David Wolf · Project Use Case
AI SECURITY · PRODUCT SECURITY · SERVICENOW
ServiceNow
Principal Security Research Program
Advanced security research across ProdSec, AppSec, AI risk management, and AI voice threat modeling at enterprise SaaS scale.
Led advanced security research across product security, application security, and AI risk management at ServiceNow — one of the most widely deployed enterprise workflow platforms. Conducted deep-dive reviews, consulted with...

Client
ServiceNow
Engagement Type
Full-Time (FTE)
Period
Jan 2022 – May 2025
Role
Senior Principal Security Research Scientist
Focus Areas
Advanced product security research, Application security (AppSec) at enterprise SaaS scale, AI risk management and emerging AI threat research, AI...
The Research Narrative
Consulting Proof
This is evidence of turning messy security telemetry into explainable dashboards, alert-quality improvements, and executive-ready operating views.
The Context
ServiceNow's platform underpins critical enterprise workflows for thousands of organizations globally. As AI capabilities were embedded into the platform — including voice interaction and agentic automation — the attack surface expanded well beyond traditional web and application security into novel, less-characterized AI threat territory.
The Challenge
Conducting principled security research at a platform of ServiceNow's scale requires navigating deep technical complexity across web, database, and virtualization surfaces while simultaneously staying ahead of emerging AI threat vectors that lack established research frameworks. PSIRT coordination at this scale demands research depth and operational discipline simultaneously.
What I Did
- Conduct deep-dive security research across ProdSec, AppSec, and AI risk management disciplines
- Perform threat modeling and security analysis for web application, database, and Linux virtualization security surfaces
- Consult with PSIRT on complex vulnerability disclosure, triage, and engineering response
- Collaborate with the Red Team to research and characterize AI voice threat scenarios — attack surface, manipulation vectors, and detection gaps
- Translate research findings into actionable security controls and architectural guidance for product engineering
The Outcome
Delivered proactive security research that surfaced vulnerabilities before exploitation across critical platform surfaces.
Research Outcomes
Signal Quality
Improved the trustworthiness of operational security signals
Operational Clarity
Translated complex security data into clearer operating views
Stakeholder Visibility
Made technical risk and status easier to explain
Operational Impact
Turned raw telemetry into actionable security intelligence
Capabilities Demonstrated
Security Analytics
Signal investigation and event analysis
IAM / Access Control
Identity telemetry and access insights
SIEM Alert Debugging
Noise reduction and signal validation
Dashboard Development
Operational and executive views
Executive Reporting
Security data translated for leadership
Telemetry Normalization
Consistent and trusted data
Operational Reporting
Actionable views for security operations
Public-Safe Evidence
Shareable insights without sensitive data
Key Deliverables
- Security research reports and vulnerability findings
- AI voice threat research and characterization
- PSIRT consultation and triage guidance
- Threat models for web, database, and virtualization surfaces
- Architectural security recommendations for product engineering
Tools & Technologies
Consulting Translation
The reusable pattern is not ServiceNow-specific: normalize fragmented security telemetry, debug low-signal alert behavior, build trusted operating views, and give leadership evidence they can act on without exposing sensitive systems.