About
Twitter @brandon_shi
Github @brandonshiyay
Discord @brandio#3418
Career Roadmap
- Started with Physics & Math background, majoring in Physics with specialization in Astrophysics at University of California, Irvine
July 2017 - August 2017
Learned basic programming concepts and the Java language, such as loops, classes, etc.
August 2018 - January 2019
Started learning Python and basics of networking, read “Computer Networking, A Top-Down Approach”.
January 2019 - June 2019
Learned basics of PHP, MySQL, HTML, JavaScript and CSS, started exploring CTF and infosec.
June 2019 - October 2019
Did a team project with UCI Cyber club, a simple intrusion detection system using Bash, VBScript and Python, in preparation for CCDC.
October 2019 - July 2020
Started learning penetration testing, watched tons of Ippsec videos and did many HackTheBox machines to practice exploitation skills, did around 70 machines. Signed up for OSCP in April 2020. Passed OSCP in late July 2020 on the first try.
August 2020 - December 2020
Competed in various CTFs, learned more about Assembly and reverse engineering. Understood how memory works with the CPU and more advanced techniques for stack-based buffer overflows such as ROP.
Also did a few interviews for a full-time job as a penetration tester or security researcher. Ended up becoming a Web security researcher in a security company.
Graduated from UC Irvine with a bachelor's degree in Physics, concentration in Astrophysics.
March 2021 - April 2025
Full-time Job
Developed a few exploit toolkits for internal use, analyzed a few Web CVEs, with one of the most famous being my analysis of ProxyShell.
Spent some time in July 2022 exploring and learning about browser exploitation and reproduced a working exploit from a PoC. Then dove deeper into inline cache and other V8 internals in around March or April 2023.
Side Projects
In late 2022 also spent some time doing Ethernaut CTF to learn basic Solidity and EVM and how smart contracts work.
Decided to explore Web3 and followed Jeiwan’s UniswapV3 clone book to deepen Solidity knowledge, also got familiar with how UniswapV3 and similar DEXes work.
Starting May 2023, read some contest reports on Code4rena, tried to understand real life vulnerabilities and how they are exploited.
Participated in my first ever Web3 audit contest on CodeHawks in late August 2023, ended up finding a Medium severity bug, and was paid 5 USDC. Started doing contests from then on.
May 2025 - Present
Decided to quit my job to pursue a transition into Web3 security research.
Became Sherlock Lead Judge in November 2025 and led my first contest as LJ in the same month.
Joined a collaborative audit group thanks to my friend and finished my first collaborative audit in December 2025.
As of January 2026, made 23000 USDC from contests alone. Found 80+ H/M issues. Secured multiple 1st places and top 5 finishes.