Meet Carve

We are a team of cybersecurity professionals.

About Us

The Carve Story

Carve Systems LLC was founded in 2011 to bring enterprise-level information security, training, and risk management services to organizations of any size and industry. Like most boutique security consulting shops, Carve has its roots in delivering high-end security consulting services to Fortune 500 organizations. Unlike most, Carve also complements its enterprise consulting offerings with services specifically tailored for mid-size companies.

We believe that true security is found in the continual process of evaluation and improvement required to match the dynamic technology, business, and threat landscape. We’ll advocate for security and challenge your thinking in a way that’s beneficial to your organization.  


The Management Team

Jeremy Allen - CTO

Jeremy started writing code for MUDs (Multi User Dungeons) on a 66 MHz 486 running Slackware Linux in 1995, and he has never been the same since.

Jeremy is responsible for conducting risk assessments, threat modeling, code reviews, application security assessments, research, and reverse engineering. He has discovered numerous critical flaws and bugs. He helps organizations by understanding their key risks and building security into their organization (through people, processes, and the technology stack).

Mike Zusman - CEO

At 7 years old, Mike was hammering on the keys of a TI-99 computer. By age 10, Mike was a licensed amateur radio operator and was building Intel x86 computers in his room at home. He is now a two-time Black Hat speaker with media mentions in publications such as Forbes.

Mike leads Carve Systems to help clients manage technology risk and operate with appropriate levels of security assurance.

Max Sobell - COO

Max Sobell is a partner and COO at Carve Systems. Max runs Carve’s cybersecurity leadership and engineering practice, which helps companies manage technology risk without compromising business objectives. As a technical leader, Max has responsibly disclosed bugs in embedded internet devices, mobile payment systems, public transit, and Android smartphones. Max has presented technical work and vulnerabilities at industry conferences such as CanSecWest and ShmooCon.

Prior to joining Carve, Max held security and engineering roles at Intrepidus Group and financial technology firms.


Why choose us

Businesses often struggle with security teams acting in isolation from the rest of the company.  Gaps in communication between the technical and business teams can lead to devastating vulnerabilities, breaches, delayed products, wasted resources, and a damaged reputation.

Organizing your business so that security is part of the inherent structure, instead of an afterthought, is a necessary change to make if you want to keep your products and employees protected.

At Carve, we know how to integrate our security experts within your business so that communication is streamlined between employees and nothing falls through the cracks. 

Cultivation of security champions on engineering teams

Identification of critical security flaws before code is written

Ownership of high-risk issues from discovery through remediation

Tailored automation for continuous security improvements

Syncing of business and security goals to deliver products more quickly and securely

Network monitoring with nmap

Asset management is a problem we help many of our customers with. What are an organization's assets, and how accurate and up-to-date is this information? Even with a mature asset management program, organizations want some form of validation of their result. From a...

Android Hard Coded Secrets

One of the more common findings we report for Android security reviews is an issue involving hard coded secrets. This blog post will specifically focus on hard coded secrets used for encrypting application data. I'll try to use a bit of light threat modeling and risk...

Abusing WebViews to Steal Files via Email

A few months ago, I was testing the email functionality on a company's contact us page, when I sent an email to myself containing: <script> alert("Hi, It's almost lunch time") </script> It actually was close to lunch time, so I wrapped up testing and waited for...

Web Cache Session Hijacking

In recent years it has become popular to use Content Delivery Networks (CDN) provided by cloud hosting providers. Amazon's CloudFront is an example of a popular CDN. These CDNs can take advantage of HTTP Caching to reduce latency for a global pool of end users. There...
