Profiles search
Jason Collins
Senior Cybersecurity Engineer
Arlington, VA, United States
Details
Experience:
2023 : Present
Travel + Leisure Co.
Senior Cybersecurity Engineer
• Conducted over 50 internal and external penetration tests for organizations of
varying sizes, demonstrating expertise in identifying vulnerabilities and mitigating
security risks.
• Deployed and configured testing infrastructure, including Cobalt Strike
Team Servers and cloud-based redirectors, to ensure efficient and effective
testing processes.
• Conducted extensive reconnaissance and OSINT activities, utilizing tools such as
nmap, shodan, crt.sh, and dnsdumpster, to gather information about clients and
their external footprint.
• Executed automated web application scanning and manual testing for common
security vulnerabilities such as XSS, SQLi, XXE, SSTI, and more, using tools such as
Burp Suite Pro, Nikto, GoBuster, and Aquatone.
• Performed comprehensive vulnerability scans with Nessus and validated results to
minimize false-positive and false-negative results.
• Conducted Active Directory enumeration and assessed ADCS templates for
potential security threats, utilizing tools such as PowerView and Bloodhound.
• Conducted poisoning attacks and captured hashes for initial access using tools
such as Responder, Pretender, Inveigh, and MITM6.
• Conducted local and domain hash dumping to gain persistence and laterally
move through the network, utilizing tools such as Mimikatz, NanoDump,
and SecretsDump.
• Leveraged WMIExec, PSExec, SMBExec, evil-winrm, and powershell remoting for
lateral movement.
• Created detailed reports for clients that highlighted discovered issues, both
at an executive and technical level, to ensure complete understanding and
effective remediation.
• Developed and maintained a library of Beacon Object Files (BOFs) to aid in
payload development and post-exploitation activities.
• Created social engineering pretexts and payloads to bypass border and host
protections, using a variety of delivery and execution techniques.
• Configured phishing domains and infrastructure using GoPhish to gather
sensitive information.
2020 : 2023
SIXGEN
Senior Offensive Cyber Operator
• Managed up-to fourteen (14) FTEs responsible for conducting NIST SP 800-53 based SCAs
• Led over 100 assessments using NIST SP 800-53A, resulting in successful granting of ATO
• Conducted IV&V on over 4,500 POA&M items ensuring any residual risk was properly accepted
• Conducted network and web application assessments using the Metasploit Framework, nmap, Burp Suite Pro, SQLMap, and numerous other tools included in Kali Linux
• Performed quality assurance review for major client deliverables including but not limited to all Security Assessment Reports (SAR)
• Utilized Tenable Nessus in order to perform vulnerability assessments
• Provided subject matter expertise to Information System Security Officers (ISSO) and system owners in order to assist with remediation of audit findings
• Leveraged Splunk to gather information related to auditing and access control requirements
• Tailored CIS and STIG benchmarks for various technologies in order to meet organizational requirements
• Worked directly with senior executives to assist in the creation of security related policies and procedures
• Created training guides for ISSOs to standardize and improve the POA&M management process resulting in a reduction in time-to-close for each item, ensuring a direct cost savings to the client
• Created and updated templates in accordance with NIST guidance and other best practices
• Presented various training sessions on topics including NIST SP 800-37, NIST SP 800-53/53A, and FIPS 140-2
• Assisted in organization wide strategic planning efforts to perform root cause analysis and to outline remediation suggestions
• Audited Active Directory and associated Group Policy settings for common misconfigurations
• Performed physical penetration testing and walkthroughs of client locations including office spaces and data centers
• Assisted clients in identification of and transition to new requirements or guidance
• Developed custom scripts and tools to assist clients with specific needs
2017 : 2020
Jacobs
Security Control Assessment Lead
• Led and supported Security Test and Evaluations (ST&E) for various general support systems and major/minor applications in accordance with NIST SP 800-53A Rev. 1 and Rev. 4.
• Conducted network and web application penetration testing using Nmap, BurpSuite, Wireshark, and various other tools available in Kali Linux.
• Discovered numerous OWASP Top 10 vulnerabilities in web applications and created proof of concepts to demonstrate how the aforementioned vulnerabilities could be used to compromise the application or the underlying system.
• Overhauled the Plan of Action and Milestone (POA&M) management process to automate the tracking of all POA&M items and provide accurate, up-to-date metrics.
• Conducted Independent Verification and Validation (IV&V) re-tests to confirm the remediation and mitigation strategies to close out POA&M items.
• Created in-house Standard Operating Procedures (SOPs) to assist in training junior staff in ST&E testing and the IV&V phase of POA&M re-testing.
• Generated training guides for Information Security Managers (ISMs) to standardize and improve the IV&V phase of POA&M re-testing.
• Assisted in modifying Solaris and Red Hat Enterprise Linux CIS Benchmarks and DISA STIGs to organization specific policies in order to create secure baselines.
• Aided in the creation of test cases for FedRAMP 3PAO Assessors.
