Yuma Kurogome

Ricerca Security, Inc. — Board Director & CTO

2021–Present

Member of the executive leadership team at an offensive security firm with approximately 20 full-time employees and roughly 40 total staff, overseeing security services and R&D lines. I own scoping and final reporting quality for the established vulnerability-assessment and penetration-testing practice, and lead newer, high-difficulty initiatives from their first, challenging engagements through to standardized, repeatable services. I also cover hiring and organizational design, and contribute to business planning.

Advisory & Opportunity Shaping

• Lead proposal work as a partner to clients, from needs discovery through attack-scenario design, scoping, and pre-engagement PoC validation.
• Consistently expand vulnerability-assessment and penetration-testing discussions into higher-value security advisory, red-team, generative-AI security, internal enablement, and R&D engagements.
• Lead work end-to-end from proposal development through evaluation-method and delivery design, quality control, reporting, and final executive communication.
• Translate attack scenarios, vulnerability findings, technical risks, remediation priorities, and residual risks into decision-ready language for both executives and practitioners.
• Helped establish field-sales workflows, reusable proposal templates, and engagement-design patterns that improved the repeatability of proposal work.

Service Incubation & Methodology Development

• Lead execution design for advanced security-service engagements, including evaluation methodology, PoC planning, delivery processes, review practices, report structures, and executive summaries.
• Led the company's first red-team engagement as PM, for an enterprise client, combining physical, social, and technical attack paths. Contributed to attack-scenario design and covered contract negotiation with outside counsel, reporting-flow setup, progress management, on-site execution oversight, and final reporting.
• Built an offering that helps clients establish in-house vulnerability-assessment capability, including white-paper-led demand generation, hypothesis-driven proposal work, internal tooling, training environments, service delivery, and reporting. Put a self-built agentic vulnerability-research system at its core and systematized the delivery process and teaching materials into a client-ready training program that gets an organization to the point of running assessments continuously on its own.
• Ran the first end-to-end engagement on the company's generative-AI security assessment offering — from sale through assessment, report writing, and final delivery — proving out the delivery flow, and also handled hypothesis-driven proposal work and assessment tooling.
• Led PoCs involving AI-agent-assisted penetration testing and deception environments for AI agents, including environment setup, engineering leadership, and reporting.

Government-Funded R&D Programs

• Run multi-year government-funded cybersecurity programs end-to-end, from research planning through WBS-based progress governance and external coordination.
• Joined a Japanese ATLA national-security technology program (安全保障技術研究推進制度) on reinforcement-learning-based adaptive fuzzing as a co-investigator after award, leading the research and an in-house team of roughly ten people. The project earned an AA rating (results exceeding expectations) in the program's final evaluation.
• Serve as PM for two research themes on vulnerability discovery under a five-year competitive research grant (details on request).
• Coordinated researchers, engineers, and external stakeholders by aligning research objectives, evaluation methods, expected deliverables, reporting requirements, and progress-management routines. Also contributed to some of the resulting publications.

AI Security, Offensive Security & Technical PoCs

• Identified high-impact generative-AI security issues, including zero-click prompt-injection paths.
• Led research on offensive-technique automation using AI agents, along with deception environments and obfuscation techniques designed to impede them.
• Designed and built an agentic vulnerability-research system ready for real-world use, introducing mechanisms (hooks, schemas, gates) — rather than relying on prompts — to guard against malfunctions and hallucinations, forming a workflow that runs from autonomous exploration through to human final judgment.
• Own final quality assurance for 10+ vulnerability-assessment and penetration-testing reports per year, ensuring sound risk framing, remediation priorities, and executive-facing final communication; created the standard VAPT report template the team uses.

Hands-on Technical Credibility

• Discovered and responsibly reported multiple issues in QEMU, including VM-escape-class vulnerabilities, plus a separate heap-overflow vulnerability assigned CVE-2026-5744.
• Performed impact validation, reproduction, root-cause analysis, and exploit development for multiple findings.
• Maintain hands-on depth across binary analysis and reverse engineering automation, vulnerability discovery and validation, and offensive security.

Organization, Hiring & Institutionalization

• Translated the CEO's vision into internal systems, role definitions, job descriptions, interview design, and hiring workflows.
• Contributed to more than 30 hires across the security services, sales, and corporate functions, serving as interviewer for roughly 10 full-time roles.
• Built repeatable systems for delivery governance, quality control, role ownership, hiring, and proposal execution as the organization scaled.

NTT Secure Platform Laboratories — Research Engineer

2017–2020

Worked on malware-countermeasure R&D spanning detection technology, analysis automation, SOC support, and binary analysis. Connected research outputs to publications, implementation, patent work, and transfer to an NTT group company, bridging research and practical security operations.

• Proposed EIGER, an automated IOC-generation method designed to improve both accuracy and interpretability in endpoint malware detection; presented as first author at ACSAC 2019.
• Led implementation of the research output and its transfer to an NTT group company.
• Filed a related patent.
• Worked as a SOC analyst, developed malware signatures, and improved SOC workflows through automation.
• Published technical materials on binary analysis, deobfuscation, and malware analysis that were widely referenced by the practitioner community (e.g. malrev/ABD).

Earlier — Part-time & Internships

2013–2017

Hands-on security and software R&D as a part-timer/intern at FFRI, Gehirn, and IIJ Innovation Institute, among others, during university.