Application Security · Toronto

I break financial platforms before someone else does.

I'm a penetration tester focused on FinTech. I spend most of my time inside payment platforms, neobanks, and investment applications, finding the things scanners miss and working with engineering teams to actually fix them, not just write reports about them.

110+
Validated vulnerabilities
$95K+
Bug bounty earnings
20+
Enterprise clients tested
5+
Years in application security
What I Do

Most of my work is with financial services companies. Payment processors, neobanks, investment platforms. I do penetration testing, secure code reviews, and threat modeling across their web applications, APIs, and cloud environments.

I also do bug bounty research. I've reported over 110 validated vulnerabilities to companies like PayPal, Sony, AT&T, Airbnb, and Alibaba through HackerOne. The focus is always application security: access control, authentication, API flaws, business logic issues in financial workflows.

What I care about most is making sure the things I find actually get fixed. I work directly with engineering teams to trace root causes, help write patches, build unit tests, and set up regression checks so the same class of bug doesn't come back next quarter.

How I Approach Testing
01

Start with threat modeling

I lean towards software-centric threat modeling. For financial platforms, I need to understand how the application can be abused through its own logic and data flows before I touch anything. The threat model drives the test plan.

02

Layer automated and manual

I write custom Nuclei templates for patterns specific to each platform and run those alongside manual testing in Burp Suite. Secure code review happens in parallel. Scanners alone miss the things that actually matter in a financial application.

03

Fix it, don't just report it

Findings include observed behavior, root cause in the code, reproduction steps, and a specific fix. When I can, I sit with the team and help write the patch and the unit test. Reports that collect dust are a waste of everyone's time.

Where I've Worked
White Tuque, Offensive Security Specialist
Toronto · Oct 2024 to Present
Penetration tests, secure code reviews, and threat models for 20+ enterprise clients, mostly financial services. Helped design and build a red team program and pentest pipeline for a major insurance enterprise. Build custom Nuclei templates and Python tooling to automate scanning. PCI DSS boundary testing across financial platforms. Work recognized by the Ontario Provincial Parliament for protecting critical digital infrastructure.
ASEC (team joined White Tuque), Penetration Tester
Toronto · May 2024 to Oct 2024
Pentested FinTech platforms under Nick Aleks, former Senior Director of Security at Wealthsimple and current Head of Security at Robinhood. Focused on financial services. Ran application security assessments across web, API, and mobile. Built Python and Bash automation that cut manual assessment effort by 40%.
HackerOne, Security Researcher
Remote · Feb 2022 to Present
110+ validated vulnerabilities across Fortune 500 platforms with over $95K in bounties. PayPal, Sony, AT&T, Airbnb, PlayStation, Alibaba, Booking.com. Focused on access control bypasses, authentication flaws, API security, and GraphQL endpoint issues.
Projects
API Authentication Checker
Burp Suite Extension · Open Source
Tests authentication and authorization flaws across API endpoints. Built it because I was doing the same manual checks on every engagement and got tired of repeating myself.
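What "fix it, don't just report it" looks like for the most common finding class on this page, broken object-level authorization, and the kind of cross-account check the API Authentication Checker automates. This is an added example, not code from the page's own tooling or from any client engagement: the transfer endpoint, account ids, balances and bearer tokens are all constructed for it. The vulnerable handler sits beside its fix, a probe replays one customer's request with another customer's token, and the regression checks are the ones that would go into CI so the bug does not come back.

```python
"""Added example (not the page's own tooling): object-level authorization on a
transfer endpoint. A vulnerable handler beside its fix, a cross-account probe of
the kind run during testing, and regression checks that can sit in CI.
Account ids, balances and bearer tokens are constructed for this example."""
from dataclasses import dataclass, field

# Constructed fixture: two customers, one account each.
ACCOUNTS = {
    "acct-1001": {"owner": "alice", "balance": 5000},
    "acct-2002": {"owner": "bob", "balance": 300},
}
# Constructed token -> user mapping; a real service resolves this from a session store.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}

TRANSFER = {"from_account": "acct-1001", "amount": 100}  # debits alice's account


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def authenticate(headers):
    """Return the user id behind a valid bearer token, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return TOKENS.get(auth[len("Bearer "):])


def transfer_vulnerable(headers, body, accounts):
    """Authenticated but never authorized: any logged-in user can debit any
    account they can name. Classic broken object-level authorization."""
    if authenticate(headers) is None:
        return Response(401, {"error": "unauthenticated"})
    src = accounts.get(body["from_account"])
    if src is None:
        return Response(404, {"error": "no such account"})
    if src["balance"] < body["amount"]:
        return Response(400, {"error": "insufficient funds"})
    src["balance"] -= body["amount"]
    return Response(200, {"balance": src["balance"]})


def transfer_hardened(headers, body, accounts):
    """Fix: resolve the account within the caller's scope. A foreign account id
    gets the same 404 as an unknown one, so the endpoint does not confirm
    which ids exist."""
    user = authenticate(headers)
    if user is None:
        return Response(401, {"error": "unauthenticated"})
    src = accounts.get(body["from_account"])
    if src is None or src["owner"] != user:
        return Response(404, {"error": "no such account"})
    if src["balance"] < body["amount"]:
        return Response(400, {"error": "insufficient funds"})
    src["balance"] -= body["amount"]
    return Response(200, {"balance": src["balance"]})


def fresh_accounts():
    """Deep-enough copy so each probe starts from the constructed balances."""
    return {k: dict(v) for k, v in ACCOUNTS.items()}


def probe_cross_account(handler):
    """Offensive check: replay alice's transfer with bob's token. True means
    bob moved money out of an account he does not own."""
    accounts = fresh_accounts()
    resp = handler({"Authorization": "Bearer tok-bob"}, dict(TRANSFER), accounts)
    return resp.status == 200 and accounts["acct-1001"]["balance"] < 5000


def regression_checks(handler):
    """Checks to keep in CI once the fix lands. Returns {check name: passed}."""
    accounts = fresh_accounts()
    owner = handler({"Authorization": "Bearer tok-alice"}, dict(TRANSFER), accounts)
    cross = handler({"Authorization": "Bearer tok-bob"}, dict(TRANSFER), accounts)
    unknown = handler({"Authorization": "Bearer tok-bob"},
                      {"from_account": "acct-9999", "amount": 1}, accounts)
    no_token = handler({}, dict(TRANSFER), accounts)
    return {
        "owner_can_transfer": owner.status == 200 and accounts["acct-1001"]["balance"] == 4900,
        "cross_account_rejected": cross.status == 404 and accounts["acct-1001"]["balance"] == 4900,
        "existence_not_leaked": cross.status == unknown.status,
        "no_token_is_401": no_token.status == 401,
    }


if __name__ == "__main__":
    print("vulnerable exploitable:", probe_cross_account(transfer_vulnerable))
    print("hardened exploitable:", probe_cross_account(transfer_hardened))
    for name, ok in regression_checks(transfer_hardened).items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The probe is the engagement-time check: same request, second identity, did state change. The regression function is what stays behind; the "existence_not_leaked" check matters because a fix that returns 403 for someone else's account and 404 for a nonexistent one still lets a tester enumerate valid account ids.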
GraphQL SDL Generator
Python · Open Source
Pulls and reconstructs GraphQL schemas from introspection endpoints. Useful for mapping out the full attack surface before diving into manual testing.
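For readers who have not seen what schema reconstruction involves, here is the core of the transformation: the JSON an introspection query returns, walked type by type and turned back into SDL, with the mutation surface pulled out separately because those are the state-changing operations worth mapping first. This is an added example, not the SDL Generator's code; the introspection document is constructed and trimmed to the fields the reconstruction needs (a real __schema response also carries descriptions, directives, interfaces and deprecation data), and the account/transfer types in it are illustrative.

```python
"""Added example (not the project's code): rebuild GraphQL SDL from the JSON an
introspection query returns. The introspection document is constructed."""

# Small constructors so the constructed response stays readable.
def named(kind, name):
    return {"kind": kind, "name": name, "ofType": None}

def non_null(t):
    return {"kind": "NON_NULL", "name": None, "ofType": t}

def list_of(t):
    return {"kind": "LIST", "name": None, "ofType": t}

ID, STR, FLT = named("SCALAR", "ID"), named("SCALAR", "String"), named("SCALAR", "Float")

INTROSPECTION = {"data": {"__schema": {
    "queryType": {"name": "Query"},
    "mutationType": {"name": "Mutation"},
    "types": [
        {"kind": "OBJECT", "name": "Query", "fields": [
            {"name": "account", "args": [{"name": "id", "type": non_null(ID)}],
             "type": named("OBJECT", "Account")},
            {"name": "accounts", "args": [],
             "type": non_null(list_of(non_null(named("OBJECT", "Account"))))}]},
        {"kind": "OBJECT", "name": "Mutation", "fields": [
            {"name": "transfer",
             "args": [{"name": "input", "type": non_null(named("INPUT_OBJECT", "TransferInput"))}],
             "type": named("OBJECT", "Account")}]},
        {"kind": "OBJECT", "name": "Account", "fields": [
            {"name": "id", "args": [], "type": non_null(ID)},
            {"name": "balance", "args": [], "type": FLT},
            {"name": "internalNotes", "args": [], "type": STR}]},
        {"kind": "INPUT_OBJECT", "name": "TransferInput", "inputFields": [
            {"name": "fromAccount", "type": non_null(ID)},
            {"name": "toAccount", "type": non_null(ID)},
            {"name": "amount", "type": non_null(FLT)},
            {"name": "currency", "type": named("ENUM", "Currency")}]},
        {"kind": "ENUM", "name": "Currency", "enumValues": [{"name": "CAD"}, {"name": "USD"}]},
        {"kind": "SCALAR", "name": "ID"}, {"kind": "SCALAR", "name": "String"},
        {"kind": "SCALAR", "name": "Float"}, {"kind": "SCALAR", "name": "DateTime"},
        {"kind": "OBJECT", "name": "__Schema", "fields": []},  # introspection meta type
    ]}}}

BUILTIN_SCALARS = {"Int", "Float", "String", "Boolean", "ID"}


def type_ref(t):
    """Render a type reference; NON_NULL and LIST wrap an inner type via ofType."""
    if t["kind"] == "NON_NULL":
        return type_ref(t["ofType"]) + "!"
    if t["kind"] == "LIST":
        return "[" + type_ref(t["ofType"]) + "]"
    return t["name"]


def field_line(f):
    args = f.get("args") or []
    sig = "(" + ", ".join(f"{a['name']}: {type_ref(a['type'])}" for a in args) + ")" if args else ""
    return f"  {f['name']}{sig}: {type_ref(f['type'])}"


def to_sdl(introspection):
    """Walk every entry in __schema.types and emit its SDL definition."""
    out = []
    for t in introspection["data"]["__schema"]["types"]:
        kind, name = t["kind"], t["name"]
        if name.startswith("__"):            # skip the introspection meta types
            continue
        if kind == "SCALAR":
            if name not in BUILTIN_SCALARS:  # only custom scalars need a declaration
                out.append(f"scalar {name}")
        elif kind in ("OBJECT", "INTERFACE"):
            out.append(f"{'type' if kind == 'OBJECT' else 'interface'} {name} {{")
            out += [field_line(f) for f in t.get("fields") or []]
            out.append("}")
        elif kind == "INPUT_OBJECT":
            out.append(f"input {name} {{")
            out += [f"  {f['name']}: {type_ref(f['type'])}" for f in t.get("inputFields") or []]
            out.append("}")
        elif kind == "ENUM":
            out.append(f"enum {name} {{")
            out += [f"  {v['name']}" for v in t.get("enumValues") or []]
            out.append("}")
    return "\n".join(out)


def mutation_surface(introspection):
    """Mutation fields with their argument signatures: the state-changing
    operations to look at first on a financial API."""
    schema = introspection["data"]["__schema"]
    target = (schema.get("mutationType") or {}).get("name")
    for t in schema["types"]:
        if t["name"] == target:
            return {f["name"]: [(a["name"], type_ref(a["type"])) for a in f.get("args") or []]
                    for f in t.get("fields") or []}
    return {}


if __name__ == "__main__":
    print(to_sdl(INTROSPECTION))
    print(mutation_surface(INTROSPECTION))
```

Against a live endpoint the dictionary would come from POSTing the standard introspection query; if introspection is disabled, this route is closed and the schema has to be recovered from field suggestions or client bundles instead, which is a different technique. Note also that a field like internalNotes shows up in the SDL whether or not the resolver ever returns it to a normal user, which is exactly why the reconstructed schema is a map of what to test rather than a finding on its own.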
Osintgram Fixed
Python · Open Source
Forked the original Osintgram OSINT framework, fixed broken dependencies, and added functionality. Maintained because the original was abandoned and people still use it.
AppSec Testing Framework
Private Repository
Automated pentesting toolkit for web apps, GraphQL APIs, and cloud environments. Custom Nuclei templates, regression testing, CI/CD hooks. Built from patterns I kept seeing across engagements.
Speaking & Community
SecTor 2025
Toronto
Presented offensive security research on adversarial techniques and security control exploitation at one of Canada's largest security conferences.
DEF CON Vancouver
Microsoft
Talked about application security and attack chain research. Got to break things in front of people who also like breaking things.
DEF CON Toronto (DC416)
Co-Organizer
Help run Toronto's DEF CON group. I like building community as much as I like breaking into things.
TASK Toronto
Organizing Committee
On the organizing committee for the Toronto Area Security Klatch (TASK). Helping bring the local appsec community together.
Tools & Stack

Testing: Web applications, GraphQL APIs, REST APIs, mobile, network, cloud (AWS)
Languages: Python, Go, Bash, PowerShell
Tools: Burp Suite, Nuclei, httpx, subfinder, Nmap, Wireshark, Metasploit
Frameworks: NIST SP 800-115, OWASP, PCI DSS
Application Stacks: Ruby on Rails, React, GraphQL

Let's talk.

If you're looking for someone who breaks financial platforms for a living, I'd like to hear about it.