I architect secure systems and craft immersive narratives.
I'm Aaron Hnatiw, an architect of both secure software systems and immersive fictional worlds. With over a decade of experience in cybersecurity and software engineering, I specialise in building robust digital defences and crafting compelling narratives. My work is driven by a passion for intricate design, whether in code or prose.
In the tech realm, I focus on high-performance runtime security and comprehensive software protection. As a fantasy novelist, I explore the art and science of storytelling through my works published via Proxy Publishing. This dual focus allows me to bring a unique blend of analytical thinking and creative problem-solving to all my endeavors.
At Garnet, I'm focused on product management for security solutions that empower organizations to build and deploy software with confidence. My work centres on:
Through Proxy Publishing, I bring imaginative worlds to life. Our focus is on the art and science of great stories, meticulously crafting narratives that are deeply immersive and rich with the echoes of imagination.
My debut fantasy novel, "Whispers of Vengeance", is the first step in this journey.
Book 1 of Echoes of Ash: A Dark Progression Fantasy Series
They burned his home. They killed his kin. They left Ashelenar with nothing but ashes and a vow whispered into a poisoned sky: Vengeance against the green dragon, Veridianus.
Cast into a brutal world, the young druid's gentle ways are worthless against the memory of emerald fire. To challenge a force of nature, he needs power beyond imagining - power whispered about only in forbidden texts and shadowed ruins, secrets guarded by more than just stone.
Driven by grief, Ash desperately seeks this dangerous edge. But when cornered by death, something else awakens within him - a terrifying spark, an echo of the very destruction he despises. Is this the weapon he needs, or the seed of his own damnation?
To gain strength, he must embrace the darkness. To hunt the dragon, he might have to become something monstrous himself. How much of his soul will he sacrifice for the strength to kill a god? The journey into darkness begins now.
Perfect for fans of Will Wight, James Islington, and Anthony Ryan, this dark progression fantasy tale marks the beginning of an epic journey into power and sacrifice.
Published through my company, Proxy Publishing.
Stay updated on future releases in the Echoes of Ash series, plus news about giveaways and special editions, by joining the newsletter at Proxy Publishing.
Toronto Area Security Klatch, Toronto (2024)
"The Art of Video Game Hacking" - How to hack video games, as a way to learn advanced security techniques. From beginner to advanced, this talk includes a plethora of references and real demos.
DerbyCon, Louisville (2017)
"Hacking Blockchains" - A talk about blockchain and cryptocurrency security.
ToorCon, San Diego (2017)
"How To Move Mountains" - How to develop a modern security program, in the world of "DevSecOps". This talk highlights modern security controls and practices that integrate with CI/CD pipelines, cloud deployments, and rapid development practices.
Hack In Paris, Paris, France (2017)
"Beyond OWASP Top 10" - Similar talk to previous one of the same name, but with different web vulnerabilities.
CircleCityCon, Indianapolis (2017)
"Security Training: Making Your Weakest Link The Strongest" - Talk about how to provide effective security training, using real-world experience as an educator and a practitioner.
NolaCon, New Orleans (2017)
"Beyond OWASP Top 10" - Talk about common but impactful web vulnerabilities not listed in the OWASP Top 10.
Hackfest, Québec City (2016)
"Racing the web" - Talk about race condition vulnerabilities, including an open source tool release.
Damn Vulnerable Golang (2024)
A deliberately vulnerable Go application for education and testing purposes.
Cartograph (2023-present)
Advanced proxy that maps HTTP networks and software supply chains. Designed to aid in cybersecurity assessments and research through high performance data collection and analysis. Written in Go.
Race The Web (2017)
A tool that tests for and identifies race condition vulnerabilities in web applications and APIs. Includes a RESTful API to integrate it into a CI/CD pipeline. Written in Go.
Input Field Finder (2017)
A web crawler that identifies and logs all input elements found, in order to identify potential vulnerability sources. Written in Go.
Rogue MAC Check (2016)
Identifies rogue wireless access points by comparing a file of authorized BSSIDs (MAC addresses of the wireless access point) against a list of discovered BSSIDs. Written in Go.
USB Detector (2015)
A blue team tool to help detect physical attacks using USB devices. It detects USB storage device insert/removal, logs events, and allows email alerts. Written in C#.
Anchor Redirect (2013)
A proof-of-concept Google Chrome extension that exploits a flaw in JavaScript that allows anchor elements to be changed AFTER the user clicks on them. This vulnerability has since been fixed. Written in JavaScript.
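The class of bug that the "Racing the web" talk and the Race The Web tool above deal with, shown here as an added example that is not code from Race The Web or from any other project on this page: a single-use coupon endpoint with a check-then-act window, the same endpoint with the lock held across check and update, and a small harness that gates N requests behind a channel, releases them at the same instant and counts how many the server accepted. The coupon store, the /redeem path and the 150 ms simulated database latency are all constructed for this example.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"sync"
	"sync/atomic"
	"time"
)

// CouponStore is a constructed stand-in for a backend holding one single-use
// coupon. window simulates the database round-trip that sits between the
// "is it still valid?" check and the "mark it used" update.
type CouponStore struct {
	mu        sync.Mutex
	remaining int32
	window    time.Duration
}

// VulnerableRedeem checks and then updates without holding a lock, so every
// request that reads remaining > 0 before the first update lands is accepted
// (a time-of-check/time-of-use race). Atomic ops keep the Go race detector
// quiet; the logical race is the point.
func (s *CouponStore) VulnerableRedeem(w http.ResponseWriter, r *http.Request) {
	if atomic.LoadInt32(&s.remaining) <= 0 {
		http.Error(w, "coupon already redeemed", http.StatusConflict)
		return
	}
	time.Sleep(s.window) // simulated DB latency between check and update
	atomic.AddInt32(&s.remaining, -1)
	fmt.Fprintln(w, "redeemed")
}

// SafeRedeem holds the lock across check and update, so only the first
// request can succeed no matter how many arrive at once.
func (s *CouponStore) SafeRedeem(w http.ResponseWriter, r *http.Request) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.remaining <= 0 {
		http.Error(w, "coupon already redeemed", http.StatusConflict)
		return
	}
	time.Sleep(s.window)
	s.remaining--
	fmt.Fprintln(w, "redeemed")
}

// RaceTest prepares n POST requests, releases them simultaneously and returns
// how many came back HTTP 200. A transport error fails the whole run.
func RaceTest(url string, n int) (int, error) {
	var wg sync.WaitGroup
	var accepted int32
	start := make(chan struct{})
	errs := make(chan error, n)
	client := &http.Client{Timeout: 30 * time.Second}
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			req, err := http.NewRequest(http.MethodPost, url, nil)
			if err != nil {
				errs <- err
				return
			}
			<-start // every goroutine blocks here until the gate opens
			resp, err := client.Do(req)
			if err != nil {
				errs <- err
				return
			}
			resp.Body.Close()
			if resp.StatusCode == http.StatusOK {
				atomic.AddInt32(&accepted, 1)
			}
		}()
	}
	close(start) // open the gate: all n requests go out together
	wg.Wait()
	close(errs)
	if err, ok := <-errs; ok {
		return 0, err
	}
	return int(accepted), nil
}

// redemptions races n requests against a fresh single-use coupon served by
// the chosen handler and reports how many were accepted.
func redemptions(pick func(*CouponStore) http.HandlerFunc, n int) (int, error) {
	store := &CouponStore{remaining: 1, window: 150 * time.Millisecond}
	srv := httptest.NewServer(pick(store))
	defer srv.Close()
	return RaceTest(srv.URL+"/redeem", n)
}

func VulnerableRedemptions(n int) (int, error) {
	return redemptions(func(s *CouponStore) http.HandlerFunc { return s.VulnerableRedeem }, n)
}

func SafeRedemptions(n int) (int, error) {
	return redemptions(func(s *CouponStore) http.HandlerFunc { return s.SafeRedeem }, n)
}

func main() {
	v, err := VulnerableRedemptions(20)
	if err != nil {
		log.Fatal(err)
	}
	s, err := SafeRedemptions(20)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("unlocked handler: %d of 20 requests redeemed a single-use coupon\n", v)
	fmt.Printf("locked handler:   %d of 20 requests redeemed it\n", s)
}
```

The gate is what makes the harness useful: building every request first and only then closing `start` lands all of them inside the check-then-act window, which a sequential loop or a naive goroutine-per-request loop often misses. Against a real target, replace the httptest server with the endpoint under test and treat more than one 200 for a one-shot action as a finding; the locked handler shows the fix, which is to hold the transaction (or a row lock, or a conditional update) across the check and the write rather than to add retries after the fact.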
BSides Toronto, Toronto (October 19, 2024)
"PC Video Game Hacking Fundamentals"
Delivered a sold-out one-day course guiding participants through the fundamentals of PC game hacking. Attendees gained practical experience applying techniques like reverse engineering, memory analysis, and binary exploitation to real games, translating these skills to broader offensive security contexts.
Core Skills Covered: Memory manipulation (Cheat Engine and C++), reverse engineering basics, assembly concepts, code injection, DirectX hooks, and game engine analysis.
Delivered with Mickael Nadeau, co-founder of cyberdefense.ai and an experienced security researcher specialising in game hacking and cloud security architecture.
CISSP - Certified Information Systems Security Professional
Issued by: ISC2
CPT - Certified Penetration Tester
Issued by: IACRB
As Product Manager, I support Garnet's security solutions by bridging the gap between internal engineering/product teams and the external market. My role focuses on gathering customer feedback and market insights to inform the product roadmap, ensuring our focus on securing software releases, high-performance production runtime security (with detection & blocking), and optimized performance aligns with real-world needs. I collaborate closely with engineering and Go-To-Market (GTM) teams to facilitate communication and help translate technical capabilities into customer value.
Contributed to a team focused on making security seamless for developers. Key initiatives included:
Provided specialised software engineering expertise on a contract basis for a new security platform. Key contributions included porting custom macOS security agent software to Windows and developing static analysis capabilities for their security and compliance platform.
Founded and instructed the Hacker Dev Bootcamp, developing and delivering hands-on training focused on custom cybersecurity tool development. The curriculum leveraged real-world examples and extensive experience in security tooling to empower students to build practical, usable security tools.
Founded Proxy Products, a security company focused on developing innovative web and API security tooling. Key projects included Infinity Insights, later released as the open-source tool Cartograph for mapping HTTP networks and software supply chains.
Led security automation initiatives at ecobee, architecting and implementing solutions to protect millions of IoT smart home devices. Developed systems for large-scale static code analysis and dynamic/runtime analysis of web applications and APIs, emphasising performance and high-fidelity detection to secure internet-facing services.
Directed application security for the Royal Bank of Canada (RBC), overseeing the security posture of software applications across the bank, including mobile, web banking, APIs, and core systems. Spearheaded the integration of automated security testing into CI/CD pipelines, implementing modern DevSecOps controls within a large-scale financial environment without hindering development velocity.
Contributed to the security community through original research focused on web application/API security, DevSecOps, and blockchain technology. Disseminated findings via technical blog posts, international conference presentations, and podcasts.
Developed and taught a practical, hands-on application security course for third-year computer programming students. The curriculum emphasised real-world skills through weekly labs and culminated in a final project where students successfully identified and reported vulnerabilities via bug bounty platforms.
Provided security consulting for Fortune 500 companies, performing penetration tests, secure code reviews, red team engagements, and wireless assessments. Architected and managed the enterprise security program for a notable Fortune 100 technology client, and contributed to building client security programs.
Founded Inspectral Security, providing full-scale security testing services for medium-sized organizations. Services included red team assessments, penetration testing, vulnerability identification, and implementing post-assessment mitigations and controls to enhance client defenses.
For a complete career history, please visit my LinkedIn profile.
"I have not failed. I've just found 10,000 ways that won't work."
- Thomas A. Edison
Software that mapped dependencies across web assets and identified critical components for prioritized testing and patching. It leveraged a novel approach to security testing that scales web application and API vulnerability identification using machine learning algorithms, including an advanced algorithm to automatically classify and group similar web assets, with an interactive visual interface. Marketing and selling to enterprise meant that the sales cycles were long, and as a bootstrapped startup, this became untenable. This software has been migrated to the open source project called "Cartograph".
2022-2024
A "plug-and-play" Wi-Fi router with advanced parental controls and security features. Aimed to keep kids safe online, the project reached the prototype phase with strong market interest. However, the venture came to a halt as in-built parental controls became standard in devices offered by major tech companies, rendering a separate solution less necessary.
2023
What initially started as a new user interface for vulnerability analysis in web applications (using a novel algorithm I invented that converted the DOM into a live 3D object) gradually evolved into a platform for immersive VR world development on the web. After a sizeable investment commitment for this platform fell through, I was forced to shelve this software until a later time.
2022
A high performance web proxy that created an asset inventory and passively identified security vulnerabilities through a signature-based approach. Although initially successful with bug bounty hunters and penetration testers, circumstances required a pivot back to full-time employment. However, much of the work I've done since then has leveraged the tools and techniques I developed as a part of this solution, allowing me to move well beyond the initial scope of this fledgeling software.
2019 - 2020
Studies in Criminology
2008 - 2009
My academic journey began with an interest in Criminology, aiming for a career in federal law enforcement. However, an encounter that introduced me to the world of cybersecurity sparked an intense fascination. Realising that true proficiency required deep technical understanding, I decided to pivot and build foundational knowledge in computer systems.
Diploma, Computer Systems Technology
2009 - 2011
Focused on acquiring the essential hardware and networking knowledge needed as a base for cybersecurity pursuits. This program provided the technical grounding necessary before diving deeper into security specifics and software development.
Diploma, Computer Programmer
2012 - 2014
Following initial self-study in programming (discovering a strong affinity for C# after exploring C++), I pursued formal programming education here. This is where I truly discovered my passion for software development. The hands-on, practical nature of the program resonated deeply, leading to academic excellence.
Governor General's Academic Medal - Awarded for achieving the highest academic standing in the graduating class across all programs (final semester GPA: 4.0 / 100%, overall program GPA: 97.3%).
Studies toward Bachelor of Science, Computer Science
2017
Attempted to formalise my computer science knowledge through online study while working full-time. While I completed over 50% of the required credits, I found the format less conducive to deep learning than practical application and self-directed study, which have remained my preferred methods for acquiring advanced CS concepts. The knowledge equivalent to a degree was gained through extensive real-world experience and continuous learning.