Aaron Hnatiw

United by a passion to build and create.

About Me

Aaron Hnatiw

I'm Aaron Hnatiw — a builder and creator at heart. Whether I'm writing software, breaking systems, publishing stories, or composing music, the thread that connects everything I do is the same: a deep passion to build and create.

As a software developer, I build tools and systems that solve real problems. As a hacker, I deconstruct and understand how things work — then make them more secure. As a publisher, I craft immersive fictional worlds through Proxy Publishing. And as a musician, I compose and perform live improvised piano and synthesizer pieces that blend modern classical with ambient soundscapes.

These aren't separate pursuits — they're all expressions of the same creative drive. The discipline of writing clean code informs my prose. The curiosity of hacking fuels my musical exploration. Every craft teaches me something that makes the others richer.

Proxy Publishing LinkedIn GitHub Twitter BlueSky

Music

Piano & synthesizer · Live improvisation · Modern classical meets ambient

All my music is composed, performed, and recorded live — entirely improvised. What you hear is always a live performance. I play primarily using piano and synthesizers, often layering the two together to form a modern classical and ambient synergy.

Music is a lifelong pursuit, one that I return to in turbulent times, and as a source of unending peace and joy. I have played piano for most of my life, but it was only recently that I discovered the vast sonic soundscape made possible by synthesizers — both hardware and software-based. By combining synthesized sounds with piano, I have formed a musical style all my own, yet one that would appeal to those who enjoy the music of Nils Frahm, Jay Hosking, Ólafur Arnalds, and Hania Rani.

First - Album Art by Madeline Hnatiw

Debut Album

First

"First" because it is the first of hopefully many to come. Thirteen tracks of improvised piano and synthesizer compositions, exploring themes of space, humanity, nature, and introspection.

Album art designed and created by Madeline Hnatiw — a budding artist and one of my biggest fans.

Spotify Apple Music

Publisher

Whispers of Vengeance Book Cover

Debut Novel: Whispers of Vengeance

Book 1 of Echoes of Ash: A Dark Progression Fantasy Series

They burned his home. They killed his kin. They left Ashelenar with nothing but ashes and a vow whispered into a poisoned sky: Vengeance against the green dragon, Veridianus.

Cast into a brutal world, the young druid's gentle ways are worthless against the memory of emerald fire. To challenge a force of nature, he needs power beyond imagining - power whispered about only in forbidden texts and shadowed ruins, secrets guarded by more than just stone.

Driven by grief, Ash desperately seeks this dangerous edge. But when cornered by death, something else awakens within him - a terrifying spark, an echo of the very destruction he despises. Is this the weapon he needs, or the seed of his own damnation?

To gain strength, he must embrace the darkness. To hunt the dragon, he might have to become something monstrous himself. How much of his soul will he sacrifice for the strength to kill a god? The journey into darkness begins now.

Perfect for fans of Will Wight, James Islington, and Anthony Ryan, this dark progression fantasy tale marks the beginning of an epic journey into power and sacrifice.

Published through my company, Proxy Publishing.

Stay updated on future releases in the Echoes of Ash series, plus news about giveaways and special editions, by joining the newsletter at Proxy Publishing.

View on Amazon

Tech Accomplishments

Conference Talks

  • Toronto Area Security Klatch, Toronto (2024)

    "The Art of Video Game Hacking" - How to hack video games, as a way to learn advanced security techniques. From beginner to advanced, this talk includes a plethora of references and real demos.

  • DerbyCon, Louisville (2017)

    "Hacking Blockchains" - A talk about blockchain and cryptocurrency security.

  • ToorCon, San Diego (2017)

    "How To Move Mountains" - How to develop a modern security program, in the world of "DevSecOps". This talk highlights modern security controls and practices that integrate with CI/CD pipelines, cloud deployments, and rapid development practices.

  • Hack In Paris, Paris, France (2017)

    "Beyond OWASP Top 10" - Similar talk to previous one of the same name, but with different web vulnerabilities.

  • CircleCityCon, Indianapolis (2017)

    "Security Training: Making Your Weakest Link The Strongest" - Talk about how to provide effective security training, using real-world experience as an educator and a practitioner.

  • NolaCon, New Orleans (2017)

    "Beyond OWASP Top 10" - Talk about common but impactful web vulnerabilities not listed in the OWASP Top 10.

  • Hackfest, Québec City (2016)

    "Racing the web" - Talk about race condition vulnerabilities, including an open source tool release.

