Veteran-owned boutique penetration testing. One senior operator. Zero checkbox theater.
I spent 11 years in the U.S. Air Force as a Cyber Operator, learning how to break things in environments where the stakes were real. After transitioning out, I took that experience into the private sector, doing penetration testing, bug bounty, and red team work across web applications, APIs, mobile platforms, and cloud environments.
JEAA Infosec is the natural extension of that work: a small, focused operation where every engagement gets my direct attention. No junior analysts running automated scans. No bloated reports full of scanner output. Just manual testing, real findings, and clear guidance on how to fix them.
I've seen how the big consulting firms operate. You sign a contract with impressive names on the letterhead, then your actual test gets handed off to whoever's available, sometimes someone fresh out of training running Nessus and copying the output into a template.
That's not how I work. When you engage JEAA, you get me. Twelve years of offensive security experience. Active Synack Red Team member. Someone who's still in the trenches finding vulnerabilities, not managing a pipeline.
I'm an active member of the Synack Red Team, a vetted community of security researchers who test some of the most hardened targets in the world. That means I'm constantly sharpening my skills against real applications with real defenses, not just training environments.
The bug bounty mindset matters. It keeps you honest. If you can't find real vulnerabilities on targets that have already been tested by other skilled researchers, you're not as good as you think you are.
11 years in Air Force cyber operations taught me more than just technical skills. It taught me how to operate under pressure, communicate clearly with people who don't speak "security," and deliver results on a timeline.
Mission focus. Clear reporting. No excuses. That's the standard I bring to every engagement.
Automated scanners are tools, not testers. They assist my work but don't replace thinking. Every finding in your report comes from hands-on testing.
You'll know what I'm doing and what I'm finding throughout the engagement. Critical issues get flagged immediately, not buried in a report.
Reports are written for humans, not compliance checkboxes. You'll get clear descriptions of what's broken, why it matters, and how to fix it.
I don't pad reports with informational findings to make them look impressive. You get what matters: real vulnerabilities that real attackers could exploit.
Let's have a technical conversation about your security needs. No sales pitch, just a scoping discussion.