About 丨 tomneaves.com

IT security consultant during the week, pilot at the weekend. Rewriting pointers and surfing clouds.

Hello. I’m Tom.

A little bit about me.

Let me take you back to when I was about 6 years old, at primary school during break, both my arms out fully extended, acting as wings, weaving around people on the tarmac playground, for I was (in my mind!) flying a plane.

I wanted to be a pilot.

A small airfield was a couple of fields away from my family home and school so I’d very often hear the noise of a plane’s engine and look up to try and locate it in the sky. My mind was made up, I was going to be a pilot. A RAF fighter pilot or an airline pilot, I hadn’t quite decided which yet.

All those plans were however about to change when I discovered computers the moment I started secondary school.

It’s hard to put into words the pull that computers had on me. I found them so fascinating, how is this microprocessor able to do all this? (These were 286s and 386s back then so ‘this’ wasn’t much by today’s standards!). These operating systems (DOS, Windows 3.11 and Netware at that time) were like new worlds to explore. What does this do? What happens if you type this here, click there, etc.? Computer programming (Basic, Pascal and C) were like the stuff of magic - being able to script things up! I spent most of my break and lunch times just exploring, trial and error - mostly error and breaking things, but then learning how to fix them! By the end of the first year I found myself no longer looking at the keyboard to type, at one with the computer.

Break times were not enough for me. I presented the case to my mum and dad about the benefits of home computer ownership and how it would help me with my studies, convincing them it was a ‘need’ not a ‘want’. I was successful and enter the family computer. The trial and error and exploration could now continue before and after school, no longer limited to break times only!

I am quite a curious individual, always interested in how things are working ‘under the hood’, breaking them apart often to learn these secrets to then put them back together. With this in mind, related to computers, I was very quickly drawn into computer security at a very young age, fascinated by the concept of authentication. Asking myself; when a user is putting in their password, how is this being handled in the login screen, where is this going on the computer in memory, where and how on the network, what kind of logic is happening on the server to verify this is correct, where are the passwords stored, in what format, etc. These were the early days of IPX/SPX networking with Novell Netware. More importantly, my curious mind was thinking, is it possible to learn of the password at any of these points or perhaps circumvent the authentication altogether?

Enter the dial up days of the Internet in the 90’s and what a time to be alive learning about all of this. I was a sponge to all the information and continued the trial and error, self teaching myself all the things. On several occasions I would accidentally overwrite my master boot record when installing Linux, which doesn’t go down too well with a computer being a shared family one.

I loved programming, all things computer security, being deep in the inner workings of an operating system. Time flew by too quickly when I was doing all these fun things and I knew I wanted the job title of “Security Consultant” under my name.

I remember while studying for my GCSEs and coming across Royal Holloway’s MSc in Information Security postgraduate degree course which had just started up. I remember seeing the topics on that and thinking to myself wow, to have a day full of lectures around computer security… what a dream! A slight problem, at the age of 15 I didn’t even have my GCSEs yet, let alone A-Levels or an actual University undergraduate degree, all which would be needed! From that point I set sail for that destination, after my GCSEs purposely picking the A-Levels of Computer Science, IT and Business which would get me on that track. I then went to the University of Kent for my undergraduate degree and in my final year I very vividly recall asking my supervisors to write reference letters to form part of the application process for MSc in Information Security at Royal Holloway, University of London and packing them into the admissions envelope.

Enter September 2005, I had arrived. I had to pinch myself as I sat at the top back row inside the Founder’s Building lecture theatre at Royal Holloway with the irreplaceable Professor Fred Piper giving a cryptography talk on Alice, Bob and Eve.

Sometime in September 2006, I remember being on the train back from London, after having had an interview for the position of a penetration tester job, with my phone ringing informing me that I’d been offered the job. What a dream… and that was that, now fast forward 20 years.

To this day, I am still as passionate about computers and security as I was back then. I couldn’t think of doing anything else, still having so much fun breaking into things, which hopefully you can see through my blog posts and research.

With the introduction of AI, especially around LLMs and RAG/AI agents, it feels very much to me like the 90’s again from a security vulnerabilities/attack surface perspective, things evolving quicker than the security can keep up. We are really on the edge of this AI evolution and I feel so lucky and privileged to be part of it, looking to find lots of novel bugs in AI and LLMs along the way. :)

On a final point, if you hadn’t worked out from the ‘private pilot’ headline or wing picture below, about 11 years ago I revisited that tarmac playground and now have my private pilot’s licence.

