security research lab

slowwwlab

security research, bug bounty hunting & services

15 years of software engineering, security architecture and application security — now turned offensive. research-led work across web apps, APIs and web3, with custom tooling and original wallet research.

services

research-led offensive security across web apps, APIs and web3 — black box to full white box.

01 research

security research & tooling

Original research and custom tooling for hard targets — Elixir/Erlang systems, web3 wallets and protocol internals. Differential fuzzing, harnesses and the bugs no off-the-shelf scanner finds.

02 web app

web application pentesting

Full-scope adversarial testing of web apps and dApp frontends. Auth bypasses, logic flaws, account takeover — real attacker tradecraft, no checklists.

03 web app

application security review

Source-level appsec for the web stack — authn/authz, session and crypto handling, injection and SSRF surfaces. Built by someone who shipped these systems for 15 years.

04 api

api pentesting

REST, GraphQL and RPC endpoints probed for broken auth, IDORs, rate-limit gaps and data exposure across your whole surface.

05 web3

smart contract auditing

Solidity / EVM review for protocols, DeFi and bridges. Reentrancy, economic exploits, invariant breaks and the edge cases scanners miss.

06 web3

wallet security auditing

Key handling, signing flows and seed lifecycle for wallets, signers and custody — backed by original wallet-security research and custom tooling. Where the keys live is where the money dies.

07 research

elixir / erlang security

Offensive and defensive work on the BEAM — OTP architecture review, hardening, and adversarial testing of Elixir/Erlang services. A rare specialism, built on years in production.

08 methodology

white & black box

From zero-knowledge, attacker's-eye assessments to full source, docs and architecture access — deep manual review that follows every code path to find what scanners never will.

09 advisory

consultations

Threat modeling, secure design and architecture review, advisory. Bring me in early and ship with confidence — web, web3 or otherwise.

bespoke

something else?

Bug bounty collaboration and custom security research. Tell me what's keeping you up at night.


why slowwwlab

research-led security work — the door stays open and the work stays deep.

builder turned breaker

15 years as a developer, architect, security engineer and appsec specialist — I know how these systems are built because I built them. Now I break them.

tool maker & researcher

I write my own web3 tooling and do original research into wallet security. Elixir & Erlang offensive and defensive specialist — no checklist theatre, real adversarial tradecraft.

tight communication

Regular updates through the engagement. Bugs discussed and fixes validated in real time — no black-box, no radio silence.

white hat, always

Responsible disclosure, NDA-friendly, no logs kept longer than the job. Your code and your secrets stay yours.

research-led · one operator

disclosures

responsibly disclosed findings from bug bounty programs and research — kept high-level.

target                     | program    | class      | date    | status
[redacted] crypto exchange | Bug bounty | [redacted] | 2026-06 | disclosed
[redacted] fintech         | Bug bounty | [redacted] | 2026-04 | disclosed

from the lab

exploits, write-ups and notes from the work.

> no blog posts yet — check back soon.


move slow. break things. report responsibly.

harden your stack

Web app, API or web3 — let's talk scope, timeline and threat model before someone else finds the bug.