Larry Peseckis
AI and Cloud Security Architect. Thirty years of mission-critical defense and aerospace systems. DoD Cleared. Now building at the intersection of offensive security, cloud architecture, and AI risk.
Frameworks, taxonomies, and evaluations for AI and security risk. Each is a public writeup — methodology shown, limitations named, claims grounded.
A four-tier classification for cyber assistance from frontier models, aligned with emerging cross-framework thinking on capability thresholds.
The contested Tier 2 / Tier 3 boundary is named explicitly, not assumed away.
A practical threat model for tool-using AI agents. Eleven threats mapped to the OWASP Agentic and LLM Top 10, a threat-to-control matrix, and a pre-deployment checklist.
Agent security is the security of seams, not boxes. The compromise lives where the model, the browser, and the cloud token meet.
A default-deny grant table mapping agent tool classes to risks, required controls, and enforcement points. Cross-walked to OWASP Top 10 for Agentic Applications 2026.
The controls-side companion to the taxonomy: it says where each control actually lives, not just to use least privilege.
A structured corpus of documented LLM attack techniques across the OWASP LLM Top 10, vendor red-team disclosures, and arXiv research — built for analytical queries.
100% precision on technique extraction (95% CI lower bound 83.9%).
A five-lane model for how a safety router should explain a reroute to a benign user without handing the trigger to an attacker.
Disclosure granularity should track inverse oracle risk.
A labeled prompt set and tooling that tests how models handle cyber requests across the taxonomy, with an LLM-as-judge scorer and a human-comparison harness.
Pilot: the judge matched the human on every verdict — and abstained on the 4 most severe.
The proof behind the brand. Real pipelines, honest methodology, documented findings — not marketing language.
A pipeline that turns public CISA and DFIR Report threat intel into a queryable MITRE ATT&CK trend dataset, with honest precision reporting.
Citation patterns reveal the reporting org's vantage point as much as adversary behavior.
A Burp Suite Community extension that exposes Burp's HTTP capabilities as a token-authed localhost REST API — the scripted automation the Pro license gates.
203 validated bridge calls across 4 vuln classes, zero GUI fallbacks.
A local-first home command deck on a repurposed iMac — one Grafana console spanning home network security, home health, and host vitals, with zero egress by default.
Every number is grounded in a deterministic SQL query first — the model can't fabricate traffic.
An adaptive, dependency-free cert practice engine that targets your weak areas — SSCP, CCSP, Linux Essentials, and discrete math.
Adapts to your weak areas instead of reshuffling the same question pool.
Systematic documentation of offensive and defensive security techniques across 300+ rooms spanning web exploitation, Active Directory, cloud environments, DFIR, and AI/LLM security. Every room gets a writeup. The writeups follow a consistent format: attack chain, detection engineering, key concepts, lessons learned. The habit that made the CJCA report possible.
Empirical comparison of human-in-the-loop vs autonomous AI on the same CTF room. The research question: what does the human variable actually change?
Windows DFIR. A .url file in a network share captures Net-NTLMv2 credentials when the folder is opened. No click required.
Social engineering reconstruction from Chrome cache. Lazarus Group TTPs. The job offer was the pretext. The collaboration request was the collection mechanism.
A Go binary using a local LLM to generate dynamic encryption payloads at runtime. Signature-based detection is blind to it.
Private subnet is a routing concept, not a security boundary. Four IAM permissions combined turn it into a public attack surface.
LKM rootkit detection. lsmod vs /sys/module/ comparison. Flag embedded as hex in a kernel module's printk format string.
Full AD kill chain reconstructed from Windows event logs and prefetch artifacts. Three detection signatures that confirm ticket theft, offline crack, and lateral movement.
Six log entries, 72 seconds, complete attack chain visible. Data Access logging gap is the defensive finding.
Selected posts from a Tuesday/Thursday LinkedIn cadence, plus the occasional longer essay, built around one idea: that security practitioners who understand both how attacks work and how defenses fail are more valuable than those who specialize in only one. The posts that landed hardest were the ones that documented failure as clearly as success.
Three recent browser changes, FROST, Gemini Nano, and Manifest V3, are each defended in the language of your security while transferring control to the vendor. The justification is the tell.
The most-cited ATT&CK techniques across CISA and The DFIR Report don't reveal what adversaries do. They reveal how threat intel gets written.
A .url file in a network share captures Net-NTLMv2 credentials when the folder is opened. No click required. The defensive baseline is two controls, neither enabled by default.
On what cert stacks actually signal, what they don't, and why the conversation keeps missing the point.
Most security practitioners sit on one side of the wall. Red team or blue team. Compliance or engineering. Cloud or endpoint.
The Integration Thesis is the opposite framing — that offense, defense, cloud, and AI security are one discipline viewed from different angles, and that the most valuable security work happens at the intersections between them. Thirty years of systems administration in classified defense environments taught me how mission-critical infrastructure actually fails. CTF practice, DFIR work, and threat intel research taught me how adversaries actually operate. The portfolio here is what happens when those two bodies of experience start talking to each other.
The certification stack runs from CompTIA A+ through SecurityX, ISC2 CC and SSCP, TryHackMe SAL1 and PT1, HackTheBox CJCA, and ITIL 4 — with CISSP as the next target. Each one was earned alongside full-time defense work, not instead of it. The WGU BS in Cybersecurity and Information Assurance (in progress, on track to complete ahead of schedule) fills the formal degree gap. The cert path isn't the point. The judgment that comes from running the material against real labs and real incidents is.
The fastest way to reach me is LinkedIn.