Corey J. Ball

CEO

Grants Pass, Oregon, United States · 15 yrs experience

Key Highlights

  • Best-selling author of Hacking APIs
  • Led APIsec University, educating over 120,000 students
  • Winner of 2022 SANS Difference Makers Award
Stackforce AI infers this person is a Cybersecurity Expert specializing in API security and penetration testing.

Skills

Core Skills

Penetration Testing · API Security · E-learning · Cybersecurity Consulting · Information Security · Cybersecurity Management · Vulnerability Management

Other Skills

AI Security · API Management · API Testing · Business Continuity · Business Development · Business Strategy · Computer Security · Continuous Improvement · Customer Satisfaction · Customer Service · Cybersecurity · Due Diligence · Entrepreneurship · Financial Services · Firewalls

About

As CEO of hAPI Labs, I help private equity firms and financial services teams identify hidden security vulnerabilities starting with M&A transactions, then expanding into comprehensive cybersecurity partnerships. Our Rapid Security Assessment serves as the foundation for ongoing portfolio security programs, delivering critical intelligence under compressed deal timelines while establishing the trusted relationships that evolve into long-term security advisory engagements.

In addition, I am the best-selling author of Hacking APIs and winner of the 2022 SANS Difference Makers Award for Book of the Year. In 2022, I helped create the APIsec University, which has now helped teach over 120,000 students about API security. I have over fifteen years of experience working in IT and cybersecurity across several industries, including aerospace, agribusiness, energy, fintech, government services, and healthcare. In addition to a bachelor’s degree in English and philosophy from Sacramento State University, I hold the OSCP, CCISO, CEH, CISA, CISM, CRISC, and CGEIT industry certifications. I have had the pleasure of being the technical editor of the Kali Linux Pentest Bible (Wiley) and Black Hat GraphQL (No Starch Press).

Experience

hAPI Labs

Founder and CEO

Sep 2024 - Present · 1 yr 6 mos · Oregon, United States · Remote

  • As CEO of hAPI Labs, I lead rapid security assessments for private equity firms and financial services teams during M&A transactions. Our Rapid Security Assessment delivers comprehensive intelligence under compressed deal timelines, identifying critical vulnerabilities that could impact transaction value and post-acquisition integration success. These initial engagements consistently evolve into long-term cybersecurity partnerships with portfolio companies who recognize the value of our specialized approach to enterprise security. If you’re navigating an acquisition and need to identify real technical risks fast, I’d be happy to discuss how hAPI Labs can help.
  • hAPI Labs provides comprehensive penetration testing services across critical attack surfaces including API security assessments, web application testing, network infrastructure evaluation, mobile application security reviews, and targeted social engineering campaigns. Our testing methodology addresses the full spectrum of enterprise vulnerabilities, delivering actionable intelligence that enables organizations to strengthen their security posture against sophisticated threat actors targeting modern digital infrastructures.
Penetration Testing · Mergers & Acquisitions (M&A) · Due Diligence · API Security · Financial Services · AI Security

No Starch Press

2 roles

Technical Editor

Apr 2022 - Sep 2022 · 5 mos

  • As the technical editor, I reviewed the content of Black Hat GraphQL for clarity and GraphQL hacking content. Worked closely with No Starch Press editors and the author to ensure the accuracy of this book. Performed hands-on testing of all hacking subject matter including:
  • Building a vulnerable GraphQL application environment
  • Discovering GraphQL endpoints and finding information from GraphQL implementations during recon
  • Exploiting GraphQL APIs with specialized tools like Altair, graphw00f, CrackQL, and GraphiQL
  • Conducting offensive security tests against GraphQL systems
  • Testing APIs for vulnerabilities, like injections, information disclosure, and Denial of Service

Author

Mar 2020 - Jun 2022 · 2 yrs 3 mos

  • An Application Programming Interface (API) is a software connection that allows applications to communicate and share services. Hacking APIs will teach you how to test web APIs for security vulnerabilities. You’ll learn how the common API types, REST, SOAP, and GraphQL, work in the wild. Then you’ll set up a streamlined API testing lab and perform common attacks, like those targeting an API’s authentication mechanisms, and the injection vulnerabilities commonly found in web applications.
  • In the book’s guided labs, which target intentionally vulnerable APIs, you’ll practice:
  • Enumerating API users and endpoints using fuzzing techniques
  • Using Postman to discover an excessive data exposure vulnerability
  • Performing a JSON Web Token attack against an API authentication process
  • Combining multiple API attack techniques to perform a NoSQL injection
  • Attacking a GraphQL API to uncover a broken object level authorization vulnerability
  • By the end of the book, you’ll be prepared to uncover those high-payout API bugs that other hackers aren’t finding, and improve the security of applications on the web.
Penetration Testing

APIsec University

Chief Hacking Officer

Jan 2022 - Present · 4 yrs 2 mos

  • As the Founder and Head of APIsec University, I lead efforts to evangelize our premier API security learning platform. I create hands-on hacking courses and foster relationships with content creators to help prevent API-related data breaches across the Internet.
API Testing · E-Learning · API Management · Cybersecurity · API Security

Wiley

Technical Editor of Kali Linux Penetration Testing Bible

Mar 2020 - Dec 2020 · 9 mos · Seattle, Washington, United States

  • As the technical editor, I reviewed the content of Kali Linux Penetration Testing Bible for clarity and penetration testing content. Worked closely with Wiley editors and the author to ensure the accuracy of the 500+ page book. Performed hands-on testing of all hacking subject matter including:
  • Building a modern dockerized environment
  • Discover the fundamentals of the bash language in Linux
  • Use a variety of effective techniques to find vulnerabilities (OSINT, Network Scan, and more)
  • Analyzing vulnerability findings
  • Performing buffer overflow, lateral movement, and privilege escalation
  • Applying practical and efficient pentesting workflows
  • Automating penetration testing with Python
Penetration Testing

