Juan Esteban Muñoz Díaz

Application Security Engineer · Security Automation & AppSec Testing — "Juanes"

↓ download CV (PDF)

Application security engineer focused on securing APIs and data paths through automated security testing and CI/CD integration. I come from large-scale test automation, plus my own research into offensive security and Linux internals — the same attacker's mindset applied to building security guardrails that development teams actually use.

$ cat experience.md

Application Security / Security QA Engineer

2026 – present

B2Gnow (via Insight Global) Phoenix, AZ — remote

Data-path and sensitive-data security for eComply, a U.S. government compliance platform (legacy ASP.NET MVC).

  • Mapped system architecture and data flows across 1,500+ endpoints to build the platform's first inventory of sensitive-data entry points and risk exposure — from a codebase with near-zero documentation.
  • Designed an automated authorization-sweep approach to validate access control (IDOR, privilege escalation, broken authZ) at scale, surfacing the highest-impact risks across all endpoints rather than one at a time.
  • Built automated security test suites for critical data paths and integrated them into CI/CD pipelines, enabling continuous validation of authentication, authorization, and session-management controls.
  • Performed negative security testing to confirm no sensitive data leaks through logs, API responses, or error messages.

Test Automation Engineer

2025 – 2026

Globant Bogotá — hybrid

Qiddiya program — large-scale Web / Mobile / API quality automation.

  • Built cross-platform automation frameworks (Playwright, Appium, Cucumber) for Web, Mobile, and API, reaching 90% automated coverage on critical business flows.
  • Integrated automation suites into GitLab CI/CD pipelines, shortening feedback loops and improving release reliability.
  • Applied a shift-left approach, analyzing system architecture early to surface failure points before release; contributed to an internal AI-powered testing agent.

$ cat lab.md

My personal lab is where I practice the offensive depth I later apply to AppSec — it's not a demo, it's real infrastructure I keep running in production for myself. It runs on a two-node Proxmox cluster with real quorum via a Raspberry Pi as a QDevice (see the post).

  • Offensive research: Linux kernel-module development in C (syscall-table manipulation, CR0 write-protection bypass, syscall hooking, covert C2 over Netfilter). M.S. thesis on rootkit detection via kernel-level entropy analysis.
  • Hands-on practice: continuous offensive-security practice on Hack The Box (web exploitation, network attacks, privilege escalation) with an ongoing weekly streak.
  • Network & infrastructure: five-VLAN segmented architecture on RouterOS with independent IPv6 via LACNIC; Tor relays and obfs4 bridges; OpenVPN/WireGuard.
  • Defensive operations: honeypots (Cowrie, Dionaea, Conpot), a MISP threat-intelligence pipeline, and Wazuh SIEM monitoring in an isolated sandbox.

$ cat asn.md

In parallel, I'm getting my own ASN via LACNIC to operate as an independent autonomous system. The goal: stop depending on other people's infrastructure to serve what I build, and write about the process end to end — BGP included.

$ cat education.md

  • M.S. in Information Security in progress · 2026–2027

    Universidad de los Andes, Bogotá

    Offensive and defensive security: cloud security, network defense, cryptography, secure programming, digital forensics. Thesis: Linux rootkit detection via information theory.

  • B.S. in Systems Engineering 2022–2025

    Pontificia Universidad Javeriana, Bogotá

    Strong foundation in networks, operating systems, and security. Teaching assistant (OS, data structures, advanced programming); Vice-Chair of IEEE Javeriana (Best Student Branch in Colombia).

Certifications: eJPT (eLearnSecurity Junior Penetration Tester, 2025) · ISC2 CC (Certified in Cybersecurity) · INE CCA (Certified Cloud Associate) · Google Cloud Digital Leader.

$ ls expertise/

  • #appsec
  • #devsecops
  • #pentesting
  • #kernel
  • #networking
  • #ipv6
  • #tor
  • #homelab

$ cat recognition.md

  • 1st place in Colombia — IEEEXtreme 18 Programming Competition (2024).
  • 2nd place — CyberWings cybersecurity competition, Colombian Air Force.
  • Judge — VEX Robotics World Championship, Dallas, USA.
  • Founded chapters and led technical teams of 30+ members across IEEE Javeriana and IEEE Uniandes.

$ cat talks.md

No public talks yet. The goal is to make it to DEF CON — this space will get updated when it happens.

$ cat contact.md