Hey, I'm Shadoe

Senior information security engineer, CIRT responder, and the person behind Penumbra Forge — an independent studio building privacy-first security tools and open source software.

Everything I build runs locally, collects nothing and respects your privacy.


From the Forge

Gate — The first secret scanner that fixes what it finds. 148 detection rules, credential verification, auto-remediation across 9 languages, incident response workflows, and compliance reports. Free, open source, runs 100% on your machine.

vexes — Cross-ecosystem dependency security scanner with a 4-layer behavioral analysis engine. AST code inspection, typosquat detection, behavioral fingerprinting, and pre-install guarding across 9 ecosystems. Catches supply chain attacks that vulnerability databases miss. Zero dependencies.

mcp-librarian — Intelligent MCP skills server for AI coding agents. BM25 search, Ed25519 integrity, progressive disclosure, zero dependencies. Works with Claude Code, Ollama, and anything that speaks MCP.

penumbraforge.com — 78 privacy-first developer and security tools, 12 hands-on offensive and defensive security labs, and a technical blog. All tools run client-side with no tracking, no accounts, no data collection.


What I'm working on

Umbra — A 100% local AI development environment. Full IDE with chat, agent mode, codebase RAG, inline completion, knowledge packs, and a plugin system. No cloud, no telemetry, no accounts — your code never leaves your machine.

  • Expanding Gate's detection rules and adding SARIF integration for GitHub Advanced Security
  • Expanding vexes ecosystem coverage and hardening the behavioral analysis engine
  • Building community skill packs for mcp-librarian
  • Writing new red team and blue team security labs (IDOR, race conditions, SSRF, SOAR playbooks)
  • Writing about security engineering: JWT pitfalls, log analysis from an attacker's perspective, security headers

Elsewhere