Hi. We’re breakers, builders, and the people in between.
We do this because we love it, and we stick around to help you fix what we find.
The disciplines on the bench.
Software doesn’t find zero-days. People do. These are the disciplines you’re hiring, and the kind of work each one does.
Red Team
Full-scope adversary simulation across cyber, physical, and human, chained to a named objective.
Reached global data access at a $100B+ retailer in 12 days, undetected.
Vulnerability Research
Original research and novel exploitation: the zero-days a scanner has no signature for.
Hardware / Firmware
Embedded, firmware, and device security down to the silicon and the bus.
Firmware implants and supply-chain tampering, demonstrated on real devices.
Cloud & AI / LLM
Identity-graph attack paths in the cloud, and the security of the AI you ship.
Agent tool-abuse and prompt-injection chains against production-style AI stacks.
OT / ICS
Industrial and control systems, tested with uptime and safety as hard constraints.
Plant-floor reachability from corporate IT, proven without stopping a line.
Application Security
Business-logic and authorization flaws: the bugs that require understanding the app.
Broken object-level authorization and workflow abuse past clean scanner runs.
Purple Team
Detection engineering. Every technique either gets caught or earns a new detection.
ATT&CK coverage lifted measurably across live SOC stacks.
The people on this bench came up in operations: government, defense, finance, and frontline security work, in environments where the testing was real and a mistake carried consequences. That’s the experience behind every engagement. Years spent in demanding places, doing this work when it counted.
The people who run OSec never left the work.

Mark Stamford
Mark started playing with computers at age 8 and grew up to gather over 25 years in cybersecurity, operations, and more. Before founding OSec he worked at UBS and KPMG.

Erin Murtha
Erin brings over 20 years in organizational performance, growth, and client success. Her prior work includes Homeland Security, running projects of critical national importance.

Cayce Mahon
Cayce leads the CTI team. With over a decade in offensive security operations, he heads threat intelligence and vulnerability research at OSec.

Christian Kimball
Christian has over 20 years in IT, security, risk management, and building security risk programs. He runs offensive engagements and specializes in physical security and threat intelligence.

Dayse Morales
Dayse is a startup operator with a decade in operations, growth, and customer success across tech, edtech, and cannabis. She co-founded and exited the e-commerce startup Medly NYC.

Jimmy Fisher
Jimmy is a cybersecurity practitioner and U.S. Army veteran with multiple certifications, including the OSCP, specializing in offensive security and penetration testing.

Matt Landers
Matt’s career spans over 20 years discovering and researching security vulnerabilities. He is happiest finding unintended uses for common technology stacks.

Mike Jaworski
Mike is a full-stack developer working across front-end, back-end, and cloud: Angular, .NET, Python, SQL, and AWS. Before OSec he built advisor-facing planning tools at LPL Financial.

Spencer Lindgren
Spencer’s background is healthcare technology, encryption, security, and compliance. He has held roles at the telemedicine provider Vigilint and Patronus Medical, and was an assistant adjunct professor at UNC Chapel Hill.
They’ve defended what we go after.
Neil Bryden
Neil has over 35 years in IT risk and security, including CISO roles at KPMG and other global enterprises. He has advised CISOs across industries, with depth in governance, architecture, and strategy.
Robert Hayes
Robert holds board, director, and advisory roles at public and private organizations, mitigating security risk through complex business transformations. A recognized cybersecurity expert and former Microsoft senior fellow.
Philip Niedermair
Philip has over 35 years helping companies expand through corporate development, strategic alignment, and relationship building. He is a Senior Advisor to the Cyberspace Solarium Commission.
John Quigg
John is a senior staff member at the Johns Hopkins University Applied Physics Laboratory, supporting the DoD’s work in cloud, 5G, and cyber situational awareness. His background runs from the Airborne Rangers to the DoD.
Chris Reid
Chris is Chief of Staff for Elastic’s US Public Sector. He retired after 36 years in the US Army, where he served as a Brigadier General across Cyber and Special Operations assignments at home and overseas.



























