Available · Brazil · Portugal · Italy · Spain · Dublin · USA

Where the breach
would make headlines,
I'm the call.

Eighteen years of offensive security across banking, government, media, healthcare and critical infrastructure. Brazil to Europe. Federal-grade trust.

Pentester · Red Team · Open Banking · FAPI · LGPD · GDPR · PCI-DSS

Douglas Lopes
Brasília · BR; Porto · PT; Roma · IT
18+ Years operating
30+ Engagements
12+ Banks · public & private
4 Continents · operating + speaking

Featured in major Brazilian and international outlets covering cybersecurity, financial fraud and digital investigations.

Where we were the focus

Pentester by craft.
Not by certificate.

I started in 2007. No hacking course — I watched my first bank get breached and realized the problem wasn't technical, it was about people.

Eighteen years on, the same obsession: find the door before the criminal does. I've operated inside Latin America's largest public bank, on Open Banking platforms, in private banking across Brazil, Portugal, Italy and Morocco, at the world's largest iGaming company and on Europe's payments backbone.

In parallel, I've supported the Federal Police and Civil Police on complex cyber casework, and spoken at the Florida Association of Private Investigators on phishing and web attack tradecraft.

The focus is the same wherever the engagement: where it hurts most, where the adversary is most sophisticated, where the margin for error is zero.

Eight sectors. One discipline.

Financial sector dominates the engagement count, but the craft is the same across every regulated, high-stakes environment. Where the data has consequence, I've operated.

/01 Banking & finance: Public and private banks, Pix, Open Finance, Open Insurance, FAPI 1.0/2.0, brokerages.
/02 Government & security: Federal Police, Civil Police, treasury, regulators. Casework + offensive assessment.
/03 Media & communications: National press outlets, broadcast networks, publishing platforms. Newsroom-grade pressure.
/04 Healthcare: Hospitals, Santa Casa, regulated institutions. LGPD/GDPR-bound patient data.
/05 Critical infrastructure: Payments backbone, telecom, identity providers. Failure = systemic, not local.
/06 iGaming & payments: Global iGaming platforms. Highest-scale fraud surface in private tech.
/07 Industry & manufacturing: Automotive, wholesale, manufacturing OT/IT crossover environments.
/08 Sports & global events: Olympics, Formula 1, federations. Short window, zero tolerance for failure.

Where I helped identify the gaps.

By contractual restriction, descriptions are intentionally generic. Specific vulnerabilities, exploited vectors and audit findings are never published — not here, not on LinkedIn, not on a CV. The list below covers only public contractual relationships.

Banking & financial (BR · PT · IT · MA)
Caixa Econômica Federal; Banco BMG; XP Investimentos; Sinqia; Captalys; Paraná Banco; Grupo JMalucelli; COOPERFORTE; BMP; Private banks · Italy; Private banks · Morocco

iGaming & payments (Europe · global)
SoftSwiss · iGaming; Jogos Santa Casa · PT; Multibanco · EU backbone

Government & public security (BR)
Federal Police; Civil Police; Treasury · Minas Gerais

Healthcare (BR · PT)
Santa Casa de Misericórdia; Hospital Lifecenter; CBV · Eye Hospital; Federal Nursing Council

Sports & global events (Global)
Rio 2016 Olympics; Brazilian GP · Formula 1; CBF · Brazilian Football Confederation

Industry, media & tech (BR · LATAM)
Honda Brasil; Pearson Brasil; Diário do Poder; ACATE; Arab-Brazilian Chamber; FENACOR; Tambasa Atacadistas; IPOG; Place Tecnologia; Kufa Advocacia

Partial list · Active engagements are not listed publicly until contract end and disclosure embargo expires

When the room needs to understand the adversary.

Florida · USA

Florida Association of Private Investigators

Talk on digital threats, cyber investigations and data protection. Focus on phishing, web attacks and forensic evidence chain applied to private investigation.

myfapi.org · Cybersecurity speaker

Brasília · Federal District

Federal Police & Civil Police

Technical support on high-complexity cyber cases — forensic analysis, attack attribution, vector identification and investigative phase support.

Investigative support · Sensitive casework

Standards that guide every engagement.

OWASP: Top 10 · ASVS · WSTG
MITRE ATT&CK: Tactics · Techniques
PTES: Penetration Testing Standard
NIST: 800-115 · CSF
PCI-DSS: Payments · card data
GDPR · LGPD: Privacy · personal data
OSSTMM: Open Source Security Testing
ISO 27001: SOC 2 · CIS Controls

The tools I actually use.

Recon & OSINT (Mapping · enumeration)
Nuclei, Rengine, Amass, Recon-ng, Sublist3r, TheHarvester, Shodan, Censys, Maltego, Gobuster, Nikto

Exploitation (Web · network · auth)
Burp Suite, Metasploit, SQLmap, NoSQLMap, Hydra, Hashcat, John the Ripper, CrackMapExec, Responder, Mimikatz, BloodHound, Empire, Cobalt Strike

Defense, monitoring & forensics (Blue team · response)
Wireshark, Snort, Suricata, Zeek, Splunk, Elastic, Graylog, Arkime, YARA, Volatility, Autopsy, Radare2, Ghidra, CyberChef

Cloud & DevSecOps (AWS · Azure · GCP)
AWS, Azure, GCP, Kubernetes, Docker, Terraform, Ansible, CodeQL, SonarQube, Bandit, Semgrep, OpenAPI, OAuth · JWT, FAPI 1.0/2.0

Five bases. One operational time zone.

PT · Portugal · Porto: European base. Coordination hub for clients across the continent.
BR · Brazil · Brasília: Origin and Brazilian base. LATAM operations and federal-sector engagements.
IT · Italy · Rome: Italian private banking and Mediterranean coverage.
ES · Spain · Vigo: Spain and Galicia coverage. Iberian operation jointly with Portugal.
MA · Morocco · Casablanca: Private Moroccan banking and Maghreb coverage.

Thirty minutes. No SDR. No funnel.

You explain the scope. I explain if it fits. Direct conversation with the operator — not a salesperson.

Direct booking

30-minute slot. Video or voice. English, Portuguese, Spanish or Italian.
