Summary

Penetration tester and security researcher at Semaphore Consulting Partners, with prior experience as a Red Team operator at PwC Norway. I perform web application, API, network, Active Directory, OT/ICS and IoT security assessments for clients across finance, energy, public sector, and transport.

Outside of client work I focus on independent security research and bug bounty programs, which has led to several published CVEs and advisories in open-source software.

Security research & CVEs

SSRF via HTTP Redirect Bypass — Papra

CVE-2026-48051 · GHSA-5g86-85rp-f9hx · May 2026

Found and reported a Server-Side Request Forgery vulnerability in Papra's webhook delivery system. The SSRF protection validated registered webhook URLs but ignored redirect destinations, allowing an authenticated user to make the server reach internal addresses. Credited as reporter.

Authorization Bypass: Payment Method Restriction — Sylius

CVE-2026-53638 · GHSA-6955-hrm5-c4qp · June 2026

Found and reported an authorization bypass in the Sylius shop account API. Authenticated customers could assign payment methods restricted by channel configuration, bypassing a check that was correctly enforced on the equivalent checkout endpoint. Credited as reporter.

WeKan Security Hall of Fame

Responsible disclosure recognition

Listed in the WeKan Hall of Fame for responsibly reporting a Broken Function Level Authorization vulnerability (CVSS 8.1) affecting 48 REST endpoints in the open-source kanban platform.

Additional advisories in draft / pending publication.

Core skills

  • Penetration testing
  • Web application security
  • API security testing
  • Active Directory & Windows security
  • Vulnerability research & analysis
  • OSINT
  • IoT & hardware hacking
  • Physical security & lockpicking
  • OT/ICS security testing
  • Assumed-breach & internal network testing
  • Purple team exercises
  • Phishing & email security testing
  • Cloud (Azure / Entra ID) security
  • Security awareness training & talks

Experience

Penetration Tester & Security Expert — Semaphore Consulting Partners

Ethical hacking and security assessments for clients across finance, energy, public sector and transport as Penetration Tester, Test Lead and Project Lead.

  • Web & API penetration testing across varied stacks (React, C#, Kotlin/Spring Boot, Blazor), including e-commerce and SaaS platforms
  • Internal network and Active Directory / Entra ID assessments, including assumed-breach scenarios
  • OT/ICS assessments of industrial and factory networks
  • Security talks and training — secure coding, how penetration testing works, and lockpicking workshops

Red Team Operator — PwC Norway

Part of the PwC Red Team (Cyber Threat Operations) as an ethical hacker.

  • Penetration tests, red team engagements, and technical security consultancy for national and international clients
  • External and internal network testing, Active Directory, and OT/ICS assessments
  • Development of internal tooling
  • Purple-team detection exercises across the energy and public sectors

Intern — Cyber Security and Privacy — PwC Norway

Introduction to red team operations, IAM / PAM solutions and GRC.

Community & speaking

  • BSides Oslo — Lockpicking Village · 2024 & 2025
    Co-organized and ran the Lockpicking Village as instructor, teaching physical-security and lockpicking fundamentals to attendees.

Earlier experience

  • Trainee — Innovation Norway · 2013–2014 · Royal Norwegian Embassy, Tokyo

Earlier roles in teaching, marketing, consultancy, and research (2007–2022) — full history in the CV.

Certifications

  • Practical IoT Pentest Associate — TCM Security
    Hands-on IoT/hardware security: ROM flashers, logic analyzers, UART/SPI protocols, firmware extraction and reverse engineering, vulnerability identification and professional reporting.
  • Microsoft Certified: Azure Fundamentals (AZ-900) — Microsoft
    Foundational knowledge of cloud concepts, Azure management, services and tools.

Relevant courses

  • OffSec WEB-300 — Advanced Web Attacks and Exploitation (2024)
    Prototype pollution, SSRF, .NET deserialization, RCE, blind SQL injection, source code review, persistent XSS, session hijacking.
  • TCM Security — Linux & Windows Privilege Escalation, OSINT, and Practical Ethical Hacking (2023)

Full course list in the CV.

Education

  • BSc, Computer and Information Sciences — University of South-Eastern Norway (2020–2023)
  • BA, Japanese Language and Literature — University of Oslo (2007–2010)
  • Web development course — NTNU (2018)
  • International marketing courses — BI Norwegian Business School (2010–2012)

Languages

  • Norwegian — native
  • English — professional working
  • Japanese — limited working proficiency

Interests

Physical security and lockpicking, hardware tinkering and soldering projects, 3D printing, and hands-on testing of new offensive tooling (e.g. Flipper Zero). I read widely on hardware hacking and keep current with AI/LLM security research.

Contact

Open to interesting work and security research collaboration.

~$ mail contact@fredrikd.com

References available on request.