Product Security and Penetration Testing · Toronto

Test the product before someone else does.

Senior security engineer focused on product security, cloud infrastructure testing, and vulnerability management. Define the methodology, own the pipeline, and make sure nothing ships with a hole in it. Use AI tooling because it actually makes the work better, not as a checkbox. 120+ bug bounty vulnerabilities on HackerOne.

120+ validated vulnerabilities
5+ years in security
10+ conference talks
What I Do

Product security and penetration testing for enterprise environments. Web applications, APIs, cloud infrastructure, containers. The work is time-sensitive because it sits in the release cycle. Test fast, find what matters, report it clearly, and move on.

The part most people skip is the pipeline. Findings come in from pentests, scanners, and external researchers. Someone needs to triage, validate, prioritize, and make sure product teams understand what to fix and why. That is where most of my value sits. Not just finding bugs, but running the process that turns findings into fixes.

120+ validated vulnerabilities on HackerOne. That research keeps me sharp on what real attack surfaces look like in production, not in a lab.

How I Work
01 · Understand the product first

Before testing starts, develop deep technical understanding of the feature, the architecture, and the threat model. Testing without context is just scanning with extra steps.

02 · Use AI where it helps

Claude and Gemini are part of the daily workflow. Recon automation, config analysis, attack vector generation, report drafting. Not a gimmick. Cuts hours off repetitive work so time goes to the findings that actually matter.

03 · Own the pipeline end to end

Testing is half the job. The other half is making sure findings get triaged, prioritized, and communicated so product teams act on them before the next release window closes.

Where I Have Worked
White Tuque, Offensive Security Specialist
Toronto · Oct 2024 to Present
Own the penetration testing methodology for enterprise clients. Cloud control plane assessments (AWS, GCP, Azure, Cloudflare), container security on Kubernetes, web and API testing, Terraform HCL auditing. Integrate Claude and Gemini into the team workflow. Run the vulnerability pipeline: triage, validate, advise product teams. Build tooling in Python and Go that the team adopted as standard. Mentor junior testers. 30+ engagements delivered.
ASEC (team joined White Tuque), Penetration Tester
Toronto · May 2024 to Oct 2024
Web, API, and cloud security assessments for fintech and SaaS clients. 150+ vulnerabilities. Built Python automation that cut assessment time by 40% and became the team standard.
HackerOne, Security Researcher
Remote · Feb 2022 to Present
120+ validated vulnerabilities on PayPal, Sony, AT&T, Airbnb, Booking.com. Web and API targets. Full PoCs, root cause analysis. Know what good triage looks like from both sides of the bug bounty pipeline.
Tooling
Cloud Config Auditor
Python · Internal
Validates IAM policies, resource permissions, and service configurations across AWS, GCP, and Azure. Parses Terraform HCL to flag misconfigurations before deploy.
API Authentication Checker
Burp Suite Extension · Open Source
Automates auth testing and privilege escalation detection at scale.
GraphQL SDL Generator
Python · Open Source
Schema reconstruction from introspection for attack surface mapping.
Assessment Automation Suite
Python, Bash · Internal
Cloud config validation, API fuzzing, Terraform audit checks. Eliminates toil so time goes to findings that matter. Used across the team.
Speaking and Community
SecTor 2025
Toronto
Presented security research on offensive techniques against smart buildings and IoT attack surfaces.
DEF CON Vancouver
Microsoft
API attack chains and auth exploitation patterns in production applications.
DEF CON Toronto (DC416)
Co-organizer
Run Toronto's DEF CON group. Monthly meetups, workshops, and talks.
TASK Toronto
Organizing committee
Toronto's Application Security and Knowledge conference.
Tools and Stack

Testing: Web apps, APIs (REST, WebSockets, GraphQL), cloud infra, containers, Terraform
Cloud: AWS, GCP, Azure, Cloudflare, Kubernetes (GKE, EKS, ECS)
Tools: Burp Suite Pro, Nuclei, Metasploit, Nmap, Wireshark
AI: Claude, Gemini, prompt engineering for security workflows
Languages: Python, Go, Bash
Frameworks: OWASP Top 10, MITRE ATT&CK, NIST, CVSS

Let's connect.

Product security engineer who owns the methodology and the pipeline.