AI-Driven Security · Est. 2026 · Buenos Aires, AR

I find what others miss.

Pentesting · Compliance · Security Engineering

18+ years in IT security. I build the tools I use. Every finding goes through human review. No boilerplate. No offshore teams. Just results.

18+ Years in IT Security
187 Undocumented findings (TerraGoat)
9 pq-audit audit layers
7 Service areas

Services

Consulting delivered as a solo operator. No layers, no account managers — you talk directly to the person doing the work.

01 — IaC
IaC Security Analysis
Terraform, CloudFormation, Bicep. Multi-scanner pipeline (Trivy + Checkov + pq-audit). Gap matrix between tools revealing what single scanners miss.
Terraform · CloudFormation · Bicep · Trivy
02 — AI/LLM
AI & LLM Security Assessment
MCP server auditing, agentic pipeline testing, prompt injection, tool-use abuse. Attack surfaces that traditional pentests don't reach.
MCP Audit · Prompt Injection · Agentic
03 — PQC
Post-Quantum Cryptography Audit
Cryptographic posture against NIST FIPS 203/204/205. BROKEN_NOW and SNDL_VULNERABLE classification. Mapped to DORA Art. 9, NIS2, NIST SP 800-131A.
NIST FIPS · DORA · NIS2 · SNDL
04 — Cloud
Cloud Security
AWS / Azure / GCP misconfiguration analysis, IAM privilege escalation paths, attack surface enumeration. Compliance mapping: CIS, PCI DSS, ISO 27001.
AWS · Azure · GCP · IAM
05 — Pentest
Penetration Testing
Web, API, mobile, IaC, AI systems. Privacy-by-Design: data analyzed in controlled local environments, never transmitted externally without anonymization.
Web · API · Mobile · Privacy-by-Design
06 — DevSecOps
DevSecOps Integration
Security gates in CI/CD, GitHub Actions hardening, container scanning, secrets management, SAST/DAST pipeline design.
CI/CD · GitHub Actions · SAST/DAST
07 — Red/Purple
Red Team / Purple Team
Adversary simulation with documented TTPs. Human-in-the-loop at every decision point. No automated-only outputs.
TTPs · MITRE ATT&CK · Human Review

Tools I Built

Public tools born from real engagements. I use them on every assessment.

Research

Case Study — TerraGoat IaC Analysis

What Trivy doesn't tell you about your IaC

TerraGoat is the industry-standard intentionally-vulnerable Terraform repository, widely used to test IaC security scanners. I ran it through a multi-scanner pipeline and documented what falls through the cracks — including cryptographic exposures that no standard scanner classifies today.

The gap matrix methodology is now part of every IaC engagement I run.

187 Undocumented Findings: Trivy findings not in official TerraGoat docs
2 Crypto Findings: pq-audit classified — missed by all standard scanners
3 Scanners Compared: Trivy · Checkov · pq-audit — gap matrix output

About

Mike Martínez Oroz — Founder & Security Specialist, MK ScorpioSec.

18+ years in IT security. I don't run a company with account managers and subcontractors. When you hire MK ScorpioSec, you work directly with me — the person writing the code, running the scans, and reviewing every finding.

I build the tools I use. pq-audit and the IaC research pipeline weren't academic exercises — they came out of real engagements where existing tools left gaps I couldn't accept.

Every assessment applies Privacy-by-Design from the start: client data stays in controlled local environments and never moves to cloud infrastructure without explicit anonymization.

"I don't hunt threats. I am the threat."

I build the tools I use
No off-the-shelf reports. The tooling is built for the specific attack surface.

Human review, always
AI accelerates the analysis. Every finding goes through human judgment before it reaches you.

Privacy-by-Design
Client data analyzed locally. No external transmission without anonymization. No exceptions.

Gap-matrix methodology
Multiple scanners, documented overlaps and blind spots. You see what each tool misses.

Contact

Ready to discuss an engagement? No sales funnel, no intake form that goes nowhere.

Opens your email client · No data collected server-side