TL;DR - The short ‘corporate’ version of the above

Security has been my passion since I was 12 years old, back then playing with Novell Netware 3.12, coding in Turbo Pascal 7 and humming along to the dialup tone of my 14.4k modem.

In the last two decades I have carried out hundreds of security assessments and provided consultancy across a large number of verticals all over the world; from finance and retail to aerospace and everything inbetween. I’ve worked with most of the major global companies within these. I was involved with the creation of CBEST/STAR with the Bank of England and CREST.

In the security world I specialise in Application Security, Offensive AI and Wireless Security - the general trend in my blog posts and research.

I’m comfortable both in a debugger working through assembly code doing some POP POP RET - manually constructing ROP chains and sitting down around a table with C-level executives.

When not at a computer I can usually be found flying a plane with that other kind of cloud.

Qualifications, Certifications, etc.

MSc Information Security from Royal Holloway, University of London - 2006
BSc (Hons) Multimedia Technology and Design from the University of Kent - 2005
CESG CHECK Team Leader (CTL) - 2011
CREST Certified Tester (Applications) - 2011, 2015 & 2018
CREST Certified Simulated Attack Manager - 2017
CREST Fellowship Award - 2018
Offensive Security Web Expert (OSWE) - 2021
Offensive Security Certified Expert (OSCE) - 2018
Offensive Security Certified Professional (OSCP) - 2016
SANS GIAC Auditing Wireless Networks (GAWN) - 2009, 2012, 2016, 2021 & 2024.
OWASP CFP/CFT Global Review Board 2022-2024
Private Pilot’s Licence

Media References

Researchers Demonstrate How MCP Prompt Injection Can Be Used for Both Attack and Defense (The Hacker News)
https://thehackernews.com/2025/04/experts-uncover-critical-mcp-and-a2a.html

Billions of iPhone and Android owners warned over ‘bank raiding’ Wi-Fi trick – but a new tool could save you (The Sun)
https://www.thesun.co.uk/tech/22904871/iphone-android-owners-warned-wi-fi-trick/

Snappy: A tool to detect rogue WiFi access points on open networks (Bleeping Computer)
https://www.bleepingcomputer.com/news/security/snappy-a-tool-to-detect-rogue-wifi-access-points-on-open-networks/

Snappy - A New Tool to Detect Fake WiFi Access Points (GB Hackers)
https://gbhackers.com/snappy-detect-fake-wifi/

Informational Wi-Fi traffic can be used as covert communication channel for malware (Computer World)
https://www.computerworld.com/article/1612255/informational-wi-fi-traffic-can-be-used-as-covert-communication-channel-for-malware.html

Security researcher exploits Wi-Fi to create undetectable side channel (Fierce CIO)
https://www.fiercecio.com/story/security-researcher-exploits-wi-fi-create-undetectable-side-channel/2014-11-10

Informational Wi-Fi Traffic As a Covert Communication Channel For Malware (Slashdot)
https://it.slashdot.org/story/14/11/07/0227250/informational-wi-fi-traffic-as-a-covert-communication-channel-for-malware

Cyber security: Speaking the CEO’s Language (SC Magazine)
https://www.scmagazineuk.com/cyber-security-speaking-the-ceos-language/article/343071/

60 percent of FTSE companies mention cyber security rtisks in annual reports (SC Magazine)
https://www.scmagazineuk.com/60-percent-of-ftse-companies-mention-cyber-security-risks-in-annual-reports/article/339053/

Has Cyber Security Awareness Improved Among the Largest UK Businesses? (International Business Times, Continuity Central)
https://www.ibtimes.co.uk/has-cyber-security-awareness-improved-among-largest-uk-businesses-1441191

Cyber risk is not translating into boardroom discussion (Infosecuriy Magazine)
https://www.infosecurity-magazine.com/view/30326/cyber-risk-is-not-translating-into-boardroom-discussion/

Cyber security needs to be a board level issue (Help Net Security, Continuity Central)
https://www.helpnetsecurity.com/2013/01/21/cyber-security-needs-to-be-a-board-level-issue/

How hackers hijack the net’s phone books (BBC)
https://www.bbc.co.uk/news/technology-31603930

…and now for some plane pictures: