll probably find it useful

I’m not a pentester. I don’t have the certs. I’m a DevOps engineer who got security-paranoid and couldn’t stop. There’s a difference, and I try not to confuse the two.

The Tools That Actually Matter

For building:

  • Terraform (I have Opinions about module structure)
  • Ansible (for the things Terraform can’t reach)
  • AWS (reluctantly, but it’s where the work is)
  • Linux (the one constant through all of it)

For breaking:

  • curl — Still my go-to. Sometimes I write bash scripts for complex flows.
  • jq — Because APIs return JSON and JSON needs filtering
  • checkov — Catches my Terraform mistakes before they reach prod
  • Late nights and coffee — The most important tools, honestly

Why This Blog Exists

I kept finding things. Weird behaviors, edge cases, misconfigurations that weren’t in the docs. I’d fix them, move on, and six months later hit the same issue somewhere else.

Started writing things down. Realized the act of explaining it forced me to understand it better. Shared it because… why not? Maybe you’re up at 2 AM with the same problem.

The writing here follows one rule: be honest about the mess. I show the false positives. The commands that didn’t work. The “oh no” moments. Security writing tends to be either too academic or too polished. This is neither. This is just… what actually happened.

Get in Touch

If you’re on a similar journey — DevOps engineer waking up to security, or security person figuring out infrastructure — I’d genuinely love to hear from you. Let’s be paranoid together.

  • LinkedIn — For the professional stuff
  • X — For the late-night discoveries
  • GitHub — For the code
  • Gumroad — For the longer guides

Currently accepting coffee recommendations and vulnerability reports. Preferably not at the same time.