Our clientele - ranging from Facebook to DARPA - lead their industries. Their dedicated security teams come to us for our foundational tools and deep expertise in reverse engineering, cryptography, virtualization, malware, and software exploits. According to their needs, we may audit their products or networks, consult on the modifications necessary for a secure deployment, or develop the features that close their security gaps.
We’re especially well suited for the technology, finance, and defense industries.
After solving the problem at hand, we continue to refine our work in service to the deeper issues. The knowledge we gain from each engagement and research project further hones our tools and processes, and extends our software engineers’ abilities. We believe the most meaningful security gains hide at the intersection of human intellect and computational power.
Interested in a career with us? If you’re a scientist or an engineer with an interest in computer security, then we should talk.
Meet our team
Akshay Kumar Senior Security Engineer
Akshay brings deep expertise in binary analysis to his work researching and developing solutions to program-analysis problems. Since joining Trail of Bits, he has added capabilities to the second version of McSema to lift program variables and the exception-handling stack. In the first version of Mcsema, Akshay enabled the capabilities that lift 64-bit binaries. Prior to Trail of Bits, Akshay has worked at Intel and Samsung. At Intel, he worked on hardware prototype to enable reversible debugging in the QuickIA processor chipset. At Samsung, he worked on their in-house mobile handset platform and was responsible for enhancing event-handling capabilities to support multithreading. Akshay holds an MS in computer engineering from the University of Toronto (2013), and a B.Tech in electrical engineering from the Indian Institute of Technology, Kharagpur (2008).
Alessandro Gario Senior Security Engineer
As a member of our engineering team, Alessandro works on open-source projects implementing new functionalities, reducing technical debt and improving their performance overall. His primary tasks involve modern C++ development, but he’s also really good with CMake, the de-facto standard build system for modern C and C++ projects. He always lends a hand to improve the quality of the build systems used by our code (like mcsema, remill, and abigen) and the projects we contribute to (like osquery). Since joining Trail of Bits, Alessandro has made substantial contributions to osquery, which have improved the responsiveness and reliability of all the Linux event-based tables, increased the agent’s speed, and helped system administrators to take faster action on possible threat alerts. Prior to joining our team, Alessandro worked for Cerbero GmbH where he contributed to a cross-platform file analysis framework, and implemented several libraries dedicated to parsing file system formats such as Office documents and Flash movies (swf). Along the way, he fell in love with the CMake build system and rewrote the deprecated project files from scratch in order to make it more robust and easier to debug and update. He regularly resists the urge to convert into CMake every legacy build system he comes across.
Alex Sotirov Co-Founder & CTO
Alexander Sotirov has more than twenty years of experience with vulnerability research, reverse engineering, and advanced exploitation techniques. His past work includes exploiting MD5 collisions to create a rogue Certificate Authority, bypassing the exploitation mitigations on Windows Vista, and developing the Heap Feng Shui browser exploitation technique. His professional experience includes positions as a security researcher at Determina and VMware. He is a regular speaker at security conferences around the world, including CanSecWest, BlackHat, and Recon. Alexander served as a program chair of the USENIX Workshop on Offensive Technologies and is one of the founders of the Pwnie Awards.
Amelia Brummund Director of Operations
Amelia keeps our operations running. She sets up and maintains our HR, finance and contract management systems. She has kept our books in pristine order, set up and managed our 401k, and facilitated our moves between vendors as necessary. Prior to joining Trail of Bits, Amelia taught conversational English to middle schoolers in Shenzhen, China, and freelanced as a copywriter. She holds a BA in linguistics from the University of Illinois Urbana-Champaign (2008).
Ana Vivian Office Manager
Ana helps support the team’s day-to-day office needs. She has cultivated an array of skills—from launching a rebrand to facilitating a complete office renovation— while working in administration for various companies. Outside of work, she pursues interests in photography, illustration, jewelry making and acrylic painting. Ana holds a BA in Psychology and Studio Art from Queens College (2013).
Artem Dinaburg Principal Security Engineer
Artem helps set technical direction for our research and engineering projects and ensures that our projects surpass customer expectations. His work touches the complete project lifecycle, from discovery to project management to final delivery. Throughout, he maintains technical direction, contributes code, and communicates with the end customer. Artem first joined Trail of Bits to lead our Cyber Grand Challenge team. Our small, internationally distributed team started with a blank slate and created effective vulnerability identification tools that we still use. Since then Artem has led our port of Facebook’s osquery to Windows and the implementation of a secure software updater for a commercial client. He was also our PI for DARPA’s CFAR and multiple other research projects. Artem’s research interests include automated vulnerability identification, program analysis, and usable security tools. Prior to joining Trail of Bits, Artem worked as a security researcher in academia and companies both large and small. He holds an MS in computer science from Georgia Tech (2009) and a BS in computer science from Penn State (2007).
