micheal keines

Senior Security Engineer at Holm Security, Stockholm.

i build security products for a living — network scanners, web scanners, API scanners, the kind of tools that poke at your infrastructure so attackers don't get there first. i've spent the last few years designing scanning engines, writing exploitation modules, and figuring out how to make browser-based scanning actually work against modern SPAs. lately i've been integrating LLMs into security pipelines for smarter payload generation and false-positive reduction, which is more interesting than it sounds.

outside of work, i do independent vulnerability research — mostly in open-source projects where path traversals and file overwrites hide in plain sight. i also spend a lot of time in kernel land, writing a small ARM kernel from scratch just to understand how things actually work at the lowest level. memory management, page tables, schedulers — the stuff that makes everything else possible. i stream the whole kernel dev process live on YouTube — it's become a big part of how i learn and share what i'm working on.

before all this, i was a penetration tester doing white-box and grey-box assessments, and before that i was learning how to overflow buffers and pass OSCP. the thread through all of it is the same — i like breaking things to understand how they work, and then building better things with that understanding.

• GitHub
• YouTube
• LinkedIn
• X/Twitter

Streaming

i stream the entire kernel development process live on YouTube. building an ARM kernel from scratch — MMU setup, page allocators, schedulers, debugging sessions, all of it happening in real time. no edited highlights, just the actual process of writing kernel code, hitting weird faults, staring at GDB output, and eventually figuring it out.

if you're into low-level systems programming or just want to see what kernel development actually looks like (spoiler: lots of debugging), come hang out.

Vulnerability Research

i hunt for bugs in open-source projects — path traversals, file overwrites, info leaks, the kind of things that slip through code review because nobody thinks about what happens when a user-controlled path meets an unchecked write.

• CVE-2025-51480 — ONNX (Arbitrary File Overwrite)
  found an arbitrary file overwrite in ONNX caused by improper path handling during model processing. an attacker could write files outside intended directories, which in an AI pipeline means potential code execution. disclosure
• Ollama — Directory Traversal
  directory traversal via insufficient path sanitization, allowing access to unintended filesystem locations. huntr
• Ollama — Information Disclosure
  info disclosure through improper validation of user-controlled input paths, exposing internal resources. huntr
• lxml — Denial of Service
  crafted HTML input causing an unhandled exception during parsing. worked with maintainers on the fix. launchpad

ongoing research targets Linux kernel subsystems and Chromium/V8 internals — memory safety bugs, filesystem boundary issues, and fuzzing-based discovery.

Certifications

• OSCP — Offensive Security Certified Professional (Dec 2020)
• OSWE — Offensive Security Web Expert (Jul 2021)
• LFD103 — Linux Kernel Development, Linux Foundation (Feb 2023)

Projects

i learn by building. most of these are experiments, research tools, or things i built to understand something better. some are useful, some are just me figuring things out.

• kernel_fuzzing — ARM kernel built from scratch in C and assembly. custom MMU, page allocator, kmalloc, scheduler. the kernel dev articles below document the entire journey.
• Proyx — scalable HTTP proxy in Rust. built for protocol-level security testing and request/response instrumentation.
• V8-Research-Book — notes on V8 engine internals and vulnerability research. still actively digging into this.
• Vulnerable-API — intentionally vulnerable API with XSS, SQLi, SSTI, LFI, RFI, HHI — built for testing security scanners against real-world attack vectors.
• Rust — my Rust learning repo — systems programming, concurrency, networking experiments.
• CVE-Information-Extractor — python tool for extracting and filtering CVE data.
• BinaryExploitation — RPISec lab solutions, automated with bash.

What I Work With

• Languages: Rust, C, C++, Python, Go, TypeScript, x86/ARM Assembly
• Kernel & Systems: MMU, IPC, scheduling, debugging, control flow analysis
• Security Testing: fuzzing, SAST, source-to-sink analysis, threat modeling
• Reverse Engineering: IDA, Ghidra, GDB, dynamic instrumentation
• Security Tools: OpenVAS, libpcap, Burpsuite
• Infrastructure: Docker, Kubernetes, GitLab CI/CD
• AI/ML Security: LLM integration, model fuzzing, secure AI pipelines

Education

• M.Eng Electronic Systems — University of Liverpool (2023–2025)
• BS Computer Applications — University of Madras (2016–2019)

Articles

i'm writing a series on building an ARM kernel from scratch. it's not polished tutorials — it's the actual process, debugging sessions, wrong assumptions, and all. if you want to understand how kernels work at the lowest level, this is the messy real version.