Marine Corps to Pentagon Red Teamer to Fortune 7 security executive. 25+ years of building, breaking, and defending — a CISO who never lost touch with the craft and is building toward an AI-governed security future.
"It's not a forklift driver's job to spot a phishing email. It's our job to make sure they never have to. I build security programs that protect people — not programs that punish them for not being security experts."
Every chapter built the next. Click to expand.
The Marines taught two things that no certification ever will: how to make decisions under pressure with incomplete information, and how to build teams where accountability is non-negotiable. Combat Engineers learn to think about both construction and destruction — a mental model that maps perfectly to security architecture.
Transitioning from MOS 1371 to MOS 0656 (Tactical Data Network Gateway) wasn't a career change — it was applying the same mindset to a different domain. Building and defending military network infrastructure meant understanding adversaries with nation-state resources and patience measured in years, not sprints.
This is where the foundation was poured. Everything since — the offensive work, the enterprise leadership, the board communication — sits on top of mission-first discipline and the understanding that security failures have consequences heavier than quarterly earnings.
At the US Senate, incident response meant defending one of the most symbolically and operationally significant networks in American government. Every alert was real. Every decision had political and national security implications.
At the Pentagon, the role flipped. Now I was the adversary — penetration testing the Engineering Services Network, finding the gaps that real threat actors would exploit. When you've tested the Pentagon's defenses, you bring a different perspective to every security conversation for the rest of your career.
These two roles — defender at the Senate, attacker at the Pentagon — created the dual perspective that defines how I approach security leadership today. You have to understand both sides of the equation.
This was the pressure cooker. At Rapid7, I was on the front lines of the penetration testing industry as it matured from niche service to enterprise essential. At GE, I spent four years as Senior Security Architect and Senior Red Team Analyst inside a global industrial conglomerate — understanding how security scales across business units, manufacturing, aviation, and healthcare. At IBM X-Force Red, I was part of the most recognized offensive security brand in the enterprise world.
Consulting forces a kind of breadth that in-house roles can't replicate. You see every kind of environment, every kind of failure, every kind of organizational dysfunction. You learn what works and what's theater. That pattern recognition — knowing what "good" looks like across industries — is what I bring to every architecture review, vendor evaluation, and risk assessment today.
The CTO role at National CyberWatch Center (2009–2023) ran in parallel — leading cloud migration to AWS, building the cybersecurity team from zero, and developing GRC frameworks for a national education initiative.
At Uber, I architected the SOAR (Phantom) detection and attack emulation platform — subsequently open-sourced — and led Red/Purple Team assessments while supervising audits across AD, IAM, PAM, and IGC controls including the Azure AD migration.
At Cruise Automation (GM's autonomous vehicle division), the stakes shifted from data to physics. When the software you're securing controls vehicles on public roads, "risk tolerance" takes on a different weight. I spearheaded SSO, MFA, and adaptive authentication architecture while leading Red/Purple Team assessments and CIS controls audits.
At Black Hills Information Security, I developed and led a comprehensive Purple Team program — roughly 30 assessments across SMBs and large enterprises — while mentoring junior practitioners and building CI/CD pipelines for offensive tooling.
McKesson — VP, Information Security at a Fortune 7 healthcare company ($300B+ revenue). I own security strategy across four functions — Red Team, Vulnerability Management, EDR Engineering, and Endpoint Strategy — protecting 1.5M+ endpoints serving one in three American patients. Built and led a 25-person security organization — the largest of several teams I've built from scratch — reduced critical/high vulnerability backlog by 40% in nine months through risk-based prioritization tied to business criticality, and transformed the Vulnerability Disclosure Program into a strategic asset processing 100+ monthly external researcher submissions (90% valid) feeding directly into the EASM program. Hands-on with generative AI — building with LLMs, agentic tooling, and AI-powered security workflows while advising on enterprise AI governance.
United Airlines — Director of Red Team, Cyber Threat Intel, and IAM across a global operation (160K+ workforce, 4,500+ daily departures). Drove strategic direction for the $25M IAM program, built the threat intelligence function operationalizing 60M+ monthly threat signals, and established partnerships with TSA, FBI, and industry ISACs — including detection and response to nation-state targeting. Directed application security "last mile" validation reviewing nearly 3,000 applications annually, and restructured audit preparation cutting findings 60% YoY across AOSSP, SOX, SOC2, PCI 4.0, ISO 27001, and NIST. Served on United's AI Security Review Board, evaluating AI/ML risks and establishing governance frameworks before most enterprises had the conversation. In 2023, briefed DHS on the cybersecurity and national security threats posed by AI — covering supply chain risks, data security, LLM manipulation, malicious model training, and prompt injection.