Artur Cygan Security Engineer
Artur audits projects for security and correctness on our assurance team, and has contributed fixes and improvements to Echidna. Previously, he designed and operated the backend for Teamweek (teamweek.com) and led Teamweek product development at Toggl, where he managed the technical roadmap and a team of developers. He also built products at various startups, honing his expertise in server side engineering with a focus on functional languages. Artur holds a BS in computer science from AGH University of Science and Technology (2016), and currently contributes to Elixir and Erlang/OTP in addition to his role at Trail of Bits.
Ben Perez Security Engineer
Ben brings expertise in formal methods and applied cryptography to his work on blockchain security tools, cryptography research, and software assessments. Since joining Trail of Bits, Ben has made significant contributions to Echidna, our EVM smart fuzzer, and audited a wide variety of blockchain and cryptographic codebases. Prior to working at Trail of Bits he wrote a master’s thesis on computationally efficient dimension reduction algorithms. Ben has held internships at Galois (binary lifting), JP Morgan (quorum engineering), and the Department of Defense (cryptography research). Coming from a very academic background, he likes working on audits and tools that benefit from mathematical or cryptographic research. Ben holds an MS in computer science from UC San Diego (2018), and a BA in mathematics from St. Olaf College (2014).
Brad Larsen Senior Security Engineer
A member of our Research Practice, Brad currently contributes to our LADS and SafeDocs projects. Prior to coming to Trail of Bits, he worked at Ab Initio Software, where he established a continuous delivery workflow for static code analysis of a large C++ codebase, and, through this, found and fixed hundreds of code defects.
Earlier, Brad worked for four years at Veracode on their core binary static analysis product. Among his projects there, he led the development of a symbolic execution system — built on top of the Z3 SMT solver — that was used in production to automatically suppress false positive reports from the static analyzer for memory-related issues in C and C++ code. Also of note, he developed a custom static analyzer for an internally-used domain-specific language, which allowed for the identification and remediation of more than 1,000 defects. He and his team integrated the custom static analyzer with the development workflow, preventing those sort of errors from being introduced again in the future.
Brad holds an MS in computer science from the University of New Hampshire (2010) and a BA in philosophy from the University of New Hampshire (2009). He also studied programming language theory at Tufts University.
Cara Pearson Senior Project Manager
Cara is a senior project manager at Trail of Bits. She joined the team from Prescient Security where she managed the delivery of security audits and application penetration tests. Prior to that she was a Penetration Testing Project Manager at Rapid7 where she managed a high volume of network, application, IoT, and social engineering assessments. She brings experience in product implementation projects and customer support to the team. Cara holds a BS in Integrated Science & Technology from James Madison University (2011).
Carson Harmon Security Engineer
Carson is a security engineer with a commitment to the practical. He is interested in automated vulnerability discovery, language based security, and building secure systems. Carson was previously an intern at Trail of Bits, where he focused on developing program transformation tools. Carson was also a co-op at Draper’s Breakerspace, where he focused on developing fuzzers for kernels and userspace applications, and performed other program analysis tasks at Purdue and The Federal Reserve Bank of Chicago. Carson holds a Bachelors Degree in Computer Science from Purdue University.
Chris Evans Senior Security Engineer
Chris conducts security assessments of software, contributes to the development of our engineering tools for vulnerability discovery and triage, and researches blockchain security. Prior to joining the company, Chris hopped around the NYC startup scene working in application development before digging into security with an emphasis in embedded security and IOT devices. Highlights from that time include the development of the persistent ARM Trustzone exploit targeting an OEM bootrom, and Van Eck phreaking a printer. In college, he divided his focus between translation of bhakti poetry from Southeast India, and systems and kernel programming in computer science. Chris holds a dual BA in computer science and religion from Columbia University (2015).
Dan Guido Co-Founder & CEO
Dan co-founded Trail of Bits in 2012 to address software security challenges with cutting-edge research. In his tenure as CEO, Dan has grown the team to 40 engineers, led their work on the DARPA Cyber Grand Challenge, built an industry-leading blockchain security practice, and refined open-source tools in the endpoint security market. In addition to his work at Trail of Bits, Dan serves as a director at hack/secure, an investment syndicate focused on seed stage cybersecurity firms. He’s active on the boards of four early-stage technology companies. Dan contributes to cybersecurity policy papers from RAND, CNAS, and Harvard. He runs Empire Hacking, a 1,000-member meetup group focused on NYC-area cybersecurity professionals. His latest hobby coding project – AlgoVPN – is the internet’s most recommended self-hosted VPN. In prior roles, Dan taught a capstone course on software exploitation at NYU as a faculty member and the Hacker in Residence, consulted at iSEC Partners (now NCC Group), and worked as an incident response analyst for the Federal Reserve System. Dan holds a BS in computer science from NYU Tandon.
