Skip to content

I build systems that hold up.

I'm David May. I spent about a decade in security, doing penetration testing, threat modeling, and product security at Bishop Fox, Plaid, and TRM Labs. More recently I've been on the building side, designing and running systems end to end.

A lot of what I build now leans on AI. It does real work, but it never answers for the result. A person does. Knowing where it genuinely adds value, and where it quietly gets you into trouble, is what I specialize in.

  • OSCP
  • CVE-2018-8021
  • Plaid
  • TRM Labs
  • Bishop Fox

How I work

01

I think in systems, not features

Data flow, failure modes, and cost. The first question is never "how do I build this." It is "what is authoritative, what is derived, and what happens when the thing upstream of me lies or disappears."

02

Security is a design input, not an audit

I spent a decade breaking applications: penetration testing, threat modeling, red teaming, bug bounty triage. That work does not stay behind when I build. It shows up as the shape of the architecture, long before there is anything to audit.

03

AI can be responsible. It cannot be accountable

I work where AI genuinely helps but a human still has to answer for the outcome. That means being explicit about who is Responsible, Accountable, Consulted, and Informed, then encoding it, so the accountability survives contact with a model that is confidently wrong.


Selected work


Writing