Drew Kirkpatrick

Senior Security Consultant


Drew has 20 years of experience designing and building complex systems, including application security, network policy management, machine learning, and transit and aerospace systems. These days he works to improve Information Security by applying penetration testing and computer science to assess the security posture of TrustedSec clients. Before joining TrustedSec, he was a Security Researcher at NopSec and Secure Decisions as well as a Senior Computer Scientist for the U.S. Navy.

Education & Certifications

  • M.S. Computer Science – Florida Institute of Technology
  • M.S. Computer Information Systems – Florida Institute of Technology
  • B.A. Psychology/Economics – St. Mary’s College of Maryland
  • Offensive Security Certified Professional (OSCP)
  • GIAC Web Application Penetration Tester (GWAPT)
  • GIAC Mobile Device Security Analyst (GMOB)

Professional Affiliations


Industry Contributions

Drew has developed and contributed to several open source projects, including OWASP Attack Surface Detector and various machine learning and penetration testing tool projects.

Passion for Security

Drew’s love for building complex systems led to the discovery that he found tremendous joy in breaking complex systems—in a good way.

Recent Blog Posts

Looting iOS App’s Cache.db

Insecure By Default Mobile application assessments diverge somewhat from normal web application assessments as there is an installed client application on a local device to go along with the backend server. Mobile applications can often work offline, and thus have a local store of data. This is commonly in the form of SQLite databases stored...

Scraping Login Credentials With XSS

Unauthenticated JavaScript Fun In prior blog posts I’ve shown the types of weaponized XSS attacks one can perform against authenticated users, using their session to access and exfiltrate data, or perform actions in the application as that user. But what if you only have unauthenticated XSS? Perhaps your client hasn’t provided you with credentials to...

Persisting XSS With IFrame Traps

XSS Iframe Traps Longer Running XSS Payloads An issue with cross-site scripting (XSS) attacks is that our injected JavaScript might not run for an extended period of time. It may be a reflected XSS vulnerability where we’ve tricked our user into clicking a link, but when they land on the page where we were able...
View all posts from Drew

Recent Webinars

Understanding What Burp Suite Brings to Your Application Assessment

You’ve heard it mentioned before. Now understand why it’s used in assessments. Whether you’re on a security team or a developer team, you’ve likely heard Burp Suite mentioned during an application assessment. Understanding the basics of the tool and how...

Popping Shells Instead of Alert Boxes: Weaponizing XSS for Fun and Profit

This webinar was recorded on Wednesday, December 18, 2019. XSS? What’s the big deal? Cross-Site Scripting (XSS) vulnerabilities are a longstanding issue that allow malicious actors to inject JavaScript into a web application. Penetration testers typically use a simple JavaScript...
View all webinars from Drew

Recent Podcasts

TrustedSec Security Podcasts

Report All The Things

March 27, 2023

See the World They Said

March 27, 2023

Want to work with Drew Kirkpatrick or someone like him?

The TrustedSec team is comprised of experienced and qualified security professionals. Contact us to learn more about our services, our team, and how we can help you.
Contact Us