About John Menerick

Security Engineer · Complex Systems Practitioner

11+ years securing Fortune 500 financial institutions, tech companies, startups, and public-sector organizations — applying complex systems science to build defenses that evolve under pressure.

Most security programs assume more tools and more operators will keep pace with an ever-expanding attack surface. That assumption is wrong. Defense is a complex adaptive system — one that senses, responds, and evolves. The work draws on TAME, TOTE feedback loops, and Ashby’s Law of Requisite Variety to engineer security architectures that self-correct under pressure, spanning application security, detection engineering, zero trust, cryptographic protocol design, and AI/ML security.

  • 11+ years in information security
  • 40K+ endpoints secured via zero trust
  • 78+ engineers mentored
  • F500: FinTech, tech, and public sector

Application & Product Security

Threat modeling, secure code review, supply chain

Secure code review, SAST/DAST integration, threat modeling (STRIDE, PASTA, attack trees), secure SDLC design, API security, and supply chain hardening. Built security programs adopted across Fortune 500 SDLC pipelines.

Detection, Response & Threat Intelligence

Detection engineering, SIEM pipelines, forensics

Detection engineering end-to-end, SIEM and telemetry pipeline design, IR and forensics, threat hunting, vulnerability management, and red team automation. Reduced MTTD from hours to minutes at a Fortune 500.

Cryptographic Engineering & Zero Trust

MPC, ZK proofs, TEE, PKI, formal verification

Zero trust and zero-knowledge architecture, MPC, threshold cryptography, SPIFFE/SPIRE, zk-SNARKs/zk-STARKs, BFT/PBFT, Paxos/Raft consensus security, TEE and confidential compute, side-channel mitigation, and formal verification of distributed protocols.

AI/ML Security & Trusted Compute

LLM security, federated learning, autonomous agents

LLM security and prompt injection defense, federated learning security, differential privacy, model poisoning defenses, energy model-driven simulations, autonomous agent security, distributed agent consensus, and verifiable inference in untrusted environments.

Cloud, Infrastructure & DevSecOps

AWS/GCP/OCI, CI/CD hardening, service mesh

AWS, GCP, and OCI security architecture, secure CI/CD and IaC hardening, distributed systems security (consistency models, linearizability, causal ordering), container security and service mesh trust, workload orchestration security.

Complex Systems Science

TAME, TOTE, Ashby’s Law, adaptive defense modeling

Applying TAME framework, TOTE feedback loops, and Ashby’s Law of Requisite Variety to security architecture. Models the problem before reaching for a tool — mapping feedback loops and failure modes before writing a single detection rule.



White House, Office of the President

  • Contributor — Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence
  • Contributor — National Strategy for Trusted Identities in Cyberspace (NSTIC)

DARPA — Defense Advanced Research Projects Agency

  • Cyber Grand Challenge Finalist
  • AI Cyber Challenge Participant

US Department of Defense

  • Satellite Contributor
  • InfraGard — US Critical Infrastructure First Responder
  • Alameda County Sheriff’s OES Comm. Team — Incident Management

CNCF / Kubernetes

Cloud-Native Security Governance

CNCF SIG Security member and Kubernetes SIG Security contributor — working on security standards, threat models, and policy guidance for cloud-native deployments.

OWASP

CFP & CFW Review Board

Call-for-Papers and Call-for-Workshop reviewer for OWASP conferences, evaluating security research submissions for technical rigor and practitioner relevance.

CSA

Steering Committee Member

Cloud Security Alliance Steering Committee, contributing to cloud security standards, best practice guidance, and enterprise adoption frameworks.

Conference Presenter & Lecturer

DEF CON · ISC2 · CCC · GrrCON · DerbyCon · Skytalks · BSides · RootCon

Invited speaker and lecturer at 8+ major information security conferences spanning offensive security research, supply chain attacks, and AI security architecture.


DEF CON Black Badge

Black Badge Holder

The DEF CON Black Badge is the most prestigious award in competitive hacking — issued only to winners of DEF CON CTF and select elite competitions. Fewer than a few hundred exist worldwide. A lifetime pass to DEF CON and a permanent mark of elite offensive security capability.

