About me: background & experience

I’m an independent offensive security specialist with 19+ years of hands-on ethical hacking experience, focused on web application security. I combine deep, manual testing with practical AppSec experience from fast-moving product teams and real production environments.

I work directly with clients and keep engagements straightforward: clear scope, attacker-driven testing, and findings prioritized by real-world exploitability and impact. Below you’ll find a short overview of my recent experience, certifications, and selected highlights.

Curriculum vitae

For additional details, see my LinkedIn profile.

Recent professional experience

Jan 2026 - Present

Independent offensive security expert @ AppSecAudit.cz (Freelance)

Jan 2026 - Present

Product Security Architect @ CVEalert.io (Founder)

Jan 2025 - Dec 2025

Founder, Initial Full-Stack Engineer @ CVEalert.io (Earlier role)

Jul 2023 - Dec 2024

Senior Application Security Engineer @ Printify.com (Contract)

Aug 2022 - Jul 2023

Application Security Engineer @ Printify.com (Earlier role)

May 2023 - Present

Czech Chapter Leader @ OWASP.org (Volunteer)

Jul 2020 - Present

Senior Penetration Tester @ TunaSec.com (Non-profit organization)

Aug 2022 - May 2023

Offensive Security Researcher @ Synack.com (Bug Bounty)

Jun 2019 - Jun 2022

Application Security Engineer @ Kiwi.com (Full-time)

Jun 2020 - Nov 2020

Lector of Ethical Hacking course @ Engeto.cz (Seasonal)

Oct 2018 - May 2019

IT Security Assessment Specialist @ Homecredit.net (PPF Group)

Burp Suite Certified Practitioner

This certification, created by PortSwigger's Web Security Academy, demonstrates that I have the ability to:

  • Detect and prove the full business impact of a wide range
    of common web vulnerabilities.

  • Adapt attack methods to bypass broken defences,
    using knowledge of fundamental web technologies.

  • Quickly identify weak points within an attack surface,
    and perform out-of-band attacks to attack them.

This certification focuses on advanced, real-world web exploitation and is widely regarded as one of the most practical web security certifications.

Reported vulnerabilities (CVEs)

Courses & certifications

  • Advanced Web Attacks and Exploitation (AWAE)
  • Code Review Badge, PentesterLab
  • English C1/C2

Skills (in no particular order)

  • Web Application Penetration Testing & Bug Bounty
  • Application Security Testing (SAST, DAST, SCA)
  • Advanced Web Application Security Audits
  • CI/CD Security Assessments & Supply Chain Risk
  • Secure Code Review (Web, APIs, Backend & Android)
  • Threat Modeling & Real-World Attack Surface Analysis
  • Web Application Firewall & Rate Limiting (Cloudflare)