Open Source Security Tools

  • Damn Vulnerable Golang (2024)

    A deliberately vulnerable Go application for education and testing purposes. View Source

  • Cartograph (2023-present)

    Advanced proxy that maps HTTP networks and software supply chains. Designed to aid in cybersecurity assessments and research through high performance data collection and analysis. Written in Go. View Source

  • Race The Web (2017)

    A tool that tests for and identifies race condition vulnerabilities in web applications and APIs. Includes a RESTful API to integrate it into a CI/CD pipeline. Written in Go. View Source

  • Input Field Finder (2017)

    A web crawler that identifies and logs all input elements found, in order to identify potential vulnerability sources. Written in Go. View Source

  • Rogue MAC Check (2016)

    Identifies rogue wireless access points by comparing a file of authorized BSSIDs (MAC addresses of the wireless access point) against a list of discovered BSSIDs. Written in Go. View Source

  • USB Detector (2015)

    A blue team tool to help detect physical attacks using USB devices. It detects USB storage device insert/removal, logs events, and allows email alerts. Written in C#. View Source

  • Anchor Redirect (2013)

    A proof-of-concept Google Chrome extension that exploits a flaw in JavaScript that allows anchor elements to be changed AFTER the user clicks on them. This vulnerability has since been fixed. Written in JavaScript. View Source

Featured Workshops & Training

  • BSides Toronto, Toronto (October 19, 2024)

    "PC Video Game Hacking Fundamentals"

    Delivered a sold-out one-day course guiding participants through the fundamentals of PC game hacking. Attendees gained practical experience applying techniques like reverse engineering, memory analysis, and binary exploitation to real games, translating these skills to broader offensive security contexts.

    Core Skills Covered: Memory manipulation (Cheat Engine and C++), reverse engineering basics, assembly concepts, code injection, DirectX hooks, and game engine analysis.

    Delivered with Mickael Nadeau, co-founder of cyberdefense.ai and an experienced security researcher specialising in game hacking and cloud security architecture.

Certifications

  • CISSP - Certified Information Systems Security Professional

    Issued by: ISC2

  • CPT - Certified Penetration Tester

    Issued by: IACRB

Career

Director of Security, League Inc. 2025 - Present

I lead security for League, a health technology company focused on transforming the healthcare consumer experience with AI-powered digital front doors and personalized, omni-channel care journeys. My responsibilities span enterprise security strategy, product security, and governance for League's platform that serves payers, providers, and consumer health organizations.

Partnering closely with product, engineering, and customer stakeholders, I ensure security and privacy are foundational to League's AI-powered capabilities, including League Agent Teams™, while maintaining a frictionless experience for members. This includes aligning controls with HITRUST r2, SOC 2 Type II, HIPAA, PIPEDA, and GDPR expectations and helping teams ship secure, compliant features quickly.

Product Manager, Garnet 2025

As Product Manager, I supported Garnet's security solutions by bridging the gap between internal engineering/product teams and the external market. My role focused on gathering customer feedback and market insights to inform the product roadmap, ensuring our focus on securing software releases, high-performance production runtime security (with detection & blocking), and optimized performance aligned with real-world needs. I collaborated closely with engineering and Go-To-Market (GTM) teams to facilitate communication and help translate technical capabilities into customer value.

Senior Security Engineer, Amazon Web Services (AWS) 2024 - 2025

Contributed to a team focused on making security seamless for developers. Key initiatives included:

  • Evangelizing a secure-by-default infrastructure-as-code (IaC) solution internally, helping increase adoption from 5% to 20% of active software projects.
  • Developing security automation tooling that resulted in an estimated annual saving of over 3,000 security engineer hours.

Senior Software Engineer, Oneleet 2024

Provided specialised software engineering expertise on a contract basis for a new security platform. Key contributions included porting custom macOS security agent software to Windows and developing static analysis capabilities for their security and compliance platform.

Founder & Instructor, Hacker Dev Bootcamp 2023 - 2024

Founded and instructed the Hacker Dev Bootcamp, developing and delivering hands-on training focused on custom cybersecurity tool development. The curriculum leveraged real-world examples and extensive experience in security tooling to empower students to build practical, usable security tools.

Visit Original Website

Founder, Proxy Products 2022 - 2024

Founded Proxy Products, a security company focused on developing innovative web and API security tooling. Key projects included Infinity Insights, later released as the open-source tool Cartograph for mapping HTTP networks and software supply chains.

Principal Security Engineer, ecobee 2020 - 2022

Led security automation initiatives at ecobee, architecting and implementing solutions to protect millions of IoT smart home devices. Developed systems for large-scale static code analysis and dynamic/runtime analysis of web applications and APIs, emphasising performance and high-fidelity detection to secure internet-facing services.