National Honor

Tomb of the Unknown Soldier — Wreath Bearer

Selected as a Wreath Bearer at the Tomb of the Unknown Soldier at Arlington National Cemetery — one of the most solemn honors the United States extends to a civilian. Reserved for individuals recognized for distinguished service to the nation.

White House, Office of the President

  • Letter of Recognition for Outstanding Achievements and Merit

US Congress

  • US Senate — Resolution of Merit and Accomplishment
  • US House of Representatives — Resolution of Recognition

Michigan State Senate

  • Resolution of Merit and Accomplishment

US Air Force

Letter of Commendation

Formal recognition from the United States Air Force for distinguished contributions to national security.

US Marine Corps

Letter of Commendation

Formal recognition from the United States Marine Corps for distinguished contributions to national security.

US Army

Letter of Commendation

Formal recognition from the United States Army for distinguished contributions to national security.

US Navy

Letter of Commendation

Formal recognition from the United States Navy for distinguished contributions to national security.


Credential | Issuer

Security Professional
Certified Information Systems Security Professional (CISSP) | (ISC)²
InfoSec Assessment Methodology (IAM) I / II / III | NSA
InfoSec Evaluation Methodology (IEM) I / II / III | NSA
Certified Kubernetes Security Specialist (CKS) | CNCF
Certified Kubernetes Administrator (CKA) | CNCF
SANS Elite Portfolio (GXPN, GDAT, GX-IA, and others) former | SANS Institute

Google Cloud & Infrastructure
Google Cloud Professional Certification | Google
Professional Google Workspace Administrator | Google
GDC Air-Gapped Security Operator Fundamentals | Google
SecOps on Google Distributed Cloud (GDC) — Tier 1 Analyst | Google
SecOps on Google Distributed Cloud (GDC) — Tier 2 Analyst | Google
SecOps on Google Distributed Cloud (GDC) — Tier 3 Analyst | Google
Evaluate Your Cloud Next-Generation Firewall Needs | Google

Google AI & Machine Learning
Gemini for Security Engineers | Google
Machine Learning Operations (MLOps) for Generative AI | Google
Vector Search and Embeddings | Google
Transformer Models and BERT | Google
Attention Mechanism | Google
Encoder-Decoder Architecture | Google
Introduction to Generative AI | Google

Google Responsible AI
Responsible AI for Developers: Privacy & Safety | Google
Responsible AI for Developers: Fairness & Bias | Google
Responsible AI: Applying AI Principles with Google Cloud | Google
Introduction to Responsible AI | Google

Oracle Cloud Infrastructure
OCI Foundations Associate | Oracle
OCI AI Foundations Associate | Oracle
OCI Data Management Foundations Associate | Oracle

Government & Federal
IS-100, IS-200, IS-700, IS-800 — Incident Command System | US FEMA
Public Trust Clearance | US Department of Justice / FBI

Other Professional
Certified Scrum Master | Scrum Alliance
Amateur Extra Class License (W8MEJ) | US FCC
General Class & GMRS License | US FCC
LinkedIn Trusted Cryptographic Identity Portfolio | LinkedIn

Rankings derived from verified repository activity — not self-reported skills — across a career-spanning corpus of open source and professional work. Independently computed by CodersRank from 627,824+ active developers worldwide.

  • Global rank: #364 of 627,824
  • Worldwide percentile: Top 1%
  • CodersRank score: 2,751
  • Ranked languages: 13+

GigaStreak — 579 Consecutive Days of Commits

June 29, 2020 – January 28, 2022. CodersRank awards the GigaStreak badge for unbroken daily commit activity measured in hundreds of days. This run ranks among the longest verified streaks on the platform — sustained through the pandemic, across security tooling, infrastructure automation, and open source research.