David Pokora Security Engineer
As a member of our blockchain working group, David helps to improve Slither, performs assessments on blockchain-related projects, and contributes to projects that require reverse engineering. Prior to joining Trail of Bits, he worked at Hosho Group, a smart contract auditing firm. There, David worked on tooling that would improve the group’s auditing practices, including the creation of a fast cross-platform .NET alternative to Truffle suite featuring build-time C# interface generation for Solidity smart contracts, MSTest Unit Test Framework integration with coverage report generation, and Solidity breakpoint debugging with Visual Studio Code. Outside of his work, he’s happy to have found and disclosed a symbolic path traversal vulnerability affecting the Microsoft’s Xbox One gaming console. David holds an BS in computer science from the University of Toronto (2017).
Dominik Czarnota Security Engineer
Dominik audits low-level code and smart contracts for our clients, and supports the development of our in-house tools like Manticore. Since joining Trail of Bits, he has helped to release Slither and add its plugin architecture, extended compiler mitigations recommendations, and given an internal Python tools training. Prior to joining, Dominik has worked at IGE+XAO and Investio as a developer (C#/C++ and Python backend, respectively), and Comarch and Collective Sense as a security specialist. Outside of work, he captains the CTF team Just Cat The Fish (previously JHTC, where he gave workshops) and moderates Gynvael Coldwind’s livestreams. He’s an active contributor and speaker at Krakow’s Python meetup (Pykonik). Earlier, he served as president of Kernel Scientific Circle, a student group dedicated to applied computer science and computer physics. He holds an MS and BS in applied computer science from AGH University of Science and Technology (2017 and 2016, respectively).
Eric Hennenfent Security Engineer
Eric builds software tools for binary analysis and symbolic execution that support our research. He’s the technical lead for Sienna Locomotive, a project he joined as an intern and has since shepherded through several major deadlines. When he isn’t working on SL, he’s a regular contributor to our research on LADS. Prior to joining Trail of Bits, Eric built dynamic analysis tools for Binary Ninja at NCC Group, and contributed to a research project at UIUC that looked for bugs in SSL libraries via large-scale differential testing. Outside of work, he helps with the Cyphercon and THOTCON Biohacking villages, and periodically checks in on the CTF he resurrected at UIUC’s security club (SIGPwny). Eric holds a BS in computer science from the University of Illinois at Urbana-Champaign (2018).
Eric Kilmer Security Engineer
Eric works on our research and development team to enhance and apply our tools to government contracts sponsored by DARPA and other U.S. agencies. Before joining Trail of Bits he worked at MIT Lincoln Laboratory where he made significant contributions in developing a test harness and deployment infrastructure focused on extending the usable, secure life cycle of resource-adaptable software systems. After that project, he transitioned to the research and development of compiler features for source code transformations of the C programming language. Prior, Eric researched and wrote his thesis on vulnerability discovery techniques related to the combination of fuzzing and symbolic/concolic execution and how to migrate the results achieved during DARPA’s Cyber Grand Challenge to traditional binaries. Aside from college internships related to malware analysis (Symantec) and network security (Army Research Lab), Eric participated in a class-action lawsuit and another legal case where he acted as an assistant expert witness/consultant to his professor, Patrick McDaniel, by performing reverse engineering and computer system forensics. He holds an MS and BS in computer science and engineering from Penn State University (2017).
Evan Sultanik Senior Security Engineer
Evan has contributed to our security engineering, assessment, and research practices. Today, he spends most of his time in the assessment practice on software audits, both blockchain-related and not. He contributes to Manticore and recently developed a new tool for automating advanced smart contract testing: Etheno. Evan began his career as a software engineer. Later, he attended university and spent a decade in academia (Drexel University and Johns Hopkins University APL) before settling in cybersecurity R&D. Outside of work, Evan occasionally teaches courses in artificial intelligence as an adjunct professor. He’s an editor of and frequent contributor to the offensive security journal Proof of Concept or GTFO. Evan holds a Ph.D. (2010), MS (2006) and BS (2006) in computer science and a BS (2006) in mathematics from Drexel University.
Felipe Manzano Security Engineer
Felipe helps to maintain our program analysis tools. Since joining the company, he has made substantial contributions to Manticore and its predecessor, PySymEmu, and our efforts in the Cyber Grand Challenge. Felipe brings a deep background in exploit development. In the past, he has published exploits browsers and PDF readers on iOS, OSX, Linux, and Windows. These exploits made it into all major exploits packs – Canvas, Impact and Metasploit. Prior to joining Trail of Bits, Felipe performed security research at Binamuse, wrote exploits at Core Security Technologies, and advised on security architecture design at Flowgate Consulting. He holds a BS in computer science from the Universidad Nacional de Rosario (Argentina), a five-year curriculum (2004).
