AI-Driven Security · Est. 2026 · Buenos Aires, AR

I find what others miss.

Pentesting · Compliance · Security Engineering

18+ years in IT security. I build the tools I use. Every finding goes through human review. No boilerplate. No offshore teams. Just results.

18+ Years in IT Security
187 Trivy gaps found (TerraGoat)
10 pq-audit audit layers
7 Service areas

Services

Consulting delivered as a solo operator. No layers, no account managers — you talk directly to the person doing the work.

01 — IaC
IaC Security Analysis
Terraform, CloudFormation, Bicep. Multi-scanner pipeline (Trivy + Checkov + pq-audit). Gap matrix between tools revealing what single scanners miss.
Terraform · CloudFormation · Bicep · Trivy
02 — AI/LLM
AI & LLM Security Assessment
MCP server auditing, agentic pipeline testing, prompt injection, tool-use abuse. Attack surfaces that traditional pentests don't reach.
MCP Audit · Prompt Injection · Agentic
03 — PQC
Post-Quantum Cryptography Audit
Cryptographic posture against NIST FIPS 203/204/205. BROKEN_NOW and SNDL_VULNERABLE classification. Mapped to DORA Art. 9, NIS2, NIST SP 800-131A.
NIST FIPS · DORA · NIS2 · SNDL
04 — Cloud
Cloud Security
AWS / Azure / GCP misconfiguration analysis, IAM privilege escalation paths, attack surface enumeration. Compliance mapping: CIS, PCI DSS, ISO 27001.
AWS · Azure · GCP · IAM
05 — Pentest
Penetration Testing
Web, API, mobile, IaC, AI systems. Privacy-by-Design: data analyzed in controlled local environments, never transmitted externally without anonymization.
Web · API · Mobile · Privacy-by-Design
06 — DevSecOps
DevSecOps Integration
Security gates in CI/CD, GitHub Actions hardening, container scanning, secrets management, SAST/DAST pipeline design.
CI/CD · GitHub Actions · SAST/DAST
07 — Red/Purple
Red Team / Purple Team
Adversary simulation with documented TTPs. Human-in-the-loop at every decision point. No automated-only outputs.
TTPs · MITRE ATT&CK · Human Review

Tools I Built

Public tools born from real engagements. I use them on every assessment.

Research

Case Study — TerraGoat IaC Analysis

What Trivy doesn't tell you about your IaC

TerraGoat is the industry-standard intentionally-vulnerable Terraform repository, widely used to test IaC security scanners. I ran it through a multi-scanner pipeline and documented what falls through the cracks — including cryptographic exposures that no standard scanner classifies today.

The gap matrix methodology is now part of every IaC engagement I run.

187 Undocumented Findings: Trivy findings not in official TerraGoat docs
2 Crypto Findings: pq-audit classified — missed by all standard scanners
3 Scanners Compared: Trivy · Checkov · pq-audit — gap matrix output

About

Mike Martínez Oroz — Founder & Security Specialist, MK ScorpioSec.

18+ years in IT security. I don't run a company with account managers and subcontractors. When you hire MK ScorpioSec, you work directly with me — the person writing the code, running the scans, and reviewing every finding.

I build the tools I use. pq-audit and the IaC research pipeline weren't academic exercises — they came out of real engagements where existing tools left gaps I couldn't accept.

Every assessment applies Privacy-by-Design from the start: client data stays in controlled local environments and never moves to cloud infrastructure without explicit anonymization.

"I don't hunt threats. I am the threat."

I build the tools I use
No off-the-shelf reports. The tooling is built for the specific attack surface.

Human review, always
AI accelerates the analysis. Every finding goes through human judgment before it reaches you.

Privacy-by-Design
Client data analyzed locally. No external transmission without anonymization. No exceptions.

Gap-matrix methodology
Multiple scanners, documented overlaps and blind spots. You see what each tool misses.

Contact

Ready to discuss an engagement? Reach out directly — no intake forms.