Sep 2014 – Mar 2021 · 6 yrs 6 mos · Baltimore, Maryland Area

• Member of CTO team serving as principal architect and technical lead for threat intelligence and network security product lines. Led research and development of distributed database systems, real-time packet processing infrastructure, and threat intelligence platforms deployed across enterprise and government customers.
• ScoutPrime/ScoutVision Threat Intelligence Platform
• Architected and implemented horizontally scalable threat intelligence system processing billions of asserted facts with immutable storage model. Designed distributed graph-relational database engine (lg-interrogate) with Datalog and SQL query interfaces, temporal reasoning, and multi-backend storage (Elasticsearch, HDFS). Built STIX 2.0 processing pipeline with custom parsers and entity-fact-assertion model for threat data ingestion and correlation. Platform enabled real-time threat scoring and relationship analysis across Internet-scale datasets. Technology resulted in multiple patents on distributed threat intelligence and immutable knowledge systems.
• CloudShield Eclipse Packet Processing Appliance
• Co-architect of 10gbps+ line-rate packet processing and mitigation system on commodity hardware. Designed and implemented complete packet processing virtual machine (PacketStacker) with integrated TCP/IP stack, compiler, optimizer, and debugger toolchain. Built lock-free FPPU (Fast Path Processing Unit) infrastructure for programmable packet filtering and transformation with microsecond-level performance constraints. System achieved 1 operation per 4 clock cycles through direct-threaded dispatch and zero-copy packet handling. Deployed in production for real-time threat mitigation and deep packet inspection.
• Patents: US10469515B2 (distributed threat intelligence), US10614131B2 (immutable threat intelligence systems), and additional patents on low-latency stateful processing and dynamic network protection.

Oct 2013 – Aug 2014 · 10 mos

• Co-founded threat intelligence analytics company focused on bringing business intelligence-grade analytics to cybersecurity operations. Developed HPC-based processing engine and multi-dimensional analysis interfaces for threat correlation and investigation.
• Early work exploring distributed threat intelligence architectures that later informed LookingGlass platform development.

Aug 2010 – Sep 2013 · 3 yrs 1 mo

• VP Engineering and Chief Architect leading development of automated malware analysis platform that became core IP in Cisco's acquisition. Built and led R&D team from founding to eight engineers developing supercomputing infrastructure processing millions of malware samples daily.
• Architected scalable malware sandbox infrastructure with dynamic analysis, automated behavioral classification, and artifact extraction. Designed distributed processing platform with thousands of cores, terabytes of RAM, and petabytes of storage on 320gbps Infiniband backbone for real-time malware intelligence correlation. Developed custom hypervisor-level kernel debugger, network protocol analyzer, and Lisp-based expert system for behavioral analysis.
• Pioneered data storage framework with custom deduplication and compression algorithms enabling retention of every malware artifact and execution trace. Led Linux kernel and hypervisor performance optimization for high-throughput sandboxing. Designed customer-deployable appliance architecture based on core platform.
• Platform became foundational technology in Cisco's threat intelligence portfolio following acquisition, processing and analyzing malware samples for enterprise security operations worldwide.

Jul 2010 – Present · 15 yrs 9 mos · Washington DC-Baltimore Area · Hybrid

• Personal consultancy providing specialized engineering and research services across security infrastructure, distributed systems, and malware analysis. Work spans embedded systems development, custom language design, and architecture consulting for startups and established enterprises.
• Representative engagements include blockchain-based virtual black boxes and IPv6 communication systems for FAA-regulated drones, high-performance SYSLOG processing infrastructure (millions of events/sec), distributed intelligence monitoring systems with real-time alerting, custom domain-specific languages for security policy evaluation, signature management platforms with integrated version control, and malware sandbox architectures. Project lead on embedded network IDS appliance (MIPS/FreeBSD).
• Research presented at DefCon, Hack in the Box, and BSides on malware analysis methodologies and injectable virtual machine techniques.

