Larry Peseckis
AI and Cloud Security Architect. Thirty years of mission-critical defense and aerospace systems. DoD Cleared. Now building at the intersection of offensive security, cloud architecture, and AI risk.
The proof behind the brand. Real pipelines, honest methodology, documented findings — not marketing language.
A Python pipeline that ingests public threat intelligence reports from CISA and The DFIR Report, extracts MITRE ATT&CK technique references, and stores them in a queryable Postgres dataset for trend analysis. Built with Wilson confidence intervals for honest precision reporting and documented methodology.
First finding Cross-source technique citation patterns reveal the vantage point of the reporting organization as much as they reveal adversary behavior.
A four-tier classification for cyber assistance from frontier language models, mapped to the emerging industry consensus on capability thresholds. Built as a decision aid for evaluators, red teams, and policy reviewers. Tier definitions map to the Frontier Model Forum's cross-framework analysis, Microsoft's capability tiers, OpenAI's Preparedness Framework, and the regulatory landscape forming around frontier AI cyber capabilities.
Design principle Serve at the most permissive tier the request's plausible legitimate framing supports; escalate when authorization context is stripped out. Refuse-first defaults produce high false-refusal rates and push legitimate practitioners off the tool. The Tier 2 / Tier 3 boundary is where most disputes live, and the framework names it explicitly rather than assuming it away.
A structured research corpus of documented LLM attack techniques across the OWASP LLM Top 10, vendor red-team disclosures, and arXiv research papers. The corpus supports analytical queries about category frequency, target-system architecture, and where defensive boundaries need to sit in modern AI system architecture.
Design principle Safety-by-default schema design — every new entry defaults to quarantine, status changes route through an audit trail enforced at the database level, and extraction precision is measured via Wilson confidence intervals against operator-validated ground truth.
v1.5 complete: 34 corpus entries across 3 sources, two validation runs with 100% precision on technique extraction (95% CI lower bound 83.9%). v2 in planning. Repository private during research phase.
A Burp Suite Community Edition extension that exposes Burp's HTTP
capabilities as a localhost REST API on 127.0.0.1:1337 with
token auth. Fills the $475/year gap between Community and Professional for
practitioners who need scripted automation without the Pro license. 12
endpoints, ~600 lines of Java, MIT licensed. Validated against 4 PortSwigger
Web Security Academy labs across 4 vulnerability classes — 203 bridge calls,
zero GUI fallbacks, zero failures before the repo went public.
A single-box local insight layer over a home firewall's telemetry. Turns raw alarms and flow data into plain-language answers using local-only AI, no cloud, no inbound exposure, no data leaving the LAN.
“Did my son play Roblox on his PC today?” Answered in seconds, grounded in real data it cannot fabricate.
MethodologyThe problem Raw firewall telemetry tells you what fired, not what it means. homescope sits between the firewall and a usable answer.
Architecture Five components, each one swappable: collector, store, translator, briefer, and ask agent.
Key finding The MSP API's time-window filters don't work. Every query returns newest-first regardless of what you pass in. Worked around it with pagination plus a bookmark file, so new records get captured without gaps or duplicates.
Grounding Every number the model produces comes from a deterministic SQL query first. The model writes prose around facts the system hands it. It cannot invent traffic that isn't in the database.
Honest limitation Shared CDNs defeat domain-level attribution. Disney+ rides Akamai and Fastly, so the flow data can't distinguish it from anything else using the same edge. The agent reports what it sees and what it can't, without filling in the gap with guesses.
LAN-only · Internal git · v1 complete
BackA five-lane model for how a model safety router should explain a reroute to a benign user without handing the trigger to an attacker. Built from a real Fable-to-Opus reroute, it separates the five causes a request can be moved for, and scores transparency on safety, explanation, and reversibility as independent axes.
Core finding Disclosure granularity should track inverse oracle risk: only the restricted-content lane earns strong redaction, and hiding it isn't enough unless content firing is observationally equivalent to it not firing. Otherwise the redaction is defeated by subtraction.
Built because I couldn't find SSCP practice that adapted to my weak areas
instead of just reshuffling the same question pool. Started with SSCP, added
CCSP — then realized the engine doesn't care what the subject is, so it now
covers Linux Essentials and discrete math too. Plain HTML and JavaScript, no
dependencies: open index.html and it runs. More sets as the need
comes up.
Systematic documentation of offensive and defensive security techniques across 300+ rooms spanning web exploitation, Active Directory, cloud environments, DFIR, and AI/LLM security. Every room gets a writeup. The writeups follow a consistent format: attack chain, detection engineering, key concepts, lessons learned. The habit that made the CJCA report possible.
Empirical comparison of human-in-the-loop vs autonomous AI on the same CTF room. The research question: what does the human variable actually change?
Windows DFIR. A .url file in a network share captures
Net-NTLMv2 credentials when the folder is opened. No click required.
Social engineering reconstruction from Chrome cache. Lazarus Group TTPs. The job offer was the pretext. The collaboration request was the collection mechanism.
A Go binary using a local LLM to generate dynamic encryption payloads at runtime. Signature-based detection is blind to it.
Private subnet is a routing concept, not a security boundary. Four IAM permissions combined turn it into a public attack surface.
LKM rootkit detection. lsmod vs /sys/module/
comparison. Flag embedded as hex in a kernel module's printk format string.
Full AD kill chain reconstructed from Windows event logs and prefetch artifacts. Three detection signatures that confirm ticket theft, offline crack, and lateral movement.
Six log entries, 72 seconds, complete attack chain visible. Data Access logging gap is the defensive finding.
Selected posts from a Tuesday/Thursday LinkedIn cadence built around one idea: that security practitioners who understand both how attacks work and how defenses fail are more valuable than those who specialize in only one. The posts that landed hardest were the ones that documented failure as clearly as success.
The most-cited ATT&CK techniques across CISA and The DFIR Report don't reveal what adversaries do. They reveal how threat intel gets written.
Read on LinkedIn →A .url file in a network share captures Net-NTLMv2 credentials when the folder is opened. No click required. The defensive baseline is two controls, neither enabled by default.
Read on LinkedIn →On what cert stacks actually signal, what they don't, and why the conversation keeps missing the point.
Read on LinkedIn →Most security practitioners sit on one side of the wall. Red team or blue team. Compliance or engineering. Cloud or endpoint.
The Integration Thesis is the opposite framing — that offense, defense, cloud, and AI security are one discipline viewed from different angles, and that the most valuable security work happens at the intersections between them. Thirty years of systems administration in classified defense environments taught me how mission-critical infrastructure actually fails. CTF practice, DFIR work, and threat intel research taught me how adversaries actually operate. The portfolio here is what happens when those two bodies of experience start talking to each other.
The certification stack runs from CompTIA A+ through SecurityX, ISC2 CC and SSCP, TryHackMe SAL1 and PT1, HackTheBox CJCA, and ITIL 4 — with CISSP as the next target. Each one was earned alongside full-time defense work, not instead of it. The WGU BS in Cybersecurity and Information Assurance (in progress, on track to complete ahead of schedule) fills the formal degree gap. The cert path isn't the point. The judgment that comes from running the material against real labs and real incidents is.
The fastest way to reach me is LinkedIn.
