About the founder

The senior practitioner behind Pentest Express.

Trey Blalock is a senior penetration tester with 15+ years of experience, 12 active certifications, and a track record across Fortune 500 companies and federal agencies. Pentest Express is his answer to a market that has been quietly broken for years.

Start Your Test Now Why I built Pentest Express

Trained the FBI, NSA, and DIA DefCon & MITRE ATT&CKcon speaker Two DHS CISA keynotes 500+ clients across major sectors

15+

Years of penetration
testing experience

500+

Clients served across
major industry sectors

Active professional
certifications held

F500

Fortune 500 client track record

A note from the founder

Why I built Pentest Express.

I have been performing penetration tests for fifteen years. In that time I have watched the same problem repeat itself across hundreds of engagements: a company needs an external pentest for compliance, calls three vendors, sits through three scoping meetings, waits two weeks for proposals, and ends up with either a $30,000 invoice or a $2,000 report full of false positives that an auditor will not accept.

Neither of those is the right answer. The first one wastes money the company should be spending on actually fixing things. The second one wastes the auditor's time and creates real risk because the buyer thinks they have been tested when they have not.

Pentest Express exists because most external network pentests are not actually that complicated. They are repeatable, well-defined work that benefits from a senior tester following a rigorous methodology. They do not benefit from a sales process, a custom SOW, or a tiered "platform." Those things exist to extract more money from buyers, not to produce better outcomes.

So I built the version of this service I wish existed when I was on the buyer side. Pricing is published. Scope is fixed. Manual validation is included on every engagement. There is no sales call. The report is written in a format that auditors recognize. And the person who finds the issues is the person who wrote the report, which, for now, is me.

If you need anything more involved than an external penetration test, internal testing beyond compliance, application testing, red team, custom scoping, that work goes to my parent company, Verification Labs. Pentest Express is deliberately narrow. That is the entire point.

Trey Blalock

Founder, Pentest Express

Background

Fifteen years across the work that defines this field.

Hands-on technical depth, large-scale security operations, and extensive speaking and training experience across advanced security topics for some of the world's largest corporations and governments.

Trey has provided penetration testing and assessment services to hundreds of clients across the financial, government, retail, chemical, aviation, oil & gas, medical, educational, legal, telecom, and law enforcement sectors.

He has trained numerous Fortune 100 companies, consulting firms, and federal agencies — including the DIA, FBI, and NSA on network security, system security, attack and penetration testing, and cloud security. He has performed thousands of penetration tests for Fortune 500 companies globally across various infrastructure devices, operating systems, protocols, and applications.

He speaks frequently about advanced security topics at financial institutions and Fintech conferences in the US, Europe, and Africa. He has spoken at DefCon and MITRE ATT&CKcon, and delivered two keynotes at the Department of Homeland Security's annual CISA conferences.

Trey currently serves on several forensic, red-team, and penetration-testing advisory boards, and is a frequent television and podcast guest on topics including ransomware, deepfakes, supply-chain attacks, and the weaponization of AI.

Featured talks & interviews

How I think about this work, on the record.

A small selection of recent conference talks and podcast interviews. Useful context if you want to see how I approach security topics before you hire me.

Data & Confused Podcast · 2025

Deepfakes and the AI arms race

How AI-enabled deception is reshaping the economics of cyber threats and what defenders need to do about it.

Data & Confused Podcast · 2025

Weaponized AI and the end of attribution

How AI is changing attacker tradecraft, speed, and scale — and what it means for the future of attribution.

Linux and the future of internet security LinuxFest Northwest · 2025 · Conference session

Threat landscape briefing SIM Portland · 2022 · Executive briefing

Selected speaking history

Conferences, keynotes, and training engagements.

A curated set of recent and notable talks. Trey speaks regularly at industry events on emerging threats, AI risk, ransomware, and offensive security.

2026 · Jan

Data Day Texas Weaponization of AI — keynote and AMA

2025 · Oct

MITRE ATT&CKcon 6 The limitations of current AI risk management frameworks

2025 · Apr

LinuxFest Northwest Linux and the future of internet security

2025 · Mar

AI Governance Day · Portland AWS Users Weaponization of AI and its impact on governance

2025 · Feb

ISSA Rainier 2025 threat landscape dynamics

2024 · Nov

Critical Infrastructure Summit Closing keynote

2023 · Nov

Critical Infrastructure Cybersecurity Summit Keynote address

2022 · Mar

ISC2 Seattle Chapter Deepfakes, voice cloning, and synthetic identities

2021 · Oct

ISSA Puget Sound Ransomware defense for modern enterprises

2021 · May

ISACA Portland Keynote

2016 · Aug

DefCon 24 PKI revocation in the real world

2012 · Jan

CISO Summit Atlanta Mobile device risks for the enterprise

See full speaking history at Verification Labs ↗

In the media

Television and broadcast appearances.

Selected on-air commentary on cybersecurity incidents and emerging threats.

KOMO News Seattle Colonial Pipeline ransomware attack — on-air analysis (May 2021)

KOMO News Seattle COVID-19 era hacking threats and remote-work risk (Apr 2020)

KOMO News Seattle Voice cloning and synthetic-identity fraud (Feb 2020)

Podcasts & panels Frequent guest on cybersecurity podcasts covering AI, ransomware, and supply-chain risk

Credentials

Professional certifications.

Active certifications across penetration testing, cloud security, forensics, risk management, and compliance.

GWAPT GIAC Web Application Penetration Tester #3845

GCPN GIAC Certified Cloud Penetration Tester #1349

GPEN GIAC Certified Penetration Tester #2089

GCTI GIAC Cyber Threat Intelligence #1977

GPCS GIAC Public Cloud Security #64

GCFA GIAC Certified Forensic Analyst #355

CISA Certified Information Systems Auditor #0862743

CISM Certified Information Systems Manager #0910809

CRISC Certified in Risk and Information Systems Control #1620233

CDPSE Certified Data Privacy Solution Engineer #2007933

CISSP Certified Information Systems Security Professional #11246

SSCP Systems Security Certified Practitioner #23259

NSA‑IAM NSA Information Assessment Methodology — certified 09/13/2002

Get in touch

Ready to get started?

Start your test now through our self-serve checkout, or email if you have questions before committing. We respond fast.

Start Your Test Now hello@pentestexpress.com