Security Researcher & Compliance Advisor
I came to security through compliance — frameworks, audits, the long documents that describe what should be true. I stayed because the code describes what is, and the gap between the two is where the interesting work lives.
These days I spend most of my time reading implementations against their specifications. I look for the edge case that nobody wrote a test for, the assumption that holds everywhere except in one narrow window. When something survives review, I send it upstream.
I'm a researcher by temperament more than by title. I read more than I write, write more than I publish, and try to keep the ratio honest. The good bugs tend to be quiet — they sit between two lines that both look correct, and they reward patience over cleverness.
I work at the intersection of cybersecurity, low-level systems, and compliance engineering. Most of my professional work has been in regulated environments — healthcare, financial services, MSPs, legal firms — where the question is not whether controls exist, but whether they hold up when something unusual arrives at the door.
Reading code in places that are supposed to be safe. Container runtimes, protocol stacks, syscall layers. Writing notes. Sending small patches upstream when they survive review.
On the compliance side, I keep returning to one question: how does runtime evidence — what the system actually does under load — map back to the controls auditors ask about? Most frameworks describe intent. The interesting work is closing the distance between intent and behavior.
- Container and sandbox runtime internals
- Protocol parsers and the state machines around them
- Race conditions, TOCTOU, and the windows where they hide
- Fuzzing and differential testing
- Compliance frameworks: HIPAA · NIST CSF · ISO 27001 · PCI DSS · SOC 2
Open to technical conversations and collaboration with people working in low-level security, protocol research, or compliance engineering.
🔗 LinkedIn: ievgen-jack-bondarenko 🐙 GitHub: ibondarenko1