About

I break systems like an adversary —
and rebuild them impenetrable.

I'm Bishoy Emad — a cybersecurity specialist with a criminal-investigation background, focused on web application, API, and AI/LLM security, and red-team methodology. I'm the founder of BRIVOX, where I build secure digital products and security-first systems.

My foundation is full-stack engineering, sharpened by six years in offensive security. As a former police investigator, I read systems the way I once read cases — looking for the assumption everyone trusted and no one tested. I don't just find flaws; I build complete exploitation environments and develop bespoke tooling to prove real impact.

"The tools are learnable in a year. The investigator's instinct took a career."

Proven by 80+ responsibly-disclosed critical vulnerabilities and the full compromise of expert-grade enterprise lab environments, I fuse investigative discipline with software architecture — and right now I'm going deep on the next frontier: AI / LLM security and AI red-teaming.

80+
CVEs disclosed
6 yr
Offensive security
4+
Products owned
RTO IV
Expert labs solved

What I Do

Red Team Operations

Authorized, full-scope APT emulation. Complete exploitation environments built to bypass enterprise perimeters and reach objectives like a real adversary.

Web & API Security

Dismantling complex web architectures — deep API authorization hunting, BOLA discovery, and stateful business-logic fuzzing. 80+ disclosed CVEs.

AI / LLM Security

Prompt injection, jailbreaks, agentic tool abuse, model exfiltration, and AI supply-chain risk — securing systems that reason. My primary focus right now.

Secure Engineering

Architecting SaaS platforms, zero-bloat WordPress, headless commerce, and native mobile apps — secure by design from day one.

Current Focus · 2026

The next attack surface is intelligence itself.

I'm going deep on AI / LLM security and AI red-teaming — prompt injection, model exfiltration, agentic tool abuse, and the supply-chain risks of building on frontier models. The same investigator's instinct that broke web apps now applies to systems that reason. This is where the next decade of security gets decided.

Prompt injectionAgentic abuseLLM exfiltrationAI supply-chainWeb & API security
Resume

Experience & trajectory

2021 — Present
Founder & Security Lead
BRIVOX (Brivox Technologies Ltd · UK)
Founded and run a UK-registered digital engineering & cybersecurity firm. Lead security architecture across all products, conduct offensive assessments, and ship secure SaaS, commerce, and AI platforms end-to-end.
2020 — Present
Offensive Security Researcher / Red Teamer
Independent · Crowdsourced platforms
Responsibly disclosed 80+ critical vulnerabilities to global enterprise vendors. Specialized in web & API security, BOLA hunting, and full-scope adversary emulation against enterprise networks.
2017 — 2020
Investigator → Security Engineering
Police Academy Alumni · Class of 2017
Transitioned a criminal-investigation background into security engineering — applying behavioral analysis and human-risk assessment to social engineering and offensive operations.

Capabilities

Offensive

Red Team / APT EmulationWeb App PentestingAPI Security · BOLA Active Directory AttacksSocial EngineeringAI / LLM Red-Teaming

Tooling & Frameworks

Burp SuiteMetasploitNmap PythonGoCustom C2 / Tooling

Engineering

Next.jsReact / NativePostgreSQL PocketBaseWordPress / WooCommercePHP / Node.js

Standards

OWASP Top 10OWASP API Top 10OWASP LLM Top 10 NISTISO 27001

Pro-Labs Solved

Verified · Enterprise simulations
APTLabs
RTO IV · Expert
Cybernetics
RTO III · Advanced
Offshore
RTO II · Intermediate
RastaLabs
RTO II · Intermediate
Writing

Notes from the offensive side

Field notes on web & API security, AI/LLM red-teaming, and building secure systems.

Study Companion · Public Log

How I'm actually learning this

A working journal of what I study, build, and break — updated almost daily. No polish, just the real path.

0
Day streak
0
Entries
0
Focused hrs
4
Active tracks

Roadmap

Daily Entries

How this stays updated

Static, zero-backend by design — no database, no login, no attack surface. To add a day I edit one STUDY_LOG array in the page source and push to git. Exactly as secure as a static file should be.

Communication Protocol

Initiate an operation

Red-team engagement, security advisory, or a secure build — open a channel. Responses within one business day.

© 2026 Bishoy Emad · Built secure, served static · Cairo, EG