Aaron Hnatiw

I architect secure systems and craft immersive narratives.

About Me

I'm Aaron Hnatiw, an architect of both secure software systems and immersive fictional worlds. With over a decade of experience in cybersecurity and software engineering, I specialise in building robust digital defences and crafting compelling narratives. My work is driven by a passion for intricate design, whether in code or prose.

In the tech realm, I focus on high-performance runtime security and comprehensive software protection. As a fantasy novelist, I explore the art and science of storytelling through my works published via Proxy Publishing. This dual focus allows me to bring a unique blend of analytical thinking and creative problem-solving to all my endeavors.

Current Work

Product Manager, Garnet

At Garnet, I'm focused on product management for security solutions that empower organizations to build and deploy software with confidence. My work centres on:

  • Securing Software Releases: Supporting the definition and advancement of capabilities to protect the software supply chain and build pipelines.
  • Production Runtime Security: Contributing to initiatives for real-time threat detection AND blocking in production environments, ensuring applications are actively defended.
  • High-Performance Security: Advocating for solutions that deliver robust security with minimal performance impact, making comprehensive protection practical for demanding workloads.

Founder, Proxy Publishing

Through Proxy Publishing, I bring imaginative worlds to life. Our focus is on the art and science of great stories, meticulously crafting narratives that are deeply immersive and rich with the echoes of imagination.

My debut fantasy novel, "Whispers of Vengeance", is the first step in this journey.

Author & Publisher

Debut Novel: Whispers of Vengeance

Book 1 of Echoes of Ash: A Dark Progression Fantasy Series

They burned his home. They killed his kin. They left Ashelenar with nothing but ashes and a vow whispered into a poisoned sky: Vengeance against the green dragon, Veridianus.

Cast into a brutal world, the young druid's gentle ways are worthless against the memory of emerald fire. To challenge a force of nature, he needs power beyond imagining - power whispered about only in forbidden texts and shadowed ruins, secrets guarded by more than just stone.

Driven by grief, Ash desperately seeks this dangerous edge. But when cornered by death, something else awakens within him - a terrifying spark, an echo of the very destruction he despises. Is this the weapon he needs, or the seed of his own damnation?

To gain strength, he must embrace the darkness. To hunt the dragon, he might have to become something monstrous himself. How much of his soul will he sacrifice for the strength to kill a god? The journey into darkness begins now.

Perfect for fans of Will Wight, James Islington, and Anthony Ryan, this dark progression fantasy tale marks the beginning of an epic journey into power and sacrifice.

Published through my company, Proxy Publishing.

Stay updated on future releases in the Echoes of Ash series, plus news about giveaways and special editions, by joining the newsletter at Proxy Publishing.

Tech Accomplishments

Conference Talks

  • Toronto Area Security Klatch, Toronto (2024)

    "The Art of Video Game Hacking" - How to hack video games, as a way to learn advanced security techniques. From beginner to advanced, this talk includes a plethora of references and real demos.

  • DerbyCon, Louisville (2017)

    "Hacking Blockchains" - A talk about blockchain and cryptocurrency security.

  • ToorCon, San Diego (2017)

    "How To Move Mountains" - How to develop a modern security program, in the world of "DevSecOps". This talk highlights modern security controls and practices that integrate with CI/CD pipelines, cloud deployments, and rapid development practices.

  • Hack In Paris, Paris, France (2017)

    "Beyond OWASP Top 10" - Similar to the earlier talk of the same name, but covering different web vulnerabilities.

  • CircleCityCon, Indianapolis (2017)

    "Security Training: Making Your Weakest Link The Strongest" - Talk about how to provide effective security training, using real-world experience as an educator and a practitioner.

  • NolaCon, New Orleans (2017)

    "Beyond OWASP Top 10" - Talk about common but impactful web vulnerabilities not listed in the OWASP Top 10.

  • Hackfest, Québec City (2016)

    "Racing the web" - Talk about race condition vulnerabilities, including an open source tool release.

Open Source Security Tools

  • Damn Vulnerable Golang (2024)

    A deliberately vulnerable Go application for education and testing purposes.

