Technical writing, research notes, and selected experience.
Staff engineer building modern Windows endpoint security systems.
Staff software engineer with more than a decade of experience across Windows kernel development, endpoint detection, CNO tooling, malware development, vulnerability research, and agentic AI workflows.
Featured Security Work
ObfTypes
A C++26 header-only library providing compile-time polymorphic variants of standard integral types for signature evasion and anti-analysis.
DirectSyscallDetector / Nirvana v2
A native x64 Visual Studio project for return-provenance detection of raw and gadgeted direct syscalls using process instrumentation callbacks, ThreadLastSystemCall, and PHNT-backed signature metadata.
Selected Experience
2025 - Present
IRU
Staff Engineer
Leading the development of a greenfield EDR product, focusing on the Windows Agent and Driver components.
- Architecting a greenfield Windows kernel-mode telemetry driver designed for low-overhead endpoint visibility at production scale.
- Developing the user-mode agent component in modern C++ for resilient threat detection.
- Implementing agentic AI workflows to accelerate driver validation and EDR feature development.
- Establishing foundational engineering and testing paradigms for the new platform.
2022 - Present
Real American Security
Founder / Software Engineer
Independent consultancy and product development focusing on DoD consulting, C++ obfuscation research (ObfTypes), and building a scalable video game analytics platform.
- Built production backend APIs and data-intensive web services in Python and .NET for analytics-driven applications.
- Designed scalable data infrastructure with ClickHouse, Redis, and PostgreSQL to support high-volume ingestion, low-latency access, and large-scale analytical querying.
- Developed data pipelines and backend workflows powering user-facing analytics and application features, with end-to-end ownership across architecture, implementation, deployment, and iteration.
2024 - 2026
Sophos / SecureWorks
Principal Software Engineer
Leading Windows agent and EDR platform work across kernel and user mode, with a focus on exploit-aware telemetry, defensive hardening, and practical platform modernization.
- Architected enterprise EDR capabilities across kernel and user mode
- Established AI-assisted workflows and engineering standards across a large legacy codebase
- Built crash-dump and behavioral-analysis utilities for production defense
2022 - 2024
Raytheon Cyber
Senior CNO Software Engineer
Developed advanced CNO tooling and led research into evasion, anti-analysis, and validation infrastructure across multiple operating systems.
- Built implants, loaders, and supporting command-and-control infrastructure
- Researched hypervisor-based and hardware-assisted evasion techniques
- Introduced automated testing and CI patterns inside constrained environments
2020 - 2022
National Security Agency
Software Engineer / Systems Vulnerability Analyst
Worked across red- and blue-team assessments, supply-chain research, vulnerability analysis, and technical reporting for senior stakeholders.
- Contributed to work referenced in senior-level cyber policy discussions
- Researched SolarWinds-class attack paths and defensive replication strategies
- Performed reverse engineering, application security audits, and tool evaluation
Technical Writing
View AllJune 30, 2026
Nirvana v2: Electric Boogaloo
A kernel-grounded detector for raw and gadgeted direct syscalls using process instrumentation callbacks, runtime syscall catalogs, ThreadLastSystemCall, and return-provenance matching.
May 3, 2026
The Shape of an Operation Is a Signature: Inside ObfTypes
How compile-time equivalence classes, seeded operator variants, SIMD backends, and Z3 proofs can shift brittle static signatures without pretending behavior disappears.
June 3, 2026
WerFault Internals Part I: Why WerFault.exe Is Late Crash Telemetry
A reverse-engineering walk through normal user-mode crash reporting, from kernel exception dispatch through in-process WER state, service coordination, and crash-vertical worker creation.
March 23, 2026
Firmware Bring-Up Is the Hard Part: AI-Assisted Router Emulation and 3 0-Days
A disclosure-safe look at using rootless Podman, QEMU user-mode, proot, and AI-assisted triage to build an evidence-preserving firmware lab before trusting router vulnerability findings.