Language | Score | World Rank | US Rank
TypeScript | 743.2 | Top 0.2% of 118K | Top 1% of 1K
JavaScript | 424.8 | Top 0.5% of 279K | Top 3% of 2K
JSON | 311.0 | Top 0.8% of 283K | Top 4% of 2K
HCL | 206.2 | Top 0.7% of 8K | Top 3% of 70
Shell | 172.9 | Top 0.2% of 140K | Top 1% of 1K
SQL | 83.7 | Top 0.2% of 52K | Top 1% of 440
TSQL | 62.9 | Top 0.3% of 55K | Top 2% of 395
HTML | 144.2 | Top 2% of 292K | Top 5% of 2K
CSS / SCSS | 120.9 / 101.1 | Top 2% of 266K | Top 4–6%
Python | 108.4 | Top 5% of 165K | Top 9% of 1K
PHP | 116.3 | Top 4% of 107K | Top 5% of 628
PLpgSQL | 54.3 | Top 2% of 6K | Top 2% of 58

Node / Frontend — Elite Rankings

Socket.io: Top 0.01% · ExpressJS: Top 0.06% · NodeJS: Top 0.4% · ReactJS: Top 2% · Redux Saga: Top 2% · Enzyme: Top 7% · Cypress: Top 6% · Webpack: Top 7% · Chai: Top 14% · Supertest: Top 18% · Flask: Top 16% · NextJS: Top 59%

Database & Backend

node-postgres: Top 8% · MySQL: Top 40% · Fastify: Top 34% · SQLAlchemy: Top 44% · mongoose: Top 55% · FastAPI: Top 73% · PyMongo: Top 52%

Data Science & ML

Pandas: Top 32% · SciPy: Top 33% · PySpark: Top 54% · Scikit-Learn: Top 64% · Sinon: Top 46% · Pytest: Top 46%

GigaStreak Badge

579 consecutive days of commits

Awarded for unbroken daily coding activity spanning June 29, 2020 to January 28, 2022. One of the longest verified streaks on the platform, sustained through active security research and infrastructure engineering.

VeteranDeveloper Badge

5+ years in multiple technologies

Awarded for sustained, deep engagement with multiple technologies over multi-year periods — verified from repository history rather than self-reported. Reflects career-spanning commitment to TypeScript, JavaScript, Shell, and security tooling.


Models the problem before reaching for a tool. Maps feedback loops, failure modes, and emergent behavior before writing a single rule.

Builds what doesn’t exist. Built Gyoithon and IntelMetrics when the tooling wasn’t there. Ships solutions, not vendor evaluations.

Operates at both altitudes. Moves between executive architecture conversations and hands-on code review, packet captures, and IR triage in the same week.

Teaches by doing. Pairs on active incidents and co-authors detections with junior engineers to build genuine systems thinking, not process compliance.

Defaults to transparency. Publishes research and open-sources tooling so the community can build on it rather than rediscover it.


How do you apply complex systems theory to security engineering?

Threat landscapes are nonlinear — attackers adapt, environments shift, controls interact unpredictably. Ashby’s Law of Requisite Variety ensures defensive systems match the adaptive capacity of threats. Practically: detection pipelines with self-tuning feedback loops, architectures where subsystem failure doesn’t cascade, and security operations treated as a living system rather than a fixed-state machine.

What’s missing from how most organizations approach security engineering today?

Three things. First, optimizing for compliance over resilience — while defenders check annual audit boxes, threat actors use AI-driven reconnaissance to compress the attack lifecycle toward near-zero. Second, the velocity gap from underinvestment in automation: without real-time telemetry pipelines and self-healing response workflows, you’re bringing a manual process to a machine-speed fight. Third, failure to treat security as a high-concurrency distributed systems problem. Security has to be a set of algorithmic guarantees, not a gate.


sts:GetCallerIdentity
{
  "id": "ocid1.user.oc1..aaaaaaaaxxxxxxxxxxxxxxxxxxxxxxxx",
  "name": "[email protected]",
  "compartmentId": "ocid1.tenancy.oc1..aaaaaaaayyyyyyyyyyyyyyyyyyyyyyyy",
  "timeCreated": "2024-01-25T15:00:00.000Z",
  "lifecycleState": "ACTIVE"
}

{
  "email": "[email protected]",
  "sub": "117813812345678901234",
  "name": "John Menerick",
  "iss": "https://accounts.google.com"
}
