About

A concise snapshot of my profile and how I work across offensive security and governance.

I'm Juan Esteban Grateron, a Penetration Tester and Computer Science Engineer based in Colombia. I work at the intersection of offensive security and GRC — identifying real weaknesses across systems and validating whether security controls hold up under actual attack conditions, not just on paper.

On the offensive side, I focus on hands-on penetration testing across network, Active Directory, and web exploitation environments. On the compliance side, I support ISO/IEC 27001 and ISO/IEC 42001 implementations through risk-based analysis, control effectiveness reviews, and audit-ready documentation — informed by what I know actually breaks in practice.

Certified eJPTv2, eCPPTv3, and ISO 42001 Lead Implementer (PECB). With 3+ years in cybersecurity, I'm driven by continuous learning and the challenge of turning complex security requirements into practical, measurable outcomes.

Outside of work, you'll usually find me reading manga, spending time with my cats, or enjoying a calm scenic view...

Professional Experience

OCT 2025 – Current
Insight Assurance

Staff Auditor (ISO)

Perform certification audit engagements and readiness assessments based on ISO 27001.

  • Conduct third-party certification audits against ISO/IEC 27001 and ISO/IEC 42001.
  • Evaluate policies, risk treatment plans, and technical controls to assess effectiveness and conformity.
  • Perform risk-based sampling and evidence testing during audit fieldwork.
  • Document nonconformities and opportunities in formal audit reports.
  • Follow up on corrective actions to verify remediation and sustained compliance.

FEB 2025 – OCT 2025
Baker Tilly Colombia

IT Auditor

Supported IT audit and internal control assessments related to IT governance and risk management.

  • Analyzed configurations and documentation to identify control deficiencies and risks.
  • Collaborated with technical teams and management to define remediation priorities.
  • Delivered audit outputs to technical and non-technical stakeholders.

JUN 2024 – OCT 2024
Cooperativa de Panificadores de Santander

IT Consultant

  • Provided infrastructure and system support across Linux servers, databases, and user environments.
  • Documented procedures and improved operational workflows to enhance IT stability.

AUG 2022 – JAN 2023
Revista Colombiana de Computación

(Universidad Autónoma de Bucaramanga)

Jr Researcher

  • Supported the peer review process: finding reviewers, follow-up, and communications to strengthen the rigor of publications.
  • Maintained internal communications and databases, improving the visibility of statuses and deadlines.

Core Skills

Web Application Testing

eWPTXv3 · OWASP Top 10, authentication flaws, injection, LFI, business logic abuse.

Burp Suite · Manual testing · Auth bypass · SQLi & injection chains · LFI / path traversal · Business logic flaws

Infrastructure & Active Directory

eCPPTv3 · Network enumeration, privilege escalation, lateral movement, AD attacks.

Network enumeration · Privilege escalation · Lateral movement · Active Directory attacks · Post-exploitation

GRC & Audit

Risk assessments and control evaluation with technical depth behind the findings.

ISO/IEC 27001 · ISO/IEC 42001 · IT General Controls (ITGC) · Risk management · Threat modeling · Compliance gap analysis · Audit reporting

Scripting & Environments

Supporting both offensive and governance work.

Linux · Windows · Bash · PowerShell · Python

Languages

Comfortable working in bilingual environments.

Spanish — Native
English — C1 (Professional working proficiency)