Skip to Main Content

Drew Kirkpatrick

Principal Security Consultant

EXPERIENCE
Drew Kirkpatrick has 25 years of experience designing and building complex systems, including application security, network policy management, machine learning, and transit and aerospace systems. These days, he works to improve Information Security by applying penetration testing and computer science to assess the security posture of TrustedSec clients. Before joining TrustedSec, he was a security researcher at NopSec and Secure Decisions as well as a senior computer scientist for the U.S. Navy.

EDUCATION & CERTIFICATIONS

  • Bachelor of Arts, Psychology/Economics, St. Mary’s College of Maryland
  • Master of Science, Computer Science, Florida Institute of Technology
  • Master of Science, Computer Information Systems, Florida Institute of Technology
  • Offensive Security Certified Professional (OSCP)
  • GIAC Web Application Penetration Tester (GWAPT)
  • GIAC Mobile Device Security Analyst (GMOB)

PROFESSIONAL AFFILIATIONS

  • OWASP
  • TOOOL

INDUSTRY CONTRIBUTIONS
Drew has developed and contributed to several open source projects, including OWASP Attack Surface Detector, JS-Tap, and various machine learning and penetration testing tool projects.

PASSION FOR SECURITY
Drew’s love for building complex systems led to the discovery that he found tremendous joy in breaking complex systems—in a good way.

Featured Blogs And Resources

Discover the blogs, analysis, webinars, and podcasts by this team member.

Blog February 08 2024

Content Security Policy: Mitigating Web Vulnerabilities by Controlling the Rules of the Game

Defining a Content Security Policy (CSP) for your web application can help harden the application against many common attacks. Mitigating XSS attacks is a…

Read about this article
Blog January 23 2024

ProxyHelper2: The Sequel

TL;DR VersionHak5 Pineapples changed their module system in Mark VII's, breaking module compatibility.ProxyHelper2 is a reimplementation of TrustedSec's…

Read about this article
Blog November 16 2023

Clickjacking: Not Just for the Clicks

tl;dr versionYou can trick users into "typing" inputs in a clickjacking attack.YouTube demo: https://www.youtube.com/watch?v=VIEZ1aByFvUPoC GitHub Repo:…

Read about this article
Blog November 02 2023

JS-Tap: Weaponizing JavaScript for Red Teams

How do you use malicious JavaScript to attack an application you know nothing about?Application penetration testers often create custom weaponized JavaScript…

Read about this article
Webinars November 01 2023

JS-Tap: Weaponizing JavaScript for Red Teamers

During this webinar, Senior Security Consultant, Drew Kirkpatrick will introduce a new open source tool, JS-Tap, that is designed to allow Red Teamers to…

Read about this article
Webinars December 18 2019

Popping Shells Instead of Alert Boxes: Weaponizing XSS for Fun and Profit

In this webinar, we will walk through the development of XSS payloads against a WordPress administrator and test that payload against a live WordPress server.

Read about this article
Webinars September 14 2022

Understanding What Burp Suite Brings to Your Application Assessment

Join Senior Security Consultant Drew Kirkpatrick as he demonstrates the core functionality of Burp Suite and learn how to get the most out of your engagements…

Read about this article
Webinars December 18 2024

The Lost Underground

Join TrustedSec Principal Security Consultant Mike Felch for an eye-opening journey into the lost underground, where ingenuity, disobedience, and complexity…

Read about this article
Webinars December 04 2024

BEC Basics: Your First Step to Thwarting Email Scams

Join Senior Security Consultant Steven Erwin and Security Consultant Caroline Fenstermacher as they cover the basics of BEC analysis, providing participants…

Read about this article
Blog December 03 2024

Discovering a Deserialization Vulnerability in LINQPad

Like most red teamers, I spend quite a lot of time looking for novel vulnerabilities that could be used for initial access or lateral movement. Recently, my…

Read about this article

Empower your business through better security design.

Talk directly with our experienced advisory consultants to learn how we can help.