Apr 2009 – Jul 2010 · 1 yr 3 mos

• As a Principal Security Consultant, acted as lead on penetration testing, code review, reverse engineering and application security engagements, with a strong research focus in Malware Analysis.
• As Principal, functioned as project lead and customer interface, leading software assessment and code reviews for Fortune 500 software and computer manufacturers.
• Conducted numerous successful application assessment projects, engaging with the development teams of cutomers.
• Functioned as part of customer's Red Team attacking VPN systems and assessing internal security practices.
• Developed an automated malware analysis framework with Scott Dunlop, and used it to give talks about malware analysis.

Mar 2008 – Apr 2009 · 1 yr 1 mo

• Senior security consultant, doing penetration testing work, as well as reverse engineering and research and development for clients.
• Extensive VoIP assessment using custom in-house tools, including a softphone client using knowledge obtained from reverse engineering proprietary protocols.
• Malware analysis and reverse engineering for incident response, developing tools and processes.
• Conducted security assessments using hardware and software reverse engineering practices, writing in-house automated debugging tools.

Mar 2007 – Dec 2007 · 9 mos

• Performed malware analysis work, doing research on malware samples and developing automated analysis systems to help in the process of finding false positives and false negatives.
• Developed tools to identify false positives, and false negatives in product's malware detection.
• Wrote reporting tools that showed trends, pulling data from the database.
• With a team, reworked the in-house malware analysis sandbox for better speed and analysis accuracy.
• Developed virtualization infrastructure using AMD CPUs and Xen for malware analysis.

Sep 2005 – Mar 2007 · 1 yr 6 mos

• As one of Accuvant's senior consultants, automated and streamlined the assessment practice's workflow and engagements and providing guidance when needed. Also did conventional security consulting with a keen focus on code reviews and application assessments. Functioned as a domain expert and resource on system architecture, Unix, and application asssessments.
• Performed on-site assessments of application and network infrastructure.
• Wrote tools that streamlined the data collection and reporting process, reducing manpower requirements on assessments.
• Did Red Team exercises onsite for customers.

Jan 2000 – Jul 2005 · 5 yrs 6 mos

• One of the founding consultants in the penetration testing practice. Performed penetration and network security testing, and security tools programming. Also performed application assessment for web applications.
• Wrote in-house tools such as a highly effective and massively parallel port scanner.
• Engineered the virtual machine infrastructure for a remote penetration testing lab, using first VMWare Workstation and then the first version of VMWare GSX when it was released.
• Conducted hundreds of successful penetration tests.

Feb 1999 – Apr 2000 · 1 yr 2 mos

• Conducted software quality assurance work on network analyzer and decoder product. Provided Unix support and expertise for a broad range of platforms including HP-UX, SGI IRIX, Digital Unix, IBM AIX, Sun Solaris, and Linux to the rest of the QA product team.
• Configuration management, unifying test platforms for a host network monitoring application, ensuring that the services provided were homogenous and testable.
• Automated deployment of test machines.
• Wrote in-house tools to audit and test network acquisition engine, an early predecessor to network-based IDS'es.

Jun 1997 – Dec 1998 · 1 yr 6 mos · Exxon (EUTeC)

• Full time salaried consultant for IT consulting firm, Berger & Co, specializing in security, Unix infrastructure/administration, and networking. Primary client was Exxon's technical computing and supercomputing group.
• Wrote an in-house host-based Intrusion Detection System and system auditing tool that ran cross-platform on HP-UX, SGI IRIX, IBM AIX, SunOS, and Solaris.
• Wrote job control software for Cray Unicos and SGI Irix that reported to IBM MVS for auditing purposes.
• Developed an automated network installation infrastructure that deployed Sun and SGI configurations from a single console using Tcl/Tk.
• Developed Standard Load Image for SGI Irix 5.3, and 6.2.