AppSec @ Disney

   

Application security engineer. I break software the way attackers would, then help build it back stronger. Pentesting, secure code review, and threat modeling from the dark, glowing edge of the marsh.

   .-~~~~~~~-.
  .~ o o o o ~.
 ( o o o o o o )
(o o o o o o o o)
 ( o o o o o o )
 '~-._______.-~'
     | : : |
     | : : |
     | : : |
   .-| : : |-.
  (___________)

Field Report

SR-01 // ABOUT
[ DESIGNATION ]
AppSec Engineer
[ FOCUS ]
Offensive + Defensive
[ TEAM ]
AppSec @ Disney
[ STATUS ]
Operational 365

I’m Aaron — an application security engineer who treats every codebase like an ecosystem. Most bugs aren’t loud; they grow quietly in the dark, in the gaps between trust boundaries. My job is to go in with a light and find them before anyone else does.

I work across the whole lifecycle: adversarial testing of web, mobile, and API surfaces, line-level secure code review, and threat models that bake security into the design instead of bolting it on. I like clear write-ups, reproducible findings, and fixes that actually hold.

Off the clock you’ll find me in CTFs, poking at auth flows, and collecting good security writing.

Reads as — METHODICAL, CURIOUS, LOW-EGO, RELENTLESS

Capabilities

05 VECTORS // READY
01

Penetration Testing

Adversarial assessment of web, mobile, and API surfaces. I find the path attackers would take — and document exactly how to close it.

[ STACK ]
> WEB
> API
> MOBILE
> NETWORK
02

Secure Code Review

Line-level audit of source for injection, broken auth, and logic flaws. Manual depth, backed by static analysis where it earns its place.

[ STACK ]
> SAST
> MANUAL
> CI/CD
03

Threat Modeling

Mapping trust boundaries and abuse cases early, so security is designed into the system rather than bolted on after launch.

[ STACK ]
> STRIDE
> DESIGN
> RISK
04

App Hardening

Turning findings into durable fixes — auth, headers, input handling, and defense-in-depth that survives the next refactor.

[ STACK ]
> REMEDIATION
> DEVSECOPS
05

Vuln Research

Digging into how things actually break, for sport and for signal. Disclosure handled responsibly, every time.

[ STACK ]
> FUZZING
> 0DAY
> CVE
Tooling & Tech
Burp Suite, Python, Go, Semgrep, Nuclei, Ghidra, Docker, Terraform, AWS, Kubernetes, Frida, JavaScript

Selected Work

PORTFOLIO // SPECIMENS
06 // ESTABLISH CONNECTION

Let’s talk security.

Pentest, code review, threat model, or just trading notes on the latest fungal bloom of CVEs — my inbox is open.

aam@zangarmarsh:~$ echo $EMAIL
aam.sol@protonmail.com