Offensive Security · Pentest Team Lead

I build offensive security teams and I stay on the keyboard.

I built an offensive security program from zero for a major insurance enterprise and I still spend 70-80% of my time testing. Web apps, APIs, mobile, cloud, IoT. I run purple team exercises with SOC teams and translate what I find into TTPs that blue teams can use. Currently looking to do this full-time for one company instead of twenty.

110+ validated vulnerabilities
$95K+ bug bounty earnings
20+ enterprise clients tested
5+ years in offensive security
What I do

I run offensive security engagements for enterprise clients, mostly in fintech and insurance. Penetration testing across web applications, APIs, mobile apps, cloud environments (AWS, Azure, GCP), and IoT/OT systems. I also do secure design reviews, security code reviews, and threat modeling.

The part I care about most is making the defensive side better. I lead purple team exercises with SOC and blue teams, simulate real attack scenarios, and work with security operations to tune SIEM and EDR rules based on what actually works. I map findings to TTPs and write detection recommendations so the things I find can be caught next time.

I've reported over 110 validated vulnerabilities to companies like PayPal, Sony, AT&T, and Airbnb through HackerOne. The focus is always on critical attack paths: access control, authentication, API flaws, business logic in financial workflows.

How I approach it
01 · Build the function first

I've built an offensive security program from scratch: methodology, tooling pipeline, reporting standards, hiring plan. I think about how the work scales before I start testing. A good program runs without me watching it.

02 · Stay hands-on

I spend 70-80% of my time doing actual testing. Custom Nuclei templates, manual testing in Burp Suite, security code reviews in parallel. I write Python and Go tooling to automate what can be automated and spend my time on the things that need a human.

03 · Feed the blue team

Pentest findings should make the SOC better. I run purple team exercises, validate detection coverage, and translate attack paths into TTPs and threat-hunting recommendations. If the defensive team can't catch what I did, the engagement isn't done.

Where I've worked
White Tuque, Offensive Security Specialist
Toronto · Oct 2024 to Present
Built the offensive security program for a major insurance enterprise from zero: methodology, tooling pipeline, reporting standards, hiring plan. Pentest 20+ enterprise clients across web, API, mobile, internal networks, cloud, and IoT/OT. Lead purple team exercises with client SOC teams. Coordinate teams of 2-4 testers. Wrote a Burp extension for authZ testing the team uses on every engagement. Work recognized by the Ontario Provincial Parliament.
ASEC (team joined White Tuque), Penetration Tester
Toronto · May 2024 to Oct 2024
Pentested fintech platforms under Nick Aleks, former Senior Director of Security at Wealthsimple and current Head of Security at Robinhood. Payment processors, neobanks, investment apps. Ran web, API, mobile, and network assessments. Worked with SOC teams to validate detection coverage against my attack paths. Built Python/Bash automation that cut manual effort by 40%.
HackerOne, Security Researcher
Remote · Feb 2022 to Present
110+ validated vulnerabilities across Fortune 500 platforms with over $95K in bounties. PayPal, Sony, AT&T, Airbnb, Booking.com. Focused on critical attack paths: access control bypasses, authentication flaws, API security, business logic in complex applications.
Projects
API Authentication Checker
Burp Suite Extension · Open Source
Tests authentication and authorization flaws across API endpoints. Built it because I was doing the same manual checks on every engagement and got tired of repeating myself.
GraphQL SDL Generator
Python · Open Source
Pulls and reconstructs GraphQL schemas from introspection endpoints. Maps out the full attack surface before manual testing.
Osintgram Fixed
Python · Open Source
Forked the original Osintgram OSINT framework, fixed broken dependencies, and added functionality. Maintained because the original was abandoned and people still use it.
Offensive Security Toolkit
Private Repository
Custom Nuclei templates, automation scripts, and recon playbooks built from patterns across 20+ enterprise engagements. Includes purple team exercise frameworks and detection validation tooling.
Speaking & Community
SecTor 2025
Toronto
"When Hackers Meet Burglars: Red Teaming the Smart Building." IoT/OT firmware reverse engineering, embedded system exploitation, and attack path identification in smart building infrastructure.
DEF CON Vancouver
Microsoft
Real-world API attack chains and kill chain analysis from bug bounty research. Got to present to a room full of people who also enjoy breaking things.
DEF CON Toronto (DC416)
Co-Organizer
I help run Toronto's DEF CON group. Manage speakers, sponsors, venue logistics, and outreach for 200+ monthly attendees.
TASK Toronto
Organizing Committee
On the organizing committee for Toronto's application security community.
Tools & Stack

Testing: Web apps, APIs, mobile (iOS/Android), internal networks, cloud (AWS, Azure, GCP), thick-client, IoT/OT
Languages: Python, Go, Bash, PowerShell, Java, .NET/C#
Tools: Burp Suite Pro, Metasploit, Cobalt Strike, Nmap, Wireshark, BloodHound, Nuclei, Frida, Ghidra
Infra: Docker, Kubernetes, Terraform, Linux, Windows, CI/CD
Frameworks: OWASP Top 10, SANS Top 25, MITRE ATT&CK, NIST 800-53, PCI-DSS, PTES

Let's talk.

If you're building an offensive security team and want someone who stays hands-on, I'd like to hear about it.