
Reinaldo A. Moodey
Cybersecurity Analyst | Email Security Advisor | Cloud Architect
My Services
Web App Penetration Testing
Email Security & Phishing Simulation
Cloud Security Architecture
Web App Penetration Testing
As a Web Application Penetration Tester, I specialize in identifying and safely exploiting security flaws in modern web technologies to help organizations secure their digital assets. My engagements have supported local government infrastructures, financial institutions, and HR-compliant web platforms, with a strong focus on real-world threat emulation, regulatory alignment, and actionable remediation.
Threat Modeling and Attack Surface Analysis: I perform an in-depth review of application architecture, data flow diagrams, third-party integrations, and potential user roles to develop targeted threat models. This includes assessing the application’s trust boundaries, privilege zones, and threat agents to map exploitable entry points in line with STRIDE and OWASP threat categories.
Hands-on Testing of OWASP Top 10 and Business Logic Flaws: Using both automated scanning and deep manual testing, I evaluate the application for critical vulnerabilities such as SQL Injection, Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), Broken Access Control, and Insecure Deserialization. I also identify less obvious business logic flaws—such as privilege escalation via predictable object references or bypassing multi-step workflows—to simulate what an informed adversary might discover.
Use of Leading Tools Like Burp Suite, Nmap, and Custom Scripts: I rely on professional-grade tools like Burp Suite Pro (for intercepting and manipulating HTTP traffic), Nmap (for endpoint discovery and service enumeration), Nikto and ffuf (for directory brute-forcing), along with custom Bash, Python, and JavaScript payloads crafted to bypass WAFs and filters. Additionally, I leverage extensions like Autorize and Turbo Intruder for access control and fuzzing at scale.
Manual Exploitation for Precision and False-Positive Reduction: Rather than depending solely on scanners, I manually validate all findings—such as exploiting authentication bypasses, chainable misconfigurations, and custom API abuses—to confirm real-world impact. This results in reports that are 100% actionable, free from noise, and tailored to dev, ops, and executive audiences.
Reporting with Reproducible Proof-of-Concepts and Risk Ratings: Every engagement includes detailed documentation with proof-of-concept steps (screenshots, HTTP requests, payloads), CVSS-based risk scoring, business impact analysis, and tailored remediation advice. Where needed, I also support teams with developer-focused fix sessions and retesting cycles.
Email Security & Phishing Simulation
I specialize in assessing, simulating, and securing enterprise email environments through a dual lens: offensive phishing simulation and defensive email security management. My engagements support a full-spectrum email threat strategy, from mimicking advanced phishing attacks to fortifying defenses with industry-leading security tools like Proofpoint.
Designing Threat-Realistic Phishing Campaigns: I craft and execute tailored phishing simulations that reflect real-world adversarial TTPs (tactics, techniques, and procedures), including credential harvesting, payload-based lures, business email compromise (BEC), and QR phishing. Campaigns are aligned with the organization’s threat model and compliance boundaries, and are built to test both users and technical defenses.
Proofpoint Deployment and Administration: I lead the deployment, configuration, and ongoing administration of Proofpoint Email Protection, including:
- Policy creation for anti-spam, malware, impostor detection (BEC), and data loss prevention (DLP)
- Tuning of URL Defense, Attachment Defense, and Threat Response Auto-Pull (TRAP)
- Custom rule sets for domain spoofing protection using SPF, DKIM, and DMARC
- Integration with SIEMs and SOC playbooks for incident response enrichment
- User education and quarantine handling workflows using TAP dashboards and end-user digests
Email Security Posture Assessment: I evaluate email delivery pipelines to identify misconfigurations and bypass opportunities, including header manipulation, weak filtering rules, insufficient DMARC enforcement, and threat feed blind spots. I also conduct controlled tests to validate Proofpoint’s filtering efficacy against evasive payloads and phishing techniques.
User Behavior Analysis and Risk Metrics: Post-campaign analysis includes click-through rates, data entry metrics, repeat offender trends, and departmental breakdowns. This provides insights into human risk posture, feeding into targeted security awareness strategies and training reinforcement programs.
