Experience

VerSprite Cybersecurity

• United States
• IT Services and IT Consulting
• 1 - 100 Employee

• Senior Security Consultant

  • Sep 2020 - Present



NCC Group

• United Kingdom
• IT Services and IT Consulting
• 700 & Above Employee

• Senior Security Consultant

  • Jan 2015 - Jul 2020

  Penetration testing for a variety of high-profile clients, including major financial organisations, public institutions, software and telecommunication vendors. Large number of on-site engagements with on-going communication with clients during all the phases of the projects. Penetration testing for a variety of high-profile clients, including major financial organisations, public institutions, software and telecommunication vendors. Large number of on-site engagements with on-going communication with clients during all the phases of the projects.



Revelock · A Feedzai Company

• United States
• Computer and Network Security
• 1 - 100 Employee

• Senior Security Consultant

  • Sep 2012 - Dec 2014

  Penetration testing and source code audits for a variety of high-profile clients, including major financial organisations, public institutions and software vendors.Main developer for the research and development team of Golismero, a cloud-enabled automated penetration testing tool for web applications, helping with both this software's architecture and implementation.

• Senior Developer

  • Oct 2010 - Aug 2012

  Developer for the BugScout product, web-based a static code analyzer for web applications, written in Java using Eclipse and OSGI for the backend and the Google Web Toolkit for the frontend. Developed custom mechanism of flexible user permissions and roles for the BugScout web services and API. Contributed in the development of the static code analyzer for Java and ABAP.



ECIJA

• Spain
• Legal Services
• 200 - 300 Employee

• Security Consultant

  • May 2010 - Sep 2010

  Performed penetration testing and security assessments for different banks in Spain. Researched and developed solutions for the detection and prevention of e-crimes for different banks in Spain. Researched and developed tools for automated information gathering on malware threats, using a system of multiple probes and an asynchronous secure channel of his own design that prevented an attacker from discovering the main hub or the other probes if one of the probes was compromised. Performed manual analysis of malware (banking Trojans mostly) for specific samples when automated analysis was insufficient. Show less



Core Security

• United States
• Computer and Network Security
• 1 - 100 Employee

• Exploit Writer Sr.

  • May 2008 - Feb 2010

  Developed stable multi-target exploits in Python for the CORE Impact framework, mostly from Microsoft patches and also from other public sources of information on known vulnerabilities. Some examples include: MS09-048 (TCP/IP timestamp), CVE-2009-3676 (Win7 SMB DoS), CVE-2009-3023 (IIS FTP NLST), CVE-2008-0660 (Facebook photo uploader), CVE-2007-1365 (IPv6 mbuf), MS06-001 (WMF), CVE-2006-3869 (MS06-042 flawed patch), CVE-2006-2369 (RealVNC auth), CVE-2005-2668 (CA Unicenter).Also collaborated with the development of the second remote exploit for OpenBSD (CVE-2007-1365) with Alfredo Ortega (http://www.coresecurity.com/content/open-bsd-advisorie)Developed several libraries and shellcodes for the CORE Impact framework, most importantly an advanced memory hunter stager, an HTTP staging and tunneling mechanism for exploit payloads, a stager to migrate the payload into the memory of another process (tipically explorer.exe), a payload stager using shared memory on Windows (for privilege escalation exploits), a shellcode to recreate the main process heap (solves stability problems in many heap-based exploits), a shellcode to temporarily disable the Windows firewall), a library to convert any payload to a sequence of Windows commands (to exploit command injection flaws), a flexible in-memory HTTP server in pure Python, an automated mass mailer for client-side exploits and a new version of InlineEgg (a multi-OS shellcode assembler) also written in Python.Some of this work (HTTP stager and process escape stager) was presented in Black Hat Federal 2006 by Max Caceres:http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Caceres-up.pdf Show less

• Exploit Writer SSr.

  • Jan 2007 - Apr 2008

• Exploit Writer Jr.

  • Jun 2005 - Dec 2006