about

Hola, I’m Miguel Llamazares (/miˈɣel ʎamaˈθaɾes/ [1]), a hacking manager with 13+ years of technical experience, currently working remotely from the green edge of northern Spain. ⛰️🐄

I’m obsessed with appsec, web pentesting, and the growing role of AI in hacking. That’s why I started this blog, which currently has 20,640 words distributed in 18 posts.

Below are some highlights of my profile, but if you want the boring details, you can always check out my linkedin.

stuff I broke

Publicly recognized for *ethically* reporting web vulns to the following orgs and institutions [2]:

  • Apple
  • NASA
  • United Nations (UN)
  • UK Ministry of Defence (MoD)
  • Dutch Government
  • Singapore Government
  • Luxembourg Government
  • World Health Organization (WHO)
  • US Department of Education (DoEd)
  • UK Government
  • Dutch Tax & Customs Administration (Belastingdienst)
  • City of Amsterdam
  • CERN
  • Ferrari S.p.A.
  • Siemens
  • BAYER
  • BOSCH
  • Red Bull
  • Adyen
  • British Broadcasting Corporation (BBC)
  • Deutsche Telekom

certs

Some of the cybersecurity certifications I’ve earned over time [3]:

  • Offensive Security Experienced Pentester (OSEP) - Offensive Security (review)
  • Offensive Security Web Expert (OSWE) - Offensive Security (review)
  • GIAC Certified Forensic Analyst (GCFA) - SANS Institute
  • Practical Network Penetration Tester (PNPT) - TCM Security
  • API Security Certified Professional (ASCP) - APIsec University
  • Certified Threat Modeling Professional (CTMP) - Practical DevSecOps
  • Certified DevSecOps Leader (CDL) - Practical DevSecOps
  • see more…

teaching & training

projects

  • vulncov: correlate Semgrep scans with Python test coverage to prioritize SAST findings and get bug fix suggestions via a self-hosted LLM [4].
  • gitpaths: lists the folder structure of a GitHub repo without cloning it to create ad hoc fuzzing wordlists.
  • STRIDE-vs-ASVS: equivalence table between the OWASP ASVS standard and the STRIDE threat modeling methodology [5].
  • webnose: modular, concurrent web scanner that sniffs out smells like security traits, interesting tech, or potential vulns, and ranks the output.
  • see more on my github…

r4nd0m

Here’s some random stuff about me so you can create the *ultimate wordlist* and crack all my passwords:

  • entp
  • debian zealot
  • spaces > tabs
  • solarpunk fanboy
  • privacy enjoyer
  • jazz guitar player
  • aspiring professional kite flyer
  • my pug’s name is Lady Di 🐶👑
  • strongly believe Vin Diesel is the best actor of all time [6]
  • fluent in COBOL, JCL and PL/I
  • low-poly video games apologist
  • pre-llm [7]
  • mr tickle diehard

  1. I know it’s challenging to pronounce for non-native Spanish speakers, kek

  2. apart from these, I also participate in a bunch of private programs

  3. currently prepping for the OSED

  4. featured in tldr;sec #252

  5. featured in tldr;sec #145

  6. I’m not going to argue about that

  7. learned to think before prompting