I break systems to build better ones.
Pentester. Bug bounty hunter. Solo builder.
Years of disclosed vulnerabilities. Five shipped products.
The ghost that finds what no scanner ever will.
The last line of defense — built by a hacker who knows exactly how they get in and how to stop them. Born from years of offensive research and responsible disclosure.
Most WAFs are built by engineers who’ve never done a bug bounty. Shibuya was architected from the attacker’s perspective — every rule, every filter, every threshold informed by real-world exploitation techniques.
If I found the attack vector, I built the countermeasure. It’s institutional knowledge from thousands of hours of ethical hacking, compiled into protection.
The anti-algorithm social network. No shadowbans, no surveillance capitalism. Ghost Mode. 1500 guaranteed views. Kill the feed — own your reach.
Offline-first photo manager for macOS & Windows. Import, organize and classify photo collections locally — no cloud, no tracking, total control.
Business management system built for speed and clarity. Operations, tracking and workflow — designed to disappear into your process.
Private wealth management for UHNW individuals. Vehicles, yachts, multi-jurisdiction tax residency — offline-first, zero cloud, maximum privacy.
Verified, fresh Italian business leads — sourced, filtered, and ready to convert. No stale databases. No recycled contacts. Real prospects, real results.
I don’t read about vulnerabilities. I find them. Years on HackerOne and Intigriti taught me that the only real education is getting your hands dirty in the dark — legally. Every report filed is a lesson no course can teach.
The attacker’s mindset without the criminal intent. I operate inside the rules — bug bounty programs exist for a reason. Responsible disclosure is what separates a hacker from a criminal. Power without integrity is chaos.
A loon dev doesn’t follow the playbook. The playbook was written by people who never found a critical CVE at 3am. Build strange. Ship fast. Ship real. The best tools are the ones nobody thought to build yet.
Active hunter on HackerOne and Intigriti with years of disclosed vulnerabilities across real production systems. I find what automated scanners miss — because I think like the attacker, not the tool.
Shibuya WAF was born from frustration — watching companies get hit with attacks I’d already found and reported elsewhere. I build defensive tools with an attacker’s blueprint. If you know how they enter, you know where to build the wall.
Bug bounty is where I find bugs. Pentesting is where I weaponize the methodology. Full-scope engagements — web apps, APIs, auth systems, network perimeters. I follow the chain until I know the real blast radius.
Every vulnerability I find goes through proper channels — not because I’m forced to, but because responsible disclosure is what gives this work meaning beyond the bounty. Real patches on systems used by millions.
Full deployment pipeline — CI/CD, containerization, reverse proxies, cloud provisioning. Infrastructure shouldn’t be magic. It should be code you can read at 3am and still understand.
TCP/IP isn’t abstract theory — it’s the foundation of every attack and defense I’ve built. I understand how packets move, how protocols fail, and how to exploit the gaps.
You can’t protect what you can’t see. I instrument everything — logs, metrics, anomaly detection, real-time alerting. When something probes, I know before the damage is done.
Five products shipped. Alone. No co-founder, no funding, no permission. Shibuya WAF, LOST, PICOS, GES, AURA — each built from a blank file to production by one person. I write code the way I think about security: layered, intentional, always asking how this could be broken.
Interfaces that feel as precise as the systems underneath. Performance is a feature. Dependencies are attack surface. Clean HTML, modern CSS — no bloat unless it earns its weight.
APIs, auth flows, rate limiting, session management — every backend decision is a security decision. Assume the client is malicious. Validate everything. Trust nothing.
From native iOS (AURA — SwiftUI + SwiftData) to cross-platform Electron desktop (PICOS), web backends, and WAF infrastructure. One developer, every layer of the stack.
Public work, tools, experiments, explorations. The code is the resume — read it, fork it, critique it. A developer who doesn’t ship publicly isn’t a developer. They’re a theory.
I BREAK TO BUILD.
I GHOST TO STRIKE.
A loon dev doesn’t follow the playbook — the playbook was written by people who never found a critical CVE at 3am, running on cold coffee and pure instinct.
Years on HackerOne and Intigriti gave me something no course can teach: the attacker’s mindset — the ability to see systems the way predators do, and then build walls they can’t cross.
Ethical hacking isn’t a limitation. It’s a superpower with rules. Responsible disclosure is what separates hackers from criminals. Power without integrity is just chaos.
LOST, Shibuya WAF, PICOS, GES, AURA — not just products. Manifestos written in code.