Reporting for All Stakeholders: I deliver:
- Executive Summaries with engagement metrics, risk levels, and organizational recommendations
- Technical Reports with phishing indicators, bypass methods, Proofpoint policy gaps, and SIEM enrichment suggestions
Continuous Tuning and Training Support: In partnership with client IT and security teams, I continuously tune Proofpoint policies, onboard domains, optimize rulesets, and align technical controls with NIST, CIS, and industry-specific compliance frameworks. I also provide hands-on training for security admins and awareness teams to maintain operational readiness.
Cloud Security Architecture
(Agile Certified | PMP | Offensive & Defensive Security Expertise)
As a Cloud Security Architect, I specialize in designing and implementing secure, scalable, and compliant cloud architectures across AWS, Azure, and hybrid environments. I bring a unique blend of technical depth, offensive security insight, and agile leadership, supported by industry-recognized certifications in Agile project management and PMP (Project Management Professional).
With a proven track record across government, financial, and enterprise environments, I align cloud security with business goals while enabling innovation, speed, and resilience.
Key Capabilities:
- Secure Cloud Architecture & Governance: I architect multi-tiered, defense-in-depth cloud environments with secure IAM models, network segmentation, encryption policies, and least privilege access. My work ensures compliance with frameworks like NIST, CIS Benchmarks, ISO 27001, and FedRAMP while supporting fast-moving DevOps pipelines.
- Threat Modeling and Cloud Risk Assessment: I perform threat modeling and risk assessments for cloud-native and hybrid applications, focusing on misconfigurations, lateral movement paths, insecure API endpoints, and privilege escalation vectors. My red team background strengthens my ability to predict attacker behavior in cloud environments.
- Cloud Security Automation and Infrastructure as Code (IaC): Using Terraform, CloudFormation, and ARM templates, I enforce security-by-design through automated guardrails, policy-as-code (via tools like Sentinel and OPA), and CI/CD-integrated compliance checks. I also build automated detection and response pipelines using native tools like AWS GuardDuty, Security Hub, Azure Sentinel, and CloudTrail.
- Cross-Team Collaboration in Agile Environments: As a PMP-certified project manager and Agile practitioner, I lead cross-functional security initiatives with sprint-based planning, backlog grooming, and incremental delivery of security features. I foster DevSecOps culture and embed security champions across product teams.
- Cloud Security Tooling & Platform Hardening: I deploy and manage enterprise-grade security solutions such as:
  - Cloud-native WAFs, SIEM/SOAR integrations, workload protection platforms
  - Zero Trust Network Access (ZTNA) and identity federation
  - Data loss prevention (DLP) in SaaS/IaaS/PaaS environments
  - SAST/DAST/SCA tools within CI/CD pipelines
- Leadership, Compliance, and Stakeholder Engagement: I translate technical cloud security risks into business impacts for C-level executives, auditors, and non-technical stakeholders. I drive secure digital transformation initiatives while aligning with industry regulations such as HIPAA, PCI-DSS, GDPR, and SOC 2.
About Me
I’m a cybersecurity professional with a versatile background spanning technical execution and strategic leadership. With specialized expertise in email security, I’ve advised organizations on protecting their communications infrastructure from phishing, spoofing, and business email compromise. I have hands-on experience deploying and managing secure email gateways, implementing SPF, DKIM, and DMARC protocols, and providing guidance on threat intelligence and security awareness programs.
In addition to email security, I have a strong foundation in penetration testing — identifying vulnerabilities through simulated attacks, assessing risks, and delivering actionable remediation strategies. My approach combines both offensive and defensive security techniques to strengthen overall security posture.
What sets me apart is my ability to bridge technical execution with cross-functional team leadership. As a Certified ScrumMaster (CSM) and Certified Scrum Product Owner (CSPO), I’ve led agile teams, driven security-focused product development, and fostered collaboration between technical and non-technical stakeholders. I bring a product mindset to security work, ensuring that initiatives not only meet compliance standards but also align with business goals and user needs.
Whether I’m hardening email defenses, uncovering vulnerabilities through testing, or leading teams to deliver secure solutions, I bring a proactive, adaptable, and business-driven approach to cybersecurity.

