Jevin Eskridge

Experience

• 

  Extracurriculars

  Oct 2016 - now

  Capture-the-flag Player

  I was a young high school student when I found my passion for programming; I enjoy the problem solving and I have always found the algorithmic thinking involved to be intuitive. In order to develop my competence as a programmer beyond an intermediate level, I started participating in computer science competitions that challenged me to produce elegant solutions to increasingly complex problems. I did not continue much further down that track, however, because I became far more enthralled by security CTFs. Cybersecurity competitions almost universally implement a flag-based scoring mechanism, so they are aptly dubbed capture-the-flags in most contexts. These activities still include various elements of computer science, but the more applied objective is to invent elegant exploits for a myriad of vulnerabilities.As an avid capture-the-flag player, I have an extensive history participating in cybersecurity competitions both individually and as captain of the team that I founded. My proven ability to accomplish a wide variety of tasks—even without prior knowledge or experience—demonstrates that I am capable of operating under self-direction and that I can be relied on to persevere through research and persistence. In addition to public competitions, I have also conducted several simulated penetration testing engagements as part of professional training programs.• Competed in picoCTF 2016, CP-X, EasyCTF-IV, PACTF 2018, CP-XI, HSCTF 5, PACTF 2019, NCL Fall 2019, CP-XII, NCL Spring 2020, DamCTF 2020, MetasploitCTF 2020, Tenable CTF 2021, CarolinaCon 2023, HTB Operation Cybershock, and RTV CTF 2023.• Actively working through boot-to-root pentesting labs offered on platforms such as Hack The Box, Proving Grounds, Virtual Hacking Labs, Snap Labs, and AttackDefense.• Reached the top 0.5% of ~560,000 users on a cybersecurity training platform called TryHackMe by completing approximately one hundred practical labs and fully compromising two full-scale vulnerable networks. Show less

• 

  Missoula County Public Schools

  Sept 2019 - Sept 2021

  The National Youth Cyber Education Program, a.k.a. CyberPatriot, was created by the Air Force Association to inspire the next generation of cybersecurity professionals. The organization is best known for hosting the nation's largest cyber defense competition, an event which regularly attracts several thousand teams of high school and middle school students. Right before the pandemic hit, I successfully pitched a plan to establish CyberPatriot as a new extracurricular activity at Meadow Hill Middle School.As the coach of their CyberPatriot teams, I was the administrative lead of the program and the main point of contact for competition-related correspondence. My responsibilities included recruiting students, communicating with parents, establishing and maintaining relationships with industry professionals who were willing to volunteer, working with the district's network coordinators to ensure that all technical requirements were met, and creating procedures for future coaches.Most importantly, it was also my responsibility to prepare our competitors for CyberPatriot's cyber defense competition. COVID-19 safety guidelines introduced many logistical challenges to the program's initial introduction, chief among which being that my original lesson plan had to be adapted for remote delivery. After careful consideration, I decided that the best course of action would be to create a video training series for my current and future competitors. Although the circumstances did not allow for the spectacular experience that I had hoped our rookie season would offer, our award-winning performance in CyberPatriot-XIII did prove that we adapted far better than most teams. Later during the preseason of CyberPatriot-XIV, I was finally able to lead a weekly in-person class for competitors that introduced them to careers in cybersecurity, taught them foundational concepts, and helped them improve their practical skills. Show less My part-time role as an aide at Meadow Hill played a strategic role in support of my educational goals. In order to maintain an optimal work-to-study ratio, I sought out a role that provided both consistently minimal hours and sufficient income to purchase my desired training materials. This position was one of the few that offered ten-hour workweeks, and that fulfilled my needs perfectly. My purposeful undertaking of this job's responsibility was a major step in my plan to enter the cybersecurity industry, and ultimately it indeed enabled me to achieve that ambition both in a forthright manner and at a very early age. Show less

  • CyberPatriot Coach

    Aug 2020 - Sept 2021

  • Recess Monitor and Cafeteria Aide

    Sept 2019 - Aug 2021
• 

  HackerOne

  Sept 2021 - now

  Security Researcher

  As an independent security researcher, I put my knowledge of web application security testing to use by hunting for security flaws that are within the scope of vulnerability disclosure and bug bounty programs.I have also stumbled upon and directly reported a variety of findings that were not within the scope of established disclosure programs.Below is a running list of vulnerabilities that I have responsibly disclosed:• Authentication Bypass by Primary Weakness (CWE-305) 𝘅𝟭• Cross-site scripting (CWE-80) 𝘅𝟮• Improper Access Control (CWE-284) 𝘅𝟭• Plaintext Storage of a Password (CWE-256) 𝘅𝟭• Insertion of Sensitive Information Into Sent Data (CWE-201) 𝘅𝟭 Show less

• 

  Soteria - Security Solutions & Advisory

  Feb 2022 - now

  Soteria is a trusted cybersecurity firm that provides its clients with a wide variety of tailored security services and solutions. Our primary professional service offerings fall under the umbrella categories of offensive security, security assessment and advisory, IT security policies and training, and security incident response. Additionally, we provide custom enterprise-scale security solutions, such Soteria Defense MDR, Soteria Inspect, and Soteria Defense Domain Watch. For more information on how Soteria can meet the needs of your organization, visit our official website and consider meeting with our team of distinguished industry experts.Soteria's consulting practice is a mature provider of offensive security services, including vulnerability assessments, full-spectrum penetration testing, and red/purple team exercises. As a member of the offensive security team, the focus of my efforts is typically planning and executing client engagements. I have experience executing and managing a variety of engagement types in diverse environments, both in the technical capacity of an offensive cyber operator and in the client-focused capacity of a professional security advisor.The types of engagements that I work on and my roles in projects each vary throughout the year depending on scheduling and resource assignment. Typically, I am a lead penetration tester independently performing web, network, and cloud assessments. I have also conducted open-source intelligence investigations, worked collaboratively with teammates on application security assessments, and supported red team operations. Additionally, I am a delivery engineer for Soteria's managed vulnerability scanning services.Internally, I am also involved in a number of company processes; these efforts include leading process improvement meetings, taking ownership of innovation initiatives, contributing to documentation, and performing quality assurance reviews of security assessment reports and deliverables. Show less For a period of a nine months, in addition to my existing responsibilities as a full-time offensive security consultant, I was also a member of an internal task force that was created to assist the Soteria Defense team. This task force was responsible for operating the Domain Watch solution and providing associated advisory services to clients.My involvement pertained both to domain threat analysis and to domain takedowns. We conducted hundreds of proactive investigations into suspicious domain registrations and, in some cases, we monitored domains that were determined to be high-risk. When we identified domains as being malicious or infringing upon our clients' rights, we provided detailed alerts and actionable recommendations to our clients' security teams. Domain takedown efforts included compiling evidence for registrar abuse centers, drafting and delivering cease and desist letters, and filing paralegal complaints to domain name dispute arbitration centers. In domain takedowns cases that escalated to Uniform Domain-Name Dispute-Resolution Policy (UDRP) actions, I worked directly with legal case managers from the WIPO Arbitration and Mediation Center and acted as clients' authorized representative in case proceedings. Show less

  • Offensive Security Consultant

    Jan 2022 - now

  • Domain Security Analyst

    Feb 2022 - Oct 2022