Who's Running Your Test

The short version: U.S. Army veteran, 26 years in IT, full-time security work since 2018, specialized into penetration testing in 2020. The longer version is below.

I'm Patrick. My work covers both sides of security. On the defensive side, I do active threat hunting work: analyzing enterprise telemetry, investigating anomalous behavior, and tracing how attackers move through production networks. Coyote Bytes Security is the offensive half of that: finding the vulnerabilities before someone else does.

My IT career started in the U.S. Army in 1998: help desk and field support, followed by two decades across federal and defense environments spanning software development, intelligence analysis, project management, and eventually security. Full-time security work started in 2018 on a defensive cyber operations team. In late 2019, that shifted into dedicated offensive work: network, web application, social engineering, and adversarial threat emulation. Since then: federal high-value asset assessments and enterprise threat hunting work.

That background informs every engagement. Real operational security stakes, years on both sides of the line, and enough time in remediation-constrained environments to write findings a development team can actually act on.

Coyote Bytes Security is a solo practice. Every engagement is scoped, executed, and reported by me directly. There's no project management layer, no junior staff handling the work, no ambiguity about who's actually in your environment.

Experience

IT since 1998, starting with U.S. Army service and running through 26 years across federal and defense environments. That's not a credential, it's context. I've managed infrastructure, built full-stack applications, worked in intelligence analysis, and spent years in environments where security wasn't optional and failures had real consequences. That background matters during a penetration test: I understand what realistic remediation looks like, what a development team can actually implement, and where security trade-offs meet operational reality.

Full-time security work started in 2018 on a defensive cyber operations team: systems administration, IDS/IPS, compliance, and an introduction to authorized penetration testing within defined rules of engagement. That shifted into dedicated offensive work in late 2019: network, web application, social engineering, and red team engagements against federal systems, with findings feeding directly into remediation decisions. Subsequent work included federal high-value asset assessments before transitioning into enterprise threat hunting.

1998

IT career begins, U.S. Army, help desk and field support

2018

Full-time security work begins, defensive cyber operations

2020

Specialized into penetration testing, federal offensive security work

2023

Federal high-value asset assessments

Present

Enterprise threat hunting + founder, Coyote Bytes Security

Certifications

The credentials that matter most for penetration testing work, with context on what they represent.

GPEN

GIAC Penetration Tester

SANS Institute certification covering network penetration testing methodology: enumeration, exploitation, post-exploitation, and lateral movement. Proctored, open-book, and skills-based. The primary credential behind the external network assessment work.

GWAPT

GIAC Web Application Penetration Tester

SANS certification covering web application security testing: OWASP methodology, authentication flaws, injection vulnerabilities, session management, and business logic. The credential behind the web application assessment work.

GCIH

GIAC Certified Incident Handler

Incident response, threat analysis, and attacker behavior from the defender's perspective. Knowing how incidents unfold on the detection side informs the offensive work — when findings go into the report, that context comes with them.

GPYC

GIAC Python Coder

Custom tooling and automation. If a test requires something an off-the-shelf tool can't do, or if a finding needs a custom proof-of-concept to demonstrate exploitability clearly, I write it. Custom tooling also means engagements aren't constrained to what commercial scanners can test.

CEH

Certified Ethical Hacker (EC-Council)

Widely recognized outside the security community. Useful as a common reference point for buyers familiar with it.

SEC+

CompTIA Security+

Industry baseline certification, broadly recognized in IT and compliance contexts.

The Offensive/Defensive Advantage

Most penetration testers come from one direction. They've studied offensive techniques, they know the tools, and they can find vulnerabilities. What they often can't tell you is whether your defenders would have caught what they did.

I work both sides of that equation. On the defensive side, I spend time in the defender's seat: reviewing enterprise telemetry, building detection logic, and identifying what slipped past existing controls. That gives me a clear view of what defenders actually see versus what they miss, which attack patterns generate alerts and which don't, and where the gaps tend to be.

That changes the penetration testing deliverable. For significant findings, I can tell you what I did, which log entry should have fired, and whether your current controls would have caught it. That's a more useful output than a list of CVEs sorted by score.

A CVSS score doesn't account for your specific environment, your existing controls, or what an attacker would realistically chain together to cause damage. The report does. Findings are prioritized by what's actually exploitable and what an attacker would care about, not by which number is highest on the label.

Approach

Direct from Scoping to Report

Every engagement is scoped and executed by me directly. The person you talk to in the initial call is the person running the tests and writing the report. There's no point where the work gets handed to someone else.

Written Authorization, Every Time

A signed Statement of Work and Rules of Engagement are required before testing begins, every time. Scope is confirmed in writing before anything gets touched. That protects you, it protects me, and it means there's no ambiguity about what was and wasn't authorized.

Prioritized by Real-World Exploitability

Findings are reported in the order an attacker would actually exploit them, not just sorted by CVSS score. A high-CVSS finding that requires three chained conditions may be less urgent than a medium finding that's one unauthenticated request from sensitive data. The report makes that clear.

Written for Two Audiences

Every report includes an executive summary written for leadership (what was tested, what was found, what the business risk is) and a technical findings section written for the people doing the remediation: reproduction steps, evidence, and specific guidance. The same document works for both audiences without needing to be translated between them.

Want to talk through a potential engagement?

The first step is a free 30-minute scoping conversation. No commitment. Just a focused discussion about what you want tested and what the engagement would look like.