Garret Reece Senior Security Engineer
Garret helps to develop our tools, from open-source projects to adding new features to software analysis applications. He has added new capabilities to osquery, including a forensics extension for NTFS, implemented Thumb mode support for Manticore, and added access control list capability to Confidant. Prior to joining Trail of Bits in 2016, Garret developed program analysis tools at Raytheon, and developed software for unmanned aircraft systems at Northrop Grumman Corporation. He holds an MS (2006) and BS (2005) in computer science from Florida State University.
Gustavo Grieco Security Engineer
Gustavo works on our research and development team to improve our tools’ ability to detect vulnerabilities in software. In addition, he assesses code from our clients’ computer programs and smart contracts to identify security issues and flaws. Since joining Trail of Bits, he has added experimental features and improvements to Echidna, and made contributions to Manticore. Prior, he worked for a small startup in San Francisco researching and developing a machine learning technique to detect websites selling counterfeit products. Gustavo has spent most of his career pursuing his PhD, with security-related research internships in France (Grenoble, INRIA and VERIMAG), Spain (Madrid, IMDEA Software) and the U.S. (Pittsburgh, Carnegie Mellon University, CyLab). During that time, he helped to develop QuickFuzz, an experimental grammar fuzzer in Haskell using QuickCheck, and VDiscover, a large-scale vulnerability discovery tool using state-of-the-art machine learning techniques. He has reported a substantial number of security issues related to many high-profile open-source projects, including Mozilla Firefox, Webkit and LibXML. Gustavo earned his PhD (2018) and MS (2012) in computer science from the University of Rosario, Argentina.
Jay Little Principal Security Engineer
Jay analyzes and understands software to find vulnerabilities and determine their impact. Of his contributions since joining Trail of Bits, he’s proudest of maintaining the evm-opcodes wiki, a collection of information about Ethereum virtual machine instructions. Before Trail of Bits, Jay worked on Raytheon SIGOVS’s as a Senior Software Engineer. There, he analyzed and reverse-engineered software, created debuggers and fault injection tools, and maintained hundreds of servers in the pre-cloud era. Outside of work, Jay ran and organized the Shmoocon conference’s Ghost in the Shellcode CTF from 2010 to 2015. He has played CTF on teams including Vedagodz, HatesIrony, and Marauders, and competed with the winning Defcon CTF finals team in 2009. Jay holds a BA in Mathematics from the University of South Florida (2014).
Jim Miller Security Engineer
Jim is a Security Engineer and member of the Cryptography team, where he applies his knowledge of cryptography into exciting, cutting-edge research projects and assurance projects with advanced cryptographic protocols. Jim received a BS in mathematics and physics from the University of Notre Dame in 2016. After that, he received a Masters in mathematics from Cambridge University in 2017. He then spent the next two years in a Ph.D. program at Yale University. At Yale, Jim researched lattice-based verifiable computation and other lattice-based cryptographic research problems.
John Foley Senior Software Engineer
John works on the iVerify iOS app and helps develop our product offerings and practices from the early stages and onward. Previously, John built his career as a consultant, instructor, and platform engineer at Pivotal Labs. In one of his favorite Pivotal projects, he helped build the backend for a wifi-connected kitchen tool, which involved tens of thousands of simultaneously connected devices controlled by an iOS app. John also holds a BS in Computer Science from the University of Colorado at Boulder (2014).
Josh Hofing Security Engineer
Josh joined us after studying at NYU, and currently audits code for security issues. Previously he ran CSAW CTF, a major college-level capture-the-flag competition, and was part of the OSIRIS lab at NYU.
Josh Watson Senior Security Engineer
Josh spends most of his time auditing software and developing our program analysis tools. As our resident expert in Binary Ninja, he develops and delivers training materials for our privately offered courses on the reversing platform. He has published numerous articles about reverse engineering with the Binary Ninja APIs–-which remain some of the most detailed documentation available on the internet–-and released several related open-source plugins and tools. He has made a considerable contribution to Ethersplay, our EVM disassembler plugin for Binary Ninja.
Josh began his career surveying a diversity of techniques and ideas in the state of the art of the industry as a network security patent examiner for the U.S. Patent and Trademark Office. From there, he sought and found more hands-on work in the Department of Defense where he developed tools to support network exploitation operations, and even deployed overseas for a time in support of the DOD mission. In late 2013, Josh entered the private industry as a vulnerability researcher for Raytheon. He joined Trail of Bits in 2017 as a Senior Security Engineer. Josh holds a BS in computer science from Florida State University (2006).
