About

I'm Phil Guimond. I spent the last decade finding ways into systems that weren't supposed to let me in. Web applications, executable software, cloud environments, networks, devices - whatever companies paid me to break.

The methodology was always the same: enumerate what's actually there, test what the documentation claims, document what breaks. GraphQL endpoints that dump customer data, access controls that fail when you change a URL parameter, applications that let you download every private document by incrementing an ID, buffers that overflow and allow you to execute code remotely, and many other issues.

I also reverse-engineered malware and attack kill chains to understand how breaches actually happen versus how they're supposed to be prevented. Fileless malware that lives in memory, supply chain compromises that slip past detection, incident response processes that miss the actual attack vectors.

Most security problems aren't that sophisticated. They're basic assumptions that nobody bothered to verify.

Adversarial Review applies the same approach to non-technical claims. Instead of testing whether an API properly validates input (although I might do this from time to time with permission!), I test whether a policy paper's central argument holds up when you examine the underlying data. Same process: assume the system doesn't work as described, find the actual implementation, see what happens when you probe it.

As an Offensive Security-minded professional with OSCP, I treat everything as a Penetration Test, using Digital Forensics, Open Source Intelligence (OSINT), and Data Science to examine contested claims about cybersecurity incidents, institutional conduct, and technical misrepresentations. The goal is to document what's actually there versus what people say is there. I'm also not afraid to use Artificial Intelligence as a force multiplier, but I do not rely on it.

This website is a collection of random investigations that I've put together. Some of them may be technical, some may be scientific or related to fraudulent practices, while others may be related to identity claims.