
Drew Kirkpatrick

Principal Security Consultant

Drew Kirkpatrick has 25 years of experience designing and building complex systems, including application security, network policy management, machine learning, and transit and aerospace systems. These days, he works to improve Information Security by applying penetration testing and computer science to assess the security posture of TrustedSec clients. Before joining TrustedSec, he was a security researcher at NopSec and Secure Decisions as well as a senior computer scientist for the U.S. Navy.


  • Bachelor of Arts, Psychology/Economics, St. Mary’s College of Maryland
  • Master of Science, Computer Science, Florida Institute of Technology
  • Master of Science, Computer Information Systems, Florida Institute of Technology
  • Offensive Security Certified Professional (OSCP)
  • GIAC Web Application Penetration Tester (GWAPT)
  • GIAC Mobile Device Security Analyst (GMOB)



Drew has developed and contributed to several open source projects, including OWASP Attack Surface Detector, JS-Tap, and various machine learning and penetration testing tool projects.

Drew’s love for building complex systems led to the discovery that he found tremendous joy in breaking complex systems—in a good way.

Featured Blogs And Resources

Discover the blogs, analysis, webinars, and podcasts by this team member.

Blog February 08 2024

Content Security Policy: Mitigating Web Vulnerabilities by Controlling the Rules of the Game

Defining a Content Security Policy (CSP) for your web application can help harden the application against many common attacks. Mitigating XSS attacks is a…

Blog January 23 2024

ProxyHelper2: The Sequel

TL;DR Version: Hak5 Pineapples changed their module system in Mark VII's, breaking module compatibility. ProxyHelper2 is a reimplementation of TrustedSec's…

Blog November 16 2023

Clickjacking: Not Just for the Clicks

tl;dr version: You can trick users into "typing" inputs in a clickjacking attack. YouTube demo: GitHub Repo:…

Blog November 02 2023

JS-Tap: Weaponizing JavaScript for Red Teams

How do you use malicious JavaScript to attack an application you know nothing about? Application penetration testers often create custom weaponized JavaScript…

Webinars November 01 2023

JS-Tap: Weaponizing JavaScript for Red Teamers

During this webinar, Senior Security Consultant Drew Kirkpatrick will introduce a new open source tool, JS-Tap, that is designed to allow Red Teamers to…

Webinars December 18 2019

Popping Shells Instead of Alert Boxes: Weaponizing XSS for Fun and Profit

In this webinar, we will walk through the development of XSS payloads against a WordPress administrator and test that payload against a live WordPress server.

Webinars September 14 2022

Understanding What Burp Suite Brings to Your Application Assessment

Join Senior Security Consultant Drew Kirkpatrick as he demonstrates the core functionality of Burp Suite and learn how to get the most out of your engagements…

Training Resources November 07 2024

Actionable Purple Team Simulation Online Training (November 7-8)

Learn how to create specific detections to identify early Indicators of Compromise (IOCs) in our online course. Designed for those looking to improve their…

Training Resources August 03 2024

Black Hat USA Training - Applied Threat Hunting and Detection Engineering

Registration is now open for our Black Hat training on August 3-6, 2024

Events TrustedSec HQ | June 25 2024

ISC2 Cleveland Chapter Member Meeting June 2024

ISC2 Cleveland Chapter June Meetup. Come join us for our April Meetup! Our Cleveland Chapter is hosting an exciting in-person event for all cybersecurity…

