< back

about

Hey, I’m Miguel Llamazares (/miˈɣel ʎamaˈθaɾes/ ¹) an Offensive Security Manager working remotely from the green edge of northern Spain. ⛰️🐄

I’m obsessed with appsec, web pentesting, and the growing role of AI in hacking. That’s why I started this blog.

Here are some highlights of my profile, but if you want the boring details, you can always check my linkedin.

stuff I broke

Publicly recognized for *ethically* reporting web vulnerabilities to the following organizations and institutions ²:

NASA
United Nations (UN)
UK Ministry of Defence (MoD)
Dutch Government
Singapore Government
Luxembourg Government
World Health Organization (WHO)
US Department of Education (DoEd)
UK Government
Dutch Tax & Customs Administration (Belastingdienst)
City of Amsterdam
CERN
Ferrari S.p.A.
Siemens
BAYER
BOSCH
Red Bull
Adyen
British Broadcasting Corporation (BBC)

certs

Some of the cybersecurity certifications I’ve earned over time ³:

Offensive Security Web Expert (OSWE) - Offensive Security (review)
GIAC Certified Forensic Analyst (GCFA) - SANS Institute
Practical Network Penetration Tester (PNPT) - TCM Security
API Security Certified Professional (ASCP) - APIsec University
Certified Threat Modeling Professional (CTMP) - Practical DevSecOps
Certified DevSecOps Leader (CDL) - Practical DevSecOps
see more…

teaching & training

lecturer at UNIR (Universidad Internacional de La Rioja), teaching AI applications in offensive security in the Advanced AI Cybersecurity Program.
lecturer at UCAM (Universidad Católica San Antonio de Murcia), teaching the module on advanced WAF evasion techniques in the country’s first Bug Bounty MSc.
created appsec CTFs for more than +400K students at Secure Code Warrior.

projects

vulncov: correlate Semgrep scans with Python test coverage to prioritize SAST findings and get bug fix suggestions via a self-hosted LLM. (featured in tldr;sec #252)
gitpaths: lists the folder structure of a GitHub repo without cloning it to create ad hoc fuzzing wordlists.
STRIDE-vs-ASVS: equivalence table between OWASP ASVS standard and STRIDE threat modeling methodology. (featured in tldr;sec #145)
see more on my github…

r4nd0m

Here’s some random stuff about me so you can create the *ultimate wordlist* and crack all my passwords:

entp
debian zealot
spaces > tabs
solarpunk fanboy
privacy enjoyer
jazz guitar player
aspiring professional kite flyer
my pug’s name is Lady Di 🐶👑
strongly believe Vin Diesel is the best actor of all time ⁴
fluent in COBOL, JCL and PL/I

I know it’s challenging to pronounce for non-native Spanish speakers, lol ↩
apart from these, I also participate in a bunch of private programs ↩
currently preparing for the OSEP cert ↩
I’m not going to argue about that ↩