Years Experience
CVEs Discovered
Public Speaking
Press Mentions
BREAKING
TO DEFEND
Senior security researcher working across vulnerability research, threat intelligence, and AI security. I break systems the way real attackers do, from core internet infrastructure like DNS and glibc to browsers, web platforms, and LLMs, and turn those findings into practical defenses, threat reports, and education so organizations can stay ahead of attackers.
Core Expertise
HIGHLIGHTS
HashJack Research
First known indirect prompt injection technique weaponizing URL fragments to manipulate AI browser assistants. Covered by Forbes, The Register, and The Hacker News.
Apple WebKit Vulnerabilities
Two flaws in Apple WebKit (CVE-2026-28917, CVE-2026-28962): a memory-safety crash and an information disclosure issue, both fixed in Safari 26.5.
Operation Poisson
A 33-day French-speaking cybercrime operation captured command-by-command, revealing how a junior operator used Tailscale and OpenSSH to keep access after his C2 went offline. Covered by The Hacker News.
MongoDB Hall of Fame
Pre-authentication denial of service in MongoDB Server (CVE-2026-25611, High severity) and induction into the MongoDB Security Researcher Hall of Fame.
Core Infrastructure CVEs
A 2026 run of vulnerability discoveries across the internet's backbone: BIND 9, PowerDNS, Jenkins, WordPress, and Google Chrome.
RECOGNITION & CVE DISCOVERIES
PRESS
RESEARCH21
Cato CTRL Threat Research: Operation Poisson - Analyzing a Cybercriminal's Entire Operation
Post-incident analysis of Operation Poisson, a 33-day campaign by a junior French-speaking threat actor against four individuals and a French automotive business. Captured command-by-command after the operator left SSH keys and a playbook in an open bucket, it shows how free-tier Havoc C2, a Python keylogger, and Tailscale plus OpenSSH built persistence that survived the C2 going offline.
SPEAKING11
HashJack: Exploiting URL Fragments to Hijack AI Browser Assistants
An indirect prompt injection technique that hides malicious instructions in URL fragments to hijack AI browser assistants, with real attack scenarios and defensive guidance.
MY BLOG12
glibc wordexp() Memory Initialization Flaw - CVE-2025-15281
A 26-year-old Use-After-Free vulnerability in glibc's wordexp() function when using WRDE_REUSE and WRDE_APPEND flags together, affecting versions 2.0 through 2.42.
Get in touch
Lectures, interviews, or collaborations?
Always open to discussing new opportunities, interesting projects, or just chatting about security and AI.




