
PIERGIORGIO LADISA

Offensive Security Engineer · Red Team Operator

Software Supply Chain Security

$ cat about.txt

I'm an Offensive Security Engineer specializing in software supply chain security, currently working in offensive security and red team operations within the financial sector.

My research focuses on malicious code in third-party dependencies, offensive techniques across the SDLC, and CI/CD pipeline security. I hold a PhD in Computer Science and have authored six papers published at venues including IEEE S&P and ACSAC, earning over 400 citations.

In my spare time I responsibly disclose vulnerabilities found in CI/CD pipelines.

pl@gh — skills.sh

$ skills --list

// offensive

red-team        active
supply-chain    expert
ci-cd-sec       expert
cloud-sec       k8s · docker · azure
pentest         OSCP · CRTO

// programming

python          proficient
java            familiar
javascript      familiar
c/c++           familiar

// spoken

italian         native
english         full working
french          full working

$ ls research/

> Software Supply Chain Security & Attack Taxonomies
> Malicious Code Detection in Open-Source Packages
> CI/CD Pipeline Offensive Techniques
> Static Analysis & Machine Learning for Security
> Cloud-Native Security (Kubernetes, Docker)
> Red Team Operations & Adversary Simulation

// publications

Google Scholar →
PhD Thesis 2024

Understanding and Preventing Open-Source Software Supply Chain Attacks

Ladisa, P. — Université de Rennes

IEEE S&P Mag. 2023

Journey to the Center of Software Supply Chain Attacks

Ladisa, P.; Ponta, S.E.; Sabetta, A.; Martinez, M.; Barais, O.

ACM SCORED 2023

The Hitchhiker's Guide to Malicious Third-Party Dependencies

Ladisa, P.; Sahin, M.; Ponta, S.E.; Rosa, M.; Martinez, M.; Barais, O.

ACSAC 2023

On the Feasibility of Cross-Language Detection of Malicious Packages in npm and PyPI

Ladisa, P.; Ponta, S.E.; Ronzoni, N.; Martinez, M.; Barais, O.

ACM SCORED 2022

Towards the Detection of Malicious Java Packages

Ladisa, P.; Plate, H.; Martinez, M.; Barais, O.; Ponta, S.E.

ACM SCORED 2022 [tool]

Risk Explorer for Software Supply Chains

Ladisa, P.; Plate, H.; Martinez, M.; Barais, O.; Ponta, S.E.

$ cat experience.log

Offensive Security Expert [ACTIVE] Dec 2024 — Present
  • Red Team Operations across five global locations; identified several critical vulnerabilities
  • Designed and executed adversary simulation exercises to improve organizational resilience
  • Security research on novel CI/CD threats; discovered 3+ critical internal vulnerabilities
  • Core team expertise: software supply-chain security, cloud security
Application Security Engineer Mar 2024 — Nov 2024
  • Enhanced cloud-native security practices: CI/CD pipelines, Kubernetes, Docker
  • Threat modeling for the software supply chain; drove gap analysis and security posture improvements
  • Led secure SDLC initiatives across multiple engineering teams
  • Designed and delivered training for security champions and penetration testers
Security Researcher — PhD Student Jan 2021 — Feb 2024
  • Industrial PhD specializing in open-source security and software supply chain attacks
  • Developed a comprehensive OSS attack taxonomy; identified 60+ zero-day malware samples
  • Enhanced internal SDLC security through threat analysis and threat modeling
  • Co-authored two patents on software security
  • Presented at internal conferences to audiences of 1,000+ attendees
Penetration Tester Jan 2020 — Dec 2020
  • Web application, network, and infrastructure penetration testing
Research Intern Mar 2019 — Sep 2019
  • Security characterization and research in the context of the Bitcoin blockchain

$ ls certs/ honors/

// certs

2025  CRTO  Certified Red Team Operator — Zero Point Security
2020  OSCP  Offensive Security Certified Professional — OffSec

// honors

2023  [1st] CSAW'23 Europe · Applied Research Competition — Valence, France
2022  [4th] Meta BountyConEDU · Live Hacking Competition — Madrid, Spain
2021  [3rd] SAP Internal CTF · Global CTF Competition — Remote

$ ping pl

Open to collaboration, speaking invitations, and responsible disclosure coordination. Reach out via any of the channels below.

// PGP key available on request