Security Engineer  /  Application & Product Security  /  Cloud Security

8+ years in security. I find broken things for a living: web apps, cloud environments, APIs, internal tooling. Mostly AWS and GCP.

My day job is application and product security: offensive assessments, code review, threat modeling, and the occasional architecture fight. I write the report, then stick around long enough to help close the things in it. A finding that never gets fixed is just a PDF.

This site is where the interesting stuff lands. Research notes, tool walkthroughs, misconfigurations that have no business existing in 2026.

Focus areas

AppSec & Product

  • Web application pentesting
  • Secure code review
  • API security testing
  • SDLC security integration
  • Browser-side attacks (XSS, CSRF, clickjacking)

Defensive & Cloud

  • Cloud security assessments
  • Log analysis & SIEM
  • Threat modeling
  • Security architecture review
  • Vulnerability management

Tools & stack

  • Burp Suite, Metasploit
  • AWS, GCP
  • Python, Bash
  • Wireshark, Nmap
  • Docker, Kubernetes
linkedin github

This site got a refactor with help from Claude AI. Any mistakes in the copy, misconfigurations, or questionable CSS choices are mine.