- Conducting secure architecture review of full stack cloud applications- Authoring risk assessments and remediation guidance for developers and stakeholders- Performing manual penetration testing and source code review for a variety of technologies- Developing security tooling for the detection and prevention of security threats- Performing independent research on emerging threats and vulnerabilities

- Led security assessments for web applications, networks, and cloud-hosted assets- Defined and developed core capabilities in application and cloud security service offerings- Authored and reviewed technical documentation including proposals, reports, and deliverables- Created remediation guidance and engineering solutions for product teams and senior leadership- Performed independent research on topics relevant to cloud security and the threat landscape

Federal Client (June 2016 – June 2020)Provided security services to a government agency migrating to a cloud environment powered by Amazon Web Services (AWS): - Conducted full-scoped penetration testing of cloud-hosted applications - Provided guidance on network architecture and application security - Performed OSINT research to provide actionable threat intelligence - Integrated security services into automated development pipelinesCreated and released “CloudFrunt” – an open-source AWS CloudFront exploitation tool: - Observed anomalous behavior in customer AWS CloudFront deployments - Performed private research into exploitable issues in core CloudFront functionality - Created “CloudFrunt” tool to automate the process of discovering and hijacking domains - Squatted roughly 2,000 domains over a five-day period, which were turned over to AWS Security - Nine vulnerable federal domains were reported to US-CERT at NCCIC - Research covered by Bleeping Computer, Threatpost: disloops.com/cloudfront-hijackingPrivate Client, Financial (May 2016 – June 2016)Provided security services to a super-regional financial institution in support of an Enterprise Architecture (EA) effort.

- Provided secure research and network capabilities to full-spectrum cyber operations personnel- Participated in an Agile software development lifecycle (SDLC) in a laboratory setting- Created mission-critical web applications for federal customers using RESTful API, Java, and C#

Federal Client (Jan 2014 – April 2015)Provided security services to a government agency migrating to a cloud environment powered by Amazon Web Services (AWS). Acted as the lead security contact for applications being deployed or updated. Responsibilities included: - Conducting targeted penetration testing of network and web applications - Performing static code reviews in a variety of languages - Creating reports to describe existing vulnerabilities and steps required for remediation - Responding to emerging threats that affect the security of hosted applications - Performed platform hardening, event monitoring, and compliance tasks as requiredFederal Client (Feb 2014 – Apr 2014)Performed an assessment of a sensitive production network in support of a legislative government agency: - Reviewed existing network inventory to define an acceptable network architecture - Enumerated active devices using a variety of network mapping tools - Performed physical verification of devices, cabling, and air gaps - Conducted vulnerability scans of network hosts using a proprietary security platform - Verified tool-driven results using manual testing where necessary - Documented network discrepancies and created remediation guidancePrivate Client, Financial (May 2013 – Dec 2013)Authored an original Application Security policy for a super-regional financial institution: - Created a charter document to describe best practices in Application Security - Performed a gap analysis of the development process and developer proficiency - Identified engagement points for new security activities - Created a developer training plan and a solution for delivering security requirements - Established attack surface analysis and threat modeling as part of application design - Succeeded in creating new roles for security experts on development teams

Participated in the full Software Development Life Cycle (SDLC) of a web interface for personnel stationed at Eastern Naval Warfare Centers – the Naval Surface Warfare Communicator: - Gathered requirements to create deliverable design documents - Deployed and maintained an Apache Tomcat web server - Implemented a compliance-based architecture using AJAX, Java, JavaScript, Perl, and PHP - Constructed data repositories within an Oracle relational database using Oracle SQL Developer - Provided continuous support and enacted revisions based on changing customer needs - Currently serving the occupational needs of 4,000+ military and contractor personnel dailyActed as Lead Developer on the following projects: - Created an Emergency Muster system for Naval Sea Systems Command (NAVSEA) Dahlgren - Created an automated system for identifying inactive phone lines and circuits