Cody Richard · @ssstrickys
authorized engagements only
hexdump — /proc/operator/self

I find the path the defenders assumed no one would take.

Cody Richard — CRTO-certified red team operator. Authorized engagements only.

I model the adversary end to end: recon, initial access, privilege escalation, lateral movement, and a clean exit — then I hand the blue team a map they can act on. Member of ISP1337Hackers, ranked #1 in the U.S. on the HTB business benchmark.

$ operator --scope authorized --crto --team isp1337hackers --quiet

whoami // 0x00000400

Operator profile

Red team operator specializing in adversary emulation and full-lifecycle penetration testing across Active Directory, web, API, and cloud. CRTO-certified, with an attacker mindset sharpened by years inside global security operations — including Google’s GSOC — and a track record competing against the world’s top corporate security teams.

The fun is the break-in. The value is the fix.

tradecraft // 0x00000800

Capabilities & tooling

Active Directory

Kerberoasting, DCSync, ADCS ESC, RBCD, ACL chains, AS-REP roasting — full AD kill-chain from foothold to DA.

0x10 .activedirectory

C2 & Evasion

Cobalt Strike, Sliver, Mythic, Havoc. AMSI bypass, ETW patching, sleep masking, and callback obfuscation.

0x18 .c2

Malware Dev

Direct/indirect syscalls, API unhooking, reflective DLL injection, process hollowing, module stomping, stack spoofing, BYOVD.

0x20 .maldev

Web & API

OWASP Top 10 and deeper: SSRF, IDOR, insecure deserialization, broken access control — the flaws scanners miss.

0x28 .webapp

Cloud

Entra ID, Azure privesc, M365. AWS: IAM abuse, KMS, S3 enum, Lambda, GuardDuty bypass. GCP identity chains.

0x30 .cloud

Languages

Python, PowerShell, Bash, C#, C/C++, JavaScript. Shellcode loaders, automation pipelines, custom offensive tooling.

0x38 .languages

competition track record // 0x00001000

Operations log

ISP1337Hackers · Member

Global Adversary-Simulation Team

Invitation-only corporate benchmark events against the security teams of Microsoft, Cisco, Nvidia, Walmart, Cobalt, and other top firms — adversary emulation under live, defended conditions.

adversary-sim · red-team · corporate
MEMBER · invite only

Hack The Box · Operation Nightfall · Business Benchmark

ISP1337Hackers — #1 U.S. Business · Top 5 Global

Full adversary-simulation campaign against the world’s leading corporate security teams. ISP1337Hackers ranked #1 in the United States and Top-5 globally as a hacking business on the HTB business benchmark.

htb · adversary-sim · red-team · business
#1 U.S. business

Hack The Box · Operation Global Blackout

Ranked #36 Global

Realistic adversary simulation and attack-chain emulation under time-constrained conditions against elite corporate teams worldwide.

htb · adversary-sim · global
#36 global

Hack The Box · Holmes CTF 2025 · First Blue CTF

Ranked #98 Global

Sherlock-style investigations spanning threat intelligence, SOC analysis, DFIR, and malware reversing — HTB’s inaugural defensive competition format.

dfir · blue-team · forensics · malware
#98 global

Google · Invitation-Only CTF · Upcoming 2026

Invited Competitor

Invited to Google’s invitation-only CTF — competing in 2026.

google · invite-only · ctf
INVITED · competing 2026

security research & disclosure // 0x00001800

Reported findings

Reported · 2026

World Monitor — Real-Time Global Intelligence Platform

Tauri 2 · Rust · TypeScript · 58.6k★ open-source project

github.com/koala73/worldmonitor — view public disclosure ↗

3 findings reported
01

IPC command exposure

Identified an unsafe inter-process command surface between the application’s frontend and backend, allowing unintended command execution across the IPC boundary.

02

Renderer-to-sidecar trust-boundary analysis

Mapped privilege and trust weaknesses across the renderer and Node.js sidecar boundary, revealing paths where the renderer could influence privileged sidecar operations.

03

Fetch-patch credential injection architecture

Uncovered a credential-injection vector in the network fetch-patching layer where attacker-controlled inputs could be smuggled into credentialed requests.

certifications // 0x00002000

Credentials

Red team & offensive development

CRTO Certified Red Team Operator
CRT-ID Red Team Infrastructure Dev
CRT-COI CredOps Infiltrator
CPIA Process Injection Analyst
CRTL Red Team Lead (in progress)
ODPC Offensive Development Practitioner (in progress)

Pentest, appsec, cloud & network

AD Attacking & Defending Active Directory
CAP Certified AppSec Practitioner
CCSP-AWS Cloud Security Practitioner (merit)
CNSP Network Security Practitioner (merit)

write-ups — memory regions // 0x00003000

Mapped regions

0x1000–0x1fff r-x reversing · insane

Enthiran — Neural-Network-Backed Binary (HTB Insane)

A stripped ELF64 hiding a 16-32-8-1 MLP whose dead-code path emits the flag. Conventional reversing finds nothing — solved by reasoning about L2 activations quantized to exact n/256 values and snapping FP rounding back to the build-time input.

reversing · neural-net · elf64 · htb
0x2000–0x2fff r-x reversing · medium

rev_dudsat — Doppler-Indexed Permutation Leak (HTB Medium)

A satellite Link Budget Processor ELF hiding its flag in a dead store. Three layers: an .init_array LCG Fisher-Yates shuffle, Doppler-themed FP arithmetic as a table index, and a stack value the printed output never reads.

reversing · lcg · dead-store · htb
0x3000–0x3fff r-x reversing · vm

Ghost — Custom VM Bytecode Interpreter (HTB)

A stripped ELF64 running a 99-opcode custom virtual machine against a 666-byte bytecode. Recovered the full ISA, disassembled the flag-check routine, and extracted the passphrase via symbolic execution of the KV-store logic.

reversing · vm · isa-recovery · htb
0x4000–0x4fff r-- crypto · coppersmith

Patient Zero 2 — RSA e=3 Coppersmith / LLL Attack (CTF)

RSA with e=3 and a predictably structured plaintext. Expressed the message as a linear polynomial in the unknown flag, made it monic via substitution, exploited the SDG{} format to shrink the unknown to 256 bits, and recovered the flag with SageMath small_roots() in ~10 seconds.

crypto · rsa · coppersmith · lll
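The Patient Zero 2 attack sketched above, as an added example that is not part of the original write-up: a pure-Python Coppersmith lattice with a textbook LLL standing in for SageMath's small_roots(). The RSA key, the plaintext and the SDG{} flag are constructed toy values (assumptions, not the CTF's); the message is written as A + B·x with x the unknown, f(x) = (A + B·x)^3 − c is made monic by multiplying through by B^−3 mod N, and the unknown is shrunk to 16 bits so that the minimal m = 1 lattice (bound roughly N^(1/6)) applies and the integer root of the reduced polynomial can be found by a plain scan rather than Sage's real-root isolation. The modular-inverse call pow(B, -3, N) needs Python 3.8 or later.

```python
"""
Stereotyped-message RSA with e = 3: recover a short unknown inside a known
plaintext layout with a Coppersmith lattice and a textbook LLL (a pure-Python
stand-in for SageMath's small_roots()). Added example; the RSA key, the
plaintext and the SDG{} flag are constructed toy values.
"""
import random
from fractions import Fraction

random.seed(0xC0FFEE)  # deterministic toy key; assumption, not a real CTF key


def is_probable_prime(n, rounds=16):
    """Miller-Rabin, adequate for generating a toy key."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random prime p with gcd(3, p - 1) = 1 so that e = 3 is a valid RSA exponent."""
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if (p - 1) % 3 and is_probable_prime(p):
            return p


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL on integer row vectors using exact rationals (fine for a 4x4 lattice)."""
    V = [list(row) for row in basis]
    n = len(V)

    def gram_schmidt():
        Vs, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = [Fraction(x) for x in V[i]]
            for j in range(i):
                mu[i][j] = sum(Fraction(a) * b for a, b in zip(V[i], Vs[j])) / sum(b * b for b in Vs[j])
                v = [vi - mu[i][j] * bj for vi, bj in zip(v, Vs[j])]
            Vs.append(v)
        return Vs, mu

    Vs, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):  # size-reduce row k against earlier rows
            q = round(mu[k][j])
            if q:
                V[k] = [a - q * b for a, b in zip(V[k], V[j])]
                Vs, mu = gram_schmidt()
        if sum(x * x for x in Vs[k]) >= (delta - mu[k][k - 1] ** 2) * sum(x * x for x in Vs[k - 1]):
            k += 1  # Lovasz condition holds
        else:
            V[k], V[k - 1] = V[k - 1], V[k]
            Vs, mu = gram_schmidt()
            k = max(k - 1, 1)
    return V


def coppersmith_small_root(N, c, A, B, X):
    """
    Find x in [0, X) with (A + B*x)^3 == c (mod N).
    f(x) = (A + B*x)^3 - c has leading coefficient B^3; multiplying by B^-3 mod N
    makes it monic with the same root. Lattice rows (m = 1): N, N*x, N*x^2, f(x),
    each evaluated at x*X so that a vector shorter than N/sqrt(4) is a polynomial
    that vanishes at the root over the integers (Howgrave-Graham); this small
    lattice handles X up to about N^(1/6).
    """
    inv = pow(B, -3, N)  # Python 3.8+; gcd(B, N) = 1 because N is odd
    f = [(A**3 - c) * inv % N, 3 * A**2 * B * inv % N, 3 * A * B**2 * inv % N, 1]
    rows = [[N * X**i if j == i else 0 for j in range(4)] for i in range(3)]
    rows.append([f[i] * X**i for i in range(4)])
    for row in lll(rows):
        g = [row[i] // X**i for i in range(4)]  # undo the x -> x*X scaling (exact)
        for x in range(X):  # toy-sized integer root scan; Sage isolates real roots instead
            if sum(coef * x**i for i, coef in enumerate(g)) == 0 and pow(A + B * x, 3, N) == c:
                return x
    return None


def demo():
    p, q = gen_prime(64), gen_prime(64)
    N = p * q
    flag = b"SDG{k3}"  # constructed; the attacker knows the SDG{...} wrapper, not "k3"
    c = pow(int.from_bytes(flag, "big"), 3, N)
    # Attacker view: m = A + 256*x with x the two unknown bytes, so 0 <= x < 2^16
    A = (int.from_bytes(b"SDG{", "big") << 24) | ord("}")
    x = coppersmith_small_root(N, c, A, 256, 1 << 16)
    return b"SDG{" + x.to_bytes(2, "big") + b"}"


if __name__ == "__main__":
    print(demo())
```

Scaling this to the write-up's 256-bit unknown means a larger lattice (Sage's m and t parameters push the bound toward N^(1/3)) and real-root isolation in place of the scan; the monic-polynomial construction and the Howgrave-Graham argument are unchanged.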