Hey. I’m John.

I like to learn. Several years ago, I was learning how to attach myself to a Via Ferrata cable while hiking through the Dolomites. While clipping in, I realized how lucky I’ve been to have unique experiences throughout my life.

When I returned home from my trip I created this website. I hope I can help you pursue your passions like I pursue mine.

Most of you are not here to learn how to clip into a Via Ferrata. You likely are more interested in my day job, computer hacking. But why should you trust a hacker you only know through the electric signals of the internet? Sounds sketchy. Let me start by telling you what I do, what I’ve done, and where I come from. Then you can decide if you want to trust what I’ve learned.

Currently I work for Meta as a Red Team Security Engineer.

On Meta’s Red Team Operations Group, we spend our time finding new ways to hack into Meta’s products and services. Once we do that, we help them fix the gaps we’ve discovered.

Prior to working for Meta, I was a staff security engineer at Praetorian.

At Praetorian, I conducted offensive security assessments for private companies. I executed Red Team engagements, created new service lines, wrote blog posts, and helped shape the direction of the corporate security practice.

A pivotal moment in my cybersecurity journey came when I started researching a new class of CI/CD attacks along with Adnan Khan. In the fall of 2023, we teamed up to scour the internet for open-source repositories that were vulnerable to these attacks, focusing on AI/ML repositories. The results shocked us, as we continuously identified critical supply chain vulnerabilities in the world’s most advanced technological organizations, including PyTorch, GitHub, Google, blockchains, and more.

Our research ignited the security world, leading to extensive coverage by news outlets, and culminated in an invitation to speak at Black Hat USA 2024 (Abstract, Slides) and DEF CON 32 (Abstract, Slides, Video).

I’ve since performed further CI/CD security research for Praetorian, identifying critical vulnerabilities in OSS projects and implementing the lessons learned into Praetorian’s product.

Before joining Praetorian, I graduated from Cornell University in 2022 with a bachelor’s degree in Computer Science Engineering and a minor in Business. Throughout school, I taught myself hacking and received my OSCP certification the summer after graduation. 

During my last semester in college I designed and developed two security-focused research projects: a Domain Name System (DNS) analyzer, implemented on a distributed cloud application framework, that detected malicious DNS activity, and a WiFi Hacking Guide that can teach your grandmother how to hack WiFi. Neither was very serious, but both helped introduce me to the security field.

My security origin story began with an internship at Praetorian, where I worked as a software developer and security engineer. During that time I helped design and develop GoKart. GoKart is a Go tool that finds vulnerabilities effectively, efficiently, and with a much lower false positive rate than any other code scanning tool I’ve seen. GoKart’s prowess earned it over two thousand stars on GitHub.

During my internship I also built SeAzure (read: seizure). SeAzure is a malicious Azure app that finds, steals, and trojanizes every personal and corporate file in a victim’s environment. It is designed for Red Team engagements and even has a stealth mode.

Prior to the cyber world I worked at Fit2Excel, a strength and conditioning company back home in Essex, Vermont. As a personal trainer I specialized in helping serious athletes reach their full potential. I also ran the firm’s marketing and taught workout classes. Fitness is still a big passion of mine.

Ok you made it. Congratulations. Enough about John the professional. Let’s hear about John the person.

Growing up in northern Vermont shaped my interests. Without cities (the biggest city in the state has fewer than 50,000 people) and without phones (my parents banned phones until high school), we actually had to go outside to play. My two siblings and I would entertain ourselves by mountain biking, cliff jumping, hiking, snowboarding, and playing sports. These are the same things I love to do today.

I prefer playing sports over watching them. I will accept a pickup game invitation in anything, no matter how bad I may be. Growing up, I played soccer, football, and lacrosse and wrestled, and I went on to wrestle Division I in college at Cornell University. Now that my athletic career is over I plan on making random men’s leagues a big part of my life.

As soon as I started making money I began to travel. Inspired by lifelong friend David Rosales, I wanted to take advantage of working remotely (David has been nomadic for years and writes frequently about his travels). My journey first led me to San Diego in 2021 for a summer of surfing while I worked a virtual internship. The following summer found me hiking in Austria and Italy while taking a break from studying for the OSCP. Currently I am nomadic, picking one place and living there for several months before moving somewhere else. My long-term (>3 months) stays so far have included Burlington, Austin, San Diego, Salt Lake City, Austria, and Oahu.

So. Hopefully I am now less sketchy. If you want to get in touch, send me an email, connect on LinkedIn or message me on Instagram. I look forward to sharing what I have learned. Until then, enjoy.

Want to hear more? Subscribe to the official John IV newsletter to receive live, monthly updates of my interests and passions.