If you’ve realised or you already know CTUS.IO is a one-person outfit, you might want to understand a little bit of my work history that might help you make your decisions to work with me.

Below is a reflection of what you might consider a CV. Where there are clients that I wouldn’t want to name on here, I’m happy to share whom I’ve worked with over the phone or a coffee.

In short, I’ve worked in luxury retail, government, aviation, medical, fin-tech, FX, finance, charity, church and ‘white labelled’ at many partner security companies.

They all want the same thing: visibility of the problems known and new, validation, recommendations, support and confidence. I’ve broken down the common criteria for all the work I’ve done over the past 8 years in the main menu to try and highlight areas that are familiar to organisations, but if I’ve missed something, I’m sure I can bring value.


Yeah, yeah, give me the CV

Independent Security Contractor.

CTU Security Limited, London

July 2015 – Present

Working as a security provider across a range of companies as diverse as the technology in use, the best way to generalise the tasks I am employed for is essentially problem-solving and problem prevention.

Since 2015 I have delivered all kinds of work for my modest client base so far, roughly the usual consultant type work but more recently moving further away from technical testing and into head of / C-level roles for SMBs that don’t quite have that security vision carved out yet, such as…

  • Appsec
    • Web Apps
    • API
    • Threat Modelling
  • Enterprise security
    • Assessments
    • Defence rollouts
    • Vulnerability management implementations
    • Security sense reviewer
    • Resource
  • vCISO / Interim head of Infosec

Principal Security Consultant

Investec Bank (UK), London

August 2013 – July 2015

An average month at Investec would consist of threat modelling and penetration testing of services, systems and processes.

Issues were broken down to the point of conception, with language prepared for the different layers of the business based on how far the issue reached. While not actively penetration testing, or sometimes in parallel, I would be optimising vulnerability scanning, build quality ingress-egress concerns and how we action them short term and long term.

Third-party security became a large part of my role. With small microsites, from marketing purposes to integrations, ensuring good security and creating baseline acceptance and tolerance criteria was a recurring exercise.


Senior Penetration Tester

CHECK Team Leader / CHECK Team Member Via Tiger Scheme

Various Security Companies, UK Wide

January 2010 – August 2013

Over this period I had conducted penetration testing, vulnerability scanning and security research for Pentura, Digital Assurance, Information Risk Management (IRM) and Sapphire in a permanent team member and contractor capacity.

Responsibilities common to a CHECK Team security consultant are to deliver effective penetration and security testing, along with confidence in remediation.


VRP/BugBounty & Notables:

  • eBay
  • PortSwigger
  • Tenable
  • Netsparker
  • Facebook
  • Apple
  • Recorded Future
  • Adobe
  • Atlassian
  • Splunk
  • Cloudflare
  • VMware
  • Detectify


  • Ecava (SCADA)
  • Bromium
  • Symantec
  • Yandex
  • Zscaler
  • Barracuda
  • Bugcrowd
  • Meraki

Training and Posts:


In 2019 I was invited to participate on the Black Hat EU Review Board, a very welcome privilege to participate in.