Distinguished Security Engineer

Henry Nnoli

Application Security Architect & AI Security Engineer

20+ years securing global-scale systems at Mastercard, Enbridge, and Kimberly Clark. I find what automated scanners miss: logic flaws, broken access control, and AI-integrated attack surfaces. Then I build the tooling to make sure they never get missed again.

$ whoami
# Henry Nnoli | CISSP · CISM · CRISC · CISA · CGEIT
$ cat /etc/expertise
# AppSec · AI Security · Penetration Testing · DevSecOps · Cloud Security
$ ls ./impact/
90% vuln reduction @ Mastercard  |  35,000+ assets secured @ Enbridge
50+ critical vulns identified  |  20+ years securing enterprise systems
[SECURED] Auth bypass → 200k financial records protected ✓
$
20+ years experience · 90% vuln reduction · 250+ security projects executed · 5 elite certs
Henry Nnoli · 0xCyberGuru · henrynnoli.ai · CISSP CISM CRISC CISA CGEIT PMP
About

I secure what others can't find.

At Mastercard, I lead Application Security Engineering for one of the world's highest-throughput payment ecosystems. Not governance, not checkbox compliance. Real manual code review, API penetration testing, threat modeling across distributed systems, and building automation that catches what scanners miss entirely.

My edge is rare: I operate equally at the architecture table and in the code. I can threat-model a distributed microservices architecture in the morning, perform manual API penetration testing in the afternoon, and brief the CISO on risk posture by end of day.

I specialize in the intersection of application security and artificial intelligence. That means conducting threat modeling for LLM-integrated systems, identifying prompt injection and inference abuse risks, and building AI-augmented offensive security tooling that operates autonomously.

With over two decades of hands-on experience, I advise organizations on building security programs that actually scale. Programs that combine deep technical execution with executive-level risk communication across financial services, energy, and critical infrastructure.

AI Security
Prompt injection · LLM API threat modeling · Inference endpoint abuse · Token leakage analysis · AI-integrated system risk assessment
Application Security
OWASP Top 10 · Secure SDLC · Manual code review (Java, Python) · SAST/DAST · Business logic flaws · API security
Penetration Testing
Web · API · Microservices · Cloud · Network · ICS · Red team operations · MITRE ATT&CK
DevSecOps
Checkmarx · Burp Suite · Black Duck · CI/CD security gates · Python automation · Kubernetes security
Cloud Security
Azure · AWS · GCP · IAM privilege escalation · Container security · Secrets management · Zero-trust architecture
Credentials

Five elite certifications.

CISSP
Certified Information Systems Security Professional
ISC² · Globally recognised · <160,000 holders worldwide
CISM
Certified Information Security Manager
ISACA · Security management & governance
CRISC
Certified in Risk and Information Systems Control
ISACA · Enterprise risk management
CISA
Certified Information Systems Auditor
ISACA · Audit, control & assurance
CGEIT
Certified in Governance of Enterprise IT
ISACA · IT governance frameworks
OSCP
Offensive Security Certified Professional
Offensive Security · In progress
MBA
University of Alberta
MSc Information Security
Concordia University
BEng Computer Engineering
Experience

Enterprise scale. Hands-on execution.

