00 · Opening · The shield
Available For collaborations & speaking
Currently Paris, France

The art of cybersecurity.

Offensive Security Lead · Cybersecurity Engineer · Creator

A practice in offensive security, governance, and the slow work of clarity.

I · The beginning

Every discipline begins as a question.
Mine was simple. What is a system worth, the moment before it fails?

II · Introduction

Hello.

I'm Johann. I live in the space between the rule and the risk.

Johann Lahoud is an Offensive Security Lead in financial services, running a 70+ engagement annual testing programme across BNP Paribas Asset Management and AXA Investment Managers.

A practitioner first. Years spent inside governance, pentest oversight, purple teaming, DORA delivery and executive reporting. The work moves between the boardroom and the engagement scope, translating regulatory weight into controls that hold up.

CyberWithJohann is the creator side. A brand built to give the next generation of cybersecurity professionals a real way in, without the hype and the gatekeeping the industry is known for.

Johann Lahoud
Paris, FR 2026

The portrait. The practitioner. The same person who reads RFCs at night and presents to the CSO at dawn.

III · The practice

Security is not a feature.
It is the architecture beneath the architecture.

IV · Expertise

What I do.

Six disciplines, one continuous practice. From the scope of a single engagement to the architecture of a regulatory programme — the work is the same: turn uncertainty into something measurable.

01

Offensive Security Oversight

End-to-end stewardship of offensive programmes: engagement scoping, vendor coordination, remediation pressure, risk acceptance.

02

Pentest Program Management

Orchestrating 70+ engagements a year across 12 testers, internal stakeholders and external providers.

03

Purple Teaming

Closing the loop between offense and defense through measurable, repeatable exercises and crisis simulations.

04

DORA & ISO 27001 Governance

Leading DORA work-streams across departments, translating regulatory requirements into concrete control, governance and resilience actions.

05

Vulnerability Governance

From technical control assessments to remediation tracking, built on a Python automation stack that turns raw outputs into structured management reporting.

06

Executive Reporting

Authoring and presenting cybersecurity strategy to the CSO. Risk, maturity, and the initiatives a board can act on.

V · The path

Where I've worked.

Four chapters. One throughline. Each role added a layer — governance, automation, programme leadership, the brand — to the same question I started with.

Since 2023
Offensive Security Lead
BNP Paribas Asset Management / AXA Investment Managers
  • Lead security assurance initiatives in a large regulated financial environment, combining programme governance, executive reporting and regulatory delivery.
  • Manage an annual testing programme covering 70+ engagements per year, coordinating 12 testers across internal stakeholders and external providers.
  • Authored and presented the 2024 cybersecurity strategy to the CSO, covering risk, maturity assessment and strategic initiatives.
  • Led DORA implementation work-streams across departments; designed purple team exercises and cyber crisis simulations.

Since 2025
Founder
CyberWithJohann
  • Built a cybersecurity education platform delivering structured content for IT and cybersecurity professionals.
  • Developed long-form educational resources and grew a 10,000+ online audience.

2021 / 2023
Governance Information Security Officer
AXA Investment Managers
  • Delivered and maintained 130+ technical security control assessments across multiple environments.
  • Developed a Python-based data parsing and reporting automation tool, transforming raw assessment outputs into structured dashboards and management reporting.
  • Analysed control data across Active Directory, enterprise networks and applications to identify gaps, track remediation and support governance decisions.

2022 / 2023
Founder
Adondroid
  • Led a small software development venture delivering digital products for external clients.
  • Managed a team of developers to build and deliver an MVP mobile application aligned with client requirements.

VI · The proof

Credentials.

Certifications are a signal, not a substitute. The work comes first; the paper follows.

Certifications

  • ISO/IEC 27001 Lead Implementer Certified
  • Certified Ethical Hacker Pentester (CEHP) Certified
  • TOEIC Certified

Education

  • EPITA · Engineering Diploma in cybersecurity 2019 / 2023
  • Ajman University · AI & Data Science 2023
  • TSI Riga · Entrepreneurship & Management 2022

VII · The voice

There is a generation waiting for a door.
I am building it slowly, on nights and weekends.

VIII · The brand

CyberWithJohann.

Built quietly, alongside a full-time offensive security role. The thesis is simple: the industry is hungry for clarity. The work is to deliver it with restraint.

CyberWithJohann is a creator brand built to demystify cybersecurity for the next generation: aspiring engineers, career switchers, and the curious. No hype, no gatekeeping, no recycled threat-intel.

A 100-page Career Guide. An 8-path Career Quiz. A growing community across TikTok and Instagram. The standards held to product design, not influencer content.

It bridges the boardroom and the bedroom developer. Built quietly, on nights and weekends, alongside a full-time offensive security role at one of Europe's largest asset managers.

A long game. The kind that compounds.

IX · The craft

Things I've built.

Tools, research, products. Some shipped. Some closed. All taught me something I still use.

001

Web Security Snapshot CLI

A command-line tool to capture a fast, reproducible security posture snapshot of any web target. Faster than a scanner, deeper than a glance.

CLI Open Source Offensive

002

Career Path Quiz

An 8-path diagnostic quiz that helps aspiring cybersecurity professionals find the role that actually matches their wiring.

Product Education CyberWithJohann

003

Complete Cybersecurity Career Guide

100 pages. Five paths. The honest map I wished existed when I was starting out.

Guide Editorial Long-form

004

Research · Slither on Ethereum

Research conducted at EPITA on the effectiveness of vulnerability detection methods used by Slither against Ethereum smart contracts.

Research Blockchain EPITA · 2023

005

InfoSec Automation Tool

Python-based data parsing and reporting automation for an investment management firm. Turning raw control assessments into structured dashboards.

Python Automation Confidential

006

SHELL

A Unix shell built from scratch. Following the footsteps of Ken Thompson, Steve Bourne and David Korn, one syscall at a time.

C Systems EPITA

X · The next chapter

The story is still being written.
If our paths cross, let's make it count.

XI · Contact

Let's talk.

Open to collaborations, speaking, and meaningful conversations.

Currently at BNP Paribas. Not available for freelance.