
01Des Moines, Iowa
When the target isn't a website
Attack surfaces that don't live in a browser. Stepping outside familiar ground is the fastest way to find what nobody has looked at.

Security researcher · Software engineer
I'm Javier Corral. I hunt vulnerabilities by hand in some of the best-defended platforms on the internet, and I write the software I'd rather not have to break later.
OWASP WSTG · ASVS
Live hacking events
Edge-first engineering
Vulnerabilities reported and accepted at
Plus other Fortune 500 companies and global leaders in their sector, through their bug bounty programs.
See the record on HackerOneThe attacker and the engineer aren't two different people. They're the same one, who has seen what happens when software is built badly.

Live hacking event · Singapore
Bug bounty and manual pentesting. No scanners: business logic, chained flaws, and a reproducible proof of concept for every finding. If it can't be exploited, it doesn't get reported.
Real products, not prototypes: multi-tenant SaaS, critical payment integrations, and applications built for your team to maintain — not me. Security goes into the design, not into the final report.
Measure before touching anything. Performance, database and cloud-cost optimisation, deployed at the edge — where your users are, not where the server happens to be.
On the ground

01Des Moines, Iowa
Attack surfaces that don't live in a browser. Stepping outside familiar ground is the fastest way to find what nobody has looked at.

02Team Spain
Competing with the Spanish team. Offensive security is far more of a team sport than it looks from the outside.
Work
I work with companies through Crackonce. You always talk to the person who finds the bugs and writes the code — no sales rep in front, no junior behind.
Web and API pentesting, security audits and continuous security. OWASP methodology and real bug bounty techniques.
Web development, custom SaaS and integrations. Senior engineering with security built in from the first design.
Performance, database and cloud-cost optimisation. Measured before touching anything, and proven with numbers.
Crackonce
My consultancy: offensive security and software engineering for companies that need both and don't want two vendors blaming each other.
A pentest, an audit, a digital product — or just to talk about bugs. Write to me and I'm the one who answers.