Hey, I’m Miguel Llamazares (/miˈɣel ʎamaˈθaɾes/¹) an Offensive Security Manager working remotely from the green edge of northern Spain. ⛰️🐄

I’m obsessed with appsec, web pentesting, and the growing role of AI in hacking. That’s why I started this blog, which currently has 8,212 words.

Here are some highlights of my profile, but if you want the boring details, you can always check my linkedin.

stuff I broke

Publicly recognized for *ethically* reporting web vulnerabilities to the following organizations and institutions²:

• NASA
• United Nations (UN)
• UK Ministry of Defence (MoD)
• Dutch Government
• Singapore Government
• Luxembourg Government
• World Health Organization (WHO)
• US Department of Education (DoEd)
• UK Government
• Dutch Tax & Customs Administration (Belastingdienst)
• City of Amsterdam
• CERN
• Ferrari S.p.A.
• Siemens
• BAYER
• BOSCH
• Red Bull
• Adyen
• British Broadcasting Corporation (BBC)

certs

Some of the cybersecurity certifications I’ve earned over time³:

• Offensive Security Web Expert (OSWE) - Offensive Security (review)
• GIAC Certified Forensic Analyst (GCFA) - SANS Institute
• Practical Network Penetration Tester (PNPT) - TCM Security
• API Security Certified Professional (ASCP) - APIsec University
• Certified Threat Modeling Professional (CTMP) - Practical DevSecOps
• Certified DevSecOps Leader (CDL) - Practical DevSecOps
• see more…

teaching & training

• lecturer at UNIR (Universidad Internacional de La Rioja), teaching AI applications in offensive security in the Advanced AI Cybersecurity Program.
• lecturer at UCAM (Universidad Católica San Antonio de Murcia), teaching the module on advanced WAF evasion techniques in the country’s first Bug Bounty MSc.
• created appsec CTFs for more than +400K students at Secure Code Warrior.

projects

• vulncov: correlate Semgrep scans with Python test coverage to prioritize SAST findings and get bug fix suggestions via a self-hosted LLM⁴.
• gitpaths: lists the folder structure of a GitHub repo without cloning it to create ad hoc fuzzing wordlists.
• STRIDE-vs-ASVS: equivalence table between OWASP ASVS standard and STRIDE threat modeling methodology⁵.
• see more on my github…

r4nd0m

Here’s some random stuff about me so you can create the *ultimate wordlist* and crack all my passwords:

• entp
• debian zealot
• spaces > tabs
• solarpunk fanboy
• privacy enjoyer
• jazz guitar player
• aspiring professional kite flyer
• my pug’s name is Lady Di 🐶👑
• strongly believe Vin Diesel is the best actor of all time⁶
• fluent in COBOL, JCL and PL/I
• low-poly video games apologist
• pre-llm⁷
• mr tickle diehard

1. I know it’s challenging to pronounce for non-native Spanish speakers, lol ↩

2. apart from these, I also participate in a bunch of private programs ↩

3. currently preparing for the OSEP cert ↩

4. featured in tldr;sec #252 ↩

5. featured in tldr;sec #145 ↩

6. I’m not going to argue about that ↩

7. learned to think before to prompt ↩