Work
The tools, platforms and security research I've built over 15+ years.
A curated, real-time database of Known Exploited Vulnerabilities (KEVs). KEVIntel tracks vulnerabilities under active exploitation in the wild, enriched with honeypot telemetry and threat intelligence - often identifying and enriching KEVs faster than many government and commercial feeds.
The WordPress vulnerability scanner and database. Built from a side project in 2011 into a profitable business cataloguing tens of thousands of WordPress core, plugin and theme vulnerabilities. Acquired by Automattic in 2021.
The Damn Vulnerable Web Application - one of the world's most widely used security training platforms, used by students and professionals to learn and teach web application security in a safe, legal environment.
A selection of notable security disclosures credited to me. WPScan's database catalogues many thousands more across the WordPress ecosystem.
Affected a plugin with 1M+ installs; discovered and disclosed by Ryan Dewhurst.
Reported and disclosed by Ryan Dewhurst.
Co-credited with Tom Mackenzie (original finder); Ryan Dewhurst credited for PoC creation and analysis.
The main focus right now is KEVIntel - tracking the vulnerabilities that are actually being exploited in the wild.