Daniel García (cr0hn)

Critical security and APIs.
20 years of this.

I’m Daniel García. Everyone calls me Dani.

I’ve been working in cybersecurity and software development for over 20 years, starting with the ethical hacking team at Telefónica R&D and later leading API security research at 42Crunch, a company focused entirely on API security. I’m currently technical lead of the core team in Banco Santander’s new AI department.

I don’t do everything. I specialize in critical security, API security, and systems at scale. If you need someone to fix something that’s been stuck for weeks, or to build something that holds up when real traffic arrives, it’s worth a conversation.

Recent work

Banco Santander (2025-present): Technical lead of the core team in the new AI department. Banco Santander is running a bank-wide AI transformation: 185,000 employees, OpenAI as a strategic partner. I led the technical side of the core team during its build phase.

42Crunch (2023-2025): API security research and architecture. Designed secure-by-design architecture from scratch in Python, covering both the product and the clients using it.

LAPIS: An API specification format designed for LLMs. OpenAPI works fine for tooling, but when an LLM consumes it the token overhead is brutal. LAPIS achieves an 85% token reduction across real APIs from GitHub, Twilio, and DigitalOcean. Published on arXiv.

I have over 100 open source security tools on GitHub. The most-used:

  • FestIn: scanner for misconfigured S3 buckets. 230+ stars.
  • Enteletaor: pentesting for message queues (RabbitMQ, Kafka, Redis). 150+ stars.
  • Dockerfile Security: static analysis of Dockerfiles before the build.

They’re in Kali Linux and BlackArch. I founded Navaja Negra and the OWASP Madrid chapter.

Some problems I remember

A healthcare company had an S3 bucket with medical data from millions of people sitting open on the public internet. No authentication. They had no idea. FestIn found it. A multimillion-euro GDPR fine avoided. They didn’t thank me, but karma works.

A financial system processed payments through a message queue that anyone could write to from outside. No authentication. Nobody had tested it because “it wasn’t a web application.” Enteletaor found it in minutes.

At RootedCON 2020 I presented vulnerabilities in CI/CD pipelines. Companies that watched the talk went back and audited their own pipelines. Some found backdoors that had been there for months. That’s not a metaphor.

If you have a specific problem

I talk to people before charging anything. 15 minutes to hear the problem and tell you honestly whether I can help. If I can’t, I’ll point you somewhere useful.

If it makes sense to continue: 200 euros per hour. One session, specific problem, solution and action plan that same day. For longer-term work, the structure is different. We talk about it.


What others say

“He is one of the few people I know who can work on a project all the way from product management and design to prototyping, coding and testing. His security skills are second to none, across a vast variety of systems and languages.”

Isabelle Mauny, Field CTO & API Security Specialist, 42Crunch

“Daniel is a force of nature. His mastery of the real fundamentals of the world of security, the ones that really matter, is deep and detailed.”

Pascual De Juan Nunez, Global Head of Innovation in Technology, BBVA

“Brilliant mind. He’s a real DevSecOps and can not just do but teach all three corners of modern IT.”

Luis Saiz, Head of Innovation in Security, BBVA