Mastercard
Global Lead, Application Security Engineering
2020 — Present
Toronto, Canada
  • Manual and automated security assessments of web applications, REST APIs, and microservices in Azure and hybrid cloud environments.
  • Deep code reviews across Java and Python services, covering injection vulnerabilities, broken access control, insecure deserialization, and cryptographic misuse.
  • Integrated Checkmarx (SAST), Burp Suite (DAST), and Black Duck (SCA) into CI/CD pipelines with automated policy gates blocking high-severity vulnerabilities pre-production.
  • Reduced high and critical production vulnerabilities by 80–90% through early-stage detection and developer remediation workflows.
  • Built and scaled a 40+ member Security Champions program embedding security ownership directly into engineering teams.
  • Threat modeling and risk analysis for LLM-integrated API systems: prompt injection, inference abuse, token leakage, and excessive data exposure.
Alberta Energy Regulator
Lead Cybersecurity Solution Architect
2019 — 2020
Calgary, Canada
  • Application and infrastructure security assessments aligned with NIST CSF across 5,000+ assets.
  • Led red and purple team exercises using MITRE ATT&CK to identify detection and response gaps.
  • Developed incident response playbooks improving containment efficiency and forensic readiness.
  • Built executive dashboards visualizing risk exposure and remediation metrics for senior leadership.
Kimberly Clark
Principal Vulnerability Management Architect
2017 — 2019
Dallas, Texas
  • Designed and implemented a global vulnerability management program covering 30,000+ assets, spanning discovery, risk-based prioritization, remediation tracking, and SLA enforcement.
  • Integrated Tenable, Qualys, and Nucleus for contextualized risk analysis and SLA governance.
  • Partnered with application teams to remediate high-risk web and API vulnerabilities.
Enbridge Inc.
Technical Manager, Vulnerability Management & Penetration Testing
2015 — 2017
Calgary, Canada
  • Continuous vulnerability assessment across 35,000+ assets using Tenable, delivering a significant reduction in technical debt within the first 12 months.
  • Led penetration testing across network, application, database, and ICS environments.
  • Directed red team exercises simulating real-world adversarial scenarios aligned to MITRE ATT&CK.
  • Integrated vulnerability data into ServiceNow GRC workflows improving remediation velocity.
Coast Capital Savings
Lead, Security Operations & Architecture
2015
Surrey, Canada
  • Managed SOC operations including SIEM (Splunk) tuning and endpoint protection across enterprise environments.
  • Designed firewall and network security configurations; improved network segmentation and access controls.
  • Led incident response and developed threat detection rules and monitoring strategies.
  • Delivered security posture reports to senior leadership.
MNP LLP
Cybersecurity Manager, Security Architecture & Risk Advisory
2014 — 2015
Calgary, Canada
  • Led end-to-end security architecture and risk assessment engagements for public sector clients including the Government of Alberta.
  • Performed Threat and Risk Assessments (TRAs) across Microsoft Azure, AWS, and on-premise environments.
  • Identified critical gaps including absent MFA, weak identity controls, insecure API configurations, and inadequate network segmentation, then delivered formal remediation roadmaps with implementation timelines.
  • Designed secure architecture patterns for identity, access management, encryption, and network security.
ATB Financial
IT Security Governance Manager, Security Architecture & Risk Management
2011 — 2014
Edmonton, Canada
  • Designed and led enterprise security architecture and governance programs aligned to ISO 27001, NIST, and COBIT.
  • Acted as security architect for Active Directory hardening, identity governance, and access control improvements.
  • Enhanced SOC threat detection, Splunk SIEM capabilities, and incident response processes.
  • Supported PCI DSS compliance and regulatory audits through architecture reviews and control validation.
TEACHING & MENTORSHIP
Concordia University of Edmonton
Guest Lecturer / Industry Instructor — Graduate Cybersecurity Program
2011 — 2016
Edmonton, Canada
  • Delivered graduate-level cybersecurity instruction covering enterprise security architecture, threat modeling, penetration testing, incident response, and regulatory compliance across 5 consecutive years.
  • Brought live enterprise case studies and real-world attack scenarios directly into the classroom, bridging the gap between academic theory and industry practice.
  • Mentored graduate students pursuing professional certifications including CISSP and CISM, several of whom went on to senior security roles in industry.
  • Taught simultaneously while leading senior security positions at ATB Financial and MNP LLP, giving students direct access to current enterprise security challenges.
  • Published IEEE research during this period, presented at the International Conference on Digital Forensics in Amsterdam.
Early Career
Security Architecture · Network Security · SOC · Vulnerability Management · Governance & Risk
2006 — 2010
Canada
  • Designed firewall, DMZ, and network segmentation architectures across enterprise environments.
  • Conducted penetration testing, vulnerability assessments, and implemented identity and access management controls.
  • Built SIEM monitoring and threat detection capabilities; supported ISO 27001, PCI DSS, and NIST frameworks.
  • Led incident response and forensic investigations; delivered security architecture and risk reports to executive leadership.
Projects

What I'm building.

