Experience
Last Updated: Jun 27, 2025
Senior Web Application Penetration Tester
Virtue Security | June 2025 - Present
tbd… :)
Offensive Application Security Analyst
Citibank | Total Tenure of 4+ years (July 2021 - June 2025)
These are tasks I performed regularly, regardless of position at Citibank.
- Performed white and grey box penetration tests with DAST tools including Burp Suite Pro, AppScan, ReadyAPI, SQLmap, and Kali Linux on web applications, APIs, databases, thick clients, and Android apps.
- Conducted code reviews and vulnerability assessments on web applications, APIs, thick clients, and SaaS applications using tools such as Checkmarx, Qualys, Metasploit, and Nessus.
- Performed infrastructure scanning to identify vulnerabilities and ensure robust security measures.
- Created reports and collaborated with application teams to address reported issues and provide actionable remediation guidance.
Vice President - 2025
- Led VA’s pentesting analysis of different API DAST solution providers in an effort to empower developers to shift left and improve the security of their applications.
- Automated the triage tracking process for the Private Bug Bounty program and Vulnerability Disclosure Program using Python, significantly reducing manual effort and improving efficiency.
- Successfully managed the Skybox platform after it imploded until we could transition to ServiceNow for systemic vulnerability management on internally tracked software and systems.
- Onboarded Citi to HackerOne for an additional Private Bug Bounty program, enhancing the security testing capabilities and expanding the scope of vulnerability discovery.
Assistant Vice President - 2024
- Identified most Priority risk issues in NAM AVA for 2024.
- Helped identify and develop scan checks for CVE-2024-36459.
- Established a process for triaging issues for Citi’s invite-only Private Bug Bounty program and Vulnerability Disclosure Program through BugCrowd.
- Continued to develop the internal Burp Suite extension for the team (JAVA).
- Started to support development for internal reporting software (C#/.NET).
- Completed volunteering for Static Code Analysis team.
Officer - 2022-2023
- Discovered 10% of the total High-Impact Priority vulnerabilities globally at Citi in 2023 and surpassed all other testers in the NAM region in both quantity and severity of the identified issues.
- Presented several vulnerabilities found during testing and held “tech talks” for NAM Application Vulnerability Assessment teams.
- Developed several custom Burp Suite extensions using the new Montoya API to improve testing capabilities and efficiency, including integration with ChatGPT.
GFT Java Software Engineer
Citibank | July 2021 - July 2022
- Led a successful migration from Solr to Elasticsearch for an internal search engine, leveraging Java and Angular technologies.
- Managed a Red Hat Linux VM within Citi’s internal cloud, which hosted an ELK stack instance for the Elasticsearch migration.
- Provided security consultancy, leveraging expertise to guide the team’s developers in implementing effective cybersecurity best practices.
Undergraduate Research Assistant
The University of North Texas | Jan - May 2021
- Developed a C++ program that:
  - Stored social networks as a matrix in a compressed format.
  - Used matrix multiplication to find the centrality of a given matrix to help identify super-spreaders of infectious diseases.
EIO&T Summer Analyst
Citibank | July - August 2020
- Gained a high level of understanding of the positions within Citi’s EO&T 2-year rotational program.
- Acquired hands-on experience in:
  - Analyzing data from production applications.
  - The life cycle of a scrum project.
  - The workflow of developing an application at a financial institution.