Joseph Rach, Developer in Philadelphia, United States
Joseph is available for hire
Hire Joseph

Joseph Rach

Verified Expert  in Engineering

IT Security Developer

Philadelphia, United States
Toptal Member Since
November 10, 2022

Joseph is a cybersecurity professional who strives to be well-rounded while maintaining specialties in technical cybersecurity areas where he provides the best return on investment. As a master of many cybersecurity domains and fully qualified for all categories and levels of the IA workforce under the Department of Defense (DoD) 8140 and 8570, he advocates team-based approaches and promotes knowledge-transferable, shared, and open-source-based methodologies whenever feasible.


Kestrel Information Security
IoT Security, Offensive Security, Risk Management, Security Architecture...
New Jersey Institute of Technology
Ethical Hacking, Digital Forensics, Game Theory, IoT Security, Web Security...
Kestrel Information Security
Ethical Hacking, Cybersecurity, Embedded Systems, Embedded C...




Preferred Environment

Linux, Office 365, Amazon Web Services (AWS), Firefox, Vi, Bash, pfSence, Suricata, Python, C

The most amazing...

...tool I've developed is a tool blending heuristics, fuzzy logic, machine learning, and direct behavioral observation to discover IoT devices and systems.

Work Experience

Product Security Officer, Cybersecurity Engineer, Consultant, President, Owner

2008 - PRESENT
Kestrel Information Security
  • Performed as an accomplished and hands-on cybersecurity practitioner, leader, team builder, and problem solver related to ever-evolving Internet of Things (IoT).
  • Accumulated a wide breadth and depth of experience, knowledge, and capabilities.
  • Managed embedded systems, infrastructure, and web and mobile application security assessment.
  • Developed a second complementary concentration in digital forensics, malware analysis, and investigations.
  • Strengthened systems development, governance, and lifecycle management.
  • Designed, created, and managed practical and sustainable cybersecurity team practices.
  • Built and implemented new innovative cybersecurity capabilities.
  • Led rapid development and zero-day bug discovery, an IoT specialty.
  • Automated red-team, simulated malware, and toolsmith cybersecurity.
  • Delivered exceptional quality at a competitive value.
Technologies: IoT Security, Offensive Security, Risk Management, Security Architecture, Software Development Lifecycle (SDLC), Penetration Testing, Technical Product Management, Security Policies & Procedures, Risk Assessment, Threat Modeling, DevSecOps, Security, Containers, DevOps, Vulnerability Assessment, HIPAA Compliance, NIST, PCI, Cybersecurity, Architecture, Embedded Systems, Embedded C, Embedded C++, Internet of Things (IoT), DDoS, IT Security, ISO 27001, Data Loss Prevention (DLP), Security Research

Cybersecurity Instructor

2020 - 2023
New Jersey Institute of Technology
  • Led as the cybersecurity instructor for the New Jersey Institute of Technology.
  • Delivered various technology courses in a synchronous, virtual classroom environment as an adjunct instructor. My concentration and area of specialty are the cybersecurity offerings.
  • Worked in offensive security ethical hacking, digital forensics incident response and threat hunting, game theory strategy in cybersecurity, Python for security, cyberinfrastructure and technology, network security, and CyWar cyber arena.
Technologies: Ethical Hacking, Digital Forensics, Game Theory, IoT Security, Web Security, Web App Security, Security, Security Architecture, Cybersecurity, IT Security, ISO 27001

Security Assessment Manager and Lead Penetration Tester

2011 - 2014
Kestrel Information Security
  • Designed, managed, and conducted processes in secure systems development, governance, and management life cycles to begin and complete a global organizational integration.
  • Conducted and reported on security assurance review and testing. Generally performed and managed testing as a customized combination of white, gray, and black-box testing to provide practical, effective business value.
  • Tested and incorporated performance and availability requirements while following responsible disclosure principles for product security testing.
Technologies: Ethical Hacking, Cybersecurity, Embedded Systems, Embedded C, Internet of Things (IoT), DDoS, IT Security, ISO 27001

Information Security Mananger and Lead Penetration Tester

2008 - 2011
Kestrel Information Security
  • Managed, led, and completed numerous security projects in security management, penetration testing, security audit, and security advisory services.
  • Assisted several, often global, organizations with Information Security and Information Assurance Program development and maturation.
  • Conducted security research and development, invested in developing cybersecurity capabilities, and crafted cyber tools to enable my peers further.
Technologies: Ethical Hacking, Risk Management, Cybersecurity, Embedded Systems, Embedded C, Internet of Things (IoT), DDoS, IT Security, ISO 27001

Aplomado Toolkit
An open-community, open-source project.

