Nii Osa Odoi
I started as a software engineer. That background is the reason I find what others miss — I understand how code is built under pressure, where shortcuts live, and how systems fail in practice. Now I use that to break things intentionally and build them more securely.
Most security engineers learned security first. I learned software engineering first — three years building and shipping production systems before moving into security. That background gives me something most practitioners lack: a developer's instinct for how code actually fails.
I know what it feels like to ship under deadline pressure. I know where developers cut corners not out of laziness but out of necessity. I know which security advice gets ignored in code review and why. That context makes me a better attacker and a more credible advisor.
Today I work as a Security Engineer, leading penetration testing engagements across web applications, APIs, and AWS cloud environments — and building the security architecture and visibility systems that keep those environments defensible. I'm based in Accra, Ghana.
Attacker mindset, defender output
I run offensive assessments — but the point is always the remediation. Every finding gets a clear fix, not just a CVSS score.
Architecture, not tooling
Dropping GuardDuty into an account is not cloud security. I design the architecture — segmentation, IAM, visibility, detection — that makes cloud environments defensible.
Automate the boring work
I write custom Python and Bash tooling to scale coverage and catch what off-the-shelf scanners miss.
Security teams can actually use
Findings that sit in a PDF help no one. I write remediation guidance developers can act on and deliver security awareness training that sticks.
Technical proficiency matrix.
How an engagement runs.
The same process underneath every assessment, regardless of scope.
Recon
Mapping the attack surface — subdomains, endpoints, exposed services, and the technologies behind them.
Threat Modelling
Identifying the most likely attack paths and prioritising what to test based on real risk, not a generic checklist.
Assessment
Manual and automated testing across web apps, APIs, and infrastructure to validate and exploit vulnerabilities.
Reporting
Clear, severity-ranked findings with reproducible steps — not a vague PDF dump.
Remediation Support
Working with engineering teams through the fix, not just handing over a report and disappearing.
Where I've worked.
- Leads penetration testing engagements for major organisations across Ghana — spanning web applications, APIs, IT infrastructure, and AWS cloud environments — uncovering critical-severity vulnerabilities and owning the full assessment lifecycle from scoping through client-facing reporting.
- Designs and maintains the company's AWS cloud security architecture, including multi-account network segmentation, centralised threat detection, and IAM governance across production environments.
- Builds and manages a centralised security visibility programme — aggregating findings from cloud detection services into a single operational interface with automated alerting for high-severity events.
- Runs phishing simulations and internal security awareness training as the primary driver of human-layer risk reduction across the organisation.
- Participates in red team exercises, simulating realistic attack chains to surface and prioritise architectural weaknesses.
- Monitors and investigates security incidents — from log analysis through root cause identification and documented remediation.
- Runs an independent security consultancy helping early-stage tech startups review and harden their security architecture and products before they ship.
- Delivers penetration testing, architecture reviews, and clear remediation guidance scoped for teams without an in-house security function.
- Conducted manual and automated vulnerability assessments on institutional web applications and IT infrastructure — building hands-on depth across the standard pentest toolkit.
- Worked alongside IT teams to validate findings and support patch implementation, developing habits in clear technical communication across security and engineering functions.
- Built and presented a custom Python-based vulnerability scanner at an internal security bootcamp — grounded in practical use cases rather than academic demonstration.
- Designed and shipped software solutions for multiple clients — the foundation of a developer's instinct that now informs how I approach vulnerability research and secure architecture.
- Led code review sessions and debugging workflows, building the habit of reading other people's code carefully — a skill that transfers directly to finding vulnerabilities in production systems.
Where I operate at depth.
Three areas where I work beyond tool proficiency — architectural understanding and end-to-end delivery.
AWS Security Visibility & Detection Architecture
Designing multi-account AWS environments where threats surface automatically — not after someone manually reviews a dashboard once a week. I build the pipelines that turn raw cloud signals into actionable alerts.
IAM Governance & Least-Privilege Enforcement
IAM debt accumulates fast in growing AWS accounts — stale roles, wildcard policies, unconstrained PassRole. I audit, remediate, and automate the ongoing review process so it stays clean.
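The three IAM-debt patterns named above (wildcard actions, wildcard resources, and iam:PassRole without a constraint on which role or target service) can all be caught offline from the policy JSON itself, before anything reaches production. The script below is an added example in that spirit, not the author's own tooling: it takes policy documents that have already been exported as parsed JSON (how they are exported is left to the reader), flags the three patterns plus an Allow-with-NotAction grant, and reports per-statement findings. The account ID, role names and bucket names in the sample policies are constructed.

```python
"""Offline least-privilege audit of IAM policy documents (added example).

Checks each Allow statement for:
  * Action "*" or a service-wide "service:*" wildcard
  * Resource "*" with no Condition narrowing it
  * Allow + NotAction (grants everything except the listed actions)
  * iam:PassRole on a wildcard role ARN without an iam:PassedToService condition
The sample policies at the bottom are constructed; the account ID is a placeholder.
"""
import fnmatch
from typing import Any


def _as_list(value: Any) -> list:
    """IAM lets Statement/Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns: list[str], action: str) -> bool:
    """IAM action patterns are case-insensitive and support '*' and '?' globs."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def audit_policy(policy: dict, name: str = "policy") -> list[dict]:
    """Return findings for one parsed IAM policy document."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        sid = stmt.get("Sid") or f"statement[{idx}]"
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        condition = stmt.get("Condition") or {}
        # Condition is {operator: {key: value}}; collect the keys case-insensitively
        cond_keys = {k.lower() for block in condition.values() for k in block}

        def add(severity: str, issue: str) -> None:
            findings.append({"policy": name, "sid": sid, "severity": severity, "issue": issue})

        if "NotAction" in stmt:
            add("critical", "Allow with NotAction grants every action not listed")
        if any(a == "*" for a in actions):
            add("critical", "Action '*' grants every API call")
        else:
            wild = [a for a in actions if a.endswith(":*")]
            if wild:
                add("high", "service-wide wildcard action: " + ", ".join(wild))

        if "*" in resources and not condition:
            add("medium", "Resource '*' with no Condition narrowing it")

        if _matches(actions, "iam:passrole"):
            wildcard_role = "*" in resources or any(r.endswith("role/*") for r in resources)
            if wildcard_role and "iam:passedtoservice" not in cond_keys:
                add("high", "iam:PassRole on a wildcard role ARN without an iam:PassedToService condition")
    return findings


def audit_all(policies: dict[str, dict]) -> list[dict]:
    """Audit a name -> policy-document mapping and return all findings."""
    return [f for name, doc in policies.items() for f in audit_policy(doc, name)]


# Constructed sample policies: two with typical IAM debt, one tightened version.
ACCOUNT = "111122223333"  # placeholder account ID
SAMPLE_POLICIES = {
    "legacy-admin": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "ci-deploy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DeployApp", "Effect": "Allow",
             "Action": ["ecs:UpdateService", "iam:PassRole"], "Resource": "*"},
            {"Sid": "Artifacts", "Effect": "Allow",
             "Action": "s3:*", "Resource": "arn:aws:s3:::build-artifacts/*"},
        ],
    },
    "ci-deploy-tightened": {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DeployApp", "Effect": "Allow", "Action": ["ecs:UpdateService"],
             "Resource": f"arn:aws:ecs:eu-west-1:{ACCOUNT}:service/app/*"},
            {"Sid": "PassTaskRole", "Effect": "Allow", "Action": "iam:PassRole",
             "Resource": f"arn:aws:iam::{ACCOUNT}:role/app-task-role",
             "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}},
            {"Sid": "Artifacts", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::build-artifacts/*"},
        ],
    },
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_POLICIES):
        print(f"[{f['severity']:8}] {f['policy']} / {f['sid']}: {f['issue']}")
```

Run against the constructed samples, the legacy-admin and ci-deploy policies each produce three findings and the tightened policy produces none; in a real account the same function would be pointed at every customer-managed policy version and re-run on a schedule, which is the "automate the ongoing review" part of the work described above.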
Secure Multi-Account Network Architecture
Designing AWS network topologies where accounts are hard-segmented from each other, egress is centralised and inspected, and the whole thing is provisioned via Terraform.
Certifications & education.
I've deliberately prioritised hands-on experience over certifications early in my career — the engagements come first, the paper follows. Sevn Ghana Limited has been a major part of that: the breadth of real-world work I've been trusted with there has shaped my skills more than any course could. I'm now formalising that experience through certification.
Certifications
Education
Let's work together.
Open to penetration testing engagements, cloud security architecture work, and consulting. Based in Accra, Ghana — working with teams globally.
Particularly interested in organisations building their security function from the ground up — I can design the architecture, run the assessments, and help the team build the habits that make it last.