Moss Adams

Senior Manager - Penetration Testing

Nov 2019 - Mar 2025 · 5 yrs 4 mos · Greater Seattle Area

  • Lead the penetration testing consulting practice providing API, web app, mobile app, and network adversary emulation services. Assist clients with remediation efforts and ensure that their needs and expectations are met and exceeded. In addition, I help improve penetration testing methodologies and the team's capabilities.
Research and Development (R&D) · Cybersecurity Consulting · Technical Writing · Technical Recruiting · Penetration Testing · Sales

GridSME - Grid Subject Matter Experts

Security Operations Manager

Aug 2018 - Oct 2019 · 1 yr 2 mos · Folsom, California

  • Manages the day-to-day operations, including the people, processes, and technology. Assists the team-building processes and procedures to manage the security services line of business. Plays an integral role in the development of the overall culture, strategy, and direction.
  • Leadership & Management
  • Strategizes and executes operational process improvement roadmaps. Leverages technology and automation, where possible without sacrificing customer experience. Launched high-impact initiatives that increased conversion rate, improved customer experience scorecards, decreased costs, and reduced manual processes.
  • Oversees fiscal performance, makes recommendations on matters of policy, and approves changes in the functional area of expertise, establishes objectives, schedules, and cost data as necessary.
  • Ensures overall program management integrity through internal communication of program requirements.
  • Directs work assignments, measures results, and initiates personnel actions as required.
  • Cybersecurity Management
  • Monitor and evaluate unit performance on key security issues and programs, recommends corrective action programs as appropriate.
  • Establish/maintain robust customer relationship to ensure a complete understanding of customer processes to enable the delivery of viable security responses.
  • Plans, develops and implements security plans, security programs such as Emergency Response and Crisis Management, Physical Security, Information Protection, Incident Management, and Investigation.
  • Develops and implements security protocols, policies, and procedures, and conducted ongoing audits to ensure compliance.
  • Gamifies continuous offensive security training with monthly competitions by using Guts and Glory.
  • Performs risk assessments based on NERC CIP and CIS Controls.
  • Designs Personal Development Plans for GridSecurity Staff with monthly one-on-one meetings.
  • Manages service desk team and change management utilizing Fresh Service.
Penetration Testing

CLC Incorporated

Manager of Information Security and System Operations

Jun 2015 - Aug 2018 · 3 yrs 2 mos · Roseville, California

  • Successfully provided strategic leadership in client business applications, IT infrastructure, databases, storage, risk management, enterprise security governance, security operations management, incident response, and telecommunications. Improved quality and delivery of security services for virtual datacenter hosting UNIX, Linux, and Windows servers, VMware ESXi hosts, mainframes, and network devices and appliances. Managed multiple local and remote teams responsible for 24/7 security monitoring, patching, event logging, user provisioning, vulnerability management, auditing, incident response, and enterprise compliance with applicable federal laws and regulations.
  • Managed compliance audits and resulting remediation planning/implementation (ISO 27001, SOC 2, PCI, NIST 800-53, HITRUST, HIPAA).
  • Managed information security projects, including planning and deployment of new processes and technologies in areas of intrusion detection and response, deployment and management of authentication tokens and VPNs, and vulnerability assessment and remediation practice.
  • Migrated web application infrastructure to AWS. Managed associated AWS risk with policies, procedures, and security controls.
  • Managed quarterly internal network and web application testing. Led and organized the Incident Response Team.
  • Mitigated network vulnerabilities by simplifying Dell SonicWall rule set.
  • Managed the operation, availability, and maintenance of Avaya call center and virtual private-cloud infrastructure.
  • Migrated from legacy infrastructure to vSphere virtualized cloud infrastructure.
Information Security · IT Strategy · Penetration Testing · Cybersecurity Management

Consologic

Information Technology Manager, Owner

Jan 2011 - May 2015 · 4 yrs 4 mos · Roseville, California

  • Accountable for ongoing development and management of the servers and network, system security, overseeing department budget and planning, and maintaining accurate documentation including resource time tracking and network design documents. Provided daily support of individual computers and employees. Spearheaded special projects while ensuring they met strategic business requirements and were completed on time and within budget constraints.
  • Hired, trained, and led a team of technicians to provide superior customer service and excellent repair services to computers, laptops, and other electronics.
  • Managed IT related solutions: game console repairs, PC repairs, virus removal, network setup/maintenance, and security administration.
  • Ensured all work requested was reviewed, sized, scheduled, tested, and implemented through the appropriate governance oversight process.
  • Monitored and tracked resource capacity to support assignment, tracked progress through all testing phases, and completed work within a budget.
  • Provided on-going direction, coaching, training, and development opportunities to staff members, enabling the ability to build new skills and increase engagement.
  • Developed new business and customer service-related strategies to increase profits annually. Provided incident response for local businesses.
  • Repaired over 10,000 computers, laptops, and other devices.
Vulnerability Management · Information Security · Penetration Testing

Education

California State University-Sacramento

Bachelor's degree — Philosophy

Jan 2012 - Jan 2014

California State University-Sacramento

Bachelor's degree

Jan 2012 - Jan 2014
