Rob Ragan
I've spent 18+ years building security products and breaking the systems they're supposed to protect. Started by writing the dynamic analysis engine for WebInspect and the static analysis engine for DevInspect at SPI Dynamics, commercial security products used by thousands of enterprises. SPI Dynamics was acquired by HP in 2007 on the strength of that product line.
After the acquisition I moved to Bishop Fox (originally Stach & Liu) and never left. Went from web app pentester to principal researcher to technology strategist. Along the way I created the Google Hacking Diggity Project and shipped SmogCloud, an open-source tool for discovering internet-facing AWS resources that's used by security engineers worldwide.
Now I build AI-powered cybersecurity products. I designed and shipped Cosmos, Bishop Fox's AI-driven application security testing platform where autonomous agents test entire application portfolios at scale. I work directly with enterprise customers to understand their security workflows and iterate on the product. I also build agentic systems that attack web applications autonomously, teaching AI to think like a pentester and find things humans miss.
I care about AI safety from the offensive side. My research on prompt injection defense, PII leakage from language models, and adversarial robustness comes from actually attacking these systems in production. I've contributed cybersecurity evaluation tasks to METR (Model Evaluation & Threat Research) to help measure what autonomous AI agents can actually do when pointed at real vulnerability classes. Finding a single vulnerability matters less than understanding the class of problem it represents, and building the tooling that finds the next ten automatically.
Contributing author to Hacking Exposed Web Applications, 3rd Edition (McGraw-Hill). Spoken at Black Hat, DEF CON, RSA, BSides, and a bunch of enterprise security summits. Recent projects include Arbiter, an AI judge agent that scored 25 live hackathon demos using a multi-model ensemble (Claude + Gemini + Groq), and Starlog, a Claude-powered publication that turns GitHub stars into deep dives on offensive security tools and AI agents.
When I'm not breaking AI systems I'm building cyber decks, DNS sinkholing via Pi-hole, cooking with donabe, or driving Porsches.
What I Work On
AI-Powered Security Products
- Agentic Application Architecture
- Multi-Model Orchestration (Claude, Gemini, Groq)
- AI/LLM Integration Testing
- Prompt Injection Defense & AI Safety
Offensive Security Engineering
- Web Application Penetration Testing
- Red Team Tooling & Attack Automation
- Attack Chaining & Advanced Exploitation
- Adversarial Robustness Evaluation
Product & Platform Engineering
- Full-Stack Prototyping & Rapid Iteration
- DAST/SAST Engine Development
- Cloud Infrastructure (AWS)
- Security Automation at Scale
Research & Communication
- Published Author (McGraw-Hill)
- 4x Black Hat Speaker
- Customer-Facing Technical Strategy
- Open Source Intelligence & Tooling
Professional Journey
Principal Technology Strategist
Built and shipped Cosmos, an AI-powered application security testing product. Building agentic systems that autonomously test web applications at scale. Working directly with enterprise customers and cross-functional teams across product, sales, and research.
Principal Researcher
Cloud security research (SmogCloud, CloudBots). Search engine hacking toolkit development. Conference speaker at Black Hat, DEF CON, and RSA.
Security Researcher
Web application security research. Built the Google Hacking Diggity Project. Early search engine hacking and OSINT tooling.
Software Engineer
Built the dynamic analysis (DAST) engine for WebInspect and the static analysis engine for DevInspect. Commercial cybersecurity products used by thousands of enterprises. SPI Dynamics acquired by Hewlett-Packard in 2007 on the strength of this product line.
Credentials
Pennsylvania State University
B.S. Information Sciences & Technology
Focus: Systems Development
Hacking Exposed Web Applications
3rd Edition · McGraw-Hill
Contributing Author