I’m John Patota. I write about cloud security, incident analysis, and the hands-on research I do between day jobs, usually somewhere at the intersection of application architecture, operational reality, and things I want to understand better. Some posts start with a primary source, like a post-incident report or a penalty notice, and work backward to the engineering decisions that made a bad outcome possible. Others start by questioning conventional wisdom, like how good the RockYou wordlist really is, or by improving on common procedures, like WiFi reconnaissance on a Raspberry Pi.
I’ve spent roughly a decade building security programs at startups and the last several years conducting third-party risk assessments at a global financial institution. I hold CISSP, CISM, CISA, CCSP, and a handful of AWS certifications (Solutions Architect Professional, Security Specialty, DevOps Engineer Professional), and I’m currently studying for OSCP. I’m also preparing a talk on password cracking for a future DEFCON.
Everything published here is based on publicly available information and reflects my opinions alone, not those of any employer, client, or collaborator. I don’t run ads, I don’t track visitors with client-side analytics, and I don’t take sponsorships. The goal is to think carefully in public about the kinds of problems I find interesting.
If you want to get in touch about a post, a consulting engagement, a correction, or anything else, you can reach me at john@patota.io.