Make sure it's us first. Red team operations, penetration testing, and AI security assessments — delivered by a practitioner, not a sales team.
Practical security testing with clear findings and actionable recommendations. No fluff, no checkbox compliance — real attack simulation.
We simulate a real adversary — not a checklist. Full-scope engagements that test your people, processes, and technology under realistic attack conditions.
Find exploitable weaknesses before attackers do. We cover internal networks, external perimeters, web applications, APIs, and wireless infrastructure.
Your AI systems are a new attack surface. We test LLMs, RAG pipelines, and agentic workflows for prompt injection, data exfiltration, and privilege escalation before you ship.
Tooling and TTPs from an authorized red team engagement. Real command chain, redacted data, running on loop. If you recognize this flow, we speak the same language.
// Commands recorded from an authorized engagement. Domain names, IP ranges, usernames, and hashes replaced with demo values. No real credentials displayed.
Every engagement follows the same four phases — end-to-end in about four weeks. Timelines scale with scope.
We define engagement boundaries, target scope, rules of engagement, and success criteria. A written scope agreement is signed before any technical work begins — stakeholders align on timelines, communication channels, and escalation paths.
Passive and active reconnaissance to map the full attack surface. We identify services, technologies, entry points, and likely weaknesses before any exploitation. For AI engagements, this includes model surface mapping and data-flow analysis.
Controlled, authorized exploitation to prove real impact — not theoretical risk. Every action is logged; nothing happens outside the written scope. Critical findings are reported immediately, not held for the final report.
Executive summary for leadership and a technical report for engineering — prioritized by CVSS severity, mapped to MITRE ATT&CK, with step-by-step remediation guidance. A live readout walks through findings; retest included within 30 days.
Table of Contents Outline EXEtoShellCode Shellcode Encoding ShellCode Loader Payload Obfuscatio...
Read →Table of Contents Outline Windows Defender Explanation LNK Proof of Concept - Bypassing 2023 Wi...
Read →Table of Contents Outline Domain and Server Setup Cloning and Setting Up NoPhish DNS and HTTPS Co...
Read →Table of Contents Outline Windows Defender Explanation Word Document VBA Macro Proof of Concept...
Read →Table of Contents Outline Antimalware Scan Interface Explanation Proof of Concept - Bypassing 2023...
Read →Offensive Privacy Engineer at a Fortune-500 U.S. tech platform · Red team operator, vulnerability researcher, and published author.
Every engagement is run by the same person you'll meet on the intro call. I currently work on the internal offensive privacy team at a major U.S. tech platform, and I take on a limited number of external engagements per quarter — each one hands-on, scoped in writing, and delivered with a report your team can actually act on.
My research has been acknowledged by NASA, the U.S. Department of Education, Harvard University, the Department of Homeland Security, and the United Nations through their formal vulnerability-disclosure programs. My writing on EDR evasion, payload development, and AI system security is published here and on conference circuits.
Written for technical leaders evaluating a red team or pentest engagement. If your question isn't here, reach out directly.
A pentest evaluates a defined asset — a web app, an API, a network segment — for exploitable vulnerabilities, measured by coverage and findings count. A red team engagement evaluates your organization's ability to prevent, detect, and respond to a goal-driven adversary ("achieve domain admin", "exfiltrate PII", "gain access to the wire transfer system"), measured by what we accomplished and what your security stack did about it. Red teams test people, process, and technology as a whole; pentests test a surface. If you've never had a pentest, start there — a red team on an untested surface produces findings you already knew.
You're ready when: (1) you have an established vulnerability management program and have remediated prior pentest findings, (2) you have a functioning SOC or MDR with defined detection and response processes, and (3) leadership is prepared to receive and act on findings about your team's response — not just your tooling. Earlier-stage organizations get more value from a targeted external network assessment or web app pentest first. I'll tell you honestly if I think a red team isn't the right engagement for you right now.
Detection is valuable — it's a data point, not a failure. When we're caught, we work with your designated "white cell" (a small internal group that knows the engagement is running) to decide: continue from a different angle, pivot to assumed-breach, or conclude and document the detection chain. Every action we take is logged with timestamps so your SOC can later reconstruct what triggered the alert and what passed undetected. The final report explicitly maps which TTPs were detected, which were not, and why.
Production testing is typical for red team engagements — that's where the threat lives. That said: no DoS testing, no destructive payloads, no data modification, and no exfiltration of real customer data beyond what's needed to prove access. All exploitation is contained to proving impact. For high-risk actions (credential spraying, lateral movement into finance systems, etc.) we coordinate a time window and maintain an emergency rollback contact throughout the engagement.
Success is measured on two axes: attacker outcomes (did we achieve the stated objectives, and how far did we get) and defender outcomes (which TTPs your controls caught, which they missed, how your response team performed). A "successful" engagement can look like a fast compromise with slow detection, or like a blocked attacker who revealed three detection-engineering wins. Both are findings worth paying for.
Minimum: a "white cell" of 2–4 people — typically the CISO, a senior security engineer who can authorize actions, and a legal/executive contact. Your SOC and broader security team should not be informed ahead of time — that's what makes the detection data meaningful. For engagements that include physical or social-engineering components, HR and physical security leadership are usually in the loop as well.
We adjust scope, not quality. If we discover during testing that the original objectives require more time (e.g., a new attack path emerges that's worth pursuing), I'll propose a written change order with added days and updated objectives — you approve or decline before any additional work. I won't extend engagements silently or leave work half-finished.
Optional, scoped separately. Phishing and pretexting campaigns can be added to a red team engagement; physical intrusion and vishing are available by request. For organizations with active awareness programs, we typically design multi-stage phishing simulations that measure both click-through and follow-on control performance (MFA bypass resistance, conditional access logging, response time). Social engineering is always run under written authorization and with a pre-defined abort criteria.
Every engagement includes: (1) an executive summary written for non-technical leadership with business impact framing, (2) a technical report with reproduction steps, screenshots, and CVSS-scored findings, (3) an attack timeline mapped to MITRE ATT&CK, (4) a remediation roadmap prioritized by effort and impact, (5) a live findings readout call with your engineering and security teams, and (6) a free retest within 30 days of report delivery to validate fixes.
Criticals don't wait for the report. The moment we identify something that poses immediate risk — active exposure of sensitive data, unauthenticated remote code execution, a credential leak — we pause exploitation, notify your white-cell contact within the hour, and include full reproduction details and a recommended immediate mitigation. You make the call on how to handle it. We continue the engagement around the finding.
Whether you need a pentest, red team engagement, or just want to understand your risk — reach out and we'll figure out the right scope together.