Security Practice
Scope-of-practice statement
A plain declaration of the security work performed at MadProjX, written for clients, collaborators, and platforms that need to verify the legitimacy and scope of the practice.
Scope of practice
MadProjX is an independent security and AI consulting practice operated by Kevin Hillis, CISSP. The practice is dual-use by design: effective defense requires direct familiarity with offensive techniques. Security work performed under this practice includes:
- Vulnerability research — identifying, reproducing, and documenting security weaknesses in software, systems, and AI-integrated workflows.
- Penetration testing — authorized technical assessment of systems, applications, and cloud configurations to validate real exploitability versus theoretical risk.
- Red-team and adversary emulation — modeling credible attacker behavior, including AI-enabled attacker behavior, to measure and improve defensive posture.
- Offensive security tooling development — building and refining tooling that exercises the techniques above, used within authorized engagements to produce better defensive outcomes.
All of this work is performed in a defensive framing. The goal is always to identify, document, and reduce risk for the organizations engaging the practice — never to cause harm, never to access systems without authorization, and never to enable others to do so.
What this practice does not do
Being explicit about what is out of scope is part of how a legitimate security practice operates. The following are categorically excluded:
Unauthorized access
Any activity against systems, accounts, or data where explicit written authorization from the system owner is not in place.
Ransomware or extortion tooling
Development, distribution, or operation of tooling whose purpose is destruction, extortion, or denial of access to legitimate owners.
Mass exfiltration or surveillance
Tooling or services designed to collect data at scale from populations, non-consenting individuals, or protected classes.
Operations against non-consenting targets
No work is performed against any system, organization, or individual without a written authorization scope signed by an entity empowered to grant it.
Credentials
- CISSP — Certified Information Systems Security Professional, ISC2 (verifiable on Credly).
- Bachelor of Science, Information Technology — Security, Western Governors University.
- 20+ years in cybersecurity — security assessment, vulnerability research, and adversary-emulation practice.
- Independent practitioner — MadProjX is operated by Kevin Hillis directly, with no subcontracted labor.
Additional security and IT certifications earned 2010–2020 (CompTIA Security+, Network+, A+, Project+, CIOS, CSIS; Cisco CCNA Routing & Switching, CCNA Security) — historical, not currently maintained.
Contact for authorized engagements
Inquiries about security work — assessment, vulnerability research, red-team exercises, tooling development, or advisory — should come by email. A written authorization scope is required before any technical work begins.
kevin@madprojx.com
Domain: madprojx.com · Operator: Kevin Hillis, CISSP