Customized Linux, loaded with tools that are validated for correct operation and configuration upon build. A new tool called Aplomado Hunter™ blends heuristics, fuzzy logic, machine learning, and direct behavioral observation to discover and report network-based IoT devices and systems.

• Hours of free online educational material.
• An open blog for the community to share.
• Always open and always free.

Presented Embedded Systems Exploitation at Healthcare Cybersecurity Symposium | Hosted by CERT

Presented embedded systems exploitation at Healthcare Cybersecurity Symposium hosted by CERT in Pittsburg. The CERT division is a leader in cybersecurity that partners with government, industry, law enforcement, and academia to improve the security and resilience of computer systems and networks.

Presented Hacked! When Will Your Luck Run Out? and Panelist | Dulles Regional Chamber of Commerce

Served on the panel discussion for the Dulles Regional Chamber of Commerce broadcast event and presented Hacked! When will your luck run out?

The Dulles Regional Chamber of Commerce is an innovation gateway where business leaders collaborate to design, develop, and share ideas to make the Dulles Region a center for business and community growth.

Techtalk | Pentesting Cellular

Mobile opens a unique, low-cost opportunity for attackers of all skill levels to access a system potentially. Unlike internet addresses, a physical proximity of around five miles is required; however, that also provides an advantage. This makes it harder to detect an attack or even track one down after the fact.

Often security models of products generalize the mechanisms used for communications. This can cause designs to become reliant on assumed security features, and cellular is not immune to this.

Penetration Testing
Web application penetration test, an external internet-based penetration test, or an internal-trusted penetration test. This is our strength and, not surprisingly, our 2nd-most popular offering.

Product Security Assesment
We assess nearly anything connected at hardware, software, firmware, radio, and web cloud infrastructure levels using a strictly BlackBox or a more trusted, near-white-box approach.

Security Development Life Cycle (SDLC)
Supported several multi-million dollar development projects and developed Secure Systems Development Life Cycles for multiple clients. We are uniquely positioned to bring your systems development to the next level.

Smart Connected Elevator Product

As a highly skilled and experienced security architect, I led the security efforts for a smart connected elevator product. In that role, I designed, developed, and implemented security strategies, policies, and procedures for our product to ensure its safety and reliability.

• Conducted risk assessments and provided recommendations for mitigating potential threats and vulnerabilities.
• Developed and implemented secure architecture and design patterns for the smart connected elevator product.
• Worked closely with cross-functional teams, including engineering, product management, and quality assurance, to ensure security was embedded into all the stages of the development lifecycle.
• Conducted security testing and validated the effectiveness of security measures implemented in the product.
• Stayed up-to-date with emerging security threats and trends and evaluated their impact on the smart connected elevator product.
• Provided guidance and training to other team members on security best practices and ensured their adherence to security policies and procedures.
• Managed security incidents and responded to them in a timely and effective manner.
• Participated in security audits and compliance reviews.

Smart Connected Transportation Refrigeration

As a security engineer and assessor for a smart connected transportation refrigeration product, I designed, implemented, and assessed the security measures of transportation refrigeration units connected to smart networks. I worked with the development and operations teams to ensure the products were secure and met industry standards.

• Developed and implemented security measures for transportation refrigeration products connected to smart networks.
• Conducted security assessments of transportation refrigeration products to identify vulnerabilities and potential threats.
• Collaborated with cross-functional teams, including developers, engineers, and project managers, to ensure that security was integrated into the development and operations processes.
• Provided guidance and expertise on secure coding practices, threat modeling, and secure design principles.
• Ensured that the company's transportation refrigeration products met relevant industry standards and regulations, including NIST, ISO, IEC, and others.
• Maintained up-to-date knowledge of security technologies, trends, and practices.

