Senior offensive security specialist — breaking web apps, APIs, and authentication flows before someone with worse intentions does. 7+ years turning assumptions into proof.
Full-scope assessments — injection, access control, business-logic abuse, and the things scanners never find.
REST & GraphQL testing, authorization boundary mapping, and broken-object-level access at scale.
OAuth 2.0, PKCE, OIDC and session management — where the deepest, quietest bugs tend to live.
Authorized phishing and social-engineering ops — pretext design, delivery, and measuring how people and controls actually respond.
Post-foothold internal testing — lateral movement, privilege escalation, Active Directory weaknesses, and segmentation gaps.
Internet-facing exposure — misconfigurations, exposed services, and the soft spots an outside attacker reaches first.
Offensive Security Certified Professional — hands-on exploitation under exam conditions.
Offensive Security Web Assessor — modern web application attack techniques.
Active security clearance — cleared for sensitive engagement work.
Advanced web exploitation & white-box source-code review. Currently in pursuit.
An offensive look at how a credible, authorized phishing op is built, launched, and measured.
Walking through the implementation gaps that quietly defeat PKCE protection in real OAuth deployments.
How an "image" upload becomes a credential-stealing surface — and why your CSP probably is not catching it.