Director of Application Security, Royal Bank of Canada (RBC) 2018 - 2019

Directed application security for the Royal Bank of Canada (RBC), overseeing the security posture of software applications across the bank, including mobile, web banking, APIs, and core systems. Spearheaded the integration of automated security testing into CI/CD pipelines, implementing modern DevSecOps controls within a large-scale financial environment without hindering development velocity.

Senior Security Researcher, Security Compass 2017 - 2018

Contributed to the security community through original research focused on web application/API security, DevSecOps, and blockchain technology. Disseminated findings via technical blog posts, international conference presentations, and podcasts.

Adjunct Professor, Georgian College 2016

Developed and taught a practical, hands-on application security course for third-year computer programming students. The curriculum emphasised real-world skills through weekly labs and culminated in a final project where students successfully identified and reported vulnerabilities via bug bounty platforms.

Security Consultant, Security Compass 2015 - 2016

Provided security consulting for Fortune 500 companies, performing penetration tests, secure code reviews, red team engagements, and wireless assessments. Architected and managed the enterprise security program for a notable Fortune 100 technology client, and contributed to building client security programs.

Founder and CEO, Inspectral Security 2014 - 2015

Founded Inspectral Security, providing full-scale security testing services for medium-sized organizations. Services included red team assessments, penetration testing, vulnerability identification, and implementing post-assessment mitigations and controls to enhance client defenses.

For a complete career history, please visit my LinkedIn profile.

Startup Graveyard

"I have not failed. I've just found 10,000 ways that won't work."
- Thomas A. Edison

Infinity Insights

Software that mapped dependencies across web assets and identified critical components for prioritized testing and patching. It leveraged a novel approach to security testing that scales web application and API vulnerability identification using machine learning algorithms, including an advanced algorithm to automatically classify and group similar web assets, with an interactive visual interface. Marketing and selling to enterprise meant that the sales cycles were long, and as a bootstrapped startup, this became untenable. This software has been migrated to the open source project called "Cartograph".

2022-2024

Shelter WiFi

A "plug-and-play" Wi-Fi router with advanced parental controls and security features. Aimed to keep kids safe online, the project reached the prototype phase with strong market interest. However, the venture came to a halt as in-built parental controls became standard in devices offered by major tech companies, rendering a separate solution less necessary.

2023

Gridd Space

What initially started as a new user interface for vulnerability analysis in web applications (using a novel algorithm I invented that converted the DOM into a live 3D object) gradually evolved into a platform for immersive VR world development on the web. After a sizeable investment commitment for this platform fell through, I was forced to shelve this software until a later time.

2022

Scout (formerly known as "Security Sidekick", then "Recon++")

A high performance web proxy that created an asset inventory and passively identified security vulnerabilities through a signature-based approach. Although initially successful with bug bounty hunters and penetration testers, circumstances required a pivot back to full-time employment. However, much of the work I've done since then has leveraged the tools and techniques I developed as a part of this solution, allowing me to move well beyond the initial scope of this fledgeling software.

2019 - 2020

Education

University of Ottawa

Studies in Criminology

2008 - 2009

My academic journey began with an interest in Criminology, aiming for a career in federal law enforcement. However, an encounter that introduced me to the world of cybersecurity sparked an intense fascination. Realising that true proficiency required deep technical understanding, I decided to pivot and build foundational knowledge in computer systems.

Algonquin College

Diploma, Computer Systems Technology

2009 - 2011

Focused on acquiring the essential hardware and networking knowledge needed as a base for cybersecurity pursuits. This program provided the technical grounding necessary before diving deeper into security specifics and software development.

Georgian College

Diploma, Computer Programmer

2012 - 2014

Following initial self-study in programming (discovering a strong affinity for C# after exploring C++), I pursued formal programming education here. This is where I truly discovered my passion for software development. The hands-on, practical nature of the program resonated deeply, leading to academic excellence.

Governor General's Academic Medal - Awarded for achieving the highest academic standing in the graduating class across all programs (final semester GPA: 4.0 / 100%, overall program GPA: 97.3%).

Athabasca University

Studies toward Bachelor of Science, Computer Science

2017

Attempted to formalise my computer science knowledge through online study while working full-time. While I completed over 50% of the required credits, I found the format less conducive to deep learning than practical application and self-directed study, which have remained my preferred methods for acquiring advanced CS concepts. The knowledge equivalent to a degree was gained through extensive real-world experience and continuous learning.