Industrial Machine Monitoring

As the security architect and penetration tester, I designed and implemented security measures to protect the products' and customers' data. I worked closely with our development team to ensure that the products were secure by design and developed using secure coding practices. Additionally, I performed penetration testing to identify and address vulnerabilities in the product.

• Developed and maintained the security architecture of our industrial machine remote monitoring and GPS tracking products.
• Collaborated with the development team to ensure that our products were secure by design and implemented secure coding practices.
• Performed regular penetration testing to identify and address any vulnerabilities in our products.
• Implemented security measures to protect our customers' data and ensured they complied with industry standards.
• Stayed up-to-date with the latest security threats and trends and adjusted our security practices accordingly.
• Collaborated with customers and partners to ensure that our products integrated seamlessly with their security measures.
• Provided guidance and training to the development team on security best practices.
1995 - 1999

Bachelor's Degree in Computer Science and Mathematics

University of Delaware - Newark, DE, USA


Certified Ethical Hacker (CEH)



GIAC Certified Forensic Analyst (GCFA)

The SANS Institute


EC-Council Certified Security Analyst (ECSA)



GIAC Reverse Engineering Malware (GREM)

The SANS Institute


Computer Hacking Forensics Investigator (CHFI)



Certified Information Security Manager (CISM)

Information Systems Audit and Control Association


GIAC Law of Data Security & Investigations (GLEG)

The SANS Institute


Offensive Security Certified Expert (OSCE)

Offensive Security


Information Systems Security Architecture Professional (CISSP-ISSAP)

International Information Systems Security Certification Consortium (ISC)²


EC-Council Chief Information Security Officer Certification (CCISO)



Certified in Risk and Information Systems Control (CRISC)

Information Systems Audit and Control Association


Offensive Security Certified Professional (OSCP)

Offensive Security


Certified Information Systems Auditor (CISA)

Information Systems Audit and Control Association


Certified Information Systems Security Professional (CISSP)



GIAC Gold Certified Intrusion Analyst (GCIA)

The SANS Institute




VMware, pfSence, Suricata, Snort, Keycloak


C, Python, Embedded C, Bash, Python 3, Embedded C++


Agile Software Development, DevSecOps, DevOps, HIPAA Compliance, DDoS, Penetration Testing, App Development, Agile

Industry Expertise



Amazon Web Services (AWS), Embedded Linux, Linux, Firefox, Mobile, AWS IoT


Vi, Digital Forensics, Ethical Hacking, Security Analysis, Forensic Investigation, Security Architecture, Risk Management, Certified Ethical Hacker (CEH), Hacking, Risk Assessment, Information Security, Forensics, IoT Security, Offensive Security, Security Policies & Procedures, Security Design, Security, SSL, Transport Layer Security (TLS), Vulnerability Assessment, Embedded Systems, Internet of Things (IoT), IT Security, ISO 27001, Analysis, Research & Investigation, Law, Architecture, Threat Modeling, SOP Development, PMO Development, PKI, Cryptography, ARM Embedded, Embedded Development, NIST, PCI, Data Loss Prevention (DLP), Office 365, SecOps, Malware Analysis, Reverse Engineering, Security Management, Security Audits, Malware Removal, Legal, Data-level Security, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Host-based Intrusion Prevention, CISM, Information Systems, Information System Audits, Audits, Web App Security, Web Security, CISSP, Certified Information Systems Security Professional, System Architecture, IT Systems Architecture, Software System Architecture Development, Software Development Lifecycle (SDLC), Technical Product Management, Public Speaking, Cellular, Game Theory, Application Security, Development, Agile DevOps, Agile Delivery, Agile Software Testing, Containers, Core, CAN Bus, RS-232, RS422, WiFi, Applications, Mobile Security, Coding, Secure Coding, Certified Information Systems Auditor (CISA), GIAC Certifications, Product Security, Security Research

Collaboration That Works

How to Work with Toptal

Toptal matches you directly with global industry experts from our network in hours—not weeks or months.


Share your needs

Discuss your requirements and refine your scope in a call with a Toptal domain expert.

Choose your talent

Get a short list of expertly matched talent within 24 hours to review, interview, and choose from.

Start your risk-free talent trial

Work with your chosen talent on a trial basis for up to two weeks. Pay only if you decide to hire them.

Top talent is in high demand.

Start hiring