Application security expert

Professional services and developer training
Andres Riancho


My career is focused on offensive application security and training developers to write secure code.

I worked as an application security consultant for most of my career, delivered secure coding trainings for developers around the world, founded my own consultancy firm, and worked as a Director of Web Security for Rapid7 to improve NeXpose’s web application security scanner.

More than ten years ago I started w3af, an open source web application security scanner, which helps users identify and exploit vulnerabilities in their web applications. w3af’s popularity allowed me to speak at multiple international conferences and meet with the world’s best hackers.


The last years have been an amazing professional experience. I closed Bonsai, the consulting firm I created in 2009, and started to provide my professional services as a freelance consultant to multiple clients, including two LATAM-based unicorns such as MercadoLibre and Despegar.

As a freelance consultant I also provide services to US based companies, startups and information security consulting firms. This mix allows me to understand the problems faced by different company types, providing innovative solutions for their problems.

I founded Bonsai in 2009, being an entrepreneur at an early age allowed me to quickly learn about sales, marketing, hiring and managing a technical team. We delivered our services worldwide, made great partnerships with US-based consulting firms and had fun while doing it.

I also worked as a Director of Web Security for Rapid7, where I managed a software development team that improved NeXpose’s web application scanner. This was a very interesting challenge and certainly a huge change from what I had been doing with my open source scanner: w3af.

w3af is one of my greatest professional achievements, a free and open source tool used by thousands to help secure the Internet. A wide range of users, ranging from developers to hackers; and application security experts to software as a service startups have benefited from w3af’s features and flexibility. I created this tool with the help of the open source community and multiple sponsors over the past ten years.

A long time ago I worked at Cybsec, an information security consultancy firm based in Buenos Aires and recently acquired by Deloitte, where I learned how to perform security assessments in a professional and organized way. My career started at Impsat, where I deployed, configured and monitored intrusion detection systems for their clients in the Security Operations Center (SOC).

Open Source Software

Over the years I’ve created a few open source projects, here are the ones I like the most:

  • w3af: A web application attack and audit framework. Scans your web applications to identify vulnerabilities such as SQL injection and Cross-Site Scripting and allows you to confirm the findings by exploiting them.
  • nimbostratus: Exploit vulnerabilities in Amazon Web Services (AWS) and escalate privileges. Extract credentials from instance metadata, enumerate API key permissions and gain access to RDS databases through automated exploitation.
  • race condition exploit: Identify and exploit race conditions in web applications by concurrently sending hundreds of HTTP requests.

Visit my GitHub page to find the complete list.


I love attending and speaking at information security and developer conferences around the world, and I was lucky enough to be accepted as a speaker in more than 30 conferences in Latin America, Europe, Asia and the United States.

My talks and trainings are on w3af, web application security payloads, OWASP Top10, secure devops, pivoting in amazon clouds, esoteric web application vulnerabilities, timing attacks and other interesting subjects.


I’m based in Buenos Aires, Argentina; known for it’s asados, excellent Malbec wine and dulce de leche, but I provide my professional services worldwide, don’t hesitate to contact me to get a quote.