What I do
I do penetration testing for a living. Web applications, APIs, cloud-native architectures, and the AI-adjacent systems that are increasingly wired into all of them. External engagements, internal engagements, source code review when the scope calls for it. I’ve worked across a wide range of clients and industries.
The work covers the full spectrum of application security. SQL injection, cross-site scripting, broken access controls, server-side request forgery, insecure deserialization, denial of service via SlowHTTP or request flooding. I’ve built multi-step proofs of concept that chain low-severity findings into critical impact. If it’s on the OWASP Top 10 or any of the common vulnerability taxonomies, I’ve found it in production.
What I’m curious about
Outside of client work, I spend time on the problems that don’t fit neatly into a checklist.
Concurrency bugs that only surface under production load. Authorization logic that breaks at the seam between two services that were each configured correctly. Trust boundaries in cloud-native architectures where the provisioning layer, the network layer, and the data plane each assume someone else is enforcing the constraint. The kinds of things that survive audits because they require crossing a boundary to see.
I’m also interested in how AI is changing the attack surface. Not the hype, but the practical reality: what happens when you wire an LLM into an application that was never designed for adversarial input, or when AI-driven tooling creates new classes of testing that weren’t possible before.
What I build
I write tools. When I find a pattern worth repeating, I automate it. When I find a bug worth explaining, I build a demo.
The CharsetDecoder race condition project is a good example: a Spring Boot service that reproduces a Java concurrency vulnerability under load, with an interactive visualization of the results. AWSSigner is a Burp Suite extension for AWS request signing that I contribute to. Whispy is an AI-powered transcription tool I built in Python.
More of my work is on GitHub and Codeberg.
What I write about
This site is where I think through problems in public. Some posts are deep dives on a specific vulnerability. Some are notes on a class of bug I keep seeing across engagements. Some are about the tooling itself. I try to be specific about what I found, how I found it, and what the fix looks like.
Verify me
The canonical handles for anything I publish:
- GitHub: @JAEKts
- Codeberg: jaekts
- LinkedIn: jacob-genia-77b317149
For security-related contact, see .well-known/security.txt.