Tiago Mendo

Currently developing Probely technology and business, mostly focusing on improving the vulnerability detection capabilities.

Before that, I worked for almost 12 years at Portugal Telecom, most of them in the web security team of SAPO, which I co-founded with another teammate. In those days I tested site security, trained developers to code securely, provided all-around security consultancy and earned CPEs. Before SAPO, I spent a few years reverse-engineering traffic from proprietary applications and taking care of a countrywide network of honeypots.

I’m also a Security Researcher at Cobalt and a trainer at Citeforma, delivering courses about Linux and Network Security.

I hold a Master's in Information Technology/Information Security from Carnegie Mellon University and a CISSP certification.

I’m a frequent speaker at security events, such as Codebits, Just4Meeting, ISEL Tech, Confraria da Segurança da Informação and recently at the BSides Lisbon conference. Slides and more info are available at

For the last few years, my team has organized a Capture The Flag security contest inside Pixels Camp (previously Codebits), where participants have to break into a number of web applications to get the flags, competing against other teams.

  • Many companies have internal web applications, accessible only from their corporate network or through a VPN. These are often back-offices, management portals, HR applications, and everything that makes sense only for the company workforce, not for their clients. This also means that cloud services, like Probely, could not scan them for vulnerabilities. Until now.
  • Recently, we created a checklist, a Web Application Security Checklist for developers. Why? Well, because we want to help developers avoid introducing vulnerabilities in the first place. And for that, the security development process should start with training and creating awareness. Searching for vulnerabilities with a web scanner is essential, but we should always try to make security shift left, i.e. place it at the beginning of the development lifecycle. It is an investment: instead of being reactive, invest in prevention.