Security Consulting · Toronto

Security consultant who tests like an attacker and reports like an advisor.

Most of my work is offensive security assessments for enterprise clients. Web apps, mobile apps, external networks, cloud environments, source code. The part that matters most to me is making sure the findings actually change something, whether that means sitting with a dev team or presenting to a CISO.

120+ validated vulnerabilities · 30+ client engagements delivered · 5+ years in offensive security · 4 conference talks
What I Do

Offensive security consulting for enterprise clients, mostly in financial services and SaaS. Web application assessments, mobile app testing on iOS and Android, external network pentests, cloud security reviews, and source code audits. I handle the full engagement from scoping through the final readout.

On the side, I do bug bounty research on HackerOne. 120+ validated vulnerabilities on companies like PayPal, Sony, AT&T, Airbnb, and Booking.com. Most of my best finds are multi-step attack chains on web and mobile targets.

The thing I care about most in consulting is the report. Not because I love writing, but because a finding that doesn't change anything was a waste of everyone's time. I write differently for a developer than I do for a CISO, and I've gotten good at making both of them act on the same issue.

How I Work
01 · Understand the target first

Before testing starts I want to know what the client actually cares about protecting. Threat model the business, not just the app. Use real threat intel to figure out who would target this client and how.

02 · Go deeper than scanners

Scanners find the easy stuff. Source code review, manual testing, and understanding how the app actually works is where the real findings come from. Business logic, auth design, trust boundaries.

03 · Make findings stick

A report that sits in a drawer is useless. Frame findings so the dev team knows what to fix and the executive knows why to fund it. Follow up. Make sure something actually changed.

Where I've Worked
White Tuque, Security Consultant
Toronto · Oct 2024 to Present
30+ engagements for enterprise clients. Web, mobile, network, cloud, source code review. Juggle 3-4 at a time. Write reports for CISOs and legal counsel. Build offensive tooling the rest of the team reuses. Mentor junior consultants. Recognized by the Ontario Provincial Parliament for protecting critical digital infrastructure.
ASEC (team later joined White Tuque), Penetration Tester
Toronto · May 2024 to Oct 2024
Application security assessments for fintech and SaaS. Web, mobile, API, cloud. Found 150+ vulnerabilities. Built Python automation that cut assessment effort by 40% and became the team standard.
HackerOne, Security Researcher
Remote · Feb 2022 to Present
120+ validated vulnerabilities on PayPal, Sony, AT&T, Airbnb, Booking.com. Web and mobile targets. Full PoCs with business impact. Multi-step chains, not just single bugs.
Projects
API Authentication Checker
Burp Suite Extension · Open Source
Automates auth bypass and privilege escalation testing. Built it because I was doing the same manual checks on every engagement.
View on GitHub
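The kind of check a tool like the API Authentication Checker automates, shown here as an added Python example rather than the extension's own code: every recorded request is replayed under each identity (privileged baseline, low-privilege user, unauthenticated) and the responses are compared with the baseline after masking per-request noise such as request IDs. Any endpoint that hands a lower-privilege identity the privileged response verbatim is flagged. The paths, token values and the fake_send stand-in for the target are all constructed for this example.

```python
"""Differential authorization check (added example, not the Burp extension's code)."""
import itertools
import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Request:
    method: str
    path: str


@dataclass
class Response:
    status: int
    body: str


# Identities to replay each request under. "admin" is the privileged baseline.
# Token values are constructed for this example.
IDENTITIES: dict = {
    "admin": {"Authorization": "Bearer admin-token"},
    "user": {"Authorization": "Bearer user-token"},
    "anon": {},
}

# Fields that legitimately differ between two otherwise identical responses.
VOLATILE = re.compile(r'"(request_id|generated_at)":\s*"[^"]*"')


def normalize(body: str) -> str:
    """Mask per-request noise so two authorised responses compare equal."""
    return VOLATILE.sub(r'"\1": "<volatile>"', body)


def classify(baseline: Response, candidate: Response) -> str:
    """denied / same-as-baseline / different, relative to the privileged response."""
    if candidate.status in (401, 403):
        return "denied"
    if candidate.status == baseline.status and normalize(candidate.body) == normalize(baseline.body):
        return "same-as-baseline"
    return "different"


def check_endpoints(requests, send: Callable, identities=IDENTITIES, baseline="admin"):
    """Return (method, path, identity) for every request that a lower-privilege
    identity can replay and receive the privileged identity's response verbatim."""
    findings = []
    for req in requests:
        base = send(req, identities[baseline])
        if base.status >= 400:
            continue  # the privileged user is refused too: nothing to escalate to
        for name, headers in identities.items():
            if name != baseline and classify(base, send(req, headers)) == "same-as-baseline":
                findings.append((req.method, req.path, name))
    return findings


# Constructed stand-in for the target application so the example runs offline.
_ids = itertools.count(1)


def fake_send(req: Request, headers: dict) -> Response:
    token = headers.get("Authorization", "")
    if not token:
        return Response(401, '{"error": "unauthenticated"}')
    role = "admin" if token == "Bearer admin-token" else "user"
    rid = f"r-{next(_ids)}"
    if req.path == "/api/me":
        return Response(200, f'{{"role": "{role}", "request_id": "{rid}"}}')
    if req.path == "/admin/users":
        if role != "admin":
            return Response(403, '{"error": "forbidden"}')
        return Response(200, f'{{"users": ["alice", "bob"], "request_id": "{rid}"}}')
    if req.path == "/admin/export":
        # Requires a token but never checks the role: the bug the checker should catch.
        return Response(200, f'{{"rows": 2, "request_id": "{rid}"}}')
    return Response(404, "{}")


RECORDED = [Request("GET", "/api/me"), Request("GET", "/admin/users"), Request("GET", "/admin/export")]

if __name__ == "__main__":
    for finding in check_endpoints(RECORDED, fake_send):
        print("privilege escalation:", *finding)
```

A "different" 200 is not a clean result either: an endpoint that returns a partial or per-user view to a lower role still needs a manual look, and the unauthenticated row in particular should be reviewed for anything other than a 401.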
GraphQL SDL Generator
Python · Open Source
Reconstructs GraphQL schemas from introspection endpoints. Map the full attack surface before diving into manual testing.
View on GitHub
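The core of rebuilding a schema from introspection, as an added Python example (not the GraphQL SDL Generator's own code): walk the __schema.types list, unwrap NON_NULL and LIST wrappers into SDL notation, and skip the built-in scalars and __-prefixed meta types so only the application's own surface is printed. The introspection payload below is constructed, and deliberately includes a deleteUser mutation of the sort that is easy to miss when only the documented queries are tested.

```python
"""Introspection JSON -> GraphQL SDL (added example, not the project's code)."""
BUILTIN_SCALARS = {"Int", "Float", "String", "Boolean", "ID"}


def type_ref(t: dict) -> str:
    """Unwrap NON_NULL/LIST wrappers into SDL notation, e.g. [User!]!"""
    if t["kind"] == "NON_NULL":
        return type_ref(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_ref(t["ofType"]) + "]"
    return t["name"]


def render_args(args) -> str:
    if not args:
        return ""
    parts = []
    for a in args:
        s = f"{a['name']}: {type_ref(a['type'])}"
        if a.get("defaultValue") is not None:  # introspection returns defaults as GraphQL literals
            s += f" = {a['defaultValue']}"
        parts.append(s)
    return "(" + ", ".join(parts) + ")"


def render_type(t: dict):
    """SDL for one type, or None for built-in scalars and __ meta types."""
    kind, name = t["kind"], t["name"]
    if name.startswith("__") or (kind == "SCALAR" and name in BUILTIN_SCALARS):
        return None
    if kind == "SCALAR":
        return f"scalar {name}"
    if kind == "ENUM":
        body = "\n".join(f"  {v['name']}" for v in t.get("enumValues") or [])
        return f"enum {name} {{\n{body}\n}}"
    if kind == "UNION":
        return f"union {name} = " + " | ".join(p["name"] for p in t.get("possibleTypes") or [])
    if kind == "INPUT_OBJECT":
        body = "\n".join(f"  {f['name']}: {type_ref(f['type'])}" for f in t.get("inputFields") or [])
        return f"input {name} {{\n{body}\n}}"
    keyword = "interface" if kind == "INTERFACE" else "type"
    impl = (" implements " + " & ".join(i["name"] for i in t["interfaces"])) if t.get("interfaces") else ""
    body = "\n".join(
        f"  {f['name']}{render_args(f.get('args'))}: {type_ref(f['type'])}" for f in t.get("fields") or []
    )
    return f"{keyword} {name}{impl} {{\n{body}\n}}"


def introspection_to_sdl(payload: dict) -> str:
    schema = payload["data"]["__schema"]
    roots = [("query", schema.get("queryType")), ("mutation", schema.get("mutationType")),
             ("subscription", schema.get("subscriptionType"))]
    blocks = ["schema {\n" + "\n".join(f"  {op}: {ref['name']}" for op, ref in roots if ref) + "\n}"]
    for t in sorted(schema["types"], key=lambda x: x["name"]):
        rendered = render_type(t)
        if rendered:
            blocks.append(rendered)
    return "\n\n".join(blocks)


# Helpers for building a constructed introspection response (same shape a server returns).
def _named(kind, name): return {"kind": kind, "name": name, "ofType": None}
def _non_null(t): return {"kind": "NON_NULL", "name": None, "ofType": t}
def _list(t): return {"kind": "LIST", "name": None, "ofType": t}


ID, STR, INT, BOOL = (_named("SCALAR", n) for n in ("ID", "String", "Int", "Boolean"))

SAMPLE_INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"}, "mutationType": {"name": "Mutation"}, "subscriptionType": None,
    "types": [
        {"kind": "OBJECT", "name": "Query", "interfaces": [], "fields": [
            {"name": "user", "args": [{"name": "id", "type": _non_null(ID), "defaultValue": None}],
             "type": _named("OBJECT", "User")},
            {"name": "users", "args": [{"name": "first", "type": INT, "defaultValue": "10"}],
             "type": _non_null(_list(_non_null(_named("OBJECT", "User"))))},
        ]},
        {"kind": "OBJECT", "name": "Mutation", "interfaces": [], "fields": [
            {"name": "deleteUser", "args": [{"name": "id", "type": _non_null(ID), "defaultValue": None}],
             "type": _non_null(BOOL)},
        ]},
        {"kind": "OBJECT", "name": "User", "interfaces": [{"name": "Node"}], "fields": [
            {"name": "id", "args": [], "type": _non_null(ID)},
            {"name": "email", "args": [], "type": _non_null(STR)},
            {"name": "role", "args": [], "type": _non_null(_named("ENUM", "Role"))},
            {"name": "createdAt", "args": [], "type": _non_null(_named("SCALAR", "DateTime"))},
        ]},
        {"kind": "INTERFACE", "name": "Node", "fields": [{"name": "id", "args": [], "type": _non_null(ID)}]},
        {"kind": "ENUM", "name": "Role", "enumValues": [{"name": "USER"}, {"name": "ADMIN"}]},
        {"kind": "SCALAR", "name": "DateTime"},
        ID, STR, INT, BOOL,
        {"kind": "OBJECT", "name": "__Schema", "fields": []},
    ]}}}

if __name__ == "__main__":
    print(introspection_to_sdl(SAMPLE_INTROSPECTION))
```

Feed it the JSON from a full introspection query and the output is a readable SDL you can diff against the documented API; the undocumented mutations and input types are usually where the interesting manual testing starts.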
Speaking & Community
SecTor 2025
Toronto
Presented on red teaming smart buildings. How physical security and IoT attack surfaces intersect.
DEF CON Vancouver
Microsoft
Talked about API attack chains and auth exploitation patterns found in production applications.
DEF CON Toronto (DC416)
Co-Organizer
Help run Toronto's DEF CON group. Monthly meetups, workshops, and talks.
TASK Toronto
Organizing Committee
On the organizing committee for Toronto's Application Security and Knowledge conference.
Tools & Stack

Testing: Web apps, mobile (iOS/Android), APIs, external networks, cloud (AWS, Azure, GCP), source code
Tools: Burp Suite Pro, Frida, MobSF, Objection, Nuclei, Metasploit, Cobalt Strike, Bloodhound, Nmap
Languages: Python, Go, JavaScript, Java, Swift, Bash, C, C++, Rust
Frameworks: OWASP Top 10, OWASP MASVS, MITRE ATT&CK, NIST, PTES, CVSS

Let's talk.

If you need a security consultant who can test it and explain it, let's connect.