red team, vuln research, adversary emulation

Break systems the way real attackers do, then harden them for the real world.

I work across web, cloud, firmware, ICS, and AI. When it matters, I operate like a nation-state, document like an auditor, and deliver like a product team.

request an engagement view services

20+ yrs

offensive security

zero-days

firmware, mobile, PKI

remote-first

air-gapped friendly

ops-console

$ whoami
operator

$ mission
adversary emulation + exploit research + fix guidance

$ scope
web | cloud | k8s | firmware | scada/ics | automotive | ai

$ deliverable
evidence + reproduction + mitigation + exec briefing

$ status
ready

MITRE ATT&CK mapped

OWASP aligned

NIST-friendly outputs

supply-chain aware

Services

Work packages that mirror how advanced operators actually compromise environments, then convert that reality into measurable risk reduction.

Red Team Operations

Objective-based intrusion, lateral movement, and impact simulation with clean reporting and defensible evidence.

adversary emulation plans
phishing or pretexting (optional)
operator tradecraft with safety rails

Vulnerability Research

Deep technical discovery in complex targets where scanners stop working.

firmware, RF, and embedded analysis
cloud and identity edge cases
coordinated disclosure support

AI and LLM Security

Attack and harden AI systems, pipelines, and assistants, including on-prem or restricted environments.

prompt injection and data egress testing
agent and toolchain abuse
guardrails and SDLC integration

Cloud, Web, and CI/CD

Assessment and remediation guidance for modern delivery stacks, from nginx to Kubernetes.

authn/authz breaks
secrets and build pipeline risks
security headers and TLS posture

ICS and Automotive

Specialized work in environments where safety, uptime, and physical impact matter.

SCADA lab style testing
CAN/UDS and embedded systems
controls for segmented networks

Executive Briefings

Board-ready narratives without removing the technical truth.

threat story and impact
prioritized roadmap
risk acceptance artifacts

Approach

A repeatable loop that keeps the work safe, measurable, and useful to engineering and leadership.

Define outcomes

Pick objectives, constraints, and “stop conditions” before testing starts.

Operate like an adversary

Use real TTP patterns, not just checklists, then capture evidence with minimal disruption.

Convert findings into fixes

Repro steps, root cause, and practical mitigations, mapped to frameworks when needed.

Prove closure

Validate remediations, retest key paths, and provide a closure statement you can defend.

Signal

Short, sharp points that set expectations and filter serious clients from tire-kickers.

Operational security matters

No tracking pixels, no third-party analytics, no CDN dependencies. This site is designed to be boring for attackers.

Evidence over ego

Findings include reproduction steps, impact, and fix guidance. “Cool hacks” that do not drive risk reduction are noise.

Remote-first delivery

Secure access patterns, tight scoping, and clear comms. Air-gapped work is fine, if the rules are clear.

Background snapshot

20+ years across offensive security, vulnerability research, red team leadership, SCADA and ICS, automotive targets, and AI security tooling.

Contact

Use email for first touch. For sensitive details, request PGP.

Engagement request

hello@blackbagsecurity.com

If you are ready, include scope, timeline, and environment constraints.

Security

Vulnerability disclosure details live in /.well-known/security.txt.

view security.txt

Blog

Long-form writeups and technical notes.

open blog