Hi there!
I’m Alessio — a Senior Application Security Engineer with a decade of experience breaking, securing, and rethinking complex systems.
I currently work as a Senior Application Security Engineer on the EC2 Security team at Amazon Web Services, where I lead security reviews and build automation tooling to drive the secure expansion of AWS Edge infrastructure — including Outposts and Local Zones — across the globe.
Before AWS, I was a Senior Product Security Engineer at Trade Republic in Berlin, where I designed and implemented a company-wide Secure Software Development Lifecycle (SSDLC) from the ground up. Before that, I helped secure the mobile, web, and API ecosystems at N26 — where I also launched the Security Champions Program, training engineers on Threat Modeling, Secure Development, and the OWASP Top 10.
My career started in the trenches as a penetration tester at Horizon Security in Milan, where I assessed web, mobile, hardware, and IoT systems for leading Italian companies across banking, insurance, automotive, and energy sectors. That hands-on offensive background is still at the core of how I think about security today.
Outside of my day job, I hunt for bugs, do vulnerability research, and build open-source tools to automate security work. I also write on this blog to share what I learn.
You can find my contact details at the bottom of this page, along with a summary of my main achievements below.
Timeline
- February 2026 - Achieved the GIAC Exploit Researcher and Advanced Penetration Tester (GXPN) certification
- December 2022 - Joined Amazon Web Services (AWS) as Senior Application Security Engineer
- October 2021 - Joined Trade Republic (Berlin) as Senior Product Security Engineer
- November 2019 - Joined N26 (Berlin) as Product Security Engineer
- October 2018 - Became an Offensive Security Certified Professional (OSCP)
- July 2017 - Presented filewatcher at the MacAdmins Meeting at the University of Utah
- April 2017 - Joined Horizon Security as Security Consultant / Penetration Tester
My CVEs
- CVE-2022-2903 - PHP Object Injection in the NinjaForms WordPress plugin.
- CVE-2018-20122 - Remote code execution in the Fastweb FASTgate router.
- CVE-2018-17172 - Command injection in the Xerox AltaLink web application.
- CVE-2018-7064 - Reflected cross-site scripting (XSS) in the Aruba Instant web interface.
- CVE-2017-17663 - Buffer overflow in the thttpd and mini_httpd web servers.
Main Projects
- filewatcher - A simple real-time auditing utility for macOS using OpenBSM
- shcheck - A basic tool to check HTTP security headers on web applications
- pihole-dashboard - A minimal and clean dashboard to visualize Pi-Hole stats on an E-Ink display