I build systems that hold up.
I'm David May. I spent about a decade in security, doing penetration testing, threat modeling, and product security at Bishop Fox, Plaid, and TRM Labs. More recently I've been on the building side, designing and running systems end to end.
A lot of what I build now leans on AI. It does real work, but it never answers for the result. A person does. Knowing where it genuinely adds value, and where it quietly gets you into trouble, is what I specialize in.
- OSCP
- CVE-2018-8021
- Plaid
- TRM Labs
- Bishop Fox
How I work
01
I think in systems, not features
Data flow, failure modes, and cost. The first question is never "how do I build this." It is "what is authoritative, what is derived, and what happens when the thing upstream of me lies or disappears."
02
Security is a design input, not an audit
I spent a decade breaking applications: penetration testing, threat modeling, red teaming, bug bounty triage. That work does not stay behind when I build. It shows up as the shape of the architecture, long before there is anything to audit.
03
AI can be responsible. It cannot be accountable
I work where AI genuinely helps but a human still has to answer for the outcome. That means being explicit about who is Responsible, Accountable, Consulted, and Informed, then encoding it, so the accountability survives contact with a model that is confidently wrong.
Selected work
Clara
An operating system for a construction company
Sole architect and engineer. A Next.js app fronting ~41 Python services on GCP, covering deal sourcing, AI estimation, project management, and financial reconciliation. The interesting part is not the AI. It is the machinery that keeps a human accountable for what the AI does.
- 308K lines TS
- ~41 Cloud Run services
- 349 API routes
- 9-role RBAC
Argus
What I built on top of two open-source projects
I forked an OSINT map dashboard and merged a forecasting engine into it from a second project. The work that is mine sits underneath: a persistent, spatially-indexed camera platform that keeps serving when the upstream APIs do not.
- SQLite + R-tree
- WAL
- Live video from state DOTs
- Empirically tuned concurrency
Writing
Who is accountable when the model is wrong?
AI can be Responsible for the work. It can never be Accountable for it. Designing that distinction into the system, with a RACI lens, is most of the job.
The security holes AI coding tools leave behind
I spent a decade breaking applications before I started building one with AI. The failures are not exotic. They are the same failures, arriving faster.