EXPERIENCE
Andrew is energetic and driven, with strong technical knowledge and experience in defensive and offensive security, vulnerability management, and the development of transformational strategies, which help clients enhance their security postures to detect and stop adversaries.
EDUCATION & CERTIFICATIONS
- BA, Justice, American University, Washington, D.C.
- Offensive Security Certified Professional (OSCP)
- GIAC Network Forensic Analyst (GNFA)
- GIAC Reverse Engineering Malware (GREM)
- GIAC Penetration Tester (GPEN)
- GIAC Certified Incident Handler (GCIH)
- GIAC Certified Intrusion Analyst (GCIA)
- GIAC Security Essentials (GSEC)
PASSION FOR SECURITY
Andrew’s security passion started at a young age and stemmed from his love of classic action, crime, and spy movies. He also always showed a particular interest in the history of global security agencies and current events. His family still jokes about how he would spend countless hours glued to the weekly issues of Time and Newsweek magazines, reading every detail from cover to cover. These interests led Andrew to pursue a post-collegiate career in various investigative roles supporting both federal and local law enforcement agencies. Andrew’s love for the InfoSec industry is demonstrated by his eagerness to constantly grow and educate himself. Whether it’s reading a book, following a blog, keeping up to date on Twitter, taking a training course, or connecting with colleagues in the community, he makes sure to stay on top of the latest tools, threats, and research.
Featured Blogs And Resources
Discover the blogs, analysis, webinars, and podcasts by this team member.
What is Hackvertor (and why should I care)?
1.1 What’s Hackvertor and why should I care?Years ago, Gareth Heyes created a Burp Suite (Burp) extension called Hackvertor. It’s an extension with a lot…
Clickjacking: Not Just for the Clicks
tl;dr versionYou can trick users into "typing" inputs in a clickjacking attack.YouTube demo: https://www.youtube.com/watch?v=VIEZ1aByFvUPoC GitHub Repo:…
Book Review - The Definitive Guide to PCI DSS Version 4
As a PCI QSA, I have answered numerous questions about the new PC DSS Version 4. With over 500 total controls, and at least 100 of them unique to this version,…
The Triforce of Initial Access
LootWhile Red Teamers love to discuss and almost poetically describe their C2 feature sets, EDR evasion capabilities, and fast weaponizing of N-day exploits,…
JS-Tap: Weaponizing JavaScript for Red Teams
How do you use malicious JavaScript to attack an application you know nothing about?Application penetration testers often create custom weaponized JavaScript…
A Hitch-hacker's Guide to DACL-Based Detections (Part 3)
This blog series was co-authored by Security Consultant Megan Nilsen and TAC Practice Lead Andrew Schwartz.1 IntroductionIn this third and final…
A Hitch-hacker's Guide to DACL-Based Detections (Part 2)
This blog series was co-authored by Security Consultant Megan Nilsen and TAC Practice Lead Andrew Schwartz.1 IntroductionThis is a continuation of A…
A Hitch-hacker's Guide to DACL-Based Detections (Part 1B)
This blog series was co-authored by Security Consultant Megan Nilsen and TAC Practice Lead Andrew Schwartz.1 IntroductionIn this continuation to our first…
A Hitch-hacker's Guide to DACL-Based Detections (Part 1A)
This blog series was co-authored by Security Consultant Megan Nilsen and TAC Practice Lead Andrew Schwartz.1 IntroductionIf you were to collectively ask any…
Basic Authentication Versus CSRF
I was recently involved in an engagement where access was controlled by Basic Authentication. One (1) of the findings I discovered was a Cross-Site Request…
Empower your business through better security design.
Talk directly with our experienced advisory consultants to learn how we can help.
