Oct 2023 – Present · 2 yrs 6 mos

Nov 2022 – Present · 3 yrs 5 mos · Remote

• First investor in Depot

Aug 2022 – Mar 2025 · 2 yrs 7 mos · Remote

• NightVision provides advanced Web and API Security Testing solutions that go beyond traditional tools by offering distributed scanning, private network compatibility, and high-quality API testing. As the founder and CTO, I oversee product strategy, engineering, and customer success to deliver impactful security solutions to enterprise clients.
• Designed and launched a security platform leveraging serverless and containerized architectures in AWS, adopted by top-tier customers such as a leading identity provider and a $30B financial services firm.
• Built innovative features, including a next generation web and API security testing platform, a Smart Proxy for scanning private networks, a Static Analysis API Discovery Tool, and an Application Authentication Service that automates browser-based session token management for seamless API testing.
• Lead a cross-functional team of engineers, security researchers, and customer success specialists to align technical development with business goals.
• NightVision has received recognition for its innovative approach to usability and effectiveness in the security testing landscape.

Nov 2021 – Aug 2022 · 9 mos · Los Angeles, California, United States

• As the technical lead for cloud vulnerability management, I spearheaded efforts to address critical gaps exposed during the Log4j vulnerability, building a scalable system from scratch to improve vulnerability detection and response across Block’s cloud infrastructure.
• Designed and deployed Block’s Cloud Vulnerability Management Solution, introducing innovative workflows for result deduplication, false-positive filtering, and automated ownership attribution tailored to individual business units (e.g., Cash App, Square Seller).
• Partnered with engineering teams across Block to integrate the solution seamlessly into existing workflows, minimizing disruptions and maximizing impact.
• Mentored team members, ensuring they were equipped to sustain and enhance the system after my departure.
• Conducted targeted penetration testing to address privilege escalation risks in CI/CD pipelines, aligning findings with broader attack surface management strategies.
• Log4j PTSD.

Jun 2019 – Nov 2021 · 2 yrs 5 mos · San Francisco, California, United States

• At Salesforce, I was a founding member of the REDSCAR team (under Security Assurance), a cross-functional team of hackers and recovering consultants who love to use their technical expertise to influence internal customer teams. As the “SEAL Team Six of DevSecOps Engineers”, we embedded with teams on projects to prevent bugs from happening in the first place. This required a mix of threat modeling, security automation, pentesting, consulting, evangelization, creativity, and a willingness to “get your hands dirty.”
• Open Policy Agent (OPA) Strategy:
• Designed Salesforce’s approach to leveraging OPA for application authorization and Terraform static analysis.
• Partnered with engineering teams in design and implementation, proposed scalable distribution methods, integrated OPA into existing workflows, and trained team members on using OPA/Rego effectively.
• AWS Access Control Plane:
• Delivered a strategy to transition from IAM users to AWS STS credentials with enhanced monitoring, traceability, and attribution.
• Collaborated with teams to ensure solutions for managing human and service identities (e.g., Okta integration) were effective and non-disruptive.
• Microsoft Azure Security Strategy:
• Drove and designed Salesforce-wide security strategy for Azure environments.
• Produced POC attack patterns.
• Built framework for deploying developer friendly Azure Security Guardrails across the organization.
• Open-Source Impact:
• Developed Cloudsplaining and Policy Sentry (50 million combined downloads). Cloudsplaining was the first security assessment tool to scalably identify security risks in IAM policies across Data Exfiltration, Resource Exposure, and Privilege Escalation, and more.
• It is now used daily for 10,000+ AWS accounts at Salesforce and is leveraged by the engines of several venture-funded CSPM companies with billion-dollar valuations.
• It also has been integrated into infrastructure as code scanning engines such as Checkov (170 million downloads).

Aug 2018 – May 2019 · 9 mos

• As a trusted advisor to Fortune 500 companies, I built and scaled security programs, threat-modeled and built critical production systems, and designed innovative automation solutions that improved operational efficiency and security posture.
• Top Project - Automating Continuous Security Testing:
• Built an Automated Application Security Testing Library - a Jenkins Shared Library that performs various AppSec activities (DAST, SAST, SCA, report delivery, automated issue tracking, metrics aggregation) and allows developers or administrators to configure or toggle testing in a YAML file. Allows clients to start automating their continuous security testing within 30 days.
• Integrations included both commercial and open source tools.
• Built training and documentation to support consultants deploying solution for clients.
• Evangelized the solution and piloted with clients successfully.

Sep 2015 – May 2019 · 3 yrs 8 mos

• Worked with global organizations across financial services, automotive, and hospitality industries, providing expertise in penetration testing, secure code reviews, and threat modeling. Example projects below.
• HashiCorp Vault Deployment for Top 3 Worldwide Hotel Chain:
• Developed infrastructure as code (Terraform, Packer, Ansible) and an infrastructure deployment CI/CD pipeline, to build a customized HashiCorp Vault deployment, ensuring high availability, security, and stable deployment.
• Developed Golden Images for secure-by-default AMIs.
• Pioneered the first use of infrastructure as code at the company.
• This infrastructure stood in the critical path – if the secrets management solution went down, no customers could book hotel rooms. It has continued to be highly successful.
• CI/CD Identity Strategy:
• Developed a comprehensive strategy for identity management in CI/CD pipelines, including the integration of secure access controls and automated credential management.
• Threat Modeling and Penetration Testing:
• Conducted threat modeling for clients – for example, an access management system at a Top 5 US Bank, wealth management applications at a Top 3 US investment firm, and architecture risk analysis of CI/CD systems at a public good organization with $2 billion in revenue.
• Performed application security assessments for high-stakes environments, discovering critical vulnerabilities in online casinos, car manufacturer braking APIs, and banking applications.

Sep 2015 – Nov 2016 · 1 yr 2 mos · Sterling, VA

• My first role in the cybersecurity industry was incredible. I started out as a web application penetration tester at Cigital/Synopsys, one of the top application security firms at the time. Here, I honed my web app and API pentesting skills and worked with some of the most brilliant people in the industry. I also started performing cloud security research, back when nobody had heard of Terraform and very few people had used AWS.

May 2014 – Sep 2014 · 4 mos · Arlington, VA

• After picking up a copy of Peter Kim’s “Hacker Playbook” as a sophomore in college and following the tutorials, I became obsessed with hacking and computer security – it was all I could think about. I read all 1000 posts of RSnake’s blog on appsec and couldn’t stop consuming as much information as I could. I wanted to dedicate my summer to studying this new art that I loved. As a rising senior, I received a research grant with the national science foundation to study Dynamic Web Vulnerability Scanners.
• I spent the summer building, researching, and writing. Research can be ruthless – every bit of published research must present a new way to do things or a unique and novel finding to be examined within the scientific and research community. After receiving approval from my professors, I submitted my research, and it was eventually published in an academic journal. It can be found elsewhere on my profile. When I eventually presented my research Conference on Information Systems Applied Research (CONISAR) in Baltimore, MD, I was the only person in the room without a PhD – and I didn’t even have my degree yet. It was an incredible learning experience and growth opportunity as a young aspiring hacker.

Jan 2007 – Dec 2013 · 6 yrs 11 mos

• Fun fact – I didn’t start out in computer science or cybersecurity. I was a music teacher for about 14 years – it’s how I paid my bills in college. This is where I learned how much I love mentoring young people, an appreciation for creativity with technique, and teaching others about topics that I’m passionate about.