Luís Fontes

Principal Product Security Engineer

I've been writing code for more than 20 years, and at some point that passion for building things became an obsession with making them secure — across web apps, smart contracts, and everything in between. I still code constantly, still find new ways to harden systems, and still haven't run out of side projects. This blog is where both worlds collide.

Projects

Some of the tools and resources I've built

OrgSec Guide

A comprehensive checklist and guide for organizations looking to implement a robust cybersecurity program.

XXExploiter

Tool to help exploit XXE vulnerabilities. Generates XML payloads and automatically starts a server to serve DTDs or perform data exfiltration.

VSCode Swissknife

Scriptable VS Code extension to generate or manipulate data. Stop pasting sensitive data into webpages.

DamnVulnerableCryptoApp

An app with intentionally insecure crypto. Perfect for testing and exploiting weak cryptographic implementations and learning crypto without diving deep into the math.

Watchtower

VS Code extension that scans your workspace for malicious configurations, invisible Unicode threats, and dangerous IDE attack vectors — fully local, fully open source.

Warden

Enforce file-based policies on managed machines by automatically detecting and correcting config files that drift from approved values.

Coup Sheet

If you like the board game Coup as much as I do, you'll find this sheet super helpful.

MirageVM

JavaScript virtual machine for code obfuscation. Protects sensitive client-side logic with custom bytecode through a low-level language that supports all JavaScript features. (Private project)

How To Test Secrets

A visual, interactive cheat-sheet for testing whether leaked API keys and secrets are still valid — pick a service and get a ready-to-run command.

hash-identifier-js

JavaScript port of hash-identifier. Identifies the hashing algorithm used to generate any supplied hash value.

Latest Posts

Security research, deep dives and tutorials
