Pilot: About Me

Pilot: About Me

2024, Jun 13    

I help clients understand what their attack surface is, how attackers can target the various aspects of it, and what they can do to minimize some of the threats they are faced with. While I have spent the entirety of my professional career in cyber security, I was initially drawn to the industry because of my obsession with learning and understanding how computers and networks work at a deeper level (and in-turn, how to break them). I take a scientific approach to my work, which seemingly creates good outcome-based results in an industry that needs to be driven by facts (unknown = risk). Specifically, the majority of my experience has been in performing in-depth penetration testing - identifying vulnerabilities and risks within different networks, systems, and identity systems, demonstrating the impact of these items through exploitation, and advising on strategies to remediate, mitigate, and/or compensate for those risks - I now work closely with our clients to implement these controls to decrease risk around different areas of their attack surfaces. This includes building programs and implementing controls within the following areas for clients across industries and of varying sizes; identity and access management (IAM), vulnerability management (VM), as well as application and cloud security.

I used to think it was powerful to be able to take over (pwn or pwned) organizations again and again - I would time myself at the start of each assessment to see how fast I could breach an organization’s perimeter and/or get to DA. After having conversations with more and more clients, I realized over time the difficultly and intricacies there are to continuously identify these problems and fix them at scale. While there may be technical solutions to mitigating cyber risks, there are resource constraints, business considerations, other priorities, etc., that increase the complexity dramatically. And if organizations do not have solutions to continuously identify and correct for added/removed scope of risk within various types of environments, the risk stays unknown. This is a much harder and complex problem to solve for, which is why I am focusing on building off of established foundations or preventative cyber security to help organizations keep taking steps in the right direction.

I will be releasing research and analysis I tend to share on more of an internal or client-by-client basis here soon. More to come…