Methodology, writeups, and hard-won lessons from breaking applications and building the tools to break them. This is the clearest picture of how I actually work.
Broken access control tops the OWASP list and generic DAST tools are structurally blind to it — because they only ever see one user. Here's why, and how a multi-identity engine fixes it.
What it takes to build a corporate vulnerability scanner that runs with zero outbound connections — and why building the tool made me a sharper manual tester.
The methodology in these posts is exactly what I bring to an engagement.
Book an assessment →