Career & Security Expertise¶
Staff Security Engineer @ Polymarket¶
Current Focus: Exchange Security Architecture, Key Management & Supply Chain Integrity
At Polymarket, the world's largest prediction market, I work within the security team defending a hybrid on-chain/off-chain exchange where markets settle real-world outcomes with real money at stake. The attack surface spans the full spectrum — non-custodial smart contract infrastructure on Polygon (CTF Exchange), operational key material, a high-traffic web frontend, and the vendor ecosystem behind it — and my focus is helping make every layer of it hostile territory for an attacker, from the signing ceremony to the browser.
- Cryptographic Key Management: Architecting HSM-backed signing infrastructure for operational wallets — hardware-enforced key custody, policy-based transaction approval, wallet segmentation by blast radius, and quorum controls so no single compromised credential can move funds.
- Frontend & Supply Chain Integrity: Hardening the web delivery pipeline against client-side attacks — Subresource Integrity, strict Content Security Policy, third-party JavaScript governance, dependency pinning with provenance verification, and CI/CD integrity controls.
- On-Chain Threat Detection: Building monitoring for the CTF Exchange architecture — order settlement correctness, atomic swap invariants between outcome tokens and collateral, operator key behaviour, and oracle-resolution integrity for market settlement — correlating on-chain signals with infrastructure telemetry to separate real exploit activity from noise.
- Nation-State Threat Research: Reverse engineering malware campaigns from actors targeting the crypto space, prioritising behavioural analysis over short-lived static indicators. Findings become durable detection logic: SIEM correlation rules (Sumo Logic) and Custom IOAs in CrowdStrike that break the threat chain at execution time.
- Incident Response & Vendor Risk: Contributing to detection engineering and response operations tuned to the current Web3 threat landscape, and helping establish security review gates for every external dependency that touches production — because in Web3 your perimeter includes everyone you trust.
- Certifications: I hold the CW3H (Certified Web3 Hacker) and Certified Smart Contract Auditor designations.
Professional Journey¶
With over 18 years in software development and 13 years dedicated to the Secure Software Development Lifecycle (SSDL), I have built a career at the intersection of engineering and elite-level security.
Web3 Protocol Security & Defensive Operations¶
- Aave Labs (previous role): Owned the full security perimeter of a leading DeFi protocol — smart contract invariant monitoring (Tenderly, across V3 solvency guarantees and V4's Hub-Spoke architecture), behavioural anomaly detection (Hypernative), and a Sumo Logic SIEM correlating on-chain and infrastructure signals to distinguish real exploit activity from false positives. Bridged offensive tradecraft — deep-dive audits and penetration tests on web3 apps and smart contracts — with high-fidelity defensive operations.
Offensive Security & Threat Simulation¶
- AttackIQ (6 years ago): Focused on offensive security and Breach & Attack Simulation (BAS). I specialized in automating threat actor scenarios under the MITRE ATT&CK framework, providing customers with actionable intelligence on their security control effectiveness, mastering controls like Splunk and Crowdstrike.
Security Engineering & Operations¶
- Qustodio (10 years ago): Transitioned to a Blue Team operations role, where I spearheaded security architecture and engineering projects.
- Telefónica R+D (13 years ago): Early career focused on SSDL and web development, laying the foundation for my expertise in secure coding and systems design.
Core Security Pillars¶
1. Security Architecture & Hardening¶
- Cloud & Infrastructure: Expert-level knowledge of AWS, with deep experience in Azure, GCP, and OpenStack. I design secure network, compute, and storage architectures.
- Container Security: Orchestrating secure environments using Docker and Kubernetes.
- Distributed Systems: Applying patterns like Saga, CQRS, and Sharding within a security-first framework.
- Protocols: Low-level mastery of TCP/IP, TLS, HTTP/S, and specialized protocols like SPICE.
2. Web3 & Smart Contract Security¶
- Languages: Expert in Solidity and EVM opcodes, Python, and NodeJS.
- Auditing: Comprehensive smart contract exploit development and auditing (EVM).
- Cryptography: Deep understanding of DLP, Factorization, and primitives (SHA, AES, RSA, ECC). Currently preparing for new Post-Quantum Cryptography (ML-KEM/Lattice-based).
3. Engineering & Research¶
- Low-Level & Performance: Development in Assembly x86-64, C, Rust, and Go.
- AI/Agentic: Implementing Secure Architectures for agents to use wallets without compromising the private key with HSM, and securing the rest of the secrets.
- Data Analysis: Leveraging Python (Pandas, TensorFlow, Jupyter) for security data science and alerting automation.
Featured Security Research¶
- Golang Memory Injection - Techniques for process memory manipulation.
- Rust/Go Fast Blind SQLi - High-performance exploitation tools.
- Python Buffer Overflows - Research on legacy memory corruption.
- Assembly Integration (Rust/Go) - Low-level optimizations and security-focused implementations.