Josselin Feist Senior Security Engineer
Josselin builds tools to review smart contracts and then applies them in our assessments for clients’ platforms. He also provides help and feedback on other blockchain-related projects. Since joining Trail of Bits, Josselin has led the development of Slither and made substantial contributions to Ethersplay. Prior, Josselin received his PhD from Grenoble (France, 2017). There, he combined static analysis and symbolic execution to find heap-related vulnerabilities on binary code, and built gueb, a static analyzer that detects use-after-free in binary code.
JP Smith Senior Security Engineer
JP contributes an array of skills to our cryptography and blockchain practices. He’s proficient in program analysis, cryptography, software reverse engineering, and abstract mathematics. Since joining Trail of Bits, JP has written Echidna (our next-generation EVM smart fuzzer), led an assessment of Project Callisto’s novel threshold cryptography, audited formally verified smart contracts, and mentored a high school intern to perform RSA fault analysis with Manticore. Prior to joining the team, JP led a team to design and fabricate low-cost transcranial direct current stimulation machines, won the underhanded crypto contest in 2017, took second place at the 2017 CSAW’s CTF, implemented backdoored Dual EC DRBG for a CTF challenge, and implemented a custom-ISA CPU for another CTF challenge. He earned his BS in mathematics from University of Illinois Urbana-Champaign in 2017.
Kaisa Filppula Software Engineer
Katherine Teitler Head of Marketing
Katherine writes content for Trail of Bits, refining messaging for Binary Ninja Training, writing content for iVerify, and promoting Crytic. Previously, Katherine worked for 14 years in technology sales before moving over to content in 2011, and has managed, written, and published content for two research firms, a cybersecurity events company, and a security software vendor. She also co-authored “Zero Trust Security for Dummies,” managed content and speakers for InfoSec World, and started the syndicated research program at IANS Research, a boutique cybersecurity advisory firm. In addition to her role at Trail of Bits, Katherine is a Senior Research Analyst for TAG Cyber. She holds a BA in Music from the University of Rochester/Eastman School of Music, and an MA in Music and the University of Minnesota.
Kristin Mayo Security Engineer
Kristin focuses on assurance and web security. Before joining Trail of Bits, Kristin honed her skills as a software developer for an education management software company, and developed command line tools using Python to automate administrative functions, including an interface for GoPhish to facilitate phishing awareness training. She earned a BA in International Relations and an MS in computer science from the State University of New York at New Paltz (SUNY), where she interned under the CISO as a Special Projects Assistant. As a grad student, Kristin also contributed to research and development of the initial curriculum for the university’s first security course, Intro to Cybersecurity, and taught lab classes in Cybersecurity, Assembly Language & Computer Architecture, Data Structures, Web Programming, and more. Currently, in addition to her role at Trail of Bits, Kristin is an adjunct lecturer on Web Design at SUNY New Paltz.
Lauren Pearl Director of Strategy & Finance
Lauren analyzes our business to answer strategic questions and helps us grow in a smart, sustainable way. She’s in charge of the business’s finances, including financial planning and analysis, budgeting, and corporate financing. The rest of her time divides between strategic projects, marketing, recruiting, business development, and the management activities of projects, people, contracts and clients. Among her many contributions, she has helped us restructure our organization to scale leadership while maintaining our flat culture, spearheaded our diversity and inclusion initiatives, and conducted a user study and three-part blog post series on user perspectives for osquery, now an industry reference for the tool. Prior to joining Trail of Bits, Lauren worked for Deloitte Consulting in their strategy and operations practice. Prior to that, she tried and failed to save her family’s 184-year-old shoe retail company - an experience that remains her most valuable business lesson to date. She holds an MBA from New York University (2015) and a BA in philosophy and psychology from Boston University (2009).
Michael Colburn Security Engineer
Michael works on the assurance team conducting audits of blockchain applications, with a focus on Ethereum smart contracts. He joined us as a security intern while he was earning his Master’s degree. For his Master’s thesis, he applied proof of work algorithms to digital signatures to produce signatures that expire after some amount of time. For his undergrad thesis, he broke a then-recently proposed block cipher using linear cryptanalysis. Michael holds an MS in Information Systems Security from Concordia University (2018), and a BS in computer science from Mount Allison University (2010).