Live · AI Security Tooling
PentestAgent
v1.0 · Open Source · MIT License

An autonomous AI security analysis agent that executes full-scope engagements from reconnaissance through exploitation to proof-of-exploitation capture and report generation, without manual orchestration at each step. Detects prompt injection, data leakage paths, model abuse vectors, API vulnerabilities, and cloud misconfigurations using an agentic reasoning engine that thinks through attack surfaces the way a senior security engineer would.

DETECTION: Prompt injection · Data leakage · Model abuse · OWASP API Top 10 · Cloud misconfig
AGENT LOOP: Recon → Discovery → Attack → Post-exploit → Report, with gated authorization at each phase
OUTPUT: CVSS-scored findings · PoE artifacts · Submission-ready reports · Remediation roadmap
Stack: React 18 · AI Agent Loop · Tool Use API · OWASP Top 10 · Prompt Injection · AWS · GCP · Azure · MIT License · Vite
AUTHORIZATION GATED
Active exploitation phases require written authorization verification. Email 0xCyberguru@gmail.com to request engagement access.
Teaching & Mentorship

Shaping the next generation.

5 YEARS · UNIVERSITY LEVEL · GRADUATE CYBERSECURITY
Guest Lecturer and Industry Instructor at Concordia University of Edmonton from 2011 to 2016, teaching graduate-level cybersecurity courses and bridging the gap between academic theory and the realities of enterprise security practice.
ACADEMIC APPOINTMENT
Concordia University of Edmonton
Guest Lecturer / Industry Instructor
Graduate Cybersecurity Program · Information Security Management
2011 — 2016
5 Years
Edmonton, Canada
WHAT I TAUGHT
Enterprise security architecture and governance frameworks aligned to ISO 27001, NIST, and COBIT
Threat modeling, risk assessment, and vulnerability management in real enterprise environments
Penetration testing methodologies, incident response, and digital forensics
Identity and access management, network security design, and cloud security principles
PCI DSS, HIPAA, and regulatory compliance in financial and healthcare sectors
IMPACT & APPROACH
Taught graduate-level cybersecurity students simultaneously while leading senior security roles at ATB Financial and MNP LLP
Brought live enterprise case studies and real-world attack scenarios into the classroom
Mentored students pursuing CISSP, CISM, and other professional certifications in the field
Repeatedly invited back for 5 consecutive years — a direct reflection of student and faculty endorsement
Published IEEE research presented at the International Conference on Digital Forensics in Amsterdam during this period
"Teaching graduate cybersecurity students for five years shaped how I think about security communication at every level. The ability to explain complex attack chains to a room of aspiring professionals is the same skill that lets me brief a board on risk posture without losing them. Security knowledge that can't be transferred is security knowledge that doesn't scale."
— Henry Nnoli
IEEE PUBLISHED DURING THIS PERIOD
"The Governance of Corporate Forensics Using COBIT, NIST and Increased Automated Forensic Approaches"
International Conference on Digital Forensics · Amsterdam
Research

IEEE Published Researcher.

IEEE · International Conference on Digital Forensics · Amsterdam
The Governance of Corporate Forensics Using COBIT, NIST and Increased Automated Forensic Approaches
Published research on corporate forensic governance frameworks, addressing the growing demand for digital forensics capabilities across enterprise environments facing fraud, insider threats, and intellectual property theft.
Contact

Let's work together.

Available for speaking engagements and advisory conversations.

Email: hello@henrynnoli.ai
Website: henrynnoli.ai
LinkedIn: linkedin.com/in/henry-nnoli