I grew up in Luxembourg and spent the last 25+ years building, breaking and safeguarding technology. My career spans leadership, security engineering, software development, people management, governance, risk & compliance, product management and deep-dive information security work.
Along the way, I’ve held senior roles at Amazon, J.P. Morgan, HSBC, Julius Baer, Verizon Enterprise and Proximus — and supported many Fortune 100 organisations as a trusted advisor.
I’m currently Executive Director and Head of Technology Risk Control at Julius Baer.
My previous roles span the full breadth of security leadership: Head of Technology Risk and Compliance (CISO) at J.P. Morgan Mobility Payment Solutions, CISO at Amazon Payments, EMEA Head of Security Risk & Compliance at Amazon, Head of Country Risk for HSBC Luxembourg, and EMEA Threat & Vulnerability Management Practice Lead at Verizon Enterprise. Before that, I worked as a Senior Offensive Security Engineer at n.runs, a Security Engineer at Telindus/Proximus, and later founded my own security software startup.
I’m a proud founding father and subject matter expert for the ISC2 CSSLP certification, a (former) board member at OWASP Benelux, and an Advisory Board Member for the C|ASE programme at EC-Council (Certified Application Security Engineer). I have also started mentoring at the Luxembourg School of Business and Women4Cyber.
I’ve always believed that openly sharing knowledge is one of the best ways to raise our global security baseline, make the field more accessible, and inspire people just starting out. I’ve volunteered with multiple organisations and published research throughout my career — sometimes privately, sometimes professionally, always with the goal of contributing back.
It is therefore only natural that over the years, I’ve published a range of security research and presented my work at conferences around the world.
This blog has been my home for over 20 years, and many of my publications have been cited in academic journals, papers, PhD theses and academic conference presentations.
Academic References & Citations
I maintain a curated archive of academic works — peer-reviewed journal articles, conference proceedings, PhD dissertations, Master's theses, and technical reports from 2004 to 2024 — that reference my Publications, Presentations and Proof of Concept. It spans data privacy and regulation, threat modeling, Bluetooth and Wireless security, Cryptography, and online payment vulnerabilities. The full list is available at: Academic References & Citations.
Books
Software and Proof of Concepts
You can find the full list of tools, whitepapers, and proof-of-concepts I’ve published over the years right here.
Vulnerabilities
Get in touch
If you want to connect, I’m active on X and LinkedIn — and there’s also an online form if you prefer reaching out directly.
How I started in the field of Information Security
As a teenager I was captivated by technology. My self-taught journey began with dabbling in BASIC development on the Atari 1024ST — yes, the one with cassette decks! The thrill of watching a machine come alive with my commands and logic was nothing short of magical.
I'm grateful to my parents for nurturing my tech inclinations. I later transitioned to the iconic IBM x68 architecture. This shift allowed me to delve into the world of 3D modeling and animations with 3D Studio, which later evolved into 3DS Max. I also happened to explore the realm of music production using "Fast Tracker II", a music tracker with roots in the Demo Scene (Example).
The advent of the Internet was a game-changer for me. It opened doors to a universe of free knowledge, introducing me to the intricacies of networks, protocols, and the intriguing world of cyberattacks.
My deep dive into the Infosec realm began when I stumbled upon an article about a Remote Access Tool named BO (cDC) in the German magazine "ct". At 15, my curiosity was piqued. I was eager to understand its mechanics and the technology that facilitated remote access. This led me to explore the intricacies of IP, TCP, UDP, and the inner workings of operating systems. I dedicated years to building a solid foundational understanding.
By the late 90s, I had analyzed and reverse-engineered a vast number of malicious codes. Back then, the tools for analysis were rudimentary compared to today's standards. To the best of my recollection, there weren't any publicly accessible ones. I took it upon myself to curate what might have been the world's most extensive repository of malware analysis, possibly pioneering the first centrally maintained list of indicators of compromise.
My work gained recognition, with mentions by the SANS Institute, citations in various books, and integration into both commercial and non-commercial IDS rules, as well as AV vendors. Reflecting on it now, I'm struck by the realization that some IDS systems still carry my original signatures.
Much of my personal time was dedicated to learning, reading, and hands-on practice. As I delved into multiple programming languages, explored both binary and dynamic reverse engineering, and immersed myself in an information security environment, significant breakthroughs began to emerge.
During this period, my passion for Information Security truly crystallized. After parting ways with n.runs in mid-2009, I established G-SEC. My vision was to create a local non-profit organization aimed at fostering interest and awareness, especially for those still contemplating their career paths.
My research led me to uncover hundreds of vulnerabilities, including critical defects in key tech components. I pioneered the first Bluetooth cryptographic attack and made the code open-source. I take particular pride in identifying high-profile vulnerabilities in software from giants like Microsoft, Oracle, Google, and Apple. This body of work culminated in IBM X-Force recognizing me as one of the Global Top Vulnerability Discoverers of 2009.


