$ whoami▊
João Victor
Security researcher. I break things and write about it — CVEs, vulnerability research, and offensive security notes.
## 01. about
I started breaking things at fourteen, web hacking basics, mostly — and that curiosity pulled me into programming, by fifteen I was working professionally as a web developer, and I never left: I have spent years inside large multinational companies, shipping software in global environments with strict security and compliance requirements.
Today I work as a tech lead, and that builder's background shapes how I do security: application security, reverse engineering, and vulnerability research across different languages and stacks — reading code the way the people who wrote it do, then finding where it fails. This site is where the writeups land.
## 02. skills
[security]
- > AppSec — implementing SAST and DAST pipelines, code review, threat modeling, and secure design, shaped by years shipping software under global compliance requirements.
- > Vulnerability research — finding and reporting bugs across different languages and stacks, the target picks the toolchain, not the other way around.
- > Reverse engineering — taking apart binaries and undocumented systems to understand how they actually behave.
- > Pentesting — web and application-focused offensive testing, from recon to reproducible, reported findings.
[engineering]
- > TypeScript / JavaScript — my professional languages since day one, product code, security tooling, and exploits alike.
- > React — years of production apps at scale; now leading teams that build them.
- > Node.js / NestJS — designing and shipping production backend services and APIs, TypeScript on both sides of the stack.
- > Python — scripting, automation, and tooling,from security research to production services.
- > Java — enterprise backends in multinational environments, and a frequent target when auditing.
- > PHP — production web backends, from legacy monoliths to modern stacks.
- > Leadership — leading global engineering teams, turning roadmaps into value delivered to stakeholders.
- > CI/CD — building and maintaining pipelines for production software, security tooling, and research automation.
- > Cloud — AWS, GCP, and Azure, designing and shipping production services in the cloud.
- > Kubernetes & Docker — containerized production services, from local development to global deployments.
[ai]
- > AI & LLMs — applying models to security workflows — triage, tooling, code analysis, and studying where AI systems themselves break.
- > Claude Code — currently running automated vulnerability research campaigns, agentic workflows that map attack surface, generate hypotheses, and validate findings end to end.
## 03. exploits
→ view all exploits## 04. recent writeups
→ view all posts## 05. contact
- github: github.com
- email: send an email