2011 : 2017
Blue Canopy
Senior Security Control Assessor
Travel + Leisure Co.
Senior Cybersecurity Engineer
• Conducted over 50 internal and external penetration tests for organizations of
varying sizes, demonstrating expertise in identifying vulnerabilities and mitigating
security risks.
• Deployed and configured testing infrastructure, including Cobalt Strike
Team Servers and cloud-based redirectors, to ensure efficient and effective
testing processes.
• Conducted extensive reconnaissance and OSINT activities, utilizing tools such as
nmap, shodan, crt.sh, and dnsdumpster, to gather information about clients and
their external footprint.
• Executed automated web application scanning and manual testing for common
security vulnerabilities such as XSS, SQLi, XXE, SSTI, and more, using tools such as
Burp Suite Pro, Nikto, GoBuster, and Aquatone.
• Performed comprehensive vulnerability scans with Nessus and validated results to
minimize false-positive and false-negative results.
• Conducted Active Directory enumeration and assessed ADCS templates for
potential security threats, utilizing tools such as PowerView and Bloodhound.
• Conducted poisoning attacks and captured hashes for initial access using tools
such as Responder, Pretender, Inveigh, and MITM6.
• Conducted local and domain hash dumping to gain persistence and laterally
move through the network, utilizing tools such as Mimikatz, NanoDump,
and SecretsDump.
• Leveraged WMIExec, PSExec, SMBExec, evil-winrm, and powershell remoting for
lateral movement.
• Created detailed reports for clients that highlighted discovered issues, both
at an executive and technical level, to ensure complete understanding and
effective remediation.
• Developed and maintained a library of Beacon Object Files (BOFs) to aid in
payload development and post-exploitation activities.
• Created social engineering pretexts and payloads to bypass border and host
protections, using a variety of delivery and execution techniques.
• Configured phishing domains and infrastructure using GoPhish to gather
sensitive information.
2020 : 2023
SIXGEN
Senior Offensive Cyber Operator
• Managed up-to fourteen (14) FTEs responsible for conducting NIST SP 800-53 based SCAs
• Led over 100 assessments using NIST SP 800-53A, resulting in successful granting of ATO
• Conducted IV&V on over 4,500 POA&M items ensuring any residual risk was properly accepted
• Conducted network and web application assessments using the Metasploit Framework, nmap, Burp Suite Pro, SQLMap, and numerous other tools included in Kali Linux
• Performed quality assurance review for major client deliverables including but not limited to all Security Assessment Reports (SAR)
• Utilized Tenable Nessus in order to perform vulnerability assessments
• Provided subject matter expertise to Information System Security Officers (ISSO) and system owners in order to assist with remediation of audit findings
• Leveraged Splunk to gather information related to auditing and access control requirements
• Tailored CIS and STIG benchmarks for various technologies in order to meet organizational requirements
• Worked directly with senior executives to assist in the creation of security related policies and procedures
• Created training guides for ISSOs to standardize and improve the POA&M management process resulting in a reduction in time-to-close for each item, ensuring a direct cost savings to the client
• Created and updated templates in accordance with NIST guidance and other best practices
• Presented various training sessions on topics including NIST SP 800-37, NIST SP 800-53/53A, and FIPS 140-2
• Assisted in organization wide strategic planning efforts to perform root cause analysis and to outline remediation suggestions
• Audited Active Directory and associated Group Policy settings for common misconfigurations
• Performed physical penetration testing and walkthroughs of client locations including office spaces and data centers
• Assisted clients in identification of and transition to new requirements or guidance
• Developed custom scripts and tools to assist clients with specific needs
2017 : 2020
Jacobs
Security Control Assessment Lead
• Led and supported Security Test and Evaluations (ST&E) for various general support systems and major/minor applications in accordance with NIST SP 800-53A Rev. 1 and Rev. 4.
• Conducted network and web application penetration testing using Nmap, BurpSuite, Wireshark, and various other tools available in Kali Linux.
• Discovered numerous OWASP Top 10 vulnerabilities in web applications and created proof of concepts to demonstrate how the aforementioned vulnerabilities could be used to compromise the application or the underlying system.
• Overhauled the Plan of Action and Milestone (POA&M) management process to automate the tracking of all POA&M items and provide accurate, up-to-date metrics.
• Conducted Independent Verification and Validation (IV&V) re-tests to confirm the remediation and mitigation strategies to close out POA&M items.
• Created in-house Standard Operating Procedures (SOPs) to assist in training junior staff in ST&E testing and the IV&V phase of POA&M re-testing.
• Generated training guides for Information Security Managers (ISMs) to standardize and improve the IV&V phase of POA&M re-testing.
• Assisted in modifying Solaris and Red Hat Enterprise Linux CIS Benchmarks and DISA STIGs to organization specific policies in order to create secure baselines.
• Aided in the creation of test cases for FedRAMP 3PAO Assessors.
2011 : 2017
Blue Canopy
Senior Security Control Assessor
Company:
Travel + Leisure Co.
Profile Photo