Mike Myers Engineering Practice Lead
As the Engineering Practice Lead, Mike manages the security engineering team, and works with customers to improve, extend, and integrate with the best available open-source security tools. While at Trail of Bits, Mike has helped increase the coverage of the x86 instruction set in our Remill binary lifting library, security audited kernel-mode code for Microsoft, and represented the company’s continuing commitment to osquery endpoint agent development. He has contributed his unique perspective of application security and technical risk modeling to our blockchain security services practice, advising large financial firms on deployment strategy, and has led application security assessments of both Bitcoin and Ethereum client implementations. Mike began his career as a system-level security researcher and engineer in the national security community. He has previously led or been a key contributor at multiple small companies in information security, in roles up to and including CTO. Mike holds a BS in computer engineering from Virginia Tech (2000).
Nick Sellier Senior Security Engineer
Prior to joining Trail of Bits, Nick worked at Raytheon SIGOVS as a software engineer. He’s stared at IDA Pro and gdb for longer than he cares to admit. Nick holds a BS in computer and information science from the University of Florida (2006).
Nicole Hoffman Bookkeeper
Nicole focuses on accurately and efficiently providing financial data for company reporting and strategy. In addition to maintaining our financial records, she has mastered Enterprise Resource Planning (ERP) software programs and successfully implemented procedures to assist the team in reaching overall company goals. Before joining Trail of Bits, Nicole led accounts receivable and assisted with accounts payable and financial reporting for a student housing company. Nicole received a BA in business management from Brigham Young University—Idaho in 2017. Outside of work she enjoys spending time with family, music, photography, and decorating.
Paul Kehrer Principal Security Engineer
Paul audits codebases that have significant cryptographic implementations to find both code-level vulnerabilities and architectural issues. He draws upon those engagements to write educational blog posts, tools and libraries for cryptographers. Before joining Trail of Bits, Paul helped design and implement a key management service for RackSpace’s OpenStack cloud project and helped to build the engineering organization for the managed security product. Earlier, he designed and built both the technical and governance-related infrastructure for a globally trusted certification authority at Trustwave. A founding member of the Python Cryptographic Authority, Paul has played a major part in the development of three major cryptographic libraries in Python since 2013, acquired significant experience with public key infrastructure, and written a production certificate authority including registration authority and revocation infrastructure. He holds a BS in physics from the University of Texas at Austin (2007).
Peter Goodman Senior Security Engineer
As the resident expert and technical lead for all our binary-translation solutions, Peter delivers novel and efficient solutions to highly technical and challenging program-analysis problems. Since joining Trail of Bits, Peter has made many significant contributions to the field of information security. He created GRR, a high-throughput emulation-based fuzzer that was the backbone of our bug-finding system in DARPA’s Cyber Grand Challenge. Following that, Peter created Remill, a library for translating machine code instructions into the LLVM compiler toolchain’s intermediate representation. He used Remill to create the second version of McSema, our whole-program, static binary translator. Finally, he created a novel unit testing framework, DeepState, which enables everyday developers to take advantage of powerful bug-finding techniques, like symbolic execution and coverage-guided mutational fuzzing. Before joining Trail of Bits, Peter has worked at Google and BlackBerry. At Google he worked on tools that helped to diagnose long-tail latencies in production code. At BlackBerry, he worked on the code responsible for scheduling over-the-air messages in layer 1 of an LTE protocol stack. Peter holds a BS in computer science from Western University (2011) and an MS in computer science from the University of Toronto (2013).
Phil Marquardt Senior Security Engineer
Phil audits C/C++ software for vulnerabilities. Prior to joining Trail of Bits, Phil audited software at Raytheon SI for about five years. He reverse engineered and analyzed malware and ran research programs at MIT Lincoln Laboratory for about three years. There, he developed a malicious Firefox extension to show a customer how easily their website could be compromised. Earlier, he developed mobile security solutions at Georgia Tech Research Institute for about three years. Phil’s Master’s thesis at Georgia Tech involved developing a technique to take accelerometer output from an iPhone and use it to decode keystrokes on a desktop keyboard oriented next to the iPhone. Leveraging machine learning and dictionary attacks, he and his collaborators gained ~80% accuracy in decoding those keystrokes in a controlled environment. This work led to mobile manufacturers adding permission requirements for applications using accelerometer data where such requirements did not previously exist. Phil holds a BS and MS in computer science from the Georgia Institute of Technology (2009, 2010).
Robert Tonic Security Engineer
Robert performs audits and assessments of blockchain and web-related technologies in our assurance practice. He most enjoys client interactions, especially those that help clients uncover deep-rooted design flaws and correctness issues. Prior to joining Trail of Bits, Robert worked at various smaller startups in roles that involved application development and security. Later, he decided to concentrate on roles focused in security. He has a passion for building and maintaining clean, clear, and concise infrastructure, especially those based on Vagrant and other “software-defined infrastructure” stacks. Robert is working towards a BS in psychology, with a focus (certificate) on behavioral forensics. Outside of work and school, he is a member of the operations team for the University of Central Florida’s Collegiate Cyber Defence Club (Hack@UCF).
