
About Us





Executive Management Team
Joshua Pennell, Founder and President
Jennifer Steffens, Chief Executive Officer
Cesar Cerrudo, CTO IOActive Labs
James Crimens, Vice President of Services
Matt Rahman, Vice President of Business Development and Sales
Karen Howe, Vice President of Marketing

Joshua Pennell

Founder and President

As IOActive's Founder and President, Joshua Pennell enjoys a proven, 14-year entrepreneurial track record of creating and maintaining a multimillion-dollar, customer-focused, independent, global security services organization. Through Pennell's leadership, IOActive has emerged as one of the world's longest-standing, highly technical boutique security consultancies with a history based on cutting-edge research and meritocratic governance.

Pennell serves on the advisory boards of Source, Vantos, and SiteScout. Pennell is also the Chairman of IOActive's advisory board, which includes computer industry venerables such as Steve Wozniak, Jim Reavis, and Jason Larsen. In years past, Pennell played an integral role in helping his team win Defcon's Capture the Flag competition for three consecutive years. He also spent several years technically revolutionizing the competition before handing the game over to Kenshoto.

Pennell enjoys riding his bicycle in London while thinking of innovative ways to reduce IOActive customers' security risks through pragmatic application of security best practices. If you enjoy what you do for a living, you'll never work another day in your life.

Visit Mr. Pennell's LinkedIn profile.

Jennifer Steffens

Chief Executive Officer

As its CEO, Jennifer Steffens is responsible for all aspects of IOActive's global business operations including sales, delivery, and finance as well as driving the company's strategic vision. Steffens brings a wealth of industry and business experience to the company, having been an early member of several successful startups.

Earlier in her career, Steffens was a Director at Sourcefire, where she helped build and grow the business from $250K to an over $35M run rate in just four years. Working closely with the CTO, Steffens helped commercialize the open source Snort technology and build several service offerings around the research initiatives. Prior to joining IOActive, she came to Seattle to help the struggling startup GraniteEdge reinvent itself. She spearheaded initiatives to restructure the company and developed a product strategy to drive early market penetration that ultimately secured two additional rounds of funding.

With over 10 years of industry experience, Steffens has also held senior management positions at Ubizen, NFR Security, and StillSecure. She graduated from Mary Washington University with a Bachelor of Science in Psychology.

Visit Ms. Steffens' LinkedIn profile.


Cesar Cerrudo

CTO IOActive Labs

Cesar Cerrudo is CTO at IOActive Labs, where he leads the team in producing ongoing cutting-edge research in the areas of SCADA, mobile device, application security, and more. Formerly the founder and CEO of Argeniss Consulting - which was acquired by IOActive - Cesar is a world-renowned security researcher and specialist in application security.

Throughout his career, Cesar is credited with discovering and helping to eliminate dozens of vulnerabilities in leading applications including Microsoft SQL Server, Oracle database server, IBM DB2, Microsoft BizTalk Server, Microsoft Commerce Server, Microsoft Windows, and Yahoo! Messenger. Cesar also has authored several white papers on database and application security, and attacks and exploitation techniques. He has been invited to present at a variety of companies and conferences including Microsoft, Black Hat, Bellua, CanSecWest, EuSecWest, WebSec, HITB, Microsoft BlueHat, EkoParty, FRHACK, H2HC, and Defcon. Cesar collaborates with and is regularly quoted in print and online publications including eWeek, ComputerWorld, and other leading journals.

Visit Mr. Cerrudo's LinkedIn profile.

James Crimens

Vice President of Services

As Vice President of Services, James is responsible and accountable for ensuring high levels of customer satisfaction and quality delivery for consulting engagements.

James Crimens is a seasoned security and services professional, bringing over 15 years of experience in influencing strategic direction, business planning, and execution to IOActive. Prior to joining IOActive, James served as a principal at JG Crimens & Associates and Director of Security & Privacy Services for Deloitte & Touche, where he was instrumental in building the global Oracle security practice and the Deloitte India Security & Privacy Services practice.

Prior to his tenure at Deloitte, James served with the Information Risk Management practice at KPMG and the Information Technology Management team at Washington Group International.

James is a subject matter expert in areas such as Information Security, Risk Management, IT Governance, Identity and Access Management, and Corporate IT Strategy. His past engagements have spanned IT strategy, business optimization, risk management, cloud computing, identity management, operations, and enterprise security clients globally.

Visit Mr. Crimens' LinkedIn profile.

Matt Rahman

Vice President of Business Development and Sales

As IOActive’s Vice President of Business Development and Sales, Matt Rahman plays a crucial role in expanding IOActive’s international footprint, while positioning the company as the worldwide premier high-end services company.

A veteran of the industry, Rahman has spent the last 19 years in various executive roles in security software and services firms, helping companies grow from less than $10 million to over $120 million.

Prior to joining IOActive, Rahman was Senior Director of Business Development and Strategic Alliances for Damballa where he built and led strategic alliances and business development focused on driving top line revenue through Communication Service Providers (CSP), MSPs and technology alliances. Before joining Damballa, Rahman was Corporate and Business Development executive at Solutionary and Technology Executive at IBM Internet Security Systems (ISS). Rahman gained early management experience while working for KPMG, BellSouth, UUnet/MCI, NetSec and Verizon Business.

Rahman holds MBA and BS degrees and CISSP, CISM and ITIL certifications. He serves on several boards as an officer, including Aunigma, InfraGard and SEERN, and is a contributing member of the Cloud Security Alliance (CSA), ISSA, and HTCA. In his spare time Rahman is an Information Security adjunct professor at ITT Tech.

Visit Mr. Rahman's LinkedIn profile.

Karen Howe

Vice President of Marketing

As IOActive’s Vice President of Marketing, Karen Howe will lead efforts to drive strategic, growth-oriented marketing programs on a worldwide basis aimed at demand creation, market communications, and sales enablement for the company. Howe leads strategic thinking regarding integrated marketing efforts, as well as the brand activation strategy including analyst relations, sponsorships, PR, and events.

Howe is a seasoned business leader and marketing veteran with more than 20 years’ experience working with multimedia and Internet technologies. Prior to joining IOActive, Howe was a director of marketing for Microsoft within Microsoft Research, vice president and GM at AOL, CEO of Technicolor subsidiary Singingfish, vice president of marketing for Mindbloom, and 2WAY Corp.

Other career highlights include 11 years with Adobe Systems and Aldus Corp., where she helped launch the desktop publishing category and established the company's Australian subsidiary. She’s won two WEBBY awards and two audio/video search patents.

Howe received her B.A. from Whitman College in Walla Walla, Washington.

Visit Ms. Howe's LinkedIn profile.




IOActive Profile:
Established: 1998
Headquarters: Seattle, WA and London, UK
Privately held and self-funded
IOActive Services:
Application Security, SCADA and Smart Grid, PCI and Compliance, Security Development Lifecycle, Infrastructure Audit, Incident Response and Training.
Global 500 companies including power and utility, game, hardware, retail, financial, media, travel, aerospace, healthcare, high-tech, social networking, and software development organizations.