joaovicdev@sec:~$

$ whoami

João Victor

Security researcher. I break things and write about it — CVEs, vulnerability research, and offensive security notes.

## 01. about

I started breaking things at fourteen, web hacking basics, mostly — and that curiosity pulled me into programming, by fifteen I was working professionally as a web developer, and I never left: I have spent years inside large multinational companies, shipping software in global environments with strict security and compliance requirements.

Today I work as a tech lead, and that builder's background shapes how I do security: application security, reverse engineering, and vulnerability research across different languages and stacks — reading code the way the people who wrote it do, then finding where it fails. This site is where the writeups land.

## 02. skills

[security]

  • > AppSecimplementing SAST and DAST pipelines, code review, threat modeling, and secure design, shaped by years shipping software under global compliance requirements.
  • > Vulnerability researchfinding and reporting bugs across different languages and stacks, the target picks the toolchain, not the other way around.
  • > Reverse engineeringtaking apart binaries and undocumented systems to understand how they actually behave.
  • > Pentestingweb and application-focused offensive testing, from recon to reproducible, reported findings.

[engineering]

  • > TypeScript / JavaScriptmy professional languages since day one, product code, security tooling, and exploits alike.
  • > Reactyears of production apps at scale; now leading teams that build them.
  • > Node.js / NestJSdesigning and shipping production backend services and APIs, TypeScript on both sides of the stack.
  • > Pythonscripting, automation, and tooling,from security research to production services.
  • > Javaenterprise backends in multinational environments, and a frequent target when auditing.
  • > PHPproduction web backends, from legacy monoliths to modern stacks.
  • > Leadershipleading global engineering teams, turning roadmaps into value delivered to stakeholders.
  • > CI/CDbuilding and maintaining pipelines for production software, security tooling, and research automation.
  • > CloudAWS, GCP, and Azure, designing and shipping production services in the cloud.
  • > Kubernetes & Dockercontainerized production services, from local development to global deployments.

[ai]

  • > AI & LLMsapplying models to security workflows — triage, tooling, code analysis, and studying where AI systems themselves break.
  • > Claude Codecurrently running automated vulnerability research campaigns, agentic workflows that map attack surface, generate hypotheses, and validate findings end to end.

## 03. exploits

→ view all exploits

## 04. recent writeups

→ view all posts

## 05. contact