BlackHat USA Instructor (2012–2026) and Review Board Member. Not a one-time speaker — fourteen consecutive years teaching at the industry's most rigorous conference. Every session means original research, verified results, and content scrutinized by the most critical audience in cybersecurity.
HBO's Silicon Valley — Senior Technical Advisor (2015–2019), Seasons 2 through 6. Technical review of hacking and cybersecurity concepts, including writing lines for Gilfoyle and Mia. Translating deeply technical concepts for non-technical audiences in a way that's accurate and compelling — a skill every CISO needs.
Hak5 — Technical Architect & Host (2006–Present). A 20-year partnership with the leading offensive security hardware company. Co-architect of industry-standard tools including the WiFi Pineapple (evolved from my early Jasager/Karma research on Fonera routers) and the Bash Bunny, a multi-vector attack platform where I designed the functional requirements — devices used by red teams at enterprises worldwide. Hosted Metasploit Minute and Practical Exploitation, security education series that provided an accessible pathway for thousands to enter the industry.
Active research includes hypervisor persistence techniques, covert C2 channels (AF_VSOCK), Active Directory attack primitives, and vulnerability risk modeling. Twenty years of public tool releases — from Metasploit modules and NetView to SolarFlare, a SolarWinds Orion audit tool built in 2015 that became a critical defensive utility when the SolarWinds breach hit in 2020. Founded SecurityTitles.com to standardize cybersecurity job titles. Chair of the VMRG, leading VRM 3.0 development.
Emerging Technology & Quantum Readiness. Peer reviewed the Foundation for Defense of Democracies quantum readiness roadmap (Dr. Georgianna Shea, 2024), providing technical analysis on the practical challenges of Quantum Resilient Cryptography (QRC) adoption — including performance constraints on modern hardware, use cases where speed requirements conflict with cryptographic migration, and a realistic assessment of quantum computing timelines that cuts through the hype. Briefed DHS in 2023 on AI-specific national security threats including supply chain risks, LLM manipulation, and prompt injection.
Security is a talent problem first and a technology problem second.
Student Competitions (2012–Present) — Core red team member at National CCDC and Southwest Regional CCDC, plus ISTS. Stress-testing the next generation of defenders through adversarial simulation.
NoVA Hackers (2009–Present) — Co-founded and run through EPI Events LLC. A recurring security meetup for the Northern Virginia community.
RestInCode.com — In Memoriam for the InfoSec Community. Some contributions matter because they're not about you.
Marine Corps Cyber Auxiliary (Founding Member, 2019–Present) — Bridging private sector expertise and military cyber operations.
SkillBit Advisory Board (2024–Present) — Advising on next-generation cybersecurity training platforms.
30+ conference appearances across four continents. 20+ podcast episodes since 2007. Named venues — not "various conferences."
Trusted advisor across industry, government, media, and the next generation
What I bring to the table — and why it matters now
I've built and fixed security programs across military, government, consulting, big tech, aviation, and healthcare. The through-line: the organizations that win are the ones that stop treating users as the first line of defense and start engineering security into the fabric. I bring multi-industry pattern recognition to build programs where the forklift driver never has to think about phishing — because we've already solved it for them.
Served on United Airlines' AI Security Review Board and briefed DHS on AI-specific national security threats. Hands-on with LLMs, agentic tooling, and AI-powered workflows. Peer reviewed the Foundation for Defense of Democracies quantum readiness roadmap, providing practical analysis on QRC adoption challenges and realistic timelines. The next CISO needs to separate hype from risk across AI, quantum, and whatever comes next — I bring the technical fluency to evaluate what's real and the governance perspective to ensure it's deployed responsibly.
Too many security programs are stuck in reactive mode, accepting breaches as inevitable. I don't subscribe to the "it's not if, but when" defeatism. I build programs that find and fix root causes — risk-based prioritization, architecture-level controls, and automation that eliminates entire classes of problems instead of triaging individual alerts forever.
Boardroom Certified QTE, MBA, and CMU CISO credentials with deep technical range — positioned to advise boards on cyber risk governance and AI oversight. Simultaneously committed to teaching at the university level and continuing the BlackHat instruction, VMRG leadership, and community investment that keeps the pipeline strong.