Independent specialist · Wavect Expert Network
11 years in offensive security. Smart contract and Solana audits at Quantstamp and Halborn, now Enya Labs Security. Brought in when a Wavect build needs an adversarial review before mainnet, or when the threat model has to clear a regulated buyer.
Souhail started in cybersecurity in 2014 at Absec Cybersécurité in Morocco. Trading platforms, insurance mobile apps, vulnerability analysis, reverse engineering. IT6 Group followed, with security testing of Moroccan banking infrastructure (EURAFRIC), the Ministry of Agriculture platform code review, and the Ministry of Health platform vulnerability program. By the time he joined Société Générale Morocco as Senior Security Consultant, he was running DevSecOps integration across the development cycle. Mobile banking audits, risk analysis, EU and Moroccan compliance. He authored the pentesting methodology reference for Société Générale Morocco, hardened Nginx, Zuul, Keycloak, and Jenkins, and cut roughly 90% of the vulnerabilities surfaced in pre-engagement testing.
In May 2020 he pivoted to Web3. Halborn brought him in as Offensive Security Engineer for Solidity smart contract audits, Solana program pentests, and DEX/DeFi assessments. Quantstamp hired him as Senior Security Researcher in 2021. There he led audit teams on large Solana programs and Solidity contracts, analyzed fraudulent transactions and reverse-engineered live exploits at the assembly level, and built internal tooling that helped auditors scope engagements and estimate time more accurately. He is now at Enya Labs on the security side, still in the same line of work: adversarial review of code that holds real value.
Parallel to that, Souhail runs an academic and public-education track. He is a blockchain security researcher at Cadi Ayyad University in Marrakech, with peer-reviewed publications on the blockchain trilemma in Applied Sciences (MDPI), on privacy-preserving application-layer frameworks in IJCNA, and a Springer book chapter on decentralized identity for the Web of Things. He has given 22+ keynotes and workshops across Moroccan universities, the Arab Security Conference, Arab EmTech, BlaBlaConf, and GDG. He has been a blockchain mentor on MentorCruise since 2021. He holds CCSSA, CBSP, and CEE charters across cryptocurrency custody, blockchain protocol security, and Ethereum.
When Wavect brings Souhail in, the work is straightforward. Adversarial review of code that is about to hold value. Threat-modelling of an architecture before it is locked in. Forensics when something has already gone wrong. He is not a generalist consultant. He is the auditor who has read the assembly.
Wavect builds the product. When a build crosses into a domain that exceeds our own bench, we bring in the specialist who already lives there. This is the brief for this one.
Senior auditor at Quantstamp and Halborn. Solidity and Solana program audits, EVM-level review, threat modelling of dApps, DEXs, and DeFi protocols. When a Wavect build is going to mainnet and there is real value at stake, Souhail runs the adversarial pass before deployment. He has shipped enough audit reports to know which findings stop a launch and which can wait.
At Quantstamp he analyzed fraudulent transactions and reverse-engineered live exploits on the blockchain, reading assembly to understand what actually happened. When a client gets hit and the team needs a post-mortem that holds up in front of investors, regulators, or insurers, Souhail does the forensic work.
Société Générale Morocco: integrated DevSecOps into the development cycle, hardened Nginx, Zuul, Keycloak, and Jenkins, cut 90% of vulnerabilities, and authored the pentesting methodology reference. When a Wavect build needs to clear EU or Moroccan compliance, or sell into a regulated industry where audit trails matter, this is the depth we rent.
Academic researcher at Cadi Ayyad University with peer-reviewed work on the blockchain trilemma, privacy-preserving application layers, and decentralized identity for IoT. When a build needs cryptographic primitives sense-checked before the system is locked in, Souhail reads the spec the way an attacker reads it.
Brought in. Not introduced.We engage these specialists inside our own projects, when a brief calls for depth our bench does not carry.
Keynote speaker · Introduction to Blockchain Security
A two-hour public webinar covering the threat surface of modern blockchain systems. Souhail walked through smart contract attack patterns, EVM-level pitfalls, and the disclosure workflow auditors use when a live protocol gets hit. The session is hosted as a publicly viewable artifact of his teaching depth.
Indexed academic publications. Full list on Google Scholar.
Public keynotes, workshops, and webinars delivered independently. Conference links and recordings where available.
Get to know how Souhail thinks. Recent posts, in their own words.
Verified profiles & ratings
Not our domain?
If we lack the depth in-house, engage through Wavect (one contract) or directly with them. We take no referral cut.
Discuss a project