Ryan Stortz Principal Security Engineer
Ryan focuses on software audits and program analysis tooling. Additionally, he runs our winternship program. Since joining Trail of Bits, Ryan has made many significant contributions, including Tidas and Rattle. Tidas was a prototype biometric identification service using Apple’s TouchID and the first public project to use TouchID for digital signatures. It now serves as a reference to developers looking to implement and use TouchID’s (and FaceID’s) cryptographic primitives. Rattle is a binary static analysis framework for Ethereum EVM. Rattle analyzes Ethereum EVM, recreating the control flow graph, recovering variables, lifting the control flow graph into a single-static-assignment form, and optimizing the output. The output can then be checked for specific properties, such as upgradeability. Prior to Trail of Bits, Ryan worked at Raytheon SIGOVS for six years where he was a vulnerability researcher and reverse engineer. Ryan holds a BS in computer networks and systems (aka computer engineering) from Ferris State University (2008).
Sahil Suneja Senior Security Engineer
Sahil draws on a deep background in systems monitoring, and contributes his expertise to our OSquery instrumentation work. At Trail of Bits, he has written a connector that talks to TAXII servers to pull security feeds for CarbonBlack; performed a Terraform system upgrade for Airbnb’s StreamAlert service; and upgraded Python testing for the OSquery monitoring framework evolved by Facebook, Linux Foundation, and Trail of Bits. Previously, Sahil worked on agentless VM and container monitoring at IBM, and on energy-aware video players for smartphones at Microsoft. He holds a BA and an MA in Computer Science and Engineering from the Indian Institute of Technology Kanpur (2010). Sunil also earned a PhD in Computer Science from the University of Toronto (2016), where he developed multiple techniques to monitor VMs non-intrusively, using VM introspection and VM cloning + code injection for his PhD thesis.
Sam Sharps Senior Security Engineer
Sam audits low-level C/C++ software for vulnerabilities. Of his contributions, he is especially proud to have identified memory corruption vulnerabilities in the macOS kernel driver of a prominent endpoint protection product. Before joining our team in 2015, Sam worked as a vulnerability researcher at Raytheon SIGOVs for three years. He has been quite active in the CTF circuit. Sam used to play with team Marauders. He wrote challenges for Ghost in the Shellcode CTF in 2014 and 2015. In 2012 he played in Defcon’s CTF finals with team V&.
Samuel Moelius Senior Security Engineer
Sam analyzes blockchain implementations with an eye toward their security. Prior to joining our team, he spent nine years as a Research Staff Member at the IDA Center for Computing Sciences. Before that, he completed some interesting theoretical work in graduate school. There, he was tasked with characterizing the programming systems (an abstraction of the notion of programming language) that allow program self-reference. Sam produced several such characterizations, along with numerous additional results concerning such programming systems. Prior to attending graduate school, he served in the U.S. Army as a Military Intelligence Officer for four years. Sam holds a PhD in computer science from the University of Delaware (2009), an MS in computer science from Drexel University (2004), and a BS in computer science from Drexel University (1998).
Scott Cohen Senior Security Engineer
Scott performs security audits of clients’ C++ source code to ensure the software is safe to use. Before joining Trail of Bits, Scott was an engineer at Raytheon where he performed security audits of software and reverse engineered software of many different architectures and for many different platforms. Prior to working at Raytheon, he made a hobby out of reverse engineering online games and then writing server emulators and cheats for them.
Stefan Edwards Assurance Practice Lead
Stefan performs assurance work across a variety of verticals, from blockchain to IoT to Defense. In addition, he’s heavily involved in our infrastructure and architecture review work, and makes discerning comments in our reports. Prior to Trail of Bits, Stefan worked at nVisium, and prior to that, Aspect Security. In both roles, he conducted systems administration and development, with experience in large Java, XQuery, and C code bases. Earlier, he was an independent software consultant, mainly working in scientific publishing. Stefan spent several years developing code for large publishers like American Institute of Physics, American Physical Society, and Knovel. His research interests focus on programming language theory, formal modeling, and designing security into the base of languages. In his spare time, Stefan focuses on compiler optimization, symbolic execution, reading and agronomy.
