“The more I learn, the more I realize how much I don’t know.” - Albert Einstein
That statement appropriately encapsulates my journey through the realm of infosec thus far (~5 years), and I don’t expect that to change any time soon. I’ve had a number of people ask me how I ended up in the wonderful world of penetration testing, reverse engineering, exploitation development, etc. My answer never wavers - a healthy combination of curiosity and chance. Early in my collegiate career as a computer/software engineer, I had been exposed to the fundamentals of computer networking (mainly the inner workings of the TCP/IP and OSI reference models). At one point in the curriculum, my professor briefly described the mechanics of a Man-in-the-Middle attack. Naturally, I took it upon myself to conduct further research on my own time, which led me to the discovery of various open-source security tools, blog posts describing use cases for web proxies, the list goes on. This behavior intensified as I progressed through my undergraduate courses (e.g., computer architecture, modern cryptography).
Fast-forward a few years - I had experienced various positions at a few unique organizations. Data analysis, e-Discovery, software engineering. Although each and every one of these experiences were critical in building my technical skill set and further sharpening my problem solving skills, there still existed a seemingly unquenchable thirst for more knowledge. That’s when I decided to go back to school for my Masters and focus all of my efforts towards breaking into information security, hacking, whatever label you prefer. I was fortunate enough to attend courses delivered by multiple, well-respected security researchers, such as Alex Sotirov, Brad Antoniewicz, Aaron Portnoy, among others. Those two years ultimately kickstarted my shift in career path, leading me to where I am now.
I’m currently a member of the Red Team at a large tech company based out of Silicon Valley. Prior to my current position, I amassed over five years of experience as a consultant, where I took part in a wide spectrum of projects: external and internal network penetration testing, red team exercises and adversary simulation, social engineering, web/mobile/thick client application assessments, and much, much more. In my free time I enjoy participating in CTFs, tackling mobile bug bounties, furthering my exploit development and vulnerability research skills, adding a mountain of books and /netsec/ articles to my reading list, trying a new (IPA|.ipa), and occasionally flying Jetlevs…