Merging Offensive Security with GRC

Primarily offensive security—web apps, infrastructure, Active Directory. I also do GRC because understanding how controls fail makes the testing sharper. Most practitioners pick one. I started with the technical side and built the governance layer on top of it. That order matters.

  • Certified: eJPTv2 · eCPPTv3 · eWPTXv3 (soon) · ISO/IEC 27001 Lead Auditor · ISO/IEC 42001 Lead Auditor & Implementer

What I do

I work with teams that actually care about security—not the ones collecting certifications for the sales deck—and with companies building programs that have to hold up when someone real comes testing.

  • Web Application Penetration Testing

    Full OWASP Top 10 coverage, working manually with Burp Suite. Scope is built around what's actually reachable and exploitable. Findings are prioritized by real attack likelihood and impact. Retesting included once you've patched.

    • SQL injection, command injection, LFI
    • Authentication flaws and business logic abuse
    • XSS, IDOR, and access control issues

  • Infrastructure & Active Directory Testing

    End-to-end methodology: enumeration → initial access → privilege escalation → post-exploitation. You get a clear picture of how far an attacker actually gets, not just what's theoretically possible.

    • Network enumeration, lateral movement, post-exploitation — Linux and Windows
    • Kerberoasting, AS-REP Roasting, Pass-the-Hash, Pass-the-Ticket
    • SMB relay, LLMNR poisoning, DCSync, Golden/Silver Ticket
    • ACL abuse, ADCS misconfigurations (ESC1, ESC8)

  • ISO/IEC 27001 Implementation

    From scope definition through certification readiness. Built for your environment, not copied from a template. The goal is a program that holds up after the audit, not one designed just to pass it.

    • Policies, risk treatment plan, and Statement of Applicability
    • Evidence model and control documentation
    • Internal audit preparation and corrective action tracking

    Note: I implement or I audit—not both for the same client.

  • ISO/IEC 42001 AI Governance

    If your organization uses AI systems and has nothing on paper to show for it, regulators and enterprise buyers are starting to notice. I help you build something you can actually put in front of an auditor or your board.

    • AIMS scope definition and risk workflows
    • Accountability structures and role documentation
    • Audit-ready evidence and policy documentation

  • GRC & Security Advisory

    Risk assessments, IT general controls, gap analysis—approached from how attackers actually think, not from how a questionnaire is structured. Findings written so your team can act on them, not file them away.

    • Control gap analysis and risk treatment
    • Threat modeling grounded in real attack paths
    • Audit reporting and corrective action verification

Let's talk

Write to me in English or Spanish. If I'm not the right fit, I'll say so.