Stefano Bonicatti Software Engineer
As a part of the engineering team, Stefano makes sure our code and contributions to open-source software are reliable and high quality. Stefano always performs in-depth analysis with best practices in software development, and state-of-the-art techniques and tools when triaging issues. He’s a huge supporter of software testability. Since joining Trail of Bits, Stefano has supported the Trail of Bits fork of Facebook osquery: osql. He helped redesign the build system in CMake, added better support for Windows and Linux, and restored other functionality that was lost in the transition. Before joining our team, Stefano worked in a small Italian company as a Software Engineer. There, he maintained and developed a Solaris in kernel virtual filesystem and part of its userspace utilities. When the company was acquired by Cloudian, Stefano became a Senior Software Engineer. Back in 2015, he contributed to an open-source digital painting application named Krita, which is under the KDE foundation. Beyond fixing several memory leaks, crashes and in general making the product more stable, Stefano fixed a long outstanding bug with the OpenGL accelerated canvas not rendering when using AMD proprietary drivers on Linux.
Steve L Principal Security Engineer
When Steve joined our team in early 2019, he brought deep experience in security audits of C, and C++ source code, as well as reverse engineering compiled software for clients that had lost their source code. We were especially impressed with the diverse system architectures he’d learned during his career. Before joining Trail of Bits, Steve worked independently on projects involving software development and analysis. He started out in this discipline completing crackmes on crackme.de with OllyDbg. Steve holds a BA in mathematics from the University of Cincinnati (2011).
Trent Brunson Research Practice Lead
Dr. Trent Brunson leads our Research and Development Practice. He’s responsible for evaluating the state of the art in computer security, anticipating from where the most efficient advancements will come next, and collaborating with others to push those ideas into applied research projects. To encourage collaboration between Trail of Bits researchers and partners in academia, industry, and government, Dr. Brunson hosts a public virtual study group every other Friday. There, authors of academic publications are invited for productive and friendly discussion of their research. When ideas gain traction, he articulates them as proposals for research funding, and then ensures that the projects are carried out thoughtfully, responsibly, and ethically. Prior to joining Trail of Bits, Dr. Brunson worked for Assured Information Security in Rome, NY, and the Georgia Tech Research Institute in Atlanta developing technologies for a broad range of topics in software and information security. Dr. Brunson received his PhD in computational physics from Emory University in Atlanta (2014).
Weston Hopkins Senior Security Engineer
Weston blends novel technique, intuition, and measured employment of research to hone the edge of vulnerability discovery. He has a long history of fascination with, and diverse exposure to, all things tech. Prior to joining Trail of Bits, Weston founded the security company Xentao LLC, performed vulnerability discovery for Accenture Federal Services and Endgame, and spent 9 years at the DoD. He is a member of the winning DEFCON CTF team Samurai (俘) and enjoys fuzzer and vulnerability discovery tool development. Weston holds an MS in computer science from the University of Texas at Dallas (2003) and a BS in electrical engineering from the University of Texas at Austin (2001).
William Mason Senior Security Engineer
William has over 10 years of experience reviewing software for security flaws. Most of his projects takes place on C/C++ written software. In addition to finding vulnerabilities and helping secure software, he has developed and delivered a class that took students through the internals of iOS and what it takes to develop a jailbreak. Prior to joining Trail of Bits, he was a Principal Software Engineer at Raytheon SIGOVS. His experience includes vulnerability research, reverse engineering, and advanced exploitation techniques. He was a member of the HatesIrony CTF team in 2011 and 2012 when the team went to the DEFCON CTF finals. William holds a BS in computer engineering from the University of Massachusetts Dartmouth (2010).
Will Song Security Engineer
Will uses his extensive general knowledge of pure mathematics and its applications to cryptography to audit our client’s cryptographic code and protocols. Proficient in cryptography, reverse engineering, functional programming, and pure mathematics, he wishes to put his skills to use after being hired shortly after Trail of Bits announced its new crypto division. Despite joining in February 2019, he has already written a major unit testing patch for Echidna during his first week. Prior, he has conspired with JP in writing a DUAL_EC_DRBG CTF challenge, winning the 2017 underhanded crypto contest, and placing 2nd at the 2017 CSAW CTF finals. He has also participated in prestigious mathematics contests such as the Harvard-MIT Math Tournament, USA Math Olympiad, and the Putnam Competition. He earned his BA in Mathematics and Computer Science from the University of Illinois of Urbana-Champaign in 2018. During his spare time, he coaches young students in contest mathematics.
William Woodruff Security Engineer
William contributes to our engineering and research practices in work for corporate and governmental clients. In his time with us, he has developed several of our open-source projects (e.g., twa, winchecksec, and pe-parse with Alessandro). He’s currently one of the developers working on Sienna Locomotive, our integrated fuzzing and crash triage platform. Outside of the company, William helps to maintain the Homebrew project, the dominant macOS package manager. Before joining Trail of Bits, he was a software engineering intern at Cipher Tech Solutions, a small defense subcontractor. He has participated in the Google Summer of Code for four years (two as a student, two as a mentor) and taught a class in ethical hacking as a college senior. William holds a BA in philosophy from the University of Maryland (2018).