SECURITY RESEARCH · THREAT INTELLIGENCE · DATA EXPOSURE ADVISORY
Never trust what an organization says about its own security posture. Always verify from the outside. That is the zero-trust principle applied to external reconnaissance - and it is the foundation of everything I do. Sensitive data sits exposed - sometimes for months, sometimes for years - until someone finds it. My job is to be that someone before a threat actor is.
I am an independent security researcher. For three years, I have been finding what organizations leave visible from the outside: open databases, leaked credentials, exposed PII, misconfigured cloud assets. I report it. They fix it. That is the entire model.
In January 2026, I formalized this work as ZERO|TOLERANCE - a one-person practice built around a single premise: data exposure exists before detection. The gap between those two things is where I work. The name carries the methodology: zero trust - nothing external is assumed secure until independently verified. Zero tolerance - no excuses for preventable security failure, no acceptable threshold for exposed data.
Three years of passive external reconnaissance across nine MENA countries, the European Union, the United Kingdom, and the United States. No exploitation. No intrusion. No tooling that touches a target system. I observe what is already visible from the outside, document what it means, and report what it costs.
That methodology has led to responsible disclosure engagements with Fortune 500 organizations and Big 4 professional services firms - engagements that resulted in confirmed remediation. Exposed databases taken offline. Credential leaks contained. Attack surface reduced. All of it conducted privately, on my own initiative, with no institutional backing.
I have no team. No venture funding. No advisory board. One researcher, working alone, finding things that internal security programs and enterprise tooling missed. That is either a problem with the industry or a credential. I think it is both.
I identify exposed PII, credentials, and sensitive assets visible through passive external reconnaissance. I quantify the operational risk, calculate fine exposure under applicable data protection law, and deliver findings before they become breach notifications.
Deep-dive breach analysis built from primary sources: SEC filings, DPA rulings, court documents, threat actor communications, and dark web monitoring. Every incident deconstructed to its technical root cause, with threat actor attribution, TTPs mapped to MITRE ATT&CK, and severity-rated reporting.
Every finding mapped to jurisdictional exposure under GDPR Article 83, UK GDPR, Saudi PDPL, UAE PDPL, CCPA, and HIPAA. Technical gap and regulatory price tag, in the same document.
The methodology is passive external reconnaissance. I observe what is already publicly accessible. I confirm the exposure exists and assess its severity. I report findings with evidence - screenshots, metadata, timestamps, regulatory mapping. I work with the organization to close the gap and confirm remediation.
I do not access, extract, or store sensitive data. I do not run active scans against systems without authorization. When an engagement requires deeper assessment, I proceed only under written authorization with a clearly defined scope. Every disclosure follows a structured process documented at zerotolerance.me/disclosure.
For responsible disclosure, threat intelligence sharing, or advisory engagements:
We do not use web forms. Your message is sent directly from your own email client - no data passes through or is stored on our servers. For sensitive disclosures, encrypt with our PGP key.
RESPONSE WITHIN 48 HOURS