Application & IA Security Specialist · CEH · CHFI · CCZT
16+ years across offensive security, GRC, SecOps, AppSec, and AI-driven defenses.
// work experience
Before launching my own consultancy, I built my security foundations inside two of Venezuela's
most important state-owned banks: Banco de Venezuela (2006–2009) and
Banco del Tesoro (2009–2012). Both roles carried the title
Especialista de Seguridad de la Información — but the responsibilities
were far from basic.
Working in a regulated financial environment meant high stakes from day one.
I implemented network security controls, managed server hardening,
conducted vulnerability assessments, and participated in compliance audits under
Venezuelan financial regulation. This is where I first learned that
security is never purely technical — it demands alignment with
institutional processes, regulators, and risk appetite.
These six years in Venezuelan banking are the bedrock of everything that followed:
disciplined thinking under regulatory pressure, hands-on infrastructure security,
and an early appreciation for what it means to protect critical systems at scale.
My career began in Caracas with a double life: I founded
EntreClicK.com (2010–2016), a security consultancy focused on online reputation
and penetration testing, while simultaneously climbing to Manager of Server &
Network Security at Banco Bicentenario del Pueblo (2014–2017).
The bank was where I first designed an ISMS from scratch — policies,
standards, risk management, incident response, and a full security awareness program.
The consultancy was where I stayed sharp offensively. Both together built the
rare combination of governance depth and technical teeth that I still carry today.
My first Argentine role: senior consulting at BTR Consulting,
one of the most respected security firms in the region. This was the
technical sharpening period — pure offensive and defensive consulting
for multiple clients simultaneously.
I worked on cloud security assessments on AWS and Azure before cloud security was a job title.
I did web & mobile pentests, phishing campaigns, forensic analysis, and server hardening audits.
I also started using security automation (CloudFormation, Ansible, Jenkins)
to scale assessments — my first taste of the DevSecOps world I'd soon embrace fully.
Two back-to-back SecOps roles that shaped my Blue Team depth.
At Despegar.com (Latin America's largest travel platform), I fine-tuned
a Big Data SIEM handling alerts from AV, NIDS, HIDS, and EDR systems —
reducing noise and improving signal. I built IR playbooks and participated in
Red Team vs Blue Team exercises.
At gA I pivoted to cloud IR automation: designing and implementing
automated response solutions across AWS and Azure, plus pentesting the
Navigate platform. This year-and-change proved I could operate
at scale, under pressure, with measurable outcomes.
Naranja X — one of Argentina's largest fintech companies — gave me
the most complete security role of my career: leading both Red and Blue Team
simultaneously. This wasn't a checkbox exercise. It meant running
real offensive operations (mobile, API, web pentests, cloud audits)
while building the defensive controls to stop exactly what I was attacking.
This is the role where I went full DevSecOps — integrating SAST, DAST, and IAST
into CI/CD pipelines, automating asset discovery and vulnerability scanning,
and training developers to be the first line of security defense.
I also ran Red vs Blue evaluations to continuously measure and improve
the security posture of the entire platform.
Two consecutive leadership roles that took me from fintech startup
to global open-source. At Pomelo (2021–2022) — an Argentine
fintech building card issuing infrastructure — I led the cybersecurity team:
code review, team building, and securing a fast-growing product in a regulated space.
Then Wazuh, Inc. (2022–2023) — the world's leading open-source
security platform with millions of deployments. As Cybersecurity Engineer Leader
I led security engineering reviews, drove code quality, and worked at the intersection
of security research and product development. This was where I fully embraced
engineering-first security as my operating model.
ueno bank — a digital bank where I had my first
dedicated AppSec Lead title, 100% remote. This role crystallized everything:
all the offensive knowledge, the GRC experience, the SecOps instincts, and
the engineering leadership skills converged into a pure application security program.
I led the secure SDLC, managed the team, and drove the application security
strategy for a digital banking product. This was also the period where I started
building AI-assisted security tooling — automating the parts of AppSec
that don't scale with human effort alone. That experimentation would evolve into
SpecIA and eventually my current focus on IA Security.
Veritran powers digital banking for the largest financial institutions
in Latin America — security here isn't optional, it's product-critical.
As Application & IA Security Specialist, I sit at the intersection
of two disciplines that are becoming inseparable: traditional AppSec
and AI security.
On the AppSec side: security assessments, secure SDLC oversight, and the
Security Champions program that builds security-aware engineers
across product teams. On the IA side: defining how AI systems are developed,
deployed, and evaluated from a security standpoint — a frontier most organizations
are still figuring out.
In parallel, SpecIA — my open-source AI framework for
security-aware spec-driven development — is in active use. It's the
automation of everything I've learned about AppSec across 16 years.
Most security professionals come from one direction. I've been both attacker and defender, consultant and employee, individual contributor and team leader. I've governed risk at a bank, broken apps as a red teamer, built SIEM playbooks at scale, embedded security in CI/CD pipelines, and now lead IA Security at a global fintech. The full arc makes the leader.