Offensive security for organizations that want more than scan output
Deep manual engagements, not scanner reruns. Clear reports, direct access, and every fix walked through with your engineers.
Penetration testing
Web apps, APIs, mobile, cloud, internal infrastructure. Every engagement is hands-on: reading code, chaining findings, validating impact. Scanners run in the background; the real work is the parts they miss.
What's included
- Written scope and rules of engagement
- Manual testing backed by bug-bounty methodology
- Findings report with severity, reproduction, business impact
- Retest of fixes included
- Debrief call with your engineering team
Good fit if
- Preparing for ISO 27001, SOC 2, or PCI audit
- Shipping a new product and want a second opinion before launch
- Previous pentests felt like scanner output with a cover page
- You need NDA + signed SoW before engaging
Full-scope pentest
A broader engagement than a single-app pentest: I test the whole company's external attack surface end to end. Think of it as a smaller, time-boxed red team: real attacker behaviour and realistic paths in, but weeks instead of months.
What's included
- External perimeter: all public-facing assets
- Web apps + APIs across subdomains
- Cloud configuration review (AWS / GCP / Azure)
- Chained-attack narrative: how an attacker would actually get in
- Executive summary + technical report + debrief
Good fit if
- You want a company-wide picture, not a single-app report
- A multi-month red team is overkill or out of budget
- You want a priority list mapped to business impact, not CVSS
- Previous pentests covered one asset at a time and missed the chains
LLM / GenAI red team
If you're shipping a customer-facing LLM assistant, agent or RAG pipeline, the attack surface includes prompt injection, system-prompt leakage, unauthorized tool calls, data exfiltration via outputs, and PII disclosure from training or retrieval context. I test all of those against real production systems.
What I test
- Prompt injection (direct, indirect, tool-mediated)
- System-prompt extraction
- Unauthorized function / tool calls
- Cross-user data leakage in multi-tenant deployments
- Input / output filter bypass
Credentials
- Certified AI/ML Pentester (The SecOps Group)
- Red Teaming LLM Apps (DeepLearning.AI)
- Active research on production GenAI systems
Mentoring & private training
200+ students trained, 9.5/10 average rating. I work with junior bug bounty hunters, career changers moving into offensive security, and internal teams who want to shift from scanner-driven to manual testing.
1:1 mentoring
- Bug bounty methodology + report writing
- Career guidance, CV and LinkedIn review
- Real-time code review of findings
- Monthly or ad-hoc sessions
Private team training
- Tailored curriculum for your team's stack
- Live sessions, hands-on labs, homework between
- Topics: recon, web, APIs, cloud, LLM red teaming
- Outcome: your devs start finding bugs before I do
Conference talks & speaking
Available for talks at conferences, universities and meetups. Topics: offensive security, bug bounty methodology, CVE research, LLM red teaming, careers in security. Bilingual (English / Spanish). In-person in Spain, remote everywhere else.
Frequently asked
Do you sign NDAs?
Always, before any scoping call that touches sensitive info. I have a standard mutual NDA I can send, or I sign yours.
Do you work directly with clients or through security companies?
Both. Most engagements are direct, but I also collaborate with security consultancies that outsource specific pentests when they need extra hands or a specialist profile. Either way you get the same person doing the work.
How much does a pentest cost?
Depends on scope and duration. A focused web-app or API engagement typically ranges from a few days to a few weeks. I give a fixed quote after a free 30-min scoping call.
Do you work with small companies or only enterprises?
Both. Scope and pricing adapt. A small SaaS with 10 engineers gets as much attention as a 10,000-employee enterprise — just with narrower scope.
When are you available?
Independent work is my spare-time practice, so scheduling is more limited than at a full-service firm. I typically book 4-8 weeks out. For urgent engagements, ask — I sometimes have slots sooner.
Let's scope something
Email for a detailed inquiry, or book a free 30-min scoping call to see if we're a fit.