About Pablo
Pablo Sánchez is a Senior Hive Member at CovertSwarm. Vulnerability researcher. Web application security specialist. Since joining the Swarm in September 2023, he’s discovered 16+ CVEs across enterprise platforms, open-source software, and WordPress plugins. His focus? Finding zero-days before attackers do. Then building offensive AI tools that accelerate how red teams operate.
His expertise spans web security, AI red teaming, and security tool development. Moreover, he’s contributed research on prompt injection vulnerabilities, agentic IDE exploitation, and local LLM security tooling. Pablo holds a BSc in Cyber Security and Forensic Computing from the University of Portsmouth, where he now returns as a guest lecturer to teach the next generation of security practitioners.
Pablo is an active bug bounty hunter with 50+ vulnerabilities discovered across different platforms. Consequently, he brings both breadth and depth to offensive security testing.
His credentials reflect his hands-on capability: CRTO (Certified Red Team Operator) and BSCP (Burp Suite Certified Practitioner). Not just certifications. Proof of expertise across red teaming and web application exploitation.
Currently, Pablo leads web application security testing and AI red teaming initiatives at CovertSwarm. He develops offensive security tooling like Atlas AI, a local LLM plugin for Burp Suite that keeps pentest data under practitioner control. Beyond tool development, he researches how AI systems fail under adversarial conditions. Then he documents it publicly so defenders can catch up.
In 2025, Pablo placed 5th at the BugBounty Village competition at DEF CON 33. Recognition from peers who operate at the same level. Ultimately, his philosophy applies across security domains: find the vulnerability, build the exploit, share the knowledge.
Research & Publications
Pablo’s research focuses on web application vulnerabilities, AI security exploitation, and offensive tool development:
Open Source Tools
- Atlas AI – Local LLM plugin for Burp Suite
Enables AI-powered request/response analysis without exposing sensitive pentest data to third-party cloud providers
Vulnerability Research Portfolio
Pablo maintains an active CVE portfolio with 16+ discoveries across enterprise and open-source platforms. View his complete vulnerability research at diabl0sec.com
2025 Discoveries:
- Dokploy – 3 CVEs (OS Command Injection, Local File Inclusion, Information Disclosure)
- Cisco BroadWorks – CVE-2025-20307 (XSS Vulnerability)
- pfSense – 3 Security Advisories (Stored XSS vulnerabilities)
- OpenZiti – 2 CVEs (Unauthenticated Stored XSS, SSRF – High Severity)
2023 WordPress Security Research:
- 7 CVEs across WordPress plugins including SQL Injection (Bookly, WP Job Portal), Stored XSS (Booking Calendar, Quick Paypal Payments), and Reflected XSS vulnerabilities.
Speaking & Community Engagement
Pablo shares his offensive security expertise through webinars, conferences, and academic institutions:
Recent Appearances
- CovertSwarm AI Security Webinar (October 2025)
“Artificial intelligence. Real risk.”
Panel with James Dale and Ibai Castells
- Guest Lecturer – University of Portsmouth
Teaching cybersecurity and offensive security methodologies to undergraduate students
Recognition
- 2025 BugBounty Village at DEF CON 33 – 5th Place
Competitive bug hunting recognition at industry-leading event
Education & Certifications
- BSc in Cyber Security and Forensic Computing – University of Portsmouth
- CRTO – Certified Red Team Operator
- BSCP – Burp Suite Certified Practitioner