Skip to content

Résumé

David May

Product security engineer and systems architect. About a decade breaking software, then building it. I design AI systems that do real work while a named human stays accountable for the result.

  • OSCP
  • CVE-2018-8021
  • B.S.M.E., UCF

Experience

Clara Building Company

2026

Cofounder & CTO

  • Sole architect and engineer of an AI-native construction platform: a Next.js 16 / React 19 / TypeScript application fronting roughly forty Python microservices on Google Cloud, spanning deal sourcing, AI estimation, construction project management, and financial reconciliation.
  • Built a conversational SMS project-management bot (Twilio, Cloud Run) that turns free-form contractor replies into structured schedule updates, using self-consistency voting and a confidence-gated auto-apply with full audit trails and human-in-the-loop review.
  • Engineered a vision pipeline that converts jobsite photos into milestone-progress signals, with a Slack approval loop and cost controls that bound model usage to a bounded sample of images per site each day.
  • Designed a server-authoritative critical-path scheduling engine that unified fragmented data models and duplicate schedulers into one source of truth, sharply cutting schedule-recompute cost while keeping every client and automation in sync in real time.
  • Built a real-estate deal-sourcing pipeline ingesting 400K+ MLS listings across 8 counties into BigQuery, with automated daily candidate selection feeding model-driven deal analysis.

TRM Labs

2024 – 2026

Senior Security Engineer

  • Integrated AI agents into vulnerability management and product security workflows to automate analysis and accelerate remediation.
  • Architected and delivered customer-facing security capabilities for a large-scale React/TypeScript SaaS platform used by thousands of enterprise customers.
  • Designed streaming security telemetry pipelines, ingesting Azure AD, identity provider, and application activity into a centralized data lake for real-time detection engineering.
  • Developed behavioral correlation logic combining identity and application telemetry to surface high-fidelity anomalies.
  • Managed bug bounty and independent penetration testing programs, triaging findings and driving remediation with engineering teams.

Plaid

2022 – 2024

Product Security Engineer

  • Managed application penetration tests. Applied threat modeling to identify gaps and hot spots in code so testers could start from the right places, and validated fixes with knowledge of advanced bypass techniques before approving a retest.
  • Built an AI tool that parses internal documentation and API docs to synthesize threats, making product-team-driven threat modeling viable in a resource-constrained environment. It got us most of the way there for a fraction of the effort, and surfaced latent risks that had gone unidentified.
  • Created a CVE parsing tool that processes feeds with AI to determine applicable software and versions, since CVE metadata is unstructured and inconsistent. Output cross-references against SBOMs and asset inventories to automate triage.

Bishop Fox

2021 – 2022

Security Consultant

  • Application penetration testing for some of the largest companies in the world, including hard-to-find business-logic and cross-service trust vulnerabilities.
  • Static and dynamic code review (SAST and DAST), cloud architecture review (AWS and GCP), IoT and network-connected device testing, and internal and external network penetration testing.
  • Designed automated test cases for identified vulnerabilities so findings could be regression-tested as part of CI/CD.

Schellman & Company

2020 – 2021

Senior Penetration Tester

  • Assessed domains, networks, web applications and APIs, mobile applications, and people, often as part of FedRAMP or PCI assessments.
  • Researched new techniques and developed exploitation tooling. Designed and ran phishing campaigns.

SemanticBits

2018 – 2020

Security Engineer

  • Owned the security posture of entire programs pursuing FedRAMP and HIPAA compliance.
  • Penetration testing, SAST, DAST, vulnerability assessment, malware analysis, cloud security, and DevOps security.
  • Published CVE-2018-8021 (Apache Superset).

Northrop Grumman

2015 – 2018

Systems Engineer, Cyber Systems Engineer, ISSO

  • Cyber security operations oversight on a global network. Vulnerability research, patch development, incident response, and NIST 800-53 / RMF compliance.

Booz Allen Hamilton

2014 – 2015

Systems Engineer

  • Engineering review and analysis of ground-support pressure systems critical to space vehicle launch.

Skills

Security

  • Penetration testing
  • Threat modeling
  • Application security
  • Red teaming
  • Cloud security (AWS, GCP)
  • Detection engineering
  • Bug bounty & pentest program management

Building

  • TypeScript
  • React / Next.js
  • Python
  • Node
  • Distributed & event-driven systems
  • Firestore / BigQuery / SQLite
  • Docker / Cloud Run / Terraform

AI systems

  • LLM pipeline design
  • Self-consistency & confidence gating
  • Human-in-the-loop and rollback design
  • Vision pipelines
  • Prompt-injection defense
  • Cost control

Education & Certifications

University of Central Florida

B.S., Mechanical Engineering

2010 – 2014

Certifications

Offensive Security Certified Professional (OSCP)

September 2017