  • Cartograph (2023-present)

    Advanced proxy that maps HTTP networks and software supply chains. Designed to aid in cybersecurity assessments and research through high performance data collection and analysis. Written in Go.

  • Race The Web (2017)

    A tool that tests for and identifies race condition vulnerabilities in web applications and APIs. Includes a RESTful API to integrate it into a CI/CD pipeline. Written in Go.

  • Input Field Finder (2017)

    A web crawler that identifies and logs all input elements found, in order to identify potential vulnerability sources. Written in Go.

  • Rogue MAC Check (2016)

    Identifies rogue wireless access points by comparing a file of authorized BSSIDs (MAC addresses of the wireless access point) against a list of discovered BSSIDs. Written in Go.

  • USB Detector (2015)

    A blue team tool to help detect physical attacks using USB devices. It detects USB storage device insert/removal, logs events, and allows email alerts. Written in C#.

  • Anchor Redirect (2013)

    A proof-of-concept Google Chrome extension that exploits a flaw in JavaScript that allows anchor elements to be changed AFTER the user clicks on them. This vulnerability has since been fixed. Written in JavaScript.

Featured Workshops & Training

  • BSides Toronto, Toronto (October 19, 2024)

    "PC Video Game Hacking Fundamentals"

    Delivered a sold-out one-day course guiding participants through the fundamentals of PC game hacking. Attendees gained practical experience applying techniques like reverse engineering, memory analysis, and binary exploitation to real games, translating these skills to broader offensive security contexts.

    Core Skills Covered: Memory manipulation (Cheat Engine and C++), reverse engineering basics, assembly concepts, code injection, DirectX hooks, and game engine analysis.

    Delivered with Mickael Nadeau, co-founder of cyberdefense.ai and an experienced security researcher specialising in game hacking and cloud security architecture.

Certifications

  • CISSP - Certified Information Systems Security Professional

    Issued by: ISC2

  • CPT - Certified Penetration Tester

    Issued by: IACRB

Career

Product Manager, Garnet 2025 - Present

As Product Manager, I support Garnet's security solutions by bridging the gap between internal engineering/product teams and the external market. My role focuses on gathering customer feedback and market insights to inform the product roadmap, ensuring our focus on securing software releases, high-performance production runtime security (with detection & blocking), and optimized performance aligns with real-world needs. I collaborate closely with engineering and Go-To-Market (GTM) teams to facilitate communication and help translate technical capabilities into customer value.

Senior Security Engineer, Amazon Web Services (AWS) 2024 - 2025

Contributed to a team focused on making security seamless for developers. Key initiatives included:

  • Evangelizing a secure-by-default infrastructure-as-code (IaC) solution internally, helping increase adoption from 5% to 20% of active software projects.
  • Developing security automation tooling that resulted in an estimated annual saving of over 3,000 security engineer hours.

Senior Software Engineer, Oneleet 2024

Provided specialised software engineering expertise on a contract basis for a new security platform. Key contributions included porting custom macOS security agent software to Windows and developing static analysis capabilities for their security and compliance platform.

Founder & Instructor, Hacker Dev Bootcamp 2023 - 2024

Founded and instructed the Hacker Dev Bootcamp, developing and delivering hands-on training focused on custom cybersecurity tool development. The curriculum leveraged real-world examples and extensive experience in security tooling to empower students to build practical, usable security tools.

Founder, Proxy Products 2022 - 2024

Founded Proxy Products, a security company focused on developing innovative web and API security tooling. Key projects included Infinity Insights, later released as the open-source tool Cartograph for mapping HTTP networks and software supply chains.

Principal Security Engineer, ecobee 2020 - 2022

Led security automation initiatives at ecobee, architecting and implementing solutions to protect millions of IoT smart home devices. Developed systems for large-scale static code analysis and dynamic/runtime analysis of web applications and APIs, emphasising performance and high-fidelity detection to secure internet-facing services.

Director of Application Security, Royal Bank of Canada (RBC) 2018 - 2019

Directed application security for the Royal Bank of Canada (RBC), overseeing the security posture of software applications across the bank, including mobile, web banking, APIs, and core systems. Spearheaded the integration of automated security testing into CI/CD pipelines, implementing modern DevSecOps controls within a large-scale financial environment without hindering development velocity.

Senior Security Researcher, Security Compass 2017 - 2018

Contributed to the security community through original research focused on web application/API security, DevSecOps, and blockchain technology. Disseminated findings via technical blog posts, international conference presentations, and podcasts.

Adjunct Professor, Georgian College 2016

Developed and taught a practical, hands-on application security course for third-year computer programming students. The curriculum emphasised real-world skills through weekly labs and culminated in a final project where students successfully identified and reported vulnerabilities via bug bounty platforms.

Security Consultant, Security Compass 2015 - 2016

Provided security consulting for Fortune 500 companies, performing penetration tests, secure code reviews, red team engagements, and wireless assessments. Architected and managed the enterprise security program for a notable Fortune 100 technology client, and contributed to building client security programs.

Founder and CEO, Inspectral Security 2014 - 2015

Founded Inspectral Security, providing full-scale security testing services for medium-sized organizations. Services included red team assessments, penetration testing, vulnerability identification, and implementing post-assessment mitigations and controls to enhance client defenses.

For a complete career history, please visit my LinkedIn profile.

Startup Graveyard

"I have not failed. I've just found 10,000 ways that won't work."
- Thomas A. Edison

Infinity Insights

Software that mapped dependencies across web assets and identified critical components for prioritized testing and patching. It leveraged a novel approach to security testing that scales web application and API vulnerability identification using machine learning algorithms, including an advanced algorithm to automatically classify and group similar web assets, with an interactive visual interface. Marketing and selling to enterprise meant that the sales cycles were long, and as a bootstrapped startup, this became untenable. This software has been migrated to the open source project called "Cartograph".

2022-2024

Shelter WiFi

A "plug-and-play" Wi-Fi router with advanced parental controls and security features. Aimed to keep kids safe online, the project reached the prototype phase with strong market interest. However, the venture came to a halt as in-built parental controls became standard in devices offered by major tech companies, rendering a separate solution less necessary.

2023

Gridd Space

What initially started as a new user interface for vulnerability analysis in web applications (using a novel algorithm I invented that converted the DOM into a live 3D object) gradually evolved into a platform for immersive VR world development on the web. After a sizeable investment commitment for this platform fell through, I was forced to shelve this software until a later time.

2022

Scout (formerly known as "Security Sidekick", then "Recon++")

A high performance web proxy that created an asset inventory and passively identified security vulnerabilities through a signature-based approach. Although initially successful with bug bounty hunters and penetration testers, circumstances required a pivot back to full-time employment. However, much of the work I've done since then has leveraged the tools and techniques I developed as a part of this solution, allowing me to move well beyond the initial scope of this fledgeling software.

2019 - 2020

Education

University of Ottawa

Studies in Criminology

2008 - 2009

My academic journey began with an interest in Criminology, aiming for a career in federal law enforcement. However, an encounter that introduced me to the world of cybersecurity sparked an intense fascination. Realising that true proficiency required deep technical understanding, I decided to pivot and build foundational knowledge in computer systems.

Algonquin College

Diploma, Computer Systems Technology

2009 - 2011

Focused on acquiring the essential hardware and networking knowledge needed as a base for cybersecurity pursuits. This program provided the technical grounding necessary before diving deeper into security specifics and software development.

Georgian College

Diploma, Computer Programmer

2012 - 2014

Following initial self-study in programming (discovering a strong affinity for C# after exploring C++), I pursued formal programming education here. This is where I truly discovered my passion for software development. The hands-on, practical nature of the program resonated deeply, leading to academic excellence.

Governor General's Academic Medal - Awarded for achieving the highest academic standing in the graduating class across all programs (final semester GPA: 4.0 / 100%, overall program GPA: 97.3%).

Athabasca University

Studies toward Bachelor of Science, Computer Science

2017

Attempted to formalise my computer science knowledge through online study while working full-time. While I completed over 50% of the required credits, I found the format less conducive to deep learning than practical application and self-directed study, which have remained my preferred methods for acquiring advanced CS concepts. The knowledge equivalent to a degree was gained through extensive real-world experience and continuous learning.