Jonathan Trowbridge Resume

JONATHAN TROWBRIDGE

Richmond, Virginia, USA

CAREER SUMMARY

Principal Software Engineer & Security Researcher with 10+ years of experience building secure, scalable web, mobile, and backend systems. Certified in OSCP+, GPEN, GCIH, GSEC, and GFACT with a deep technical foundation in offensive security. Specialist in bridging the gap between full-stack software architecture and exploit development with a proven track record of delivering reproducible PoCs for critical RCE vulnerabilities.

CERTIFICATIONS & EDUCATION

CYBERSECURITY

OSCP+ Offensive Security Certified Professional | Offsec

Oct. 2025

GPEN GIAC Penetration Tester | SANS Technology Institute

Jun. 2025

GCIH GIAC Certified Incident Handler | SANS Technology Institute

Apr. 2025

GSEC GIAC Security Essentials | SANS Technology Institute

Feb. 2025

GFACT GIAC Foundational Cybersecurity Technologies | SANS Technology Institute

Dec. 2024

ACADEMIC EDUCATION

Undergraduate Certificate in Applied Cybersecurity | SANS Technology Institute

Jun. 2025

Bachelor of Science in Computer Science | Virginia Commonwealth University

Dec. 2013

TECHNICAL FIELD RESCUE & EMERGENCY MEDICINE

EMT-B Emergency Medical Technician-Basic | State of Wyoming

2016

WFR Wilderness First Responder | National Outdoor Leadership School

2016

Rock Rescue | National Outdoor Leadership School

2016

Swiftwater Rescue | National Outdoor Leadership School

2016

SECURITY TRAINING & HANDS-ON EXPERIENCE

CVE-2026-21858 (ni8mare): Developed a functional PoC for an unauthenticated RCE in n8n automation platforms (< 1.121.0), demonstrating full system compromise via logic flaws.
CVE-2025-55182 (React2Shell): Reproduced a critical RCE via vulnerable React Server Components (RSC) behavior, bridging the gap between front-end architecture and server-side exploitation.
CVE-2026-33017 (Langflow): Engineered a reproducible RCE exploit targeting Langflow AI orchestration layers, highlighting vulnerabilities in emerging LLM infrastructure.
CVE-2026-1357 (WPVivid): Demonstrated RCE within the WPVivid Backup & Migration WordPress plugin, targeting widespread deployment surfaces.
Offensive Operations & Methodology: Applied advanced enumeration, pivoting, and privilege escalation techniques across complex Linux and Windows environments through OSCP+, SANS/GIAC labs, TryHackMe, and Hack The Box.
Architectural Vulnerability Analysis: Leveraged 10+ years of engineering seniority to perform deep-dive analysis on backend behavior, authentication flows, and trust boundaries.

PROFESSIONAL EXPERIENCE

Lead Principal Software Engineer

Coinme | Seattle, WA (Remote)

Sept. 2021 – Oct. 2024

Directed the native platform migration to Flutter, architecting authentication and payment flows to ensure PCI data security and transaction integrity.
Engineered a secure mobile architecture using Riverpod, implementing state-management patterns to prevent PII leakage across modular, decoupled feature sets.
Established a secure SDLC and mentored teams to accelerate the delivery of high-impact features while ensuring architectural integrity and scalability.

Senior Full Stack Software Engineer

CoStar Group | Richmond, VA (Hybrid)

Jan. 2019 – Aug. 2021

Led development of an Android listing module and supporting ASP.NET Core API, ensuring secure data handling and endpoint protection for high-traffic commercial services.
Engineered scalable web applications with React and Node.js and built an enterprise AWS push notification system for secure, real-time cross-platform communication.
Partnered cross-functionally to implement secure design principles and code review standards, ensuring resilient and consistent feature releases across mobile and web.

Full Stack Software Engineer

Mapleton Hill Media | Boulder, CO

Aug. 2016 - Feb. 2018

Developed cross-platform mobile applications for logistics and agriculture, ensuring secure client-side data handling and architectural consistency.
Modernized legacy ASP.NET architectures by migrating monolithic APIs to modular services, improving service isolation and system auditability.
Engineered real-time synchronization for distributed inventory systems, implementing secure data flows and validation logic across mobile devices and APIs.

Full Stack Application Developer

Worldview Solutions Inc. | Richmond, VA

Feb. 2013 - Feb. 2016

Led implementation of claims-based authentication and IAM for a U.S. Air Force recruiting portal, ensuring strict access control and federal compliance.
Developed regulatory and monitoring modules for Virginia state agencies, focusing on data integrity and workflow efficiency within ASP.NET environments.
Modernized legacy web architectures to improve performance and maintainability, ensuring architectural consistency across client projects.

Software Developer

Gallium Technology | Richmond, VA

2012 - 2013

Quality Assurance Internship

Prematics Inc. | McLean, VA

2008

PERSONAL PROJECTS

Full Stack Flutter + Ktor Starter Kit

Project Bootstrap Template

Built a full-stack Flutter frontend and Ktor backend as a boilerplate project to accelerate rapid application bootstrapping, supporting user registration, profile updates, and SMS-based two-factor authentication (2FA).
Implemented JWT-based authentication and authorization, with MySQL for persistent user data, Redis for transient 2FA token storage, and GitHub Actions for automated backend deployment.
Architected the Ktor backend using a modular, feature-based structure grounded in Clean Architecture principles and Domain-Driven Design (DDD), organizing core business logic into clearly defined use cases to enhance separation of concerns, scalability, and testability.

Bit Cast

Android Application

Built a native Android application that facilitates the sequential streaming of torrent media for playback on the local device or Chromecast devices.
Powered media playback using a custom VLC/libVLC wrapper.
Integrated in-app torrent search capabilities, enabling users to find and stream content without leaving the application.

Maneki Torrent Search

Android Application

Built a native Android application that integrates with the Jackett torrent indexer aggregation engine.
Implemented a custom Foreign Function Interface (FFI) to enable direct interop between Kotlin and a Jackett .NET Core library, offloading indexer management to the Jackett project.
Leveraged cross-runtime communication to reduce maintenance overhead and align with upstream improvements.

Simple VLC Player

Android Library

Developed a comprehensive Android media player library leveraging the core libVLC library and Open Subtitles API, facilitating seamless media playback on Android and Chromecast devices

TECHNICAL SKILLS

Security Research & Engineering:

Penetration Testing, Vulnerability Research, Exploit Development, Web & Mobile Application Security, Network Security, API Security, Threat Modeling, Security-Focused Code Review

Languages:

Python, Bash, PowerShell, Kotlin, Java, C#, TypeScript, Dart

Frameworks

Flutter, KMP, Xamarin, Ktor, ASP.NET Core, Node.js, React, Angular

Infrastructure & Environments:

Linux, Windows Server, Docker, Git, CI/CD Pipeline Security

Databases

SQL Server, MariaDB, Redis, PostgreSQL, SQLite, MongoDB

(Download resume as PDF; private GitHub repositories available for review upon request)