Carles Llobet

About

I have always been in love with technology and computers, building my own home servers and websites at an early age, and feeling thrilled with hacker movies.
Since then, I have always looked forward to thinking out of the box and being able to foresee and identify the weak points of all the technologies we use.

Lead Security Engineer

In order to do so, I began my journey by studying the Computer Science Degree at Universitat Politècnica de Catalunya (FIB), and later on the CyberSecurity Management Master at UPC School.
I have worked as a Security Engineer in several companies, where I have been able to perform Penetration tests and Source Code Reviews on all kinds of application s (Web, Mobile, API, IoT, ...), helping establish Red Team capabilities or leading their Application Security programs to implement a Secure SDLC.

Degree: MSc in CyberSecurity Management
Degree: BSc in Computer Science
Passions: Home automation, Homelabs, ...

Hobbies: Sports, Music, Reading, Nature, ...
Sports: Surf, Snowboard, Climbing, Hiking, ...
Recently Read: Indistractable (Nir Eyal)

My interests have always involved cybersecurity at all levels, from Application Security and Ethical Hacking to Risk Management, and how it may impact new emerging technologies.
This passion has led me to not only enjoy the work that I do but also to always keep learning through security conferences, CTFs, and certifications such as CISSP, OSCP, OSWE, CCSK, AZ-500.

Certifications

Offensive Security Experienced Pentester

Ongoing

Certified Information Systems Security Professional

Aug 2024

Offensive Security Web Expert

Apr 2021

Certificate of Cloud Security Knowledge

Jan 2021

Azure Security Engineer Associate

Dec 2020

Offensive Security Certified Professional

Jul 2020

Azure Fundamentals

Feb 2020

Cybersecurity Fundamentals Certificate

Mar 2018

Resume

Sumary

Carles Llobet

Innovative and deadline-driven Security Engineer with 7+ years of experience securing and hardening PII-sensitive applications from initial concept / architecture design to final deployments.

Education

Cybersecurity Management Master

2017 - 2018

UPC School (Universitat Politècnica de Catalunya)

Computer Science Engineering Degree

2013 - 2017

Universitat Politècnica de Catalunya

Certifications

Offensive Security Experienced Pentester (OSEP)

Ongoing

Offensive Security

Certified Information Systems Security Professional (CISSP)

Aug 2024

ISC2

Offensive Security Web Expert (OSWE)

Apr 2021

Offensive Security

Certificate of Cloud Security Knowledge (CCSKv4)

Jan 2021

Cloud Security Alliance (CSA)

Azure Security Engineer Associate (AZ-500)

Dec 2020

Microsoft

Offensive Security Certified Professional (OSCP)

Jul 2020

Offensive Security

Azure Fundamentals (AZ-900)

Feb 2020

Microsoft

Cybersecurity Fundamentals Certificate (CSX)

Mar 2018

ISACA

Professional Experience

Lead Security Engineer

Mar 2022 - Present

Personio

I joined Personio with the challenge of helping set up the pillars of the security team from scratch in order to prepare their overall security posture for IPO.
Thrilled to join an industry-leading HR company in hypergrowth, I've been helping secure Personio at all levels, from fine-tuning our AWS security polices or rebuilding the company Security Awareness program, to working hand in hand with our Dev Engineering teams.

Application Security Manager

Jan 2020 - Mar 2022

Coca-Cola Europacific Partners

I joined the Application Security team of Coca-Cola Europacific Partners as a Cybersecurity Manager for a team of 8 people.
Short after joining and understanding the current process they had for Third Party Security Assessments and Web and API vulnerability scans, I helped them enlarge their skillset and capabilities by creating the Security Standards and Methodologies to carry out Mobile Application security assessments.
I also took part to create the long-term security project we have with our main e-commerce, where we have helped its developers to enhance their overall security in all possible parts of their SDLC.

Within my responsibilities, the main focus was on:

Compliance and application of security standards company-wide
Career path development and guidance of the team members
Web, Mobile, IoT and API's application vulnerability assessment and penetration testing
Cloud Platforms Security Assessments (Azure/Salesforce/...)
Engaging with developers to improve their SSDLC

Security Engineer & Security Tooling Program Manager

Mar 2019 - Jan 2020

Applus+ Laboratories

I joined the Applus+ Laboratories Mobile Security Team, where I was able to increase my expertise on Mobile Application security assessments, principally to Bank Payment and Host Card Emulation (HCE) applications that had to be certified as compliant with EMV (Europay Mastercard Visa) or Common Criteria security standards.
In 2019 I also accepted the challenge to lead the Security Tooling Program.
With this new role, I was able to help them coordinate and balance the workload of the ongoing developments, Architecture and Design new security solutions, and supervise the development of security tools to carry out security assessments internally and automate security processes externally on several clients.

Security Analyst

Mar 2017 - Jun 2018

Wise Security Global

Upon joining Wise Security Global security team, I was able to perform all kinds of security assessments.
Although the main focus was on Web and Mobile (iOS & Android) penetration tests, I also had the opportunity to take part in some Red Team exercises, Wi-Fi audits, and wearable pentests, amongst others.
I also developed there my master thesis, a solution to help security engineers to report their findings in a more professional, coherent and efficient way.

Security Analyst

Mar 2017 - Jun 2018

esCERT UPC - inLab FIB

Whilst finishing my Computer Science degree, I had the opportunity to work as a Security Analyst at inLab FIB, part of the Spanish CERT (esCERT).
There I made my first steps as a Penetration Tester by assessing the security of servers, websites and different solutions across all Universitat Politècnica de Catalunya (UPC).
I also had the chance to develop a solution to help all University departments to be able to configure automated security assessments to all their servers and services in an easy way, so that they could not be exposed to vulnerabilities during long periods of time until the next assessment from inLab Security Department, which ended up becoming my degree thesis:

CoSA (https://inlab.fib.upc.edu/en/cosa-audit-services-suite)

Services

Ethical Hacking

Holding various offensive security certifications and with professional experience as a lead penetration tester, I can work as an Ethical Hacker, finding vulnerabilities in your application before the bad guys do.
During my previous professional experience, I have developed and applied a pentesting methodology in many international, publicly traded companies.

Application Security

Finding vulnerabilities is not the end of the story. You need to manage them, helping development teams ensure the fix they deploy is not bypassable and that it is deployed in a timely manner according to your vulnerability management program.
With experience in a variety of frameworks and programming languages, I will make sure improvements made to your application are as robust as they can be.

DevSecOps (SSDLC)

Manual work does not scale. That is why it is important to shift left security, adding security wherever necessary without slowing development and using automation whenever possible.
SCA, SAST, DAST, Code Review and Threat Modelling are some of the buzzwords I work with.

Security Awareness

Security needs to be business aware, being an enabler instead of a blocker. I enjoy technical work, but I also enjoy making meaningful changes in companies.
To achieve the latter, it is essential to have a human approach, justifying your decisions and educating users on the way to get them